From owner-freebsd-security Sun Jan 31 08:00:38 1999
Message-ID: <36B47F06.F84AF310@ae.katowice.pl>
Date: Sun, 31 Jan 1999 16:04:22 +0000
From: Jakub Wasielewski
Organization: Akademia Ekonomiczna
To: freebsd-security@FreeBSD.ORG

help

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jan 31 14:10:38 1999
Message-ID: <001701be4d65$af632aa0$020a0a0a@kl>
From: "Krzysztof Linniczenko"
Date: Sun, 31 Jan 1999 23:04:31 +0100
Content-Type: multipart/alternative

This is a multi-part message in MIME format.

From owner-freebsd-security Mon Feb 1 00:20:47 1999
Message-Id: <199902011114.KAA03948@coiib.es>
From: janet9981@yahoo.com
To: adsrtc@mtyisrot.com
Date: Sun, 31 Jan 99 23:41:37 EST
Subject: Maximize your website's traffic!

Maximize your website's traffic. INCREASE YOUR SEARCH ENGINE RANK!

If your Web site isn't getting the traffic it should, it's likely that it's not ranked well on the major Internet search engines. According to recent Internet E-commerce studies, over 90% of consumers find the Web sites they visit by using eight major search engines, which are Yahoo!, Excite, AltaVista, Infoseek, Lycos, Web Crawler, HotBot, and Northern Light. If your website isn't located in the top-30 listings of these engines, chances are your site will never be seen. The single most important thing you can do to increase your Web site's traffic is to increase your search engine ranking.

-------------
"PUT YOUR NAME IN LIGHTS -- List your business with search engines to make sure potential customers can find it."
-- BIZ Excite, PC Computing magazine, November 1998
-------------

THE BASICS: HOW SEARCH ENGINES RANK YOUR SITE

When you submit your website to a search engine to be indexed in its database, it sends a "robot" to scan your page.
Using complex algorithms to rank your page for keyword relevance, the "robot" determines whether you'll be ranked number 1 or 1,000,000 when potential visitors conduct a search looking for sites like yours. Because the search engines are constantly changing their algorithms to provide users with the best possible search results, there's only one true solution to high search engine placement--us. In short, submission alone isn't enough. *Good search engine ranking* is critical to your site's success.

-------------

HERE'S WHAT WE DO -- A UNIQUE, SUCCESSFUL APPROACH

In order to counter the ever-changing search engine algorithms, we create an entire series of "entry pages" that are optimized for the search engines--one for every keyword (or keyword phrase) that you provide. Each entry page is optimized for a different set of algorithm variables. In other words, instead of having only *one* page struggling to rank well on all engines, we create separate, search engine-specific entry pages for each keyword. As a result, your pages rank well because they contain information relevant to search queries that are related to your industry.

-------------

HOW ENTRY PAGES AFFECT YOUR WEB SITE'S CURRENT STRUCTURE

Put simply, they don't. When creating entry pages we *do not* make any changes to the existing structure, content, or functionality of your current site. The entry pages act as a welcome screen for your Web site when people enter from your highly ranked link on the search engine. The pages will say a few introductory words about your site, which are keyword and/or keyword phrase rich, and then provide a link that asks the visitor to "Click Here To Enter," which moves them directly to your current homepage.

------------

HERE'S WHAT WE DON'T *EVER* DO TO HELP YOUR SEARCH ENGINE RANK

We *will not* build pages for irrelevant--yet "popular"--keywords. Also, we will *never* "spamdex" pages. "Spamdexing" is "stuffing" a Web page full of words for the search engine's robots. You may have seen spamdexing, which is placing many words in the same text color as a background onto a Web page. Spamdexing will actually get your pages "kicked" from search engine indexes. What we *will* do is simply present very relevant keywords for your site to the search engines in the way that they "like" to see it.

