From owner-freebsd-security@FreeBSD.ORG Mon Apr 2 14:53:03 2007
From: Marko Lerota
To: freebsd-security@freebsd.org
Date: Mon, 02 Apr 2007 16:26:13 +0200
Message-ID: <86lkha6eey.fsf@sparrow.local>
Subject: Stronger security with BSD Firewall and Freeradius

I've seen that it is possible to use switch port blocking with freeradius
and Cisco switches via 802.1X and the EAP protocol. Here is more info:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

What if I don't have a switch that supports 802.1X, or I want the blocking
to be done by FreeBSD, not the switch, because FreeBSD is the firewall or
gateway to some networks? Is there any solution that implements freeradius
with PF or any other firewall/blocking feature?
-- 
One cannot sell the earth upon which the people walk
Tacunka Witco

From owner-freebsd-security@FreeBSD.ORG Mon Apr 2 16:45:02 2007
From: Mohacsi Janos
To: Marko Lerota
Cc: freebsd-security@freebsd.org
Date: Mon, 2 Apr 2007 18:17:06 +0200 (CEST)
Message-ID: <20070402175305.X73058@mignon.ki.iif.hu>
In-Reply-To: <86lkha6eey.fsf@sparrow.local>
Subject: Re: Stronger security with BSD Firewall and Freeradius

On Mon, 2 Apr 2007, Marko Lerota wrote:

> I've seen that it is possible to use switch port blocking with freeradius
> and Cisco switches via 802.1X and the EAP protocol. Here is more info:
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> What if I don't have a switch that supports 802.1X, or I want the blocking
> to be done by FreeBSD, not the switch, because FreeBSD is the firewall or
> gateway to some networks.
> Is there any solution that implements freeradius
> with PF or any other firewall/blocking feature?

Definition: IEEE 802.1X is an IEEE standard for port-based Network Access
Control. Port-based means that you have to have a large number of ports
that you can control by individual usage. Ports can be ethernet ports or
wireless ports. In the first case you would need a large number of ports
in your firewall, which is not really feasible. In the latter case you
should use hostapd. With hostapd you can configure your firewall as an
authenticator (802.1X terminology) or access point that can provide
wireless access based on credentials supplied by your users
(userid+password, certificate, etc.).

I suspect you would like to have something similar to what authpf does:
authenticate on the firewall, then allow access to the internal network.
Have a look at man authpf or http://www.openbsd.org/faq/pf/authpf.html
about authpf usage.

I hope this helped.

Best Regards,
Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882
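The following is an added illustration of the authpf approach Janos points to; it is example configuration written for this page, not from the thread or from the authpf project. It shows the two files involved: the anchors pf(4) needs in /etc/pf.conf, and the per-user rule set in /etc/authpf/authpf.rules that authpf(8) loads into a fresh anchor when the user logs in over SSH and unloads when that session ends. Interface names (em1, em2), the protected network 192.0.2.0/24 and the allowed ports are constructed placeholders.

```conf
# --- /etc/pf.conf (added example; interfaces and addresses are placeholders) ---
user_if = "em1"               # assumption: segment the users sit on
srv_if  = "em2"               # assumption: segment with the protected hosts
srv_net = "192.0.2.0/24"      # placeholder (RFC 5737 documentation range)

# Translation anchors that authpf(8) manages per authenticated session.
# They stay empty unless a user's authpf.rules contains nat/rdr rules.
nat-anchor   "authpf/*"
rdr-anchor   "authpf/*"
binat-anchor "authpf/*"

# Default deny, logged, so unauthenticated attempts show up in pflog.
block log all

# Users may reach the firewall's own SSH port: that is where they
# authenticate. authpf is set as their login shell, so a successful
# SSH login is what loads the per-user rules into the anchor below.
pass in quick on $user_if proto tcp from $user_if:network to ($user_if) port ssh keep state

# Forwarded traffic the per-user rules allowed may leave towards the servers.
pass out on $srv_if keep state

# Filter anchor evaluated in this position; authpf creates a sub-anchor
# named "authpf/<user>(<pid>)" here for each live session.
anchor "authpf/*"

# --- /etc/authpf/authpf.rules (loaded into the user's anchor on login) ---
# $user_ip (the SSH client's source address) and $user_id (the login name)
# are substituted by authpf before loading; any other macro has to be
# defined again in this file, it does not see the macros from pf.conf.
user_if = "em1"
srv_net = "192.0.2.0/24"

# Only the authenticated client's address gets through, only to the
# protected network, and only for the listed services.
pass in quick on $user_if proto tcp from $user_ip to $srv_net port { 22, 80, 443 } keep state
```

To turn this on, set the account's shell to /usr/sbin/authpf (pw usermod <user> -s /usr/sbin/authpf), optionally list the permitted accounts in /etc/authpf/authpf.allow, and reload with pfctl -f /etc/pf.conf; pfctl -s Anchors shows which per-user anchors are currently live. Two caveats a practitioner should keep in mind: the grant is tied to the client's IP address for the lifetime of the SSH session, so several machines sharing one address (for instance behind a NAT box on that segment) are all let in once one of them authenticates, and unlike 802.1X the switch port itself stays open, so spoofing of an authenticated address on the same segment is not prevented by the firewall alone.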
From owner-freebsd-security@FreeBSD.ORG Tue Apr 3 15:08:26 2007
From: metadev
To: freebsd-security@freebsd.org
Date: Tue, 3 Apr 2007 17:43:08 +0300
Message-ID: <323b75e10704030743x46b25c41p6108dce5e93d58a8@mail.gmail.com>
In-Reply-To: <20070330100318.wbqww1rilcksskok@webmail.leidinger.net>
References: <86648johpj.fsf@dwp.des.no> <20070330100318.wbqww1rilcksskok@webmail.leidinger.net>
Subject: Re: nx-bit and TPM

On 3/30/07, Alexander Leidinger wrote:
> Quoting Dag-Erling Smørgrav (from Thu, 29 Mar 2007 23:36:24 +0200):
>
> > Igor writes:
> >> I was looking through the handbook and wikipedia and it appears FreeBSD
> >> doesn't support the hardware (nor software) nx bit.
> >> There also doesn't seem to be any support for TPM (Trusted Platform Module).
> >
> > I believe NX support was never implemented because Intel's version of
> > AMD64 didn't support it. As for TPM, I don't see the point.
>
> This should not stop us from using it on amd64 if available. I think one
> of the problems was/is the lack of time/man-power. So if someone comes
> up with a good (enough) implementation which works on our supported
> hardware, I don't think it will be rejected.

Please see this post for more info on the implications of using a
non-executable stack:
http://lists.freebsd.org/pipermail/freebsd-security/2005-November/003318.html

Bogdan

From owner-freebsd-security@FreeBSD.ORG Fri Apr 6 13:56:31 2007
From: G Hasse
To: freebsd-security@freebsd.org
Date: Fri, 6 Apr 2007 16:50:08 +0200
Message-ID: <20070406145008.GA88336@mail.raditex.se>
Subject: The best way to protect against starvation?

Hello,

If an ordinary user runs:

-- snip --
cat > starv.c <

From: Eygene Ryabinkin
To: G Hasse
Cc: freebsd-security@freebsd.org
Date: Fri, 6 Apr 2007 18:23:21 +0400
Message-ID: <20070406142321.GC11667@twilight.grid.kiae.ru>
In-Reply-To: <20070406145008.GA88336@mail.raditex.se>
Subject: Re: The best way to protect against starvation?

Göran, good day.

Fri, Apr 06, 2007 at 04:50:08PM +0200, G Hasse wrote:
> If an ordinary user runs:
>
> -- snip --
> cat > starv.c <<EOF
> main(){ char *point; while(1) { point = ( char * ) malloc(10000); }}
> EOF
> cc starv.c
> while true
> do
> ./a.out &
> done
> -- snip --
>
> This will quickly starve the operating system (FreeBSD 6.2).

Yep, the combined malloc/fork bomb.

> I have tried to
> limit the number of processes and the amount of memory consumed (in
> login.conf).

And had any success? I happen to run some servers for schoolboys -- they
like to do the bombing, and I had partial success with 'maxproc',
'memoryuse' and '{data,stack}size'. But even with tight limits that just
let people get their 'man ' work done, three or four students can starve
the server's resources (though the server is rather old and has some
64 Mb of memory). Having per-group cumulative restrictions in login.conf
would mitigate the issue, but still, the united efforts of many people
from different groups can provoke the starvation.

> There is also a file /etc/malloc.conf - but I don't understand if this
> could help? Any advice?

'man malloc.conf', but in short, this will not help you much with this
issue.
-- 
Eygene
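As an added example (not from the thread), here is what the login.conf caps Eygene mentions look like when collected into a login class on FreeBSD. The class name "students" and every number are constructed; size them for the host in question.

```conf
# /etc/login.conf (added example): a login class with per-process and
# per-uid ceilings for untrusted interactive users. Class name and
# values are constructed examples, not a recommendation for any host.
students:\
	:maxproc=40:\
	:vmemoryuse=96M:\
	:datasize=32M:\
	:stacksize=8M:\
	:memoryuse=48M:\
	:openfiles=256:\
	:cputime=1h:\
	:coredumpsize=0:\
	:tc=default:
```

Rebuild the database with cap_mkdb /etc/login.conf, assign users with pw usermod <user> -L students, and check the result with limits -C students; the limits are applied by login/sshd at session start, so sessions that are already open keep their old values. Two details matter for the malloc/fork bomb above. First, maxproc becomes RLIMIT_NPROC, which the kernel counts across all processes of the uid, so spreading the forks over several SSH sessions of the same account does not escape it (kern.maxprocperuid is the system-wide ceiling for any single uid). Second, memoryuse sets RLIMIT_RSS, which FreeBSD does not enforce as a hard limit; the allocation loop is actually stopped by datasize (brk-based allocations) and vmemoryuse (total address space, which also covers mmap-based allocations), which matches Eygene's observation that datasize and stacksize were the settings that helped. What login.conf cannot express is the cumulative per-group limit he asks for; that facility arrived later as rctl(8) in FreeBSD 9, which can cap a whole login class at once.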