From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 18:23:20 2006
From: Daniel Hartmeier
To: Ari Suutari
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 20:23:15 +0200
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060716182315.GC3240@insomnia.benzedrine.cx>
In-Reply-To: <44B7D8B8.3090403@suutari.iki.fi>

On Fri, Jul 14, 2006 at 08:47:36PM +0300, Ari Suutari wrote:

> There has been discussion about this before.
> I know that perfect solution would be PF_DEFAULT_BLOCK, but while
> waiting for that I wonder why we cannot have pf_boot, which closes the
> boot hole (at least when run with proper filter rules).

That is certainly not a perfect solution, as it misses the point, mostly.

The "hole" being discussed is the time, during boot, before pf is fully
functional with the production ruleset. For a comparatively long time,
the pf module isn't even loaded yet. The time after module load and
enabling pf with the production ruleset is much smaller.

So, you first need to check the boot sequence for

- interfaces being brought up before pf is loaded
- addresses assigned to those interfaces
- daemons starting and listening on those addresses
- route table getting set up
- IP forwarding getting enabled
- etc.

And to get rid of the "hole", you need to get the order right so there
is nothing being exposed before the pf module is loaded. Once you have
ensured that nothing gets exposed before rc.d/pf is started, it's
trivial to make sure that that script only exits after pf has been
enabled and the production ruleset is in place.

Hence, a "default block" switch or compile time option _within_ pf is
not going to make any difference. The problem lies mostly outside of pf,
and the boot order needs to be carefully examined and adjusted, if
needed.

I think the chronological placement of rc.d/pf is already meant to
achieve precisely that. Have you actually checked the rc.d scripts and
found some order that needs to be adjusted?
Daniel

From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 18:53:23 2006
From: Ari Suutari
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 21:51:01 +0300
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <44BA8A95.10300@suutari.iki.fi>
In-Reply-To: <20060716182315.GC3240@insomnia.benzedrine.cx>

Hi,

Daniel Hartmeier wrote:
> And to get rid of the "hole", you need to get the order right so there
> is nothing being exposed before the pf module is loaded. Once you have
> ensured that nothing gets exposed before rc.d/pf is started, it's
> trivial to make sure that that script only exits after pf has been
> enabled and the production ruleset is in place.

Too much tuning on a security-related issue. The standard startup
sequence should be secure. I really cannot understand what there is so
bad about /etc/rc.d/pf_boot that it cannot be added to FreeBSD, as NetBSD
& OpenBSD use it or something similar. I'm not yelling after default
block - others are and use it as a reason not to use something like
pf_boot.

> I think the chronological placement of rc.d/pf is already meant to
> achieve precisely that, have you actually checked the rc.d scripts and
> found some order that needs to be adjusted?

I could of course adjust my rc.d scripts, but I would very much
appreciate that security-related things are there correctly in the
standard setup.

I'll try to port pf_boot myself if nobody else volunteers.
(I don't think there is much porting to do, however).

Ari S.
From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 19:17:44 2006
From: Daniel Hartmeier
To: Ari Suutari
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 21:17:32 +0200
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060716191732.GD3240@insomnia.benzedrine.cx>
In-Reply-To: <44BA8A95.10300@suutari.iki.fi>

On Sun, Jul 16, 2006 at 09:51:01PM +0300, Ari Suutari wrote:

> I could of course adjust my rc.d scripts, but I would very much
> appreciate that security-related things are there correctly in
> standard setup.
>
> I'll try to port pf_boot myself if nobody else volunteers.
> (I don't think there is much porting to do, however).

The point of OpenBSD's "boot-time" (preliminary) ruleset is that pf can
be activated earlier, before the production ruleset can be loaded.

The production ruleset can usually not be loaded very early on in the
boot sequence, because it can contain constructs that rely on interfaces
having been created, IP addresses assigned, or host name resolution
working. At the point in time where all these things work, other things
are already exposed (briefly).

So what OpenBSD does (and I guess what that pf_boot script does on
NetBSD) is enable pf with a short hard-coded preliminary ruleset very
early on in the boot sequence, which only allows traffic which is needed
by the boot process itself subsequently. This protects the things
exposed afterwards, but before the production ruleset can be loaded. It
also remains effective should the production ruleset fail to load (hence
it usually allows ssh access to the firewall itself).

So first you need to identify whether FreeBSD's boot sequence suffers
the same issue (things are being exposed prior to the point where you
can load the production ruleset). Then you need to find the proper time
to load the kernel module and activate a preliminary ruleset. And of
course the preliminary ruleset needs to account for all legitimate
traffic that can subsequently occur during boot on various kinds of
setups.
One word of warning, the OpenBSD preliminary ruleset had to be revised
many times when people found it broke things that the boot sequence
needs in non-default setups. You'll likely go through several revisions
on FreeBSD as well.

You claimed there was a hole. If you can't explain what it consists of
("thing X might get exposed prior to rc.d/pf due to the following
sequence of events..."), blindly sticking in pf_boot at some convenient
place in the boot order is not guaranteed to solve more than it can
break. Whoever is going to do this will NEED to carefully go through
the rc.d sequence with regards to networking.

Daniel

From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 20:19:35 2006
From: Ari Suutari
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 23:17:14 +0300
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <44BA9ECA.6090607@suutari.iki.fi>
In-Reply-To: <20060716191732.GD3240@insomnia.benzedrine.cx>

Hi,

Daniel Hartmeier wrote:
> You claimed there was a hole. If you can't explain what it consists of
> ("thing X might get exposed prior to rc.d/pf due to the following
> sequence of events..."),

On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that pf is run
after netif, so if one is using only pf as firewall, there is a window
between the run of "netif" and "pf" where network interfaces are up but
there is no firewall loaded. Adding pf_boot, which runs before "netif",
would fix this, wouldn't it? Please correct me if I'm wrong here (that
would be nice since then there wouldn't be any problem at all).

> blindly sticking in pf_boot at some convenient
> place in the boot order is not guaranteed to solve more than it can
> break.

I don't think I have been talking about blindly sticking pf_boot into
the boot order. I would only like to be sure that there *is* no hole.
I have been suggesting using pf_boot because it seems to be the
approach used in other BSDs (well, I must admit that I didn't check how
OpenBSD does it, but I know that there is some kind of boot-time ruleset
there). I assumed that since the pf_boot solution is there, possible
problems with it had been ironed out on other BSDs.
Even Windows XP has boot-time firewall protection today - we don't want
to be worse than them, do we :-)

Ari S.

From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 20:30:54 2006
From: Ari Suutari
To: Andrew Thompson
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 23:28:33 +0300
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <44BAA171.8070302@suutari.iki.fi>
In-Reply-To: <20060716202253.GF29207@heff.fud.org.nz>

Hi,

Andrew Thompson wrote:
> > On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
> > pf is run after netif so if one is using only pf as firewall,
> > there is a window between run of "netif" and "pf" where network
> > interfaces are up but there is no firewall loaded. Adding
> > pf_boot, which runs before "netif" would fix this, wouldn't it?
>
> But.. pf runs before any userland daemons are loaded so how does it
> matter if there is a short window between netif and pf if nothing is
> listening?

I wasn't thinking about the firewall itself, but the network it
protects. But now I notice that routing is run *after* pf, so things
should be ok?

Sorry to be such a pain, but I have tried asking about this many times
and got no good answers (and I got even more worried when I noticed that
NetBSD had a special boot-time ruleset).

I guess this is case closed then!

Ari S.
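A way to do the rcorder check Ari describes and the exposure review Daniel asks for, added here as an example (not code from the thread, from FreeBSD, or from NetBSD's pf_boot): a POSIX sh script that takes an rcorder listing, shows what runs in the netif-to-pf window, and reports each exposure point relative to the filter script. The two listings, the exposure table and the pf_boot entry are constructed assumptions, not the real order of any release.

```shell
#!/bin/sh
# Boot-order audit for the "window" this thread argues about: which rc.d
# scripts expose something on the network before the packet filter's
# script has run?  Added example, not code from the thread, FreeBSD or
# NetBSD's pf_boot.  Real use:   rcorder /etc/rc.d/* | sh pf_window.sh pf
# With no arguments it runs over the two constructed listings below.

# Constructed rcorder-style listings.  NOT copied from any FreeBSD release;
# they only mirror the order the thread describes (netif before pf, routing
# after pf, daemons last), with sysctl added because /etc/sysctl.conf can
# set net.inet.ip.forwarding (Gary's question later in the thread).
SAMPLE_PLAIN='/etc/rc.d/hostid
/etc/rc.d/sysctl
/etc/rc.d/netif
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd
/etc/rc.d/inetd'

# The same listing with a hypothetical pf_boot script ahead of sysctl/netif.
SAMPLE_PF_BOOT='/etc/rc.d/hostid
/etc/rc.d/pf_boot
/etc/rc.d/sysctl
/etc/rc.d/netif
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd
/etc/rc.d/inetd'

# Exposure points (script:reason), after the checklist in Daniel's first mail.
# Extend this table for whatever else your own boot order starts.
EXPOSURES='netif:interfaces brought up and addresses assigned
sysctl:/etc/sysctl.conf applied, may set net.inet.ip.forwarding=1
routing:route table set up, gateway_enable=YES turns on IP forwarding here
sshd:daemon starts listening
inetd:daemon starts listening'

# position NAME  (listing on stdin): 1-based line of rc.d/NAME, empty if absent.
# Matches the whole basename, so asking for "pf" does not match "pflog".
position() {
    awk -v want="$1" '{ n = split($0, p, "/"); if (p[n] == want) { print NR; exit } }'
}

# window FIRST LAST  (listing on stdin): scripts run strictly between the two.
window() {
    awk -v a="$1" -v b="$2" '
        { n = split($0, p, "/"); name = p[n] }
        name == b { inside = 0 }
        inside    { print name }
        name == a { inside = 1 }'
}

# audit FWSCRIPT  (listing on stdin): one line per exposure point found in the
# listing, saying whether it runs before or after FWSCRIPT.
# Returns 0 when FWSCRIPT precedes every exposure point present, 1 otherwise.
audit() {
    fw=$1
    listing=$(cat)
    fwpos=$(printf '%s\n' "$listing" | position "$fw")
    if [ -z "$fwpos" ]; then
        echo "$fw: not in the boot order at all"
        return 1
    fi
    rc=0
    # The here-document keeps the loop in the current shell, so rc survives it
    # (piping into "while" would run it in a subshell and lose the result).
    while IFS=: read -r name why; do
        pos=$(printf '%s\n' "$listing" | position "$name")
        [ -n "$pos" ] || continue
        if [ "$pos" -lt "$fwpos" ]; then
            echo "EXPOSED  $name (#$pos) runs before $fw (#$fwpos): $why"
            rc=1
        else
            echo "ok       $name (#$pos) runs after $fw (#$fwpos)"
        fi
    done <<EOF
$EXPOSURES
EOF
    return $rc
}

# Stand-alone use: audit the listing on stdin against the named script, or,
# with no arguments, show both constructed samples.
main() {
    if [ $# -gt 0 ]; then
        audit "$1"
        return $?
    fi
    echo "== plain order: scripts in the netif-to-pf window"
    printf '%s\n' "$SAMPLE_PLAIN" | window netif pf
    echo "== plain order: audit against pf"
    if printf '%s\n' "$SAMPLE_PLAIN" | audit pf; then echo "-> closed"; else echo "-> window open"; fi
    echo "== with pf_boot ahead of netif: audit against pf_boot"
    if printf '%s\n' "$SAMPLE_PF_BOOT" | audit pf_boot; then echo "-> closed"; else echo "-> window open"; fi
}

main "$@"
```

A zero exit from the audit means every listed exposure point runs after the script you named; anything it prints as EXPOSED is the window the thread is talking about.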
From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 20:54:11 2006
From: Gary Palmer
To: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 16:54:10 -0400
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060716205410.GB6444@in-addr.com>
In-Reply-To: <20060716202253.GF29207@heff.fud.org.nz>

On Mon, Jul 17, 2006 at 08:22:53AM +1200, Andrew Thompson wrote:
> But.. pf runs before any userland daemons are loaded so how does it
> matter if there is a short window between netif and pf if nothing is
> listening?

That is one use case for PF, where you are protecting the local system.
What if you are running PF on a multi-homed host? Is
net.inet.ip.forwarding only ever set to 1 by /etc/rc.d/routing, or can
that be set by something else before it gets that far?

Gary

From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 21:05:32 2006
From: des@des.no (Dag-Erling Smørgrav)
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, Ari Suutari, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 23:05:27 +0200
Message-ID: <86y7utgt0o.fsf@xps.des.no>
In-Reply-To: <20060716182315.GC3240@insomnia.benzedrine.cx> (Daniel Hartmeier's message of "Sun, 16 Jul 2006 20:23:15 +0200")
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Daniel Hartmeier writes:
> Hence, a "default block" switch or compile time option _within_ pf is
> not going to make any difference.

Sure it will, if pf is compiled into the kernel or loaded by the BTX
loader.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 21:15:37 2006
From: "R. B. Riddick"
To: Ari Suutari
Cc: freebsd-security@freebsd.org
Date: Sun, 16 Jul 2006 14:15:36 -0700 (PDT)
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060716211536.95545.qmail@web30305.mail.mud.yahoo.com>
In-Reply-To: <44BA9ECA.6090607@suutari.iki.fi>

--- Ari Suutari wrote:
> On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
> pf is run after netif so if one is using only pf as firewall,
> there is a window between run of "netif" and "pf" where network
> interfaces are up but there is no firewall loaded. Adding
> pf_boot, which runs before "netif" would fix this, wouldn't it?
>
Hi!

I would feel better if the box were either completely unreachable (due
to disabled hardware (e. g. a downed interface)) or at least protected
by a packet filter _all_ the time...

That is one reason why I use ipfw _and_ pf at the same time on all my
boxes...

As you can see in appendix A, ipfw2 is initialized even before the hard
disks but after the network interfaces, which are detected some lines
earlier. Are the NICs still down and _safe_ after that detection phase?

Isn't it possible to just activate pf just like ipfw in order to deny
all incoming and outgoing traffic (to me it looks like a design flaw
when the boot-up scripts rely on a misconfigured/disabled packet
filter...)?

Bye
Arne

appendix A:
[...]
Jul 16 06:58:53 neo kernel: vr0: Ethernet address: 00:0a:e6:XX:XX:XX
[...]
Jul 16 06:58:53 neo kernel: ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to deny, logging disabled
Jul 16 06:58:53 neo kernel: ad0: 194481MB at ata0-master UDMA133
[...]

From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 21:45:02 2006
From: Daniel Hartmeier
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Ari Suutari, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 23:44:56 +0200
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060716214456.GE3240@insomnia.benzedrine.cx>
In-Reply-To: <86y7utgt0o.fsf@xps.des.no>

On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:

> > Hence, a "default block" switch or compile time option _within_ pf is
> > not going to make any difference.
>
> Sure it will, if pf is compiled into the kernel or loaded by the BTX
> loader.

Ok, in that case I guess you want to enable pf by default, too.

I haven't tried it in this mode, but the default block can be achieved
by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()

-	pf_default_rule.action = PF_PASS;
+	pf_default_rule.action = PF_DROP;

 	bzero(&pf_status, sizeof(pf_status));
+	pf_status.running = 1;

That would then block all packets on all interfaces, until a ruleset is
loaded. If anything started through the startup scripts needs unblocked
packets (including the production ruleset loading requiring name
resolution over network), you'd need to first load a simpler temporary
ruleset to pass that, and finally replace it with the production
ruleset.

And, of course, if the boot sequence for any reason doesn't reach that
point, you can only fix stuff with local access... :)

I'm not sure the average user _really_ is worried enough about that
half a second period on boot. But I DO know there will be people locking
themselves out from far-away remote hosts (on updates, for instance) if
this becomes the default.
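Review bot: flipping pf_default_rule.action to PF_DROP and setting pf_status.running = 1 in pf_attach() is not enough on its own, because nothing in the shown lines registers pf's pfil hooks; the follow-up in this thread confirms this by adding `error = hook_pf();` right after `pf_pfil_hooked = 0;`, and without that the attach-time default rule never sees a packet. The hook registration belongs in the same change, and since the author says the mode is untried, the lockout consequence stated at the end of the mail (nothing passes until a ruleset loads, so a boot that stops short of rc.d/pf leaves only local access) should sit next to the diff as the reason a preliminary ruleset must accompany it.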
Daniel

From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 20:22:56 2006
From: Andrew Thompson
To: Ari Suutari
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 17 Jul 2006 08:22:53 +1200
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060716202253.GF29207@heff.fud.org.nz>
In-Reply-To: <44BA9ECA.6090607@suutari.iki.fi>
X-Mailman-Approved-At: Sun, 16 Jul 2006 22:45:34 +0000

On Sun, Jul 16, 2006 at 11:17:14PM +0300, Ari Suutari wrote:
> Hi,
>
> Daniel Hartmeier wrote:
> > You claimed there was a hole. If you can't explain what it consists of
> > ("thing X might get exposed prior to rc.d/pf due to the following
> > sequence of events..."),
>
> On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
> pf is run after netif so if one is using only pf as firewall,
> there is a window between run of "netif" and "pf" where network
> interfaces are up but there is no firewall loaded. Adding
> pf_boot, which runs before "netif" would fix this, wouldn't it?

But.. pf runs before any userland daemons are loaded so how does it
matter if there is a short window between netif and pf if nothing is
listening?
Andrew

From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 22:17:15 2006
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Date: Mon, 17 Jul 2006 00:16:57 +0200
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-Id: <200607170017.05241.max@love2party.net>
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx>
X-Mailman-Approved-At: Sun, 16 Jul 2006 22:45:44 +0000
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Jul 2006 22:17:15 -0000 --nextPart1233698.PquWgbKCin Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Sunday 16 July 2006 23:44, Daniel Hartmeier wrote: > On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Sm=F8rgrav wrote: > > > Hence, a "default block" switch or compile time option _within_ pf is > > > not going to make any difference. > > > > Sure it will, if pf is compiled into the kernel or loaded by the BTX > > loader. > > Ok, in that case I guess you want to enable pf by default, too. > > I haven't tried it in this mode, but the default block can be achieved > by simply changing sys/contrib/pf/pf_ioctl.c pf_attach() > > - pf_default_rule.action =3D PF_PASS; > + pf_default_rule.action =3D PF_DROP; > > bzero(&pf_status, sizeof(pf_status)); > + pf_status.running =3D 1; You will also need this (just one line below): pf_pfil_hooked =3D 0; + error =3D hook_pf(); + if (error || !pf_pfil_hooked) + panic("Unable to protect you from the scary internet!"); > That would then block all packets on all interfaces, until a ruleset is > loaded. If anything started through the startup scripts needs unblocked > packets (including the production ruleset loading requiring name > resolution over network), you'd need to first load a simpler temporary > ruleset to pass that, and finally replace it with the production > ruleset. > > And, of course, if the boot sequence for any reason doesn't reach that > point, you can only fix stuff with local access... :) > > I'm not sure the average user _really_ is worried enough about that > half a second period on boot. 
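Review bot: the three lines added after `pf_pfil_hooked = 0;` call `panic()` when `hook_pf()` fails, which turns a failed pfil registration into a kernel that does not come up at all; for a change whose stated risk is locking people out of remote hosts, returning `error` from `pf_attach()` (leaving `pf_status.running` clear) so that the module load fails visibly in dmesg is the safer failure mode, with a panic reserved, if anywhere, for the compiled-in case. Separately, `pf_default_rule.action = PF_DROP` together with `pf_status.running = 1` means every interface drops everything from attach time until the first `pfctl -f`, loopback included; the commit message for a PF_DEFAULT_BLOCK option should say so and point at the need for an early minimal ruleset that passes on lo0 before anything in rc.d talks to 127.0.0.1.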
> But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.

-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

--nextPart1233698.PquWgbKCin Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (FreeBSD) iD8DBQBEurrhXyyEoT62BG0RAgAnAJ9d4AeS7swmGE9FeY9KeouULCvfBwCeJ7wq CvP7kzmkx0Ek/ateDa039dg= =pQS2 -----END PGP SIGNATURE----- --nextPart1233698.PquWgbKCin--

From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 00:00:41 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 93BEA16A4DD; Mon, 17 Jul 2006 00:00:41 +0000 (UTC) (envelope-from keramida@ceid.upatras.gr) Received: from igloo.linux.gr (igloo.linux.gr [62.1.205.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4DC043D45; Mon, 17 Jul 2006 00:00:40 +0000 (GMT) (envelope-from keramida@ceid.upatras.gr) Received: from gothmog.pc (patr530-a126.otenet.gr [212.205.215.126]) (authenticated bits=128) by igloo.linux.gr (8.13.7/8.13.7/Debian-1) with ESMTP id k6H00Lt9011602 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 17 Jul 2006 03:00:25 +0300 Received: from gothmog.pc (gothmog [127.0.0.1]) by gothmog.pc (8.13.7/8.13.7) with ESMTP id k6GNxUN9005583; Mon, 17 Jul 2006 02:59:31 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr) Received: (from giorgos@localhost) by gothmog.pc (8.13.7/8.13.7/Submit) id k6GMa1gV005106; Mon, 17 Jul 2006 01:36:01 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr) Date: Mon, 17 Jul 2006 01:36:01 +0300 From: Giorgos Keramidas To: Daniel Hartmeier Message-ID: <20060716223601.GA5039@gothmog.pc> References: <44B7715E.8050906@suutari.iki.fi>
<20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <86y7utgt0o.fsf@xps.des.no> <20060716214456.GE3240@insomnia.benzedrine.cx> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx> X-Hellug-MailScanner: Found to be clean X-Hellug-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.105, required 5, autolearn=not spam, ALL_TRUSTED -1.80, AWL 0.29, BAYES_00 -2.60) X-Hellug-MailScanner-From: keramida@ceid.upatras.gr X-Spam-Status: No Cc: Dag-Erling Smørgrav , freebsd-pf@freebsd.org, Ari Suutari , freebsd-security@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2006 00:00:41 -0000

On 2006-07-16 23:44, Daniel Hartmeier wrote:
>On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
>>> Hence, a "default block" switch or compile time option _within_ pf is
>>> not going to make any difference.
>>
>> Sure it will, if pf is compiled into the kernel or loaded by the BTX
>> loader.
>
> Ok, in that case I guess you want to enable pf by default, too.
>
> I haven't tried it in this mode, but the default block can be achieved
> by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()
>
> - pf_default_rule.action = PF_PASS;
> + pf_default_rule.action = PF_DROP;
>
> bzero(&pf_status, sizeof(pf_status));
> + pf_status.running = 1;

If this is the only change needed, then do you think it would be nice to have it as a compile-time option, like IPFW does? Something like this perhaps?
    options PF_DEFAULT_TO_ACCEPT    #allow everything by default

I haven't verified that this is the _only_ change needed to make PF block everything by default, but having it as a compile-time option which defaults to block everything would be nice, right?

From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 02:37:13 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E1A6E16A4DA; Mon, 17 Jul 2006 02:37:13 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2507143D45; Mon, 17 Jul 2006 02:37:12 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id k6H2b1Xu023117 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Mon, 17 Jul 2006 04:37:01 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id k6H2b1Or010073; Mon, 17 Jul 2006 04:37:01 +0200 (MEST) Date: Mon, 17 Jul 2006 04:37:00 +0200 From: Daniel Hartmeier To: Giorgos Keramidas Message-ID: <20060717023700.GF3240@insomnia.benzedrine.cx> References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <86y7utgt0o.fsf@xps.des.no> <20060716214456.GE3240@insomnia.benzedrine.cx> <20060716223601.GA5039@gothmog.pc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060716223601.GA5039@gothmog.pc> User-Agent: Mutt/1.5.10i Cc: Dag-Erling Smørgrav , freebsd-pf@freebsd.org, Ari Suutari , freebsd-security@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2006 02:37:14 -0000 On Mon, Jul 17, 2006 at 01:36:01AM +0300, Giorgos Keramidas wrote: > I haven't verified that this is the _only_ change needed to make PF > block everything by default, but having it as a compile-time option > which defaults to block everything would be nice, right? Sure, when FreeBSD's default becomes to compile pf into the kernel or load it by BTX, that makes sense. Otherwise it doesn't. This is not about a style pet-peeve that some people have. There is no common case where users forget to add a default block rule when they intend to have one. Real production rulesets contain not just one but several explicit block rules (generating replies for only certain blocks, logging only certain blocks, etc.). The only technical reason for this is in a specific case like DES brought up. If you load pf as module and enable it half way through the rc.d startup sequence, there's no need for it that I can see. It doesn't plug the boot-time hole, if there is one. 
Daniel From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 06:04:02 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 777EE16A4DF; Mon, 17 Jul 2006 06:04:02 +0000 (UTC) (envelope-from avalon@caligula.anu.edu.au) Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id D46C143D45; Mon, 17 Jul 2006 06:04:01 +0000 (GMT) (envelope-from avalon@caligula.anu.edu.au) Received: from caligula.anu.edu.au (localhost [127.0.0.1]) by caligula.anu.edu.au (8.13.6/8.13.6) with ESMTP id k6H63pbT017633; Mon, 17 Jul 2006 16:03:51 +1000 (EST) Received: (from avalon@localhost) by caligula.anu.edu.au (8.13.6/8.13.6/Submit) id k6H63lgD017631; Mon, 17 Jul 2006 16:03:47 +1000 (EST) From: Darren Reed Message-Id: <200607170603.k6H63lgD017631@caligula.anu.edu.au> To: daniel@benzedrine.cx (Daniel Hartmeier) Date: Mon, 17 Jul 2006 16:03:47 +1000 (Australia/ACT) In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx> from "Daniel Hartmeier" at Jul 16, 2006 11:44:56 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= , freebsd-pf@freebsd.org, Ari Suutari , freebsd-security@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2006 06:04:02 -0000 In some mail from Daniel Hartmeier, sie said: ... > I'm not sure the average user _really_ is worried enough about that > half a second period on boot. 
> But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.

For me this has always been the overriding reason to have IPFilter always default (as shipped) to default allow. There are just too many things that can go wrong that can lead to no access to a system.

That said, I believe NetBSD (and FreeBSD?) have this:

    options IPFILTER_DEFAULT_BLOCK

You might want to do something similar for pf to make this easier for those who (think they) know what they're doing.

Darren

From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 08:11:41 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4324B16A4DA; Mon, 17 Jul 2006 08:11:41 +0000 (UTC) (envelope-from fb-security@psconsult.nl) Received: from ps226.psconsult.nl (ps226.psconsult.nl [213.222.19.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id AB59643D53; Mon, 17 Jul 2006 08:11:39 +0000 (GMT) (envelope-from fb-security@psconsult.nl) Received: from phuket.psconsult.nl (localhost [127.0.0.1]) by phuket.psconsult.nl (8.13.1/8.13.1) with ESMTP id k6H8ACbp072309; Mon, 17 Jul 2006 10:10:12 +0200 (CEST) (envelope-from fb-security@psconsult.nl) Received: (from paul@localhost) by phuket.psconsult.nl (8.13.1/8.13.1/Submit) id k6H8ACgc072308; Mon, 17 Jul 2006 10:10:12 +0200 (CEST) (envelope-from fb-security@psconsult.nl) Date: Mon, 17 Jul 2006 10:10:12 +0200 From: Paul Schenkeveld To: freebsd-security@freebsd.org, freebsd-pf@freebsd.org Message-ID: <20060717081012.GA71385@psconsult.nl> Mail-Followup-To: freebsd-security@freebsd.org, freebsd-pf@freebsd.org References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <86y7utgt0o.fsf@xps.des.no> <20060716214456.GE3240@insomnia.benzedrine.cx>
Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx> User-Agent: Mutt/1.5.6i Cc: Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2006 08:11:41 -0000 On Sun, Jul 16, 2006 at 11:44:56PM +0200, Daniel Hartmeier wrote: > On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote: > > That would then block all packets on all interfaces, until a ruleset is > loaded. If anything started through the startup scripts needs unblocked > packets (including the production ruleset loading requiring name > resolution over network), you'd need to first load a simpler temporary > ruleset to pass that, and finally replace it with the production > ruleset. > > And, of course, if the boot sequence for any reason doesn't reach that > point, you can only fix stuff with local access... :) > > I'm not sure the average user _really_ is worried enough about that > half a second period on boot. But I DO know there will be people locking > themselves out from far-away remote hosts (on updates, for instance) if > this becomes the default. There are two completely different issues here. One is protecting the machine itself, the other is to protect the complete network behind it if this is a firewall. Having a firewall open for half a second (is it really ONLY half a second in all cases?) is not acceptable if this is a firewall. 
So if you build a pf-based firewall:

- Include pf in your kernel ("device pf" in ${ARCH}/conf/KERNEL) or load pf from BTX ("pf_load=YES" in /boot/loader.conf)
- Make sure you have console access before making changes to pf.conf, or make sure you can get back to the firewall even after a mistake in pf.conf.

I've done quite a lot of ipfw.conf and ipf.rules maintenance on remote, unattended firewalls and come up with several easy ways to make sure the device reverts to the last known-to-work ruleset if I get locked out during the process. One way is to schedule a "pfctl -Fa -f /etc/pf.conf" or a reboot after several minutes using at(1), make changes to /etc/pf.conf.new, load it manually using pfctl, and atrm(1) the scheduled job if you can still reach the firewall. Finally, when you are really sure the changes work correctly, move them to /etc/pf.conf.

If you are to protect your company network or your customers' network, maintaining access to the firewall is very important, but exposing the network behind it, even for a short time, is IMO not acceptable. So I still believe in having some kind of PF_DEFAULT_BLOCK for those caring about the protection of the network behind the firewall.

OTOH I see a good point in having the rc.d/pf_boot script the OP asked for as well, installing /etc/pf.boot.conf early to give applications DNS (and access to i.e. a remote database needed to start up a certain app) and give the sysadmin access until all required apps are loaded and maybe even proven to work correctly.
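The reload-with-rollback procedure described above, written out as a script. This is an added example from the editor, not code from Paul or from the thread: it arms a rollback to the current /etc/pf.conf with at(1), parse-checks and loads /etc/pf.conf.new, and only removes the job and promotes the candidate when the admin can still reach the box and runs `commit`. The paths, the five-minute grace period, the /var/run job-id file and the use of `pfctl -f` (replace rules, keep the state table so the admin's own SSH session survives the rollback) instead of `pfctl -Fa -f` are the example's own assumptions.

```shell
#!/bin/sh
# pf-safe-reload: load a candidate pf ruleset on an unattended firewall with
# an at(1)-scheduled rollback, so a mistake in the new rules cannot lock the
# admin out for good. Editor's example for this thread, not code from it.
# Assumed defaults (all overridable from the environment):
PF_CONF=${PF_CONF:-/etc/pf.conf}        # last known-good ruleset
NEW_CONF=${NEW_CONF:-/etc/pf.conf.new}  # candidate ruleset under test
GRACE=${GRACE:-5}                       # minutes until automatic rollback
PFCTL=${PFCTL:-/sbin/pfctl}             # absolute: at(1) jobs get a minimal PATH
AT=${AT:-at}
ATRM=${ATRM:-atrm}
JOBFILE=${JOBFILE:-/var/run/pf-safe-reload.job}

# The command at(1) runs if nobody commits in time. "pfctl -f" replaces the
# rules but keeps the state table, so the rollback itself does not cut the
# admin's SSH session (a "-F all" would do exactly that).
rollback_cmd() {
    printf '%s -f %s\n' "$PFCTL" "$1"
}

# Job number from at(1)'s acknowledgement. FreeBSD prints
# "Job 12 will be executed using /bin/sh"; other at(1)s print
# "job 12 at Mon Jul 17 10:30:00 2006". Both put the number second.
parse_at_job() {
    printf '%s\n' "$1" | sed -n 's/^[Jj]ob \([0-9][0-9]*\).*/\1/p' | head -n 1
}

load() {
    # 1. Parse-only check: a syntax error must not take the old rules down.
    "$PFCTL" -nf "$NEW_CONF" || { echo "$NEW_CONF does not parse; nothing loaded" >&2; return 1; }
    # 2. Arm the rollback before touching the running ruleset.
    out=$(rollback_cmd "$PF_CONF" | "$AT" now + "$GRACE" minutes 2>&1) \
        || { echo "at(1) failed: $out" >&2; return 1; }
    job=$(parse_at_job "$out")
    [ -n "$job" ] || { echo "cannot find job id in at(1) output: $out" >&2; return 1; }
    printf '%s\n' "$job" > "$JOBFILE"
    # 3. Only now load the candidate; the rollback stays armed if this fails.
    "$PFCTL" -f "$NEW_CONF" || { echo "load failed; rollback job $job still armed" >&2; return 1; }
    echo "loaded $NEW_CONF; rollback job $job fires in $GRACE min unless you run: $0 commit"
}

commit() {
    job=$(cat "$JOBFILE" 2>/dev/null) || { echo "no rollback job pending" >&2; return 1; }
    "$ATRM" "$job" || { echo "atrm $job failed; rollback will still fire" >&2; return 1; }
    cp "$NEW_CONF" "$PF_CONF" && rm -f "$JOBFILE" \
        && echo "committed $NEW_CONF as $PF_CONF; job $job cancelled"
}

case ${1:-} in
    load)   load ;;
    commit) commit ;;
    "")     ;;      # no verb: only define the functions (sourced or self-test)
    *)      echo "usage: $0 load|commit" >&2; exit 2 ;;
esac
```

Run `pf-safe-reload load` from the SSH session, check that the session is still alive and that whatever the rules protect still works, then `pf-safe-reload commit` inside the grace period; if the session dies, do nothing and the at(1) job restores the old rules. Queue a `shutdown -r` instead of `pfctl -f` in rollback_cmd only if the candidate also touches things (routes, interface addresses) that a rules reload cannot undo.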
Regards,

Paul Schenkeveld

From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 22:56:39 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B43F316A4DA; Sun, 16 Jul 2006 22:56:39 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 01A6A43D5D; Sun, 16 Jul 2006 22:56:38 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 29B282376B8; Sun, 16 Jul 2006 23:56:33 +0100 (BST) From: "Greg Hennessy" To: "'Daniel Hartmeier'" , =?iso-8859-1?Q?'Dag-Erling_Sm=F8rgrav'?= Date: Sun, 16 Jul 2006 23:56:35 +0100 Keywords: freebsd-pf Message-ID: <000c01c6a92b$167fcd00$0a00a8c0@thebeast> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Office Outlook 11 Thread-Index: AcapI1FTJviArYNETTy3a0qJjTWQMQABozmA In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869 X-OriginalArrivalTime: 16 Jul 2006 22:56:35.0280 (UTC) FILETIME=[167FCD00:01C6A92B] X-Mailman-Approved-At: Mon, 17 Jul 2006 12:00:51 +0000 Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org Subject: RE: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Jul 2006 22:56:39 -0000

> I'm not sure the average user _really_ is worried enough
> about that half a second period on boot.
> But I DO know there
> will be people locking themselves out from far-away remote
> hosts (on updates, for instance) if this becomes the default.

That is pretty much guaranteed. Murphy will always find a way to f*ck up a reboot and simultaneously cause the 2611 on the console port to halt and catch fire.

If punters want a default block, IMHO it doesn't get much easier than using the mac_ifoff(4) kernel option discussed earlier on in the week; they can tweak the pf startup to twiddle the relevant sysctl appropriately at the right moment in time.

In order to salve the consciences of those who know naught but tick boxes, and more importantly make them STFU and annoy someone else, perhaps a codicil to the FreeBSD pf.conf manpage, detailing the mac_ifoff approach as a wholly unsupported solution for 'default block' to satisfy the anally retentive.

Greg

From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 03:40:29 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7B53616A4E0 for ; Mon, 17 Jul 2006 03:40:29 +0000 (UTC) (envelope-from solinym@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.178]) by mx1.FreeBSD.org (Postfix) with ESMTP id 16DA743D5E for ; Mon, 17 Jul 2006 03:40:28 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by py-out-1112.google.com with SMTP id c59so1343960pyc for ; Sun, 16 Jul 2006 20:40:27 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=KIMhUZHbKUzuO36qMbgseuXBdF31esCVJZaGxMp7UhoJ6PnmOOQ3dlN4M3tBGHrBrgm6TUhWGlPdTDIj2LFwm23zDEvBoj3Z+wlHS4j64+6tDE/Iirf2fl4zUHPfP+aoCFT2BMRnzdSD5kFjSYqaJ2leqIQ0Ce5Vef29C7eVYUs= Received: by 10.35.37.18 with SMTP
id p18mr3374396pyj; Sun, 16 Jul 2006 20:40:27 -0700 (PDT) Received: by 10.35.34.3 with HTTP; Sun, 16 Jul 2006 20:40:27 -0700 (PDT) Message-ID: Date: Sun, 16 Jul 2006 22:40:27 -0500 From: "Travis H." To: "Daniel Hartmeier" In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <86y7utgt0o.fsf@xps.des.no> <20060716214456.GE3240@insomnia.benzedrine.cx> X-Mailman-Approved-At: Mon, 17 Jul 2006 12:01:06 +0000 Cc: =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= , freebsd-pf@freebsd.org, freebsd-security@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2006 03:40:29 -0000 I'm pretty much in agreement on the necessity to examine startup order, &c. However, On 7/16/06, Daniel Hartmeier wrote: > That would then block all packets on all interfaces, until a ruleset is > loaded. If anything started through the startup scripts needs unblocked > packets (including the production ruleset loading requiring name > resolution over network), you'd need to first load a simpler temporary > ruleset to pass that, and finally replace it with the production > ruleset. Yes. And it can have other effects, too; for example, squid won't start up unless DNS is working. And your main firewall ruleset might have (gasp) DNS names in it... not that relying on DNS for firewall rules is particularly wise, but it is certainly much more manageable, and DNS _can_ be secure for local servers with the right amount of work. 
And IPv6 will basically make it effectively mandatory. > And, of course, if the boot sequence for any reason doesn't reach that > point, you can only fix stuff with local access... :) Another person said: > That is pretty much guaranteed. Murphy will always find a way to f*ck up a > reboot and simultaneously cause the 2611 on the console port to halt and > catch fire. Tradeoff between security and convenience. Murphy's law cuts both ways; if you're under an aggressive scan and happen to have a power blip... or if the attacker can get your firewall to spontaneously reboot... you have problems. The basic question is; do you want security or availability? Seems to me this should be a personal choice, and I think both sides have a point. Making it a compile-time option or sysctl would solve it, wouldn't it? > I'm not sure the average user _really_ is worried enough about that > half a second period on boot. But I DO know there will be people locking > themselves out from far-away remote hosts (on updates, for instance) if > this becomes the default. Generally, Unix has provided enough rope for people to hang themselves (or their servers). And then he said: > If punters want a default block, IMHO it doesn't get much easier than using > the mac_ifoff(4) kernel option discussed earlier on in the week, they can > tweak the pf startup to twiddle the relevant sysctl appropriately at the > right moment in time. It's not particularly maintainable to be tweaking startup scripts; the tweaks have a way of disappearing during upgrades, and I'm not about to put all of etc under revision control to track one or two changes. -- ``I am not a pessimist. 
To perceive evil where it exists is, in my opinion, a form of optimism.'' -- Roberto Rossellini http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 08:23:08 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0D1A916A4DA; Mon, 17 Jul 2006 08:23:08 +0000 (UTC) (envelope-from harald@clef.at) Received: from stud3.tuwien.ac.at (stud3.tuwien.ac.at [193.170.75.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1276443D49; Mon, 17 Jul 2006 08:23:06 +0000 (GMT) (envelope-from harald@clef.at) Received: from bluedaemon.clef.test (v209-200.vps.tuwien.ac.at [128.131.209.200]) by stud3.tuwien.ac.at (8.9.3 (PHNE_29774)/8.9.3) with ESMTP id KAA10122; Mon, 17 Jul 2006 10:23:04 +0200 (METDST) To: Daniel Hartmeier References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <86y7utgt0o.fsf@xps.des.no> <20060716214456.GE3240@insomnia.benzedrine.cx> <20060716223601.GA5039@gothmog.pc> <20060717023700.GF3240@insomnia.benzedrine.cx> From: Harald Muehlboeck Date: Mon, 17 Jul 2006 10:25:37 +0200 In-Reply-To: <20060717023700.GF3240@insomnia.benzedrine.cx> (Daniel Hartmeier's message of "Mon, 17 Jul 2006 04:37:00 +0200") Message-ID: <86hd1ghc3i.fsf@tuha.clef.at> User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailman-Approved-At: Mon, 17 Jul 2006 12:01:35 +0000 Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2006 08:23:08 -0000

Daniel Hartmeier writes:
> On Mon, Jul 17, 2006 at 01:36:01AM +0300, Giorgos Keramidas wrote:
>
>> I haven't verified that this is the _only_ change needed to make PF
>> block everything by default, but having it as a compile-time option
>> which defaults to block everything would be nice, right?
>
> Sure, when FreeBSD's default becomes to compile pf into the kernel or load
> it by BTX, that makes sense. Otherwise it doesn't.

What do you mean by default? None of the firewalls available with FreeBSD (ipfw, ipf, pf) is part of the GENERIC kernel. But many users will compile the firewall of their choice into their CUSTOM kernels. For ipfw and ipf this can be done either with a "default to accept" or a "default to deny" policy by adding the option

    options IPFIREWALL_DEFAULT_TO_DENY

or

    options IPFILTER_DEFAULT_BLOCK

to the custom kernel configuration file.
From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 09:13:57 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BD83016A4DD; Mon, 17 Jul 2006 09:13:57 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id E372243D6A; Mon, 17 Jul 2006 09:13:56 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.182.82] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis), id 0MKwh2-1G2PAp2XFG-0001sZ; Mon, 17 Jul 2006 11:13:55 +0200 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Mon, 17 Jul 2006 11:13:43 +0200 User-Agent: KMail/1.9.3 References: <44B7715E.8050906@suutari.iki.fi> <20060717023700.GF3240@insomnia.benzedrine.cx> <86hd1ghc3i.fsf@tuha.clef.at> In-Reply-To: <86hd1ghc3i.fsf@tuha.clef.at> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart9370727.r2jcNg7TsT"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200607171113.54110.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 X-Mailman-Approved-At: Mon, 17 Jul 2006 12:01:43 +0000 Cc: freebsd-security@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2006 09:13:57 -0000 --nextPart9370727.r2jcNg7TsT Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

[Replying to the latest message available]

Okay, now this is getting pretty pointless. It started out pretty promising with an attempt to really investigate a problem that might exist with the way we boot up pf. No-one has yet provided evidence that it does exist, though. What Daniel and others have suggested is that interested parties look at the boot process closely, identify possible windows of vulnerability and propose a *proper* fix in the form of a reorder of the boot process, an early pf_boot or something else.

As more and more people are screaming for rope to hang themselves with, I am going to provide it. As we have established, the "fix" is a three-line change in pf_ioctl.c and otherwise non-intrusive. You will of course have to rewrite your rulesets if you have a default to block policy, but since you care about security, that's a little price to pay - right?

I would love to see somebody[tm] *really* looking into the boot process and come up with a solution if we do have a problem there.

Otherwise I will post a patch for PF_DEFAULT_BLOCK after a few days of cool-off time; if people still think it's a good idea then, I'll commit it.

Thanks.
-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

--nextPart9370727.r2jcNg7TsT Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (FreeBSD) iD8DBQBEu1TSXyyEoT62BG0RAqUIAJoDm86oQQDKv89ejblJ4XMU/pwzeQCeKMV3 9ST0ZlzZM2H/4vW0C4V1CX4= =anvo -----END PGP SIGNATURE----- --nextPart9370727.r2jcNg7TsT--

From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 12:21:43 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 97EB516A4DE; Mon, 17 Jul 2006 12:21:43 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk) Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5623243D5C; Mon, 17 Jul 2006 12:21:30 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (unknown [192.168.3.39]) by mx.nitro.dk (Postfix) with ESMTP id C6E8D2D4921; Mon, 17 Jul 2006 12:21:28 +0000 (UTC) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 8FDAF11444; Mon, 17 Jul 2006 14:21:28 +0200 (CEST) Date: Mon, 17 Jul 2006 14:21:28 +0200 From: "Simon L.
Nielsen" To: Daniel Hartmeier Message-ID: <20060717122127.GC1087@zaphod.nitro.dk> References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="mP3DRpeJDSE+ciuQ" Content-Disposition: inline In-Reply-To: <20060716182315.GC3240@insomnia.benzedrine.cx> User-Agent: Mutt/1.5.11 X-Mailman-Approved-At: Mon, 17 Jul 2006 12:34:44 +0000 Cc: freebsd-security@freebsd.org, Ari Suutari , freebsd-pf@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2006 12:21:43 -0000 --mP3DRpeJDSE+ciuQ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:
> The "hole" being discussed is the time, during boot, before pf is fully
> functional with the production ruleset. For a comparatively long time,
> the pf module isn't even loaded yet. The time after module load and
> enabling pf with the production ruleset is much smaller.
>
> So, you first need to check the boot sequence for
>
> - interfaces being brought up before pf is loaded
> - addresses assigned to those interfaces
> - daemons starting and listening on those addresses
> - route table getting set up
> - IP forwarding getting enabled
> - etc.

Since nobody else seems to have actually done this, I took a look at FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really see a hole. Most importantly pf is enabled before routing.
Personally I would still like a default to deny knob, but that's mainly to handle the case of an invalid ruleset which causes pf to be left open. Yes, this is only a problem when the admin screws up, but it happens... (I have been looking at a rc.conf know which would only enable routing/forwarding if pf was properly enabled with a configured ruleset, but I haven't gotten around to finishing that.) # rcorder -s nostart /etc/rc.d/* /etc/rc.d/dumpon /etc/rc.d/initrandom /etc/rc.d/geli /etc/rc.d/gbde /etc/rc.d/encswap /etc/rc.d/ccd /etc/rc.d/swap1 /etc/rc.d/mdconfig /etc/rc.d/ramdisk /etc/rc.d/early.sh /etc/rc.d/fsck /etc/rc.d/root /etc/rc.d/mountcritlocal /etc/rc.d/var /etc/rc.d/cleanvar /etc/rc.d/random /etc/rc.d/adjkerntz /etc/rc.d/atm1 /etc/rc.d/hostname /etc/rc.d/ipfilter /etc/rc.d/ipnat /etc/rc.d/ipfs /etc/rc.d/kldxref /etc/rc.d/sppp /etc/rc.d/addswap /etc/rc.d/sysctl /etc/rc.d/serial /etc/rc.d/netif /etc/rc.d/devd /etc/rc.d/ipsec /etc/rc.d/isdnd /etc/rc.d/ppp /etc/rc.d/ipfw /etc/rc.d/nsswitch /etc/rc.d/ip6addrctl /etc/rc.d/atm2 /etc/rc.d/pfsync /etc/rc.d/pflog /etc/rc.d/pf /etc/rc.d/routing [...] --=20 Simon L. 
Nielsen --mP3DRpeJDSE+ciuQ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (FreeBSD) iD8DBQFEu4DHh9pcDSc1mlERAihWAJ9+tEkPYzYys9h1aZ/WsH9+zj/BOQCfeXDb PvhBgOI2Ufu/uFawHrW8spg= =k7Oi -----END PGP SIGNATURE----- --mP3DRpeJDSE+ciuQ-- From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 18:59:20 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9230216A4DE; Mon, 17 Jul 2006 18:59:20 +0000 (UTC) (envelope-from ari@suutari.iki.fi) Received: from pne-smtpout3-sn1.fre.skanova.net (pne-smtpout3-sn1.fre.skanova.net [81.228.11.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1BBB343D45; Mon, 17 Jul 2006 18:59:19 +0000 (GMT) (envelope-from ari@suutari.iki.fi) Received: from mato.suutari.iki.fi (80.222.160.17) by pne-smtpout3-sn1.fre.skanova.net (7.2.075) id 44A13099000A05B7; Mon, 17 Jul 2006 20:59:18 +0200 Received: from [127.0.0.1] (raisa.suutari.iki.fi [192.168.60.100]) by mato.suutari.iki.fi (8.13.6/8.13.6) with ESMTP id k6HIxGJs012613; Mon, 17 Jul 2006 21:59:16 +0300 (EEST) (envelope-from ari@suutari.iki.fi) Message-ID: <44BBDE0B.6050004@suutari.iki.fi> Date: Mon, 17 Jul 2006 21:59:23 +0300 From: Ari Suutari User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: "Simon L. Nielsen" References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <20060717122127.GC1087@zaphod.nitro.dk> In-Reply-To: <20060717122127.GC1087@zaphod.nitro.dk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Antivirus: avast! 
(VPS 0628-5, 14.07.2006), Outbound message X-Antivirus-Status: Clean Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2006 18:59:20 -0000 Hi, Simon L. Nielsen wrote: > Since nobody else seems to have actually done this, I took a look at > FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really > see a hole. Most importantly pf is enabled before routing. I did this yesterday, but this thread has gotten quite active so maybe you lost the results. But my findings were same as yours: pf is enabled before routing which means that the hole I was afraid of doesn't exist. > > Personally I would still like a default to deny knob, but that's > mainly to handle the case of an invalid ruleset which causes pf to be > left open. Yes, this is only a problem when the admin screws up, but > it happens... Yes, and it might be quite common: some edits ruleset but leaves it unfinished because other, more high-priority jobs arrive (from boss...) and the someone other accidentally reboots your firewall... Default deny (or rc.d/pf_boot) would help here. Ari S. 
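The order check Daniel asks for and the rc.conf gate Simon describes, as an added example that is not code from this thread or from FreeBSD's rc.d: the first set of functions reads an rcorder(8) listing and reports which network-related scripts are ordered before /etc/rc.d/pf, and pf_ready refuses to enable forwarding unless pf is enabled with a non-empty ruleset (the failure mode Simon, Ari and Travis describe). The listing is the network-related tail of Simon's own output; the pfctl lines are constructed samples in the shape of `pfctl -s info` and `pfctl -s rules` output, so everything runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.d.
# Part 1: check an rcorder(8) listing against Daniel's checklist, i.e. which
#         network-related scripts are ordered before /etc/rc.d/pf starts.
# Part 2: the gate behind Simon's proposed rc.conf knob: only turn on
#         forwarding when pf is enabled AND has a non-empty ruleset, so a
#         broken ruleset at boot leaves the box non-forwarding, not wide open.
# Both parts take the tool output as a string so they can run offline.

# Constructed sample: the network-related tail of the rcorder listing Simon
# posted (the real listing has many earlier, non-network entries).
RCORDER_SAMPLE='/etc/rc.d/hostname
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/kldxref
/etc/rc.d/sppp
/etc/rc.d/addswap
/etc/rc.d/sysctl
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/ipsec
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing'

# Constructed samples of the first line of `pfctl -s info` and of
# `pfctl -s rules` output (assumed formats, not captured from a real box).
PF_INFO_OK='Status: Enabled for 0 days 00:00:07           Debug: Urgent'
PF_INFO_OFF='Status: Disabled for 0 days 00:00:07          Debug: Urgent'
PF_RULES_OK='block drop in all
pass out all flags S/SA keep state'
PF_RULES_EMPTY=''

# rc_position SCRIPT LISTING: print the 1-based line of SCRIPT in LISTING
# (prints nothing when the script is absent, e.g. /etc/rc.d/pf_boot).
rc_position() {
    printf '%s\n' "$2" | awk -v s="$1" '$0 == s { print NR; exit }'
}

# rc_before A B LISTING: true if script A is ordered before script B.
rc_before() {
    a=$(rc_position "$1" "$3")
    b=$(rc_position "$2" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# check_pf_order LISTING: report, for each script that brings up network
# state, whether it runs before pf.  True only if none of them does.
check_pf_order() {
    listing=$1
    exposed=0
    for s in /etc/rc.d/netif /etc/rc.d/devd /etc/rc.d/ipfw /etc/rc.d/routing; do
        if rc_before "$s" /etc/rc.d/pf "$listing"; then
            echo "before pf: $s"
            exposed=$((exposed + 1))
        else
            echo "after  pf: $s"
        fi
    done
    [ "$exposed" -eq 0 ]
}

# pf_ready INFO RULES: INFO is `pfctl -s info` output, RULES is `pfctl -s rules`
# output.  True only when pf is enabled and at least one rule is loaded; an
# enabled pf with an empty ruleset passes everything.
pf_ready() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled' || return 1
    [ "$(printf '%s\n' "$2" | grep -c '[^[:space:]]')" -gt 0 ]
}

# On a live box, feed `rcorder -s nostart /etc/rc.d/*`, `pfctl -s info` and
# `pfctl -s rules` instead of the samples; the forwarding sysctl is left
# commented out because this example never changes system state.
if check_pf_order "$RCORDER_SAMPLE"; then
    echo "nothing network-related runs before pf"
else
    echo "WARNING: some network-related scripts run before pf"
fi
if pf_ready "$PF_INFO_OK" "$PF_RULES_OK"; then
    echo "pf enabled with a ruleset: safe to enable forwarding"
    # sysctl net.inet.ip.forwarding=1
else
    echo "pf not ready: leaving forwarding off"
fi
```

Against Simon's listing the order check reports netif, devd and ipfw before pf and only routing after it, which is exactly Daniel's first checklist item (interfaces up before pf is loaded), while the default route still waits for pf.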
From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 18:18:31 2006
Date: Mon, 17 Jul 2006 13:18:26 -0500
From: "Travis H."
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
In-Reply-To: <20060717122127.GC1087@zaphod.nitro.dk>

On 7/17/06, Simon L. Nielsen wrote:
> Personally I would still like a default to deny knob, but that's
> mainly to handle the case of an invalid ruleset which causes pf to be
> left open. Yes, this is only a problem when the admin screws up, but
> it happens...

Since you mention it, this would have been useful to me too.

My dynamic firewall daemon manages the ruleset (see homepage), and not
all rules are sent to pf at once, and the active rules persist across
reboots.  In my case, I made a simple error in the script, it flushed
the rules (I think...), failed to load a ruleset, but in any case I
ended up with an invalid ruleset at boot time, and consequently a
completely open firewall.  Subsequent to this, I made sure it wouldn't
happen again in various ways, but since I didn't have adequate
reporting I didn't know it was wide open until several days later.

It may be that I hung myself, but I'm pretty good with firewalls and
if it can happen to me it can happen to others.  OTOH, if it had had
default block, I would have known immediately.

Fortunately I didn't seem to suffer any ill effects; the obsd firewall
runs minimal services.
-- 
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 04:26:31 2006
Date: Tue, 18 Jul 2006 04:17:34 +0000 (UTC)
From: cfp@ruxcon.org.au
To: freebsd-security@freebsd.org
Subject: RUXCON 2006 Final Call For Papers
Message-Id: <20060718041734.36793FC190@mail.ruxcon.org.au>

RuxCon staff would like to announce the call for papers for the fourth
annual RuxCon conference.  This year the conference will run from the
30th of September to the 1st of October, over the long weekend.  As with
previous years, RuxCon will be held at the University of Technology,
Sydney, Australia.  The deadline for submissions is the 15th of
September.

What is RuxCon?

RuxCon strives to be Australia's most technical and interesting computer
security conference.  We're back for the fourth year running and intend
to bring you another high quality conference.  The conference is held
over two days in a relaxed atmosphere, allowing attendees to enjoy
themselves whilst expanding their knowledge of security.  Live
presentations and activities will cover a full range of defensive and
offensive security topics, varying from unpublished research to required
reading for the public security community.

For more information, please visit http://www.ruxcon.org.au

Presentation Information

Presentations will be 50 minutes in length, and should be fully
supplemented with slides and any other relevant material.

Presentation Submissions

RuxCon would like to invite people who are interested to submit a
presentation.  Topics of interest include, but are not limited to:

 * Code analysis
 * Exploitation techniques
 * Network scanning and analysis
 * Cryptography
 * Malware Analysis
 * Reverse engineering
 * Forensics and Anti-forensics
 * Social engineering
 * Web application security
 * Legal aspects of computer security and surrounding issues
 * Law enforcement activities
 * Telecommunications security (mobile, GSM, fraud issues, etc.)

Submissions should thoroughly outline your desired presentation subject.
Accompanying your submission should be the slides you intend to use or a
detailed paper explaining your subject.

If you have any enquiries about submissions, or would like to make a
submission, please send an e-mail to presentations@ruxcon.org.au.

The deadline for submissions is the 15th of September.

If approved we will additionally require:

 1. A brief personal biography (between 2-5 paragraphs in length),
    including: skill set, experience, and credentials.
 2. A description of your presentation (between 2-5 paragraphs in
    length).

Contact Details

Presentation Submissions: presentations@ruxcon.org.au
General Enquiries: ruxcon@ruxcon.org.au

From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 11:59:05 2006
Date: Tue, 18 Jul 2006 13:58:54 +0200 (CEST)
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG
Message-Id: <200607181158.k6IBwsZJ099625@lurza.secnetix.de>
Subject: Vulnerability in vixie cron?

Hi,

Recently there have been advisories and patches for SuSE and RedHat
(and probably a few others) regarding a vulnerability in Vixie Cron.
The details say that there's insufficient checking of the return value
of setuid, which can lead to privilege escalation and lets users run
cron jobs with root privileges.

As far as I know, FreeBSD also uses Vixie Cron (at least the cron(8)
manpage says so).  However, I haven't seen any FreeBSD advisory
regarding this, so I wonder if FreeBSD's cron isn't affected for some
reason?

Any information would be appreciated.

Best regards
   Oliver

PS:  Here's the description of the RedHat advisory:
http://rhn.redhat.com/errata/RHSA-2006-0539.html

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

(On the statement print "42 monkeys" + "1 snake":)  By the way, both
perl and Python get this wrong.  Perl gives 43 and Python gives
"42 monkeys1 snake", when the answer is clearly "41 monkeys and 1 fat
snake".
        -- Jim Fulton

From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 12:23:14 2006
Date: Tue, 18 Jul 2006 08:23:09 -0400
From: Lowell Gilbert
To: freebsd-security@FreeBSD.ORG
Message-ID: <44ejwjrtjm.fsf@be-well.ilk.org>
In-Reply-To: <200607181158.k6IBwsZJ099625@lurza.secnetix.de>
Subject: Re: Vulnerability in vixie cron?

Oliver Fromme writes:
> Recently there have been advisories and patches for
> SuSE and RedHat (and probably a few others) regarding
> a vulnerability in Vixie Cron.  The details say that
> there's insufficient checking of the return value of
> setuid, which can lead to privilege escalation and
> lets users run cron jobs with root privileges.
>
> As far as I know, FreeBSD also uses Vixie Cron (at least
> the cron(8) manpage says so).  However, I haven't seen
> any FreeBSD advisory regarding this, so I wonder if
> FreeBSD's cron isn't affected for some reason?
>
> Any information would be appreciated.

It looks to me like this wasn't exploitable in a default configuration
anyway, but it was fixed on 1 June in HEAD and on 1 July in RELENG_6.

http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/cron/cron/do_command.c

From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 12:31:43 2006
Date: Tue, 18 Jul 2006 14:32:41 +0200
From: Clément Lecigne
To: freebsd-security@FreeBSD.ORG
Message-ID: <44BCD4E9.404@gmail.com>
In-Reply-To: <200607181158.k6IBwsZJ099625@lurza.secnetix.de>
Subject: Re: Vulnerability in vixie cron?

Hi,

Oliver Fromme wrote:
> Hi,
>
> (...)
>
> Any information would be appreciated.
>

This issue was already discussed a few weeks ago on this list.

http://lists.freebsd.org/pipermail/freebsd-hackers/2006-June/016729.html

In the default configuration, this issue is not exploitable because a
call to setuid(2) could fail only for a non-root user.  Anyway, the
setuid(2) return value must always be checked, and I guess this issue
was fixed in HEAD and probably in RELENG_6?

Sincerely,
Clem

From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 16:11:54 2006
Date: Tue, 18 Jul 2006 18:11:50 +0200
From: Clemens Renner
To: freebsd-security@freebsd.org
Message-ID: <44BD0846.6060405@rinux.net>
Subject: Port scan from Apache?

Hi everyone,

today I got an e-mail from a company claiming that my server is doing
port scans on their firewall machine.  I found that hard to believe so I
started checking the box.

The company rep told me that the scan was originating at port 80 with
destination port 8254 on their machine.  I couldn't find any hints as to
why that computer was subject to the alleged port scans.  Searching in
logs and crontab entries did not reveal the domain name or IP address of
the machine except for my web mailer.  It seems that someone from the
company's network is accessing the web mailer in 10-15 minute intervals,
which is absolutely believable since one of my users works for the
company and checks his mail via the web mailer.  The strange part is
that the company rep said these scans started some time on Sunday, while
my user definitely was not using the company's hardware.

Apparently, the company uses NetScreen hardware and/or software for such
intrusion detection / prevention mechanisms and the log he provided
read:

[Root]system-alert-00016: Port scan! From $my-server-ip:80 to
$their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred
1 times.

My questions are:

1. Can this be malicious code on my side?  Both port 80 and 443 are
   bound to Apache's httpd so they shouldn't be available to other
   processes, right?

2. I'm using ipfw as a firewall where everything is denied except for a
   rather tight permitting ruleset that (of course) allows communication
   to/from port 80/443 on my machine but not to the destination port
   8254.  If the firewall prohibits access to a remote port 8254,
   processes on my side shouldn't be able to initiate a connection to
   that port.  If there is a connection to that port, it had to be
   established earlier by the remote machine.  Am I correct?

3. Does anyone know when the NetScreen hardware / software labels
   something a "port scan"?

As far as I can tell, the server is free of malicious code; I especially
looked for PHP (and similar) files belonging to freely available port
scanners etc.; everything seems to be alright.  While I was
investigating, no one but me was logged in.

Any help is greatly appreciated!
Clemens

From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 16:36:14 2006
Date: Tue, 18 Jul 2006 11:36:07 -0500
From: Nigel Houghton
To: Clemens Renner
Cc: freebsd-security@freebsd.org
Message-ID: <20060718163606.GI3238@sourcefire.com>
In-Reply-To: <44BD0846.6060405@rinux.net>
Subject: Re: Port scan from Apache?

On 0, Clemens Renner wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing
> port scans on their firewall machine. I found that hard to believe so I
> started checking the box.
>
> The company rep told me that the scan was originating at port 80 with
> destination port 8254 on their machine. I couldn't find any hints as to
> why that computer was subject to the alleged port scans. Searching in
> logs and crontab entries did not reveal the domain name or IP address of
> the machine except for my web mailer. It seems that someone from the
> company's network is accessing the web mailer in 10-15 minute intervals
> which is absolutely believable since one of my users works for the
> company and checks his mail via the web mailer. The strange part is that
> the company rep said these scans started some time on Sunday, while my
> user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for such
> intrusion detection / prevention mechanisms and the log he provided read:
>
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred
> 1 times.
>
> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are bound
> to Apache's httpd so they shouldn't be available to other processes, right?
>
> 2. I'm using ipfw as a firewall where everything is denied except for a
> rather tight permitting ruleset that (of course) allows communication
> to/from port 80/443 on my machine but not to the destination port 8254.
> If the firewall prohibits access to a remote port 8254, processes on my
> side shouldn't be able to initiate a connection to that port. If there
> is a connection to that port, it had to be established earlier by the
> remote machine. Am I correct?
>
> 3. Does anyone know when the NetScreen hardware / software labels
> something "port scan"?
>
> As far as I can tell, the server is free of malicious code, I especially
> looked for PHP (and similar) files belonging to freely available port
> scanners etc.; everything seems to be alright. While I was
> investigating, no one but me was logged in.
>
> Any help is greatly appreciated!
> Clemens

Ask them for a packet capture of the incident(s).  It may well be that
they have a false positive case on their hands.  Portscan detection is
very much prone to false positives; many things can appear to be
portscans when they really aren't.  A log message like the one they gave
you is nowhere near enough information to determine if the attempt was a
real portscan or not.

+--------------------------------------------------------------------+
Nigel Houghton                    Research Engineer
Sourcefire Inc.                   Vulnerability Research Team

There is no theory of evolution, just a list of creatures Vin Diesel
allows to live.
From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 16:39:08 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 664A016A4E7 for ; Tue, 18 Jul 2006 16:39:08 +0000 (UTC) (envelope-from julian@elischer.org) Received: from a50.ironport.com (a50.ironport.com [63.251.108.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB86743D46 for ; Tue, 18 Jul 2006 16:39:07 +0000 (GMT) (envelope-from julian@elischer.org) Received: from unknown (HELO [192.168.2.4]) ([10.251.60.21]) by a50.ironport.com with ESMTP; 18 Jul 2006 09:39:07 -0700 Message-ID: <44BD0EAB.9050001@elischer.org> Date: Tue, 18 Jul 2006 09:39:07 -0700 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060414 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Clemens Renner References: <44BD0846.6060405@rinux.net> In-Reply-To: <44BD0846.6060405@rinux.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Tue, 18 Jul 2006 17:18:41 +0000 Cc: freebsd-security@freebsd.org Subject: Re: Port scan from Apache? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jul 2006 16:39:08 -0000 Clemens Renner wrote: > Hi everyone, > > today I got an e-mail from a company claiming that my server is doing > port scans on their firewall machine. I found that hard to believe so > I started checking the box. > > The company rep told me that the scan was originating at port 80 with > destination port 8254 on their machine. I couldn't find any hints as > to why that computer was subject to the alleged port scans. 
Searching > in logs and crontab entries did not reveal the domain name or IP > address of the machine except for my web mailer. It seems that someone > from the company's network is accessing the web mailer in 10-15 minute > intervals which is absolutely believable since one of my users works > for the company and checks his mail via the web mailer. The strange > part is that the company rep said these scans started some time on > Sunday, while my user definitely was not using the company's hardware. > > Apparently, the company uses NetScreen hardware and/or software for > such intrusion detection / prevention mechanisms and the log he > provided read: > > [Root]system-alert-00016: Port scan! From $my-server-ip:80 to > $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). > Occurred 1 times. some of their clients accessed your machine a few times and had sequential port numbers on their side.. then netscreen got confused. (probably) on the safe side, run snort on your outside interface for a while. > > My questions are: > 1. Can this be malicious code on my side? Both port 80 and 443 are > bound to Apache's httpd so they shouldn't be available to other > processes, right? > > 2. I'm using ipfw as a firewall where everything is denied except for > a rather tight permitting ruleset that (of course) allows > communication to/from port 80/443 on my machine but not to the > destination port 8254. If the firewall prohibits access to a remote > port 8254, processes on my side shouldn't be able to initiate a > connection to that port. If there is a connection to that port, it had > to be established earlier by the remote machine. Am I correct? > > 3. Does anyone know when the NetScreen hardware / software labels > something "port scan"? > > As far as I can tell, the server is free of malicious code, I > especially looked for PHP (and similar) files belonging to freely > available port scanners etc.; everything seems to be alright. 
While I > was investigating, no one but me was logged in. > > Any help is greatly appreciated! > Clemens > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 17:31:53 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 801DE16A4DD for ; Tue, 18 Jul 2006 17:31:53 +0000 (UTC) (envelope-from lupe@lupe-christoph.de) Received: from buexe.b-5.de (buexe.b-5.de [84.19.0.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78EBA43D8B for ; Tue, 18 Jul 2006 17:31:38 +0000 (GMT) (envelope-from lupe@lupe-christoph.de) Received: from antalya.lupe-christoph.de (antalya.lupe-christoph.de [172.17.0.9]) by buexe.b-5.de (8.13.4/8.13.4/b-5/buexe-3.5) with ESMTP id k6IHVaMa004272; Tue, 18 Jul 2006 19:31:36 +0200 Received: from localhost (localhost [127.0.0.1]) by antalya.lupe-christoph.de (Postfix) with ESMTP id B7F4734557; Tue, 18 Jul 2006 19:31:31 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at lupe-christoph.de Received: from antalya.lupe-christoph.de ([127.0.0.1]) by localhost (antalya.lupe-christoph.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Ly-Gaw6S3PHz; Tue, 18 Jul 2006 19:31:27 +0200 (CEST) Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 3369B3454B; Tue, 18 Jul 2006 19:31:27 +0200 (CEST) Date: Tue, 18 Jul 2006 19:31:27 +0200 To: Clemens Renner Message-ID: <20060718173127.GD13549@lupe-christoph.de> Mail-Followup-To: Clemens Renner , freebsd-security@freebsd.org References: <44BD0846.6060405@rinux.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <44BD0846.6060405@rinux.net> User-Agent: 
Mutt/1.5.11+cvs20060403 From: lupe@lupe-christoph.de (Lupe Christoph) Cc: freebsd-security@freebsd.org Subject: Re: Port scan from Apache? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jul 2006 17:31:53 -0000

On Tuesday, 2006-07-18 at 18:11:50 +0200, Clemens Renner wrote:

> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1). Occurred
> 1 times.

With IPFilter, I often see "dangling FINs" in the log. These occur when the TCP connection has been shut down but an additional FIN is still travelling. IPFilter will have abandoned the state for the connection, so for it these FINs are not associated with a connection.

Since the message they gave you is of the "Danger, Will Robinson" kind, this could be the case. They can't prove it wrong.

To me, this is a case of stupid until proven intelligent.

HTH,
Lupe Christoph

PS: I thought a port scan means somebody is probing many ports. How can one packet be considered a port scan?!?

-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it?
| | Rockhound in "Armageddon", 1998, about the Space Shuttle | From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 18:40:49 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C7AE516A588 for ; Tue, 18 Jul 2006 18:40:49 +0000 (UTC) (envelope-from cs@schug.net) Received: from schug.net (schug.net [195.27.130.138]) by mx1.FreeBSD.org (Postfix) with ESMTP id 226F243D5C for ; Tue, 18 Jul 2006 18:40:47 +0000 (GMT) (envelope-from cs@schug.net) Received: by schug.net (Postfix, from userid 10000) id BF8C7C54CB; Tue, 18 Jul 2006 20:41:26 +0200 (CEST) Date: Tue, 18 Jul 2006 20:41:26 +0200 From: Christoph Schug To: Clemens Renner Message-ID: <20060718184126.GA21514@voodoo.schug.net> References: <44BD0846.6060405@rinux.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <44BD0846.6060405@rinux.net> Organization: SpaceNet AG User-Agent: Mutt/1.5.11 OpenPKG/2.5 Cc: freebsd-security@freebsd.org Subject: Re: Port scan from Apache? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jul 2006 18:40:49 -0000 On Tue, Jul 18, 2006, Clemens Renner wrote: > today I got an e-mail from a company claiming that my server is doing > port scans on their firewall machine. I found that hard to believe so I > started checking the box. Do you have mod_proxy or other modules with proxy functionality in your web server? 
-cs From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 18:47:40 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3374316A4DD for ; Tue, 18 Jul 2006 18:47:40 +0000 (UTC) (envelope-from mandrews@bit0.com) Received: from mindcrime.bit0.com (bit0.com [216.24.42.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id BCF1943D6D for ; Tue, 18 Jul 2006 18:47:37 +0000 (GMT) (envelope-from mandrews@bit0.com) Received: from [172.27.0.11] (nat.bit0.com [216.24.42.162]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mindcrime.bit0.com (Postfix) with ESMTP id BEF3F730002; Tue, 18 Jul 2006 14:47:36 -0400 (EDT) Message-ID: <44BD2CEF.4050504@bit0.com> Date: Tue, 18 Jul 2006 14:48:15 -0400 From: Mike Andrews User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: Clemens Renner References: <44BD0846.6060405@rinux.net> In-Reply-To: <44BD0846.6060405@rinux.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: Port scan from Apache? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jul 2006 18:47:40 -0000 Clemens Renner wrote: > Hi everyone, > > today I got an e-mail from a company claiming that my server is doing > port scans on their firewall machine. I found that hard to believe so I > started checking the box. > > The company rep told me that the scan was originating at port 80 with > destination port 8254 on their machine. I couldn't find any hints as to > why that computer was subject to the alleged port scans. 
Searching in
> logs and crontab entries did not reveal the domain name or IP address of
> the machine except for my web mailer. It seems that someone from the
> company's network is accessing the web mailer in 10-15 minute intervals
> which is absolutely believable since one of my users works for the
> company and checks his mail via the web mailer. The strange part is that
> the company rep said these scans started some time on Sunday, while my
> user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for such
> intrusion detection / prevention mechanisms and the log he provided read:

Almost definitely a false alarm. Firewalls (not just Netscreen) keep track of active TCP connections passing through them. If they stay idle for too long, the firewall assumes the other end died and drops it from its tracking table.

Someone behind their firewall viewed your website. If you have, say, 6 images on it, then 7 connections get maintained in the firewall's state table, probably from sequential source port numbers. If you have Apache's keepalives on, then those 7 HTTP connections get held open for a while in case they request more pages/images from you.

The problem is when Apache's keepalive interval is longer than the firewall's idle connection retention interval. If the firewall is configured to forget about idle connections after 5 minutes and Apache's keeping connections alive for 8 minutes, then two minutes after the firewall forgets about it, it will log Apache's attempt to close the connection as a FIN scan from 7 different ports.

Find out what that TCP interval is on their Netscreen and adjust your Apache keepalive to be less than that. I think we went all the way down to 2 minutes before the dumber firewall admins stopped emailing us.

This isn't limited to Netscreen either...
Sonicwalls were overly sensitive to this a while back but I think they put out a firmware update to shut up some of the false alarms. PIX firewalls tend to have longer defaults so you don't run into that as much. If you're an ISP, every now and then you'll get similar complaints from your customers complaining that your nameserver is attacking them. Same story -- a slow DNS lookup that takes longer than their firewall is willing to wait on a UDP response, and they assume that every single thing a firewall logs is from an OMG WTF DDOS script kiddie... :) -- Mike Andrews * mandrews@bit0.com * http://www.bit0.com It's not news, it's Fark.com. Carpe cavy! From owner-freebsd-security@FreeBSD.ORG Tue Jul 18 20:54:59 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 96B4816A4E2 for ; Tue, 18 Jul 2006 20:54:59 +0000 (UTC) (envelope-from claim@rinux.net) Received: from rinux.net (rinux.net [81.169.157.144]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2A90B43D45 for ; Tue, 18 Jul 2006 20:54:57 +0000 (GMT) (envelope-from claim@rinux.net) Received: from localhost (localhost [127.0.0.1]) by rinux.net (Postfix) with ESMTP id 92D4335309A; Tue, 18 Jul 2006 22:54:55 +0200 (CEST) X-Virus-Scanned: by amavisd-new using F-Prot/ClamAV at rinux.net Received: from rinux.net ([127.0.0.1]) by localhost (rinux.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zefaDWfXHEvX; Tue, 18 Jul 2006 22:54:51 +0200 (CEST) Received: from [10.0.0.3] (i5387891F.versanet.de [83.135.137.31]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rinux.net (Postfix) with ESMTP id 89019353073; Tue, 18 Jul 2006 22:54:51 +0200 (CEST) Message-ID: <44BD4A9D.3090704@rinux.net> Date: Tue, 18 Jul 2006 22:54:53 +0200 From: Clemens Renner User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 
To: Mike Andrews References: <44BD0846.6060405@rinux.net> <44BD2CEF.4050504@bit0.com> In-Reply-To: <44BD2CEF.4050504@bit0.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: Port scan from Apache? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jul 2006 20:54:59 -0000 Hi Mike, thank you for your sympathy and your thorough comments. :) I had that specific feeling when I read the mail for the first time. I'll try reducing the keepalive time to get rid of further complaints. The question is: Why do the "port scans" still come in on their machine? Should I advise them to restart their "we-take-care-don't-you-worry" hardware? Regards Clemens From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 06:39:19 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D39316A50D for ; Wed, 19 Jul 2006 06:39:19 +0000 (UTC) (envelope-from danil@sochiwater.ru) Received: from h2.prohosting.com.ua (h2.prohosting.com.ua [217.16.18.181]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F6E243D5A for ; Wed, 19 Jul 2006 06:39:17 +0000 (GMT) (envelope-from danil@sochiwater.ru) Received: from [194.84.94.12] (helo=smtp.sochiwater.ru) by h2.prohosting.com.ua with esmtpa (Exim 4.62 (FreeBSD)) (envelope-from ) id 1G35iC-0005oZ-86 for freebsd-security@freebsd.org; Wed, 19 Jul 2006 10:39:12 +0400 Message-ID: <44BDCD73.9030508@sochiwater.ru> Date: Wed, 19 Jul 2006 10:13:07 +0400 From: "Danil V. 
Gerun" Organization: ??? ?. ???? "?????????" / Water Supply and Water Treatment Municipal Unitary Undertaking of city Sochi User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <44BD0846.6060405@rinux.net> <44BD2CEF.4050504@bit0.com> <44BD4A9D.3090704@rinux.net> In-Reply-To: <44BD4A9D.3090704@rinux.net> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: Dr.Web on nebulus.sochiwater.ru X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - h2.prohosting.com.ua X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6] X-AntiAbuse: Sender Address Domain - sochiwater.ru X-Source: X-Source-Args: X-Source-Dir: Subject: Re: Port scan from Apache? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: danil@sochiwater.ru List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jul 2006 06:39:19 -0000

Hello.

The theory of a user (behind their firewall) visiting your site, plus a badly configured stateful firewall timeout, can be checked: just look at your Apache logs. But if it turns out that none of their users had touched your website at that time, then I think one more explanation is quite possible.

Think of a TCP packet with the source address of the complaining firewall and the SYN flag set, but sent to you, Clemens, by some other guy (a spoofed source address). Sure, your web server tries to establish a connection with the source address, which never wanted one. This theory can also be checked: just ask them for details about the packets that come from you.
If they are SYN+ACK, then this theory becomes more probable. If they have RST set, that is also possible. This can be done simply: for example, someone was scanning your ports, Clemens, and he was doing it from some spoofed source addresses as well as his real one (you wouldn't want to check them all, would you? That's why multiple source addresses are used). Another example: someone was just playing :-) with hping, for example ;-)

If this is annoying, you could try to trace the route of the packets that come to you (if they really do) and to their firewall.

BTW, isn't it impossible for Apache (if it's running as non-root) to make connections from its port 80?

Clemens Renner wrote:
> Hi Mike,
>
> thank you for your sympathy and your thorough comments. :) I had that
> specific feeling when I read the mail for the first time. I'll try
> reducing the keepalive time to get rid of further complaints.
>
> The question is: Why do the "port scans" still come in on their
> machine? Should I advise them to restart their
> "we-take-care-don't-you-worry" hardware?
>
> Regards
> Clemens
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
>

-- 
Best regards,
Danil V. Gerun.
From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 07:34:54 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.ORG Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7721016A4DE for ; Wed, 19 Jul 2006 07:34:54 +0000 (UTC) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C80343D55 for ; Wed, 19 Jul 2006 07:34:53 +0000 (GMT) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (elopip@localhost [127.0.0.1]) by lurza.secnetix.de (8.13.4/8.13.4) with ESMTP id k6J7YkAv036447; Wed, 19 Jul 2006 09:34:52 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de) Received: (from olli@localhost) by lurza.secnetix.de (8.13.4/8.13.1/Submit) id k6J7Yk6J036446; Wed, 19 Jul 2006 09:34:46 +0200 (CEST) (envelope-from olli) Date: Wed, 19 Jul 2006 09:34:46 +0200 (CEST) Message-Id: <200607190734.k6J7Yk6J036446@lurza.secnetix.de> From: Oliver Fromme To: freebsd-security@FreeBSD.ORG, danil@sochiwater.ru In-Reply-To: <44BDCD73.9030508@sochiwater.ru> X-Newsgroups: list.freebsd-security User-Agent: tin/1.8.0-20051224 ("Ronay") (UNIX) (FreeBSD/4.11-STABLE (i386)) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.2 (lurza.secnetix.de [127.0.0.1]); Wed, 19 Jul 2006 09:34:52 +0200 (CEST) Cc: Subject: Re: Port scan from Apache? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: freebsd-security@FreeBSD.ORG, danil@sochiwater.ru List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jul 2006 07:34:54 -0000 Danil V. Gerun wrote: > BTW, isn't it impossible for Apache (if it's running from non-root) > to make connections from his port 80? 
Normally Apache doesn't make connections (unless you use mod_proxy, and in that case it doesn't use port 80 as the source port). It rather accepts connections to its port 80. However, the process of bind(2)ing to port 80 in order to accept connections to it is -- by default -- limited to processes with root privileges. There are several ways that can be accomplished without actually running the Apache server processes as root:

1. Usually you start Apache as root, then it bind(2)s to port 80, then it changes its UID to some other, non-privileged user (retaining the binding to port 80), and then it uses listen(2)/accept(2) to accept connections. That's the default setup, so most people use it.

2. You can start Apache as non-root right from the start and have it listen to some non-privileged port, e.g. 8080. If you don't want to force all users to enter that port number in the URLs all the time, you can use NAT to rewrite ports, and/or install a local forwarding rule (e.g. using IPFW) to forward packets destined for port 80 to port 8080.

3. FreeBSD offers the ability to change the range of ports that are considered privileged, using two sysctls. See the ip(4) manpage for details (and warnings). That way you can allow non-root processes to bind to ports below 1024 (e.g. 80), if you're willing to accept the risks.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

"Python is an experiment in how much freedom programmers need. Too much freedom and nobody can read another's code; too little and expressiveness is endangered."
-- Guido van Rossum From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 08:21:02 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 41D0816A4E2 for ; Wed, 19 Jul 2006 08:21:02 +0000 (UTC) (envelope-from mamalos@lan.gr) Received: from ns1.lan.gr (ns1.lan.gr [212.251.2.170]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4FCD343D45 for ; Wed, 19 Jul 2006 08:21:01 +0000 (GMT) (envelope-from mamalos@lan.gr) Received: from localhost (localhost [127.0.0.1]) by ns1.lan.gr (Postfix) with ESMTP id 1D2D7289C2 for ; Wed, 19 Jul 2006 12:07:10 +0300 (EEST) X-Virus-Scanned: amavisd-new at lan.gr Received: from ns1.lan.gr ([127.0.0.1]) by localhost (ns1.lan.gr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X86sXKE7IUvI for ; Wed, 19 Jul 2006 12:07:09 +0300 (EEST) Received: by ns1.lan.gr (Postfix, from userid 1001) id CA55B289C1; Wed, 19 Jul 2006 12:07:08 +0300 (EEST) Received: from localhost (localhost [127.0.0.1]) by ns1.lan.gr (Postfix) with ESMTP id C3EA5289BF for ; Wed, 19 Jul 2006 12:07:08 +0300 (EEST) Date: Wed, 19 Jul 2006 12:07:08 +0300 (EEST) From: George Mamalakis To: freebsd-security@freebsd.org Message-ID: <20060719114613.N18979@ns1.lan.gr> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: UDP connection attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jul 2006 08:21:02 -0000

Hi everyone,

I administer this FreeBSD 5.2.1 box which runs a few services, among which are bind and postfix. On the same box I run ipfw as a firewall, and have a default policy of blocking all incoming packets, except for those that are for ports 53 (tcp and udp) and 25 (tcp).
I also have the following sysctl values enabled:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

In my security logs I keep on getting the following messages:

Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP myexternaladdress:52299 from myexternaladdress:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP myexternaladdress:52316 from myexternaladdress:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354

I have googled these messages many times, but still haven't found a real explanation of why they occur. The way I see it, there is no malicious behaviour behind these messages; most probably it has something to do with my firewall settings and the keep-state option. I present the excerpt from my firewall configuration file that relates to the incoming DNS traffic:

add 00389 allow udp from any to myexternaladdress 53 in via fxp0 keep-state

I would be grateful if someone could explain to me why these messages keep showing up, and if there is a way to prevent them from occurring in the future.
Thank you all in advance, mamalos From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 08:53:08 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B19616A517 for ; Wed, 19 Jul 2006 08:53:08 +0000 (UTC) (envelope-from mamalos@lan.gr) Received: from ns1.lan.gr (ns1.lan.gr [212.251.2.170]) by mx1.FreeBSD.org (Postfix) with ESMTP id 806C543DA4 for ; Wed, 19 Jul 2006 08:52:59 +0000 (GMT) (envelope-from mamalos@lan.gr) Received: from localhost (localhost [127.0.0.1]) by ns1.lan.gr (Postfix) with ESMTP id D0E0B289C1; Wed, 19 Jul 2006 12:39:13 +0300 (EEST) X-Virus-Scanned: amavisd-new at lan.gr Received: from ns1.lan.gr ([127.0.0.1]) by localhost (ns1.lan.gr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SD0-89ijXyyQ; Wed, 19 Jul 2006 12:39:11 +0300 (EEST) Received: by ns1.lan.gr (Postfix, from userid 1001) id 5929D289C0; Wed, 19 Jul 2006 12:39:11 +0300 (EEST) Received: from localhost (localhost [127.0.0.1]) by ns1.lan.gr (Postfix) with ESMTP id 49961289B9; Wed, 19 Jul 2006 12:39:11 +0300 (EEST) Date: Wed, 19 Jul 2006 12:39:11 +0300 (EEST) From: George Mamalakis To: Network Security In-Reply-To: <49756892.20060719013144@hush.com> Message-ID: <20060719122822.L19153@ns1.lan.gr> References: <20060719114613.N18979@ns1.lan.gr> <49756892.20060719013144@hush.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-security@freebsd.org Subject: Re: UDP connection attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jul 2006 08:53:08 -0000 Look, first of all I block spoofed incoming packets on my external interface, so traffic from 127.0.0.0/8 cannot pass through it no matter the protocol they use, so 
spoofing for me is not the case.

When you say that it may be that my machine is trying to update its records, do you mean it tries to update the zone files my machine is hosting? Because my server runs only as a master server, and from what I know its records should be updated only when the administrator requests it through rndc or by restarting bind.

To give you a more thorough idea of my DNS server: I allow some IPs to query it for any address, I allow the world to query me for my zones, I don't use forwarders, and I don't have a slave DNS (though I should have :) ).

As far as the third part of your mail is concerned, no, I don't have any other log files; the only firewall present in my network is on the server itself. There is of course a router between my server and my ISP, which only routes packets (no packet filtering whatsoever).

Thanks for your answer,

mamalos

On Wed, 19 Jul 2006, Network Security wrote:

> It's UDP, so who the fuck knows where it's actually coming from. It
> might not originate from your machines.
>
> Remember, UDP packets destined to your address, with the
> return address of your same server is a common way to both DoS and peek
> through a firewall. Is your log by chance suppressing duplicate
> entries?
>
> The other option is your machine may be attempting to update its
> DNS records. But it's not a connection oriented protocol, so you don't
> know who actually sent the packet.
>
> Do you have a router or other firewall log?
>
> -Brian
>
> Brian J. Brandon
> Network Security Consultant
> Los Angeles, California
> SecurityAdmin@Hush.com
> Tel. No. 310.925.2987
> Fax. No. 325.204.7815
>
> Wednesday, July 19, 2006, 2:07:08 AM, you wrote:
>
> > Hi everyone,
> I administer this FreeBSD 5.2.1 box which runs a few services, among
> which are bind and postfix. On the same box I run ipfw as a firewall, and
> have a default policy block for all incoming packets, except for those
> that are for ports 53 (tcp and udp) and 25 (tcp).
> I also have the following sysctl values enabled:
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> In my security logs I keep on getting the following messages:
> Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
> 127.0.0.1:52291
> Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP
> myexternaladdress:52299 from myexternaladdress:53
> Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP
> myexternaladdress:52316 from myexternaladdress:53
> Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
> 127.0.0.1:52328
> Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
> 127.0.0.1:52354
>
> I have googled these messages many times, but still haven't found a real
> explanation of why these messages occur. The way I see it is that there is
> no malicious behaviour behind these messages, most probably there's
> something that has to do with my firewall settings, and the keep state
> option.
> I present the excerpt from my firewall configuration file that relates to
> the dns incoming traffic:
> add 00389 allow udp from any to myexternaladdress 53 in via fxp0
> keep-state
>
> I would be grateful if someone could explain to me why these messages
> keep showing, and if there is a way to prevent them from occurring in the
> future.
> Thank you all in advance, > > mamalos > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > > From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 09:02:22 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A7ED16A4DF for ; Wed, 19 Jul 2006 09:02:22 +0000 (UTC) (envelope-from d.m.pick@qmul.ac.uk) Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id D2A5D43D45 for ; Wed, 19 Jul 2006 09:02:21 +0000 (GMT) (envelope-from d.m.pick@qmul.ac.uk) Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by mail2.qmul.ac.uk with esmtp (Exim 4.43) id 1G37wh-0002VK-Oz; Wed, 19 Jul 2006 10:02:20 +0100 Received: from localhost ([127.0.0.1] helo=xi.css.qmw.ac.uk) by xi.css.qmw.ac.uk with esmtp (Exim 3.34 #1) id 1G37wh-000HMc-00; Wed, 19 Jul 2006 10:02:19 +0100 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: George Mamalakis In-reply-to: Your message of "Wed, 19 Jul 2006 12:07:08 +0300." 
<20060719114613.N18979@ns1.lan.gr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 19 Jul 2006 10:02:19 +0100 From: David Pick Message-Id: X-Sender-Host-Address: 138.37.8.11 X-QM-Scan-Virus: virusscan says the message is clean X-QM-Scan-Virus: ClamAV says the message is clean Cc: freebsd-security@freebsd.org Subject: Re: UDP connection attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jul 2006 09:02:22 -0000 I get similar messages to these: > Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP myexternaladdress:52299 from myexternaladdress:53 > Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP myexternaladdress:52316 from myexternaladdress:53 occasionally when a DNS server takes a long time to respond because a UDP "keep state" *has* to time out eventually, and if the configured interval is less than the DNS server response time the returning DNS response will not match any "kept" entry. Tuning the interval will reduce the messages, and allow the response packets through, but it will still happen *sometimes*. 
-- David Pick From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 09:22:22 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C2ED616A4DE for ; Wed, 19 Jul 2006 09:22:22 +0000 (UTC) (envelope-from ady@fwd.ady.ro) Received: from nf-out-f131.google.com (nf-out-f131.google.com [64.233.182.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1B9EF43D46 for ; Wed, 19 Jul 2006 09:22:19 +0000 (GMT) (envelope-from ady@fwd.ady.ro) Received: by nf-out-f131.google.com with SMTP id x9so142809nfb for ; Wed, 19 Jul 2006 02:22:18 -0700 (PDT) Received: by 10.78.165.16 with SMTP id n16mr207177hue; Wed, 19 Jul 2006 02:22:18 -0700 (PDT) Received: by 10.78.159.8 with HTTP; Wed, 19 Jul 2006 02:22:18 -0700 (PDT) Message-ID: <9e01a0da0607190222i426bceccq66fe95c72ffe8d38@mail.gmail.com> Date: Wed, 19 Jul 2006 12:22:18 +0300 From: "Adrian Penisoara" Sender: ady@fwd.ady.ro To: "George Mamalakis" In-Reply-To: <20060719114613.N18979@ns1.lan.gr> MIME-Version: 1.0 References: <20060719114613.N18979@ns1.lan.gr> X-Google-Sender-Auth: 53088633b1df8b7e Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org Subject: Re: UDP connection attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jul 2006 09:22:22 -0000

Hi,

$ grep "\<512/udp" /etc/services
biff            512/udp         comsat          #used by mail system to notify users

So basically you've got a process (most likely your local MTA) sending notifications for incoming new mail to the comsat service (which by default is disabled in /etc/inetd.conf).
Either adjust your firewall to allow such notifications (UDP packets towards port 512 on subnet 127.0.0.0/8 through the lo0 interface) or disable notification from your mail delivery agent.

Best regards,
Adrian Penisoara
Ady (@freebsd.ady.ro)

On 7/19/06, George Mamalakis wrote:
>
> Hi everyone,
> I administer this 5.2.1 FreeBSD box which runs a few services, among
> which are bind and postfix. On the same box I run ipfw as a firewall, and
> have a default policy block for all incoming packets, except for those
> that are for ports 53 (tcp and udp) and 25 (tcp).
> I also have the following sysctl values enabled:
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> In my security logs I keep on getting the following messages:
> Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
> 127.0.0.1:52291
> Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP
> myexternaladdress:52299 from myexternaladdress:53
> Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP
> myexternaladdress:52316 from myexternaladdress:53
> Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
> 127.0.0.1:52328
> Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
> 127.0.0.1:52354
>
> I have googled these messages many times, but still haven't found a real
> explanation of why these messages occur. The way I see it is that there is
> no malicious behaviour behind these messages, most probably there's
> something that has to do with my firewall settings, and the keep state
> option.
> I present the excerpt from my firewall configuration file that relates to
> the dns incoming traffic:
> add 00389 allow udp from any to myexternaladdress 53 in via fxp0
> keep-state
>
> I would be grateful if someone could explain to me why these messages
> keep showing, and if there is a way to prevent them from occurring in the
> future.
> Thank you all in advance,
>
> mamalos
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 09:27:26 2006
Date: Wed, 19 Jul 2006 11:27:20 +0200
From: Dan Lukes
To: freebsd-security@freebsd.org
Subject: Re: UDP connection attempts
Message-ID: <44BDFAF8.8020108@obluda.cz>
In-Reply-To: <20060719114613.N18979@ns1.lan.gr>
References: <20060719114613.N18979@ns1.lan.gr>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060516 SeaMonkey/1.0.2

George Mamalakis wrote:
> Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
> 127.0.0.1:52291

If you have net.inet.ip.check_interface=1 or your firewall blocks packets with 127/8 addresses arriving via a non-loopback interface, then the source address isn't spoofed. Then it's local communication. You should search for a local program causing this type of communication. The packet content (use tcpdump -s1500 -X -i lo0 dst port 512) may (or may not) help you.

> Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP
> myexternaladdress:52299 from myexternaladdress:53
> Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP
> myexternaladdress:52316 from myexternaladdress:53

It's probably a DNS response to a nonexistent or expired question.

In the first case, it's a sort of attack. As you configured the system to report attacks, you want to see those messages. Please note the source address may be forged and there is no way to determine the true source of it without upstream ISP cooperation.

In the second case, the packet is a "too late response": the process which sent the DNS question no longer waits for it. Unless the source address is spoofed, it's a local-to-local DNS request. Maybe the program sending it has too short a timeout, or it's a 'question-related' problem (you asked for a DNS record but the appropriate DNS server responded slowly or didn't respond at all). You should identify the local program sending those questions and/or the question triggering those messages.

Please note that NAT on the myexternaladdress host may cause some non-local communication to appear local (e.g., some non-local process communication looks like local-process communication). But your local computers have no reason to contact your DNS server over the external address (I assume they use the appropriate internal address), so it shouldn't complicate your analysis. In that case you can block DNS questions to myexternaladdress for all internal interfaces, just to be sure.
Dan

From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 07:18:50 2006
Date: Wed, 19 Jul 2006 09:18:41 +0200 (CEST)
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG
Subject: Re: Port scan from Apache?
Message-Id: <200607190718.k6J7IfcU036093@lurza.secnetix.de>
In-Reply-To: <44BD4A9D.3090704@rinux.net>
User-Agent: tin/1.8.0-20051224 ("Ronay") (UNIX) (FreeBSD/4.11-STABLE (i386))

Clemens Renner wrote:
> thank you for your sympathy and your thorough comments. :) I had that
> specific feeling when I read the mail for the first time. I'll try
> reducing the keepalive time to get rid of further complaints.

Which means reducing the efficiency of your service for _all_ users just because _one_ firewall admin has no clue. I wouldn't do that.

Try to ask that admin for a packet trace that you can view in tcpdump or ethereal, so you can verify yourself what might be the cause of it. If he cannot do that, then ask him (politely) to stop bothering you, unless he can *prove* that the packet in question was a malicious scan. I bet he can't.

I also agree with the poster in this thread who wondered that a single packet can hardly be called a "port scan". It really is probably a FIN(ACK) packet from a dangling connection. I've often seen that from port 53 on name servers, but it can happen for other kinds of services, too.

It all sounds as if someone without any networking clue installed a black-box firewall, watches the logs and goes to panic mode each time it outputs something, no matter what, and not taking into account that there can be false positives (especially if the source port is a WKP, like 80 [HTTP] in this case). "All the world is attacking me!"

Just my 2 cents. :-)

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Python tricks" is a tough one, cuz the language is so clean. E.g., C makes an art of confusing pointers with arrays and strings, which leads to lotsa neat pointer tricks; APL mistakes everything for an array, leading to neat one-liners; and Perl confuses everything period, making each line a joyous adventure.
-- Tim Peters

From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 12:29:28 2006
Date: Wed, 19 Jul 2006 22:29:10 +1000
From: Nick Withers
To: freebsd-security@FreeBSD.ORG
Cc: olli@lurza.secnetix.de, danil@sochiwater.ru
Subject: Re: Port scan from Apache?
Message-Id: <20060719222910.317468e0.nick@nickwithers.com>
In-Reply-To: <200607190734.k6J7Yk6J036446@lurza.secnetix.de>
References: <44BDCD73.9030508@sochiwater.ru> <200607190734.k6J7Yk6J036446@lurza.secnetix.de>
Organization: nickwithers.com
X-Mailer: Sylpheed version 2.2.6 (GTK+ 2.8.20; i386-portbld-freebsd6.1)

On Wed, 19 Jul 2006 09:34:46 +0200 (CEST) Oliver Fromme wrote:
> Danil V. Gerun wrote:
> > BTW, isn't it impossible for Apache (if it's running from non-root)
> > to make connections from his port 80?
>
> Normally Apache doesn't make connections (unless you use
> mod_proxy, and in that case it doesn't use port 80 as the
> source port). It rather accepts connections to its port 80.
>
> However, the process of bind(2)ing to port 80 in order to
> accept connections to it is -- by default -- limited to
> processes with root privileges. There are several ways
> that can be accomplished without actually running the
> Apache server processes as root:
>
> 1. Usually you start Apache as root, then it bind(2)s to
>    port 80, then it changes its UID to some other,
>    non-privileged user (retaining the binding to port 80),
>    and then it uses listen(2)/accept(2) to accept
>    connections. That's the default setup, so most people
>    use it.
>
> 2. You can start Apache as non-root right from the start
>    and have it listen to some non-privileged port, e.g.
>    8080. If you don't want to force all users to enter
>    that port number in the URLs all the time, you can use
>    NAT to rewrite ports, and/or install a local forwarding
>    rule (e.g. using IPFW) to forward packets destined for
>    port 80 to port 8080.
>
> 3. FreeBSD offers the ability to change the range of ports
>    that are considered privileged, using two sysctls. See
>    the ip(4) manpage for details (and warnings). That way
>    you can allow non-root processes to bind to ports below
>    1024 (e.g. 80), if you're willing to accept the risks.

Just thought I'd point out one particularly nifty thing you can do to alleviate said risks: use the MAC portacl module. You can, for instance, specify that the Apache HTTPD user specifically is allowed to bind to port 80. How cool's that??? :-)

> Best regards
> Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Services with a focus on FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
> "Python is an experiment in how much freedom programmers need.
> Too much freedom and nobody can read another's code; too little
> and expressiveness is endangered."
> -- Guido van Rossum

--
Nick Withers
email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446

From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 14:54:44 2006
Date: Wed, 19 Jul 2006 16:54:37 +0200
From: Clemens Renner
To: freebsd-security@FreeBSD.ORG
Subject: Re: Port scan from Apache?
Message-ID: <44BE47AD.4010302@rinux.net>
In-Reply-To: <200607190718.k6J7IfcU036093@lurza.secnetix.de>
References: <200607190718.k6J7IfcU036093@lurza.secnetix.de>
User-Agent: Thunderbird 1.5.0.4 (X11/20060609)

Oliver Fromme wrote:
> > I'll try
> > reducing the keepalive time to get rid of further complaints.
>
> Which means reducing the efficiency of your service for
> _all_ users just because _one_ firewall admin has no clue.
> I wouldn't do that.

In theory, you are right and it does sound like a bad trade-off. However, when I checked my Apache configuration, I found KeepAliveTimeout already set to a very low 15 seconds -- which has worked fine in the past -- so I don't want to tinker with it. The Timeout directive, however, was set to 300 seconds and after consulting httpd's documentation, I decided to go down to 120 seconds there.

Regarding the advice from several people that the complaining admin should provide more details on the alleged "port scan": I will ask him to do that the next time he contacts me. For the moment, however, he has kept quiet already after I hinted at the possibility of someone using the web mailer from their network. I think so far I did everything I could to investigate the issue without any specifics, so I also guess it's his turn now to come forward with more substantial allegations.

> It all sounds as if someone without any networking clue
> installed a black-box firewall, watches the logs and goes
> to panic mode each time it outputs something, no matter
> what, and not taking into account that there can be false
> positives (especially if the source port is a WKP, like
> 80 [HTTP] in this case). "All the world is attacking me!"

Exactly my POV.
On a side note: Since one of my users is actually working for them and using my web mailer while he's at work, the puzzle pieces fit quite nicely to support the false positive theory.

And by the way: Thanks to everyone contributing ideas and invaluable advice on this matter.

Clemens

From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 16:38:32 2006
Date: Wed, 19 Jul 2006 12:38:16 -0400
From: Corey Smith
To: Clemens Renner
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port scan from Apache?
Message-ID: <44BE5FF8.1050108@bonddesk.com>
In-Reply-To: <44BE47AD.4010302@rinux.net>
References: <200607190718.k6J7IfcU036093@lurza.secnetix.de> <44BE47AD.4010302@rinux.net>
User-Agent: Thunderbird 1.5.0.4 (X11/20060608)

Clemens Renner wrote:
> Regarding the advice from several people that the complaining admin
> should provide more details on the alleged "port scan": I will ask him
> to do that the next time he contacts me.

BTW: I've seen this before on a misconfigured TAP/SPAN when the IDS can only see half of the connection (the receives but not the sends, for example). Since the IDS sees a ton of SYNs without the corresponding SYN/ACKs it looks like a portscan. Your web server probably has more connections per second than any other device on your network...

-Corey Smith

From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 19:20:38 2006
Date: Thu, 20 Jul 2006 05:20:31 +1000
From: Peter Jeremy
To: George Mamalakis
Cc: freebsd-security@freebsd.org
Subject: Re: UDP connection attempts
Message-ID: <20060719192031.GC733@turion.vk2pj.dyndns.org>
In-Reply-To: <20060719114613.N18979@ns1.lan.gr>
References: <20060719114613.N18979@ns1.lan.gr>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
User-Agent: Mutt/1.5.11

On Wed, 2006-Jul-19 12:07:08 +0300, George Mamalakis wrote:
>In my security logs I keep on getting the following messages:
>Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291

As others have mentioned, this is sendmail trying to notify biff that the user has new mail but you aren't running biff.
To stop it, add the following lines to your sendmail.mc file, rebuild sendmail.cf and restart sendmail:

dnl Disable biff notification
define(`LOCAL_MAILER_ARGS', `mail.local -Bl')

--
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Fri Jul 21 04:42:57 2006
Date: Thu, 20 Jul 2006 21:43:17 -0700
From: "comm@rwx.ca"
To: Clemens Renner
In-reply-to: <44BD0846.6060405@rinux.net>
Message-id: <44C05B65.9070600@rwx.ca>
References: <44BD0846.6060405@rinux.net>
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
Cc: freebsd-security@freebsd.org
Subject: Re: Port scan from Apache?

Clemens Renner wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing
> port scans on their firewall machine. I found that hard to believe so
> I started checking the box.
>
> The company rep told me that the scan was originating at port 80 with
> destination port 8254 on their machine. I couldn't find any hints as
> to why that computer was subject to the alleged port scans. Searching
> in logs and crontab entries did not reveal the domain name or IP
> address of the machine except for my web mailer. It seems that someone
> from the company's network is accessing the web mailer in 10-15 minute
> intervals which is absolutely believable since one of my users works
> for the company and checks his mail via the web mailer. The strange
> part is that the company rep said these scans started some time on
> Sunday, while my user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for
> such intrusion detection / prevention mechanisms and the log he
> provided read:
>
> [Root]system-alert-00016: Port scan! From $my-server-ip:80 to
> $their-server-ip:8254, proto TCP (zone Untrust, int ethernet1).
> Occurred 1 times.
>
> My questions are:
> 1. Can this be malicious code on my side? Both port 80 and 443 are
> bound to Apache's httpd so they shouldn't be available to other
> processes, right?
>
> 2. I'm using ipfw as a firewall where everything is denied except for
> a rather tight permitting ruleset that (of course) allows
> communication to/from port 80/443 on my machine but not to the
> destination port 8254. If the firewall prohibits access to a remote
> port 8254, processes on my side shouldn't be able to initiate a
> connection to that port. If there is a connection to that port, it had
> to be established earlier by the remote machine. Am I correct?
>
> 3. Does anyone know when the NetScreen hardware / software labels
> something "port scan"?
>
> As far as I can tell, the server is free of malicious code, I
> especially looked for PHP (and similar) files belonging to freely
> available port scanners etc.; everything seems to be alright. While I
> was investigating, no one but me was logged in.
>
> Any help is greatly appreciated!
> Clemens
>

We had a client that was being bombarded with a SYN flood on port 80, and of course enabling SYN cookies helped. However all the IPs that were sending the SYN flood were spoofed, and we were getting complaints left, right and center of this customer DoSing or port scanning other customers. In the end, we just asked the complainant to provide more verbose logging of the incident.
-jt

From owner-freebsd-security@FreeBSD.ORG Fri Jul 21 08:25:32 2006
Date: Fri, 21 Jul 2006 01:25:31 -0700 (PDT)
From: Nash Nipples
To: freebsd-security@freebsd.org
Subject: Re: Port scan from Apache?
Message-ID: <20060721082531.51373.qmail@web36313.mail.mud.yahoo.com>
In-Reply-To: <44C05B65.9070600@rwx.ca>
Here guys: I believe that people who deployed NetScreen are quite sure in what they are doing, and a friendly notice should not sound like a complaint to you but instead become a solid ground to understanding what could go wrong. Of course, if they proudly told you that they ARE using the NetScreen. Peeking on log entries provided to you and announcing it in public doesn't make an electronic Robin Hood scene. Unless this is a.. "Do you guys know how does the damn NetScreen detect portscans, really..?"

> 3. Does anyone know when the NetScreen hardware / software labels
> something "port scan"?

Isn't that an indirect hit? I suggest you ask your question directly to the sender, dropping these sneaky habits in the freebsd-security list. That's what it is about.

Nash

"comm@rwx.ca" wrote:
> Clemens Renner wrote:
> > Hi everyone,
> > [...]
> > 3. Does anyone know when the NetScreen hardware / software labels
> > something "port scan"?
> > [...]
> > Any help is greatly appreciated!
> > Clemens
>
> We had a client that was being bombarded with a SYN flood on port 80, and
> of course enabling SYN cookies helped. However all the IPs that were
> sending the SYN flood were spoofed, and we were getting complaints left,
> right and center of this customer DoSing or port scanning other customers.
> In the end, we just asked the complainant to provide more verbose logging
> of the incident.
-jt _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" --------------------------------- Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1¢/min. From owner-freebsd-security@FreeBSD.ORG Fri Jul 21 09:43:40 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 84D4616A4DF for ; Fri, 21 Jul 2006 09:43:40 +0000 (UTC) (envelope-from claim@rinux.net) Received: from rinux.net (rinux.net [81.169.157.144]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2DF8043D58 for ; Fri, 21 Jul 2006 09:43:33 +0000 (GMT) (envelope-from claim@rinux.net) Received: from localhost (localhost [127.0.0.1]) by rinux.net (Postfix) with ESMTP id 553043530BE; Fri, 21 Jul 2006 11:43:31 +0200 (CEST) X-Virus-Scanned: by amavisd-new using F-Prot/ClamAV at rinux.net Received: from rinux.net ([127.0.0.1]) by localhost (rinux.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TN-Im-qqMaRk; Fri, 21 Jul 2006 11:43:27 +0200 (CEST) Received: from [10.0.0.3] (i53878D05.versanet.de [83.135.141.5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rinux.net (Postfix) with ESMTP id 10E543530BD; Fri, 21 Jul 2006 11:43:27 +0200 (CEST) Message-ID: <44C0A1BE.4050500@rinux.net> Date: Fri, 21 Jul 2006 11:43:26 +0200 From: Clemens Renner User-Agent: Thunderbird 1.5.0.4 (X11/20060609) MIME-Version: 1.0 To: Nash Nipples References: <20060721082531.51373.qmail@web36313.mail.mud.yahoo.com> In-Reply-To: <20060721082531.51373.qmail@web36313.mail.mud.yahoo.com> X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: 
Port scan from Apache? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jul 2006 09:43:40 -0000

Hi Nash,

I'm not sure I really understand what you're up to. In any case, let me clarify that my whole intention was to get a better understanding of what had happened there. In the end, I don't want my server to produce alarms at other people's sites. I tried to find the cause of the problem on my side and couldn't, thus I suggested a working hypothesis to the complaining (yes, he was complaining) admin.

So my question which you cited below was really about the criteria that need to be met for the NetScreen hw/sw to classify something as a port scan. Pure diagnostic information.

As I mentioned earlier, the admin hasn't contacted me since I posted my hypothesis with the web mailer, which I don't quite like either, because I'd prefer a message that says "It's alright, it wasn't your fault." or "We still don't know what's wrong. Can you investigate further using this pile of low-level details?" Of course I'd prefer the first one since it means less work for me, but the second one would also be fine with me.

And on a last note: I didn't mean to be sneaky, I just wanted some advice as to the origins since I thought I might have missed something. For that, this list seemed appropriate to me.

Best wishes
Clemens

Nash Nipples wrote:
> I believe that people who deployed NetScreen are quite sure in what
> they are doing, and a friendly notice should not sound like a
> complaint to you but instead become a solid ground to understanding
> what could go wrong. Of course, if they proudly told you that they ARE
> using the NetScreen. Peeking at log entries provided to you and
> announcing it in public doesn't make an electronic Robin Hood scene.
> Unless this is a..
> "Do you guys know how does the damn NetScreen
> detect portscans, really..?"
>
>> 3. Does anyone know when the NetScreen hardware / software labels
>> something "port scan"?
>
> Isn't that an indirect hit? I suggest you ask your question directly to
> the sender, dropping these sneaky habits in the freebsd-security list.
> That's what it is about.

From owner-freebsd-security@FreeBSD.ORG Fri Jul 21 12:42:49 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0873616A4DD for ; Fri, 21 Jul 2006 12:42:49 +0000 (UTC) (envelope-from scheidell@secnap.net) Received: from secnap2.secnap.com (secnap2.secnap.com [204.89.241.128]) by mx1.FreeBSD.org (Postfix) with ESMTP id 85E6943D45 for ; Fri, 21 Jul 2006 12:42:48 +0000 (GMT) (envelope-from scheidell@secnap.net) content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0 Date: Fri, 21 Jul 2006 08:42:47 -0400 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Port scan from Apache? Thread-Index: AcasmTmIRDADZq4nSk+mtEW+1WPMcAAKMRzg From: "Michael Scheidell" To: "Clemens Renner" Cc: freebsd-security@freebsd.org Subject: RE: Port scan from Apache? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jul 2006 12:42:49 -0000

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of comm@rwx.ca
> Sent: Friday, July 21, 2006 12:43 AM
> To: Clemens Renner
> Cc: freebsd-security@freebsd.org
> Subject: Re: Port scan from Apache?
>
>
> Clemens Renner wrote:
> > Hi everyone,
> >
> > today I got an e-mail from a company claiming that my server is doing
> > port scans on their firewall machine. I found that hard to believe so
> > I started checking the box.

Let me put my 2/c (CAD) into this, as a user of NetScreens and the CTO of a managed network security service.

The person who sent you the 'alert' might be wrong. We see "port scans" from web servers (incrementing source ports > 1024, destination port 80) and it is usually just noise, internet traffic, and the failure of his NetScreen to properly close the connection.

Can you correlate the NetScreen logs with times his users have accessed your web site? Do you have complaints from just this one person?

Send him a note telling him this is just normal internet traffic and that he should try to understand the three-way TCP handshake, and what stateful firewalls do when they close their side of the TCP connection before you do.

If it happens A LOT, to lots of different networks, then, well, it is possible you have a worm; do a tcpdump on the traffic and look for it.

Another possibility is that your web site spawns many different HTTP threads for each user connection (do you have a zillion thumbnail GIFs? Each one could spawn a different TCP connection). Do you have an unusually high keep-alive? Is YOUR firewall closing (timing out) the TCP connection?

Mostly, if this was just one complaint, grep your web server logs for his user connecting, tell him this is just normal TCP traffic and go about your business from then on. If he gets rude, blacklist him and/or send him a $50 lawyer letter and tell him to either drop dead or call his local FBI (or RCMP) office.
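The correlation Michael suggests, as an added example that is not code from the thread or from any of the posters: parse the NetScreen "Port scan!" alert in the format quoted earlier, parse the Apache access log, and for each alert look for requests from the complainant's address in the minutes before it. An alert whose "source port" is one of the ports Apache listens on, whose "destination port" is an ephemeral client port, and whose peer shows up in the access log just beforehand is consistent with late packets from a session the remote firewall already timed out rather than with a scan. The syslog-style timestamp prefix on the NetScreen line, the five-minute window, the addresses and all log lines below are assumptions constructed for the example; the classification rule is likewise this example's own heuristic, not anything NetScreen documents.

```python
"""
Correlate NetScreen 'Port scan!' alerts with an Apache access log.

Added example, not code from the thread. The NetScreen message body
follows the format quoted in the thread; the leading timestamp and
hostname are assumed to come from syslog. Apache lines are in the
standard combined log format. All sample data is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# NetScreen alert: "<ts> <host> [Root]system-alert-00016: Port scan! From A:p to B:q, proto TCP ..."
NETSCREEN_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"Port scan! From (?P<src>[\d.]+):(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+):(?P<dport>\d+), proto (?P<proto>\w+)"
)

# Apache combined log: client ident user [dd/Mon/yyyy:HH:MM:SS +zzzz] "request" status ...
APACHE_RE = re.compile(
    r'^(?P<client>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

SERVER_PORTS = {80, 443}          # ports bound to httpd, per the original post
WINDOW = timedelta(minutes=5)     # assumed look-back window before the alert


def parse_netscreen(line):
    """Return a dict for a 'Port scan!' alert line, or None if it is not one."""
    m = NETSCREEN_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"]}


def parse_apache(line):
    """Return a dict for a combined-log request line, or None if unparsable."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"client": m["client"], "ts": ts, "req": m["req"], "status": int(m["status"])}


def classify(alert, hits):
    """
    Heuristic (this example's own, not NetScreen's):
    'stale-session' when the packet left one of our service ports for an
    ephemeral port on a host that was talking to the web server shortly
    before: the pattern of a late FIN/ACK or retransmit after the remote
    firewall dropped its state. Anything else is 'unexplained' and worth a
    tcpdump, as Michael suggests.
    """
    from_service = alert["proto"].upper() == "TCP" and alert["sport"] in SERVER_PORTS
    to_ephemeral = alert["dport"] > 1024
    return "stale-session" if (from_service and to_ephemeral and hits) else "unexplained"


def correlate(netscreen_lines, apache_lines, window=WINDOW):
    """Return [(alert, matching_requests, verdict)] for every alert line."""
    requests = [r for r in (parse_apache(l) for l in apache_lines) if r]
    results = []
    for line in netscreen_lines:
        alert = parse_netscreen(line)
        if not alert:
            continue
        hits = [r for r in requests
                if r["client"] == alert["dst"]
                and alert["ts"] - window <= r["ts"] <= alert["ts"]]
        results.append((alert, hits, classify(alert, hits)))
    return results


# Constructed sample data (addresses from the documentation ranges).
SAMPLE_NETSCREEN = [
    "2006-07-21 09:15:42 fw1 [Root]system-alert-00016: Port scan! From 192.0.2.10:80 "
    "to 198.51.100.7:8254, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
    "2006-07-21 09:20:03 fw1 [Root]system-alert-00016: Port scan! From 192.0.2.10:54321 "
    "to 198.51.100.7:22, proto TCP (zone Untrust, int ethernet1). Occurred 1 times.",
]
SAMPLE_APACHE = [
    '198.51.100.7 - - [21/Jul/2006:09:14:58 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jul/2006:09:15:01 +0000] "GET /img/logo.gif HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Jul/2006:09:15:30 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.15"',
]

if __name__ == "__main__":
    for alert, hits, verdict in correlate(SAMPLE_NETSCREEN, SAMPLE_APACHE):
        print(f"{alert['ts']:%H:%M:%S} {alert['src']}:{alert['sport']} -> "
              f"{alert['dst']}:{alert['dport']}  requests={len(hits)}  {verdict}")
```

On real logs, feed the NetScreen lines the complainant sent and the slice of access_log around those times; a run of "stale-session" verdicts for one network points at their firewall's TCP timeout, while "unexplained" verdicts from your own service ports to many networks are the case where Michael's tcpdump advice applies.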