-------------
"It's simple: If they can't find you on the search engines, they can't buy from you."
-- J. LeRoss, Internet Sales Consultant
------------

HOW WELL DOES THE SERVICE WORK?

We'll send you a detailed report of your current search engine ranking on "The Big Six" engines before we begin. Then, once your new entry pages have been indexed, we'll send you a second report showing how they've ranked. Here's a sampling of some results we've achieved for previous clients. (These examples are for competitive keywords--not just obscure words on which no one is conducting searches.)

<> 6 top-10 rankings on Infoseek for different relevant keywords
<> 18 top-10 rankings across the major search engines
<> 3 top-10 rankings on Alta Vista for one keyword
<> 16 total *number one* rankings
<> 40 top-30 rankings, spread across the different engines.
<> 1 to 2 hits per week increased to 500 per day
<> 45,000 hits per month grew to 108,000.

------------

HOW MUCH DOES YOUR SERVICE COST?

Our basic services start at only $385. The basic package includes:

<> Construction of optimized entry pages for up to 20 keywords -- This gives you good "coverage" in your industry
<> Submission of the keyword-dense entry pages to the "Big Six" search engines

When you contact us, ask about other services we provide that may be able to help your Internet initiatives succeed. We have special services that can be tailored for your specific Internet marketing needs.

------------

HOW DO I GET STARTED?

<> Call us--we'll answer any questions you may have and provide a no-cost initial consultation. (310) 859-4659
<> Submit your keywords and/or keyword phrases (up to 20) to us

------------

COMMENTS FROM CLIENTS

"Frankly, I'm impressed with the foregoing. So many solicitations from email sources turn out to be a phone line that hooks up to a voice mail system that is designed to give the impression of size, and people who never return phone calls/messages. . . So it's a pleasant surprise to find that someone at the other end is really operating as a business!!!" --Alan B.

"Incredible! Our site is now receiving more hits in a day than we used to get in an entire month. [My boss] is still eating his words." -- Bob W.

"I knew the search engines were a fantastic marketing tool, but my company simply didn't have the time to devote to search engine placement. It has proven to be the best money we've ever spent on marketing." -- Shelley H.

"I worked for weeks to get good search engine placement, but I could never crack the top 80 . . . my site was deserted. Within a month [after using your service], I'd had more hits than I'd had in the last year. I wouldn't believe it if it hadn't happened to me." -- Chris L.

------------

OUR JOB: INCREASE YOUR WEB SITE'S RANKING.

We can't guarantee that better ranking will increase the number of visitors that "surf" to your Web site. Some highly-ranked websites still don't get much traffic--much depends on your particular industry and choice of keywords. However, high rankings, in most cases, do mean increased Web site traffic. And, we have never failed to increase a client's ranking. Ever.

------------

CONTACT A REPRESENTATIVE:
Search Engine Success Group - Call us at: (310) 859-4659

-----------------------
If you've received this message in error--and are not interested in our services--please click reply or call, (888)-248-2236, and we'll remove you from our list.

From owner-freebsd-security Mon Feb 1 09:44:56 1999
From: "Jung, Michael"
To: "'Igor Roshchin'", "'security@FreeBSD.ORG'"
Subject: RE: Sendmail- headers
Date: Mon, 1 Feb 1999 12:33:10 -0500
Does this ever happen elsewhere in the message?

If so and you have a Cisco PIX firewall this is a known problem using the "mailhost" statement. If so look at cisco's site for a resolution.

We had this exact problem a while back

--mikej
Michael Jung
mjung@npc.net

>-----Original Message-----
>From: Igor Roshchin [SMTP:igor@physics.uiuc.edu]
>Sent: Friday, January 29, 1999 5:30 PM
>To: security@FreeBSD.ORG
>Subject: Sendmail- headers
>
>
>Hello!
>
>Sorry, if I am asking about something which has been stated clearly.
>I just looked in the archives and haven't found the clear answer.
>
>This week I've received two messages which indicate an attempt
>of the header overflow (I think) in the sendmail.
>Remembering some discussion recently on one of the lists,
>I am not sure if this overflow can result in any break in
>or just might cause identity forgery (so, to prevent identification
>of the sender and/or his host) ?
>
>I am running Sendmail 8.8.5/8.7.3 on a 2.1.7.1 -> 2.1-STABLE
>Yes, I know it's outdated and the upgrade is pending,
>but I am concerned if there was a break in this way, and whether I should
>worry about detection of any traces of it.
>
>The headers are:
>
>
>Return-Path: aho@aho.ne
>Received: from
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>xxx
>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>Date: Fri, 29 Jan 1999 08:50:44 -0500 (EST)
>From: aho@aho.ne
>Message-Id: <199901291350.IAA10527@MYHOST.CHANGED.BY.ME.FOR.SECURITY.REASONS>
>To: kei37@geocities.co.jp
>Subject: test
>X-Mailer: Microsoft Outlook Express 4.72.2106
>
>
>
>Thanks,
>
>Igor
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 1 11:19:57 1999
From: Igor Roshchin
Message-Id: <199902011919.NAA03752@alecto.physics.uiuc.edu>
Subject: Re: Sendmail- headers
In-Reply-To: from "Jung, Michael" at "Feb 1, 1999 12:33:10 pm"
To: mjung@npc.net (Jung Michael)
Date: Mon, 1 Feb 1999 13:19:49 -0600 (CST)
Cc: igor@physics.uiuc.edu, security@FreeBSD.ORG

No, it didn't happen in the message itself.
In the headers only.

Also, we don't have Cisco Firewall.

Thanks, anyway.

Igor

> Does this ever happen elsewhere in the message?
>
> If so and you have a Cisco PIX firewall this is a known problem using
> the
> "mailhost" statement. If so look at cisco's site for a resolution.
>
> We had this exact problem a while back
>
> --mikej
> Michael Jung
> mjung@npc.net
>
> >-----Original Message-----
> >From: Igor Roshchin [SMTP:igor@physics.uiuc.edu]
> >Sent: Friday, January 29, 1999 5:30 PM
> >To: security@FreeBSD.ORG
> >Subject: Sendmail- headers
> >
> >
> >Hello!
> >
> >Sorry, if I am asking about something which has been stated clearly.
> >I just looked in the archives and haven't found the clear answer.
> >
> >This week I've received two messages which indicate an attempt
> >of the header overflow (I think) in the sendmail.
> >Remembering some discussion recently on one of the lists,
> >I am not sure if this overflow can result in any break in
> >or just might cause identity forgery (so, to prevent identification
> >of the sender and/or his host) ?
> >
> >I am running Sendmail 8.8.5/8.7.3 on a 2.1.7.1 -> 2.1-STABLE
> >Yes, I know it's outdated and the upgrade is pending,
> >but I am concerned if there was a break in this way, and whether I should
> >worry about detection of any traces of it.
> >
> >The headers are:
> >
> >
> >Return-Path: aho@aho.ne
> >Received: from
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >xxx
> >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >Date: Fri, 29 Jan 1999 08:50:44 -0500 (EST)
> >From: aho@aho.ne
> >Message-Id: <199901291350.IAA10527@MYHOST.CHANGED.BY.ME.FOR.SECURITY.REASONS>
> >To: kei37@geocities.co.jp
> >Subject: test
> >X-Mailer: Microsoft Outlook Express 4.72.2106
> >
> >
> >
> >Thanks,
> >
> >Igor
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Mon Feb 1 21:58:16 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
To: freebsd-security@FreeBSD.ORG
Date: Tue, 2 Feb 1999 18:58:07 +1300
Subject: what were these probes?
Reply-to: junkmale@xtra.co.nz
Message-Id: <19990202055804.YRQY682101.mta1-rme@wocker>

Hi folks,

Tonight I found these entries in my log files. What were they looking for? Was this a spammer looking for exploits?
http:

ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164
ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler HTTP/1.0" 404 168
ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais HTTP/1.0" 404 168
ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0" 404 163

telnet:

Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com

sendmail:

Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]

--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Mon Feb 1 22:28:49 1999
Date: Mon, 1 Feb 1999 22:28:28 -0800 (PST)
From: Mike Holling
To: Dan Langille
cc: freebsd-security@FreeBSD.ORG
Subject: Re: what were these probes?
In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker>

> Tonight I found these entries in my log files. What were they looking
> for? Was this a spammer looking for exploits?

My offhand guess is that this was indeed some kind of automated script looking for a set of known security holes.
- Mike

From owner-freebsd-security Mon Feb 1 22:55:34 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
To: Mike Holling
Date: Tue, 2 Feb 1999 19:55:28 +1300
Subject: Re: what were these probes?
Reply-to: junkmale@xtra.co.nz
CC: freebsd-security@FreeBSD.ORG
References: <19990202055804.YRQY682101.mta1-rme@wocker>
Message-Id: <19990202065625.CSGF678125.mta2-rme@wocker>

On 1 Feb 99, at 22:28, Mike Holling wrote:

> > Tonight I found these entries in my log files. What were they looking
> > for? Was this a spammer looking for exploits?
>
> My offhand guess is that this was indeed some kind of automated script
> looking for a set of known security holes.

Looks that way to me too. Messages I've received off list seem to indicate that the http probes were well known exploits. And they all failed. It seems that the security in place has done its job.

cheers.
--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Mon Feb 1 22:58:58 1999
From: David G Andersen
Message-Id: <199902020700.AAA20881@lal.cs.utah.edu>
Subject: Re: what were these probes?
To: junkmale@xtra.co.nz
Date: Tue, 2 Feb 1999 00:00:08 -0700 (MST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker> from "Dan Langille" at Feb 2, 99 06:58:07 pm

Lo and behold, Dan Langille once said:
>
> Hi folks,
>
> Tonight I found these entries in my log files. What were they looking
> for? Was this a spammer looking for exploits?

I doubt it was a spammer. It was most likely a cracker (pick your favorite term for "a malicious jerk") or script kiddie looking for an exploit. Based on the timing, they were fairly obviously using an automated scanning tool to scan your system. You'll probably want to report this to the people who own ns.cvvm.com - it's fairly likely that their box has been hacked.

105 torrey:~> whois cvvm.com
Registrant:
Cowichan Valley Virtual Mall (CVVM-DOM)
103 - 2700 Beverly St
Duncan, BC V9L5C7
CA

Domain Name: CVVM.COM

Administrative Contact:
Goodliffe, M (MG2727) myke@ISLAND.NET
1-250-748-0818
Technical Contact, Zone Contact:
Fraser, Tony (TF1661) frasert@ISLANDNET.COM
1-250-245-2984
Billing Contact:
Goodliffe, M (MG2727) myke@ISLAND.NET
1-250-748-0818

That really happens to suck, since the box that was hacked (or harboring a malicious person) is their nameserver. The box appears to be offline right now - it won't answer nameservice queries, etc., so the owners probably know it was compromised, but sending them a note can't hurt.

-Dave

> http:
>
> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164
> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
> ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
> ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
> ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0" 404 163
>
> telnet:
>
> Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
>
> sendmail:
>
> Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
> Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
>
> --
> Dan Langille
> The FreeBSD Diary
> http://www.FreeBSDDiary.com/freebsd
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
work: danderse@cs.utah.edu me: angio@pobox.com
University of Utah http://www.angio.net/
Computer Science - Flux Research Group

From owner-freebsd-security Mon Feb 1 23:23:31 1999
Message-Id: <4.1.19990201231707.00a17c30@mail-r>
Date: Mon, 01 Feb 1999 23:23:24 -0800
To: junkmale@xtra.co.nz, freebsd-security@FreeBSD.ORG
From: Ludwig Pummer
Subject: Re: what were these probes?
In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:58 PM 2/1/99 , Dan Langille wrote:
>Hi folks,
>
>Tonight I found these entries in my log files. What were they looking
>for? Was this a spammer looking for exploits?

It looks like it. Probably just some script kiddie. A lot of the holes
being checked for have been publicly known for a while, so folks in charge
of security have fixed them already (or at least, they should have).

>http:
>
>ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164

The Apache docs refer to a phf security hole in an early version.

>ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168

The PHP docs warn that an improperly configured PHP can let web visitors
read any world-readable file on your system.

>ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172

There was a known security hole in one of the web-based message boards.
Don't know if it was wwwboard.

>telnet:
>
>Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
>Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com

That looks like it's not legitimate.

>sendmail:
>
>Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
>Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]

Ditto. There's all sorts of jerks out there looking for some fun. I get at
least one or two folks a night knocking on my POP3, IMAP, or Netbios ports.

--Ludwig Pummer ( ludwigp@bigfoot.com ) ICQ UIN: 692441 ( ludwigp@email.com )

From owner-freebsd-security Tue Feb 2 01:39:34 1999
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA15777 for freebsd-security-outgoing; Tue, 2 Feb 1999 01:39:34 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mta1-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA15768 for ; Tue, 2 Feb 1999 01:39:29 -0800 (PST) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.210.87]) by mta1-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990202093923.ZZMV682101.mta1-rme@wocker> for ; Tue, 2 Feb 1999 22:39:23 +1300
From: "Dan Langille"
Organization: The FreeBSD Diary
To: freebsd-security@FreeBSD.ORG
Date: Tue, 2 Feb 1999 22:39:26 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: what were these probes?
Reply-to: junkmale@xtra.co.nz
In-reply-to: <19990202055804.YRQY682101.mta1-rme@wocker>
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990202093923.ZZMV682101.mta1-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm planning to include the logs on one of my webpages. Seeing as I've just
posted this publicly anyway, I can't really see any issues surrounding that.
Can you?

On 2 Feb 99, at 18:58, Dan Langille wrote:

> Hi folks,
> 
> Tonight I found these entries in my log files. What were they looking
> for? Was this a spammer looking for exploits?
> 
> http:
> 
> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164
> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
> ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
> ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
> ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0" 404 163
> 
> 
> telnet:
> 
> Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
> 
> sendmail:
> 
> Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
> Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
> 
> -- 
> Dan Langille
> The FreeBSD Diary
> http://www.FreeBSDDiary.com/freebsd

-- 
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Tue Feb 2 02:27:04 1999
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA21342 for freebsd-security-outgoing; Tue, 2 Feb 1999 02:27:04 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns.digital-canvas.com (ns.digital-canvas.com [210.161.219.162]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA21336 for ; Tue, 2 Feb 1999 02:27:01 -0800 (PST) (envelope-from daniel@digital-canvas.com)
Received: from basecamp (ppp965.kt.rim.or.jp [202.247.132.165]) by ns.digital-canvas.com (8.9.1/3.7W) with SMTP id TAA09988; Tue, 2 Feb 1999 19:22:36 +0900 (JST)
Message-ID: <003901be4e95$c2c58210$1400a8c0@basecamp.digital-canvas.com>
Reply-To: "Daniel Minoru Saito"
From: "Daniel Minoru Saito"
To: "David G Andersen" ,
Cc: 
Subject: Re: what were these probes?
Date: Tue, 2 Feb 1999 19:21:11 +0900
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wait.. look where it's originating out of.. from the nameserver. I bet ya
that ns.cwm.com was hacked using the dns exploit. From there the attack
originated on.. So it would be in the best interest to say to the
administrator of cwm.com to do a security check.

Daniel Saito

-----Original Message-----
From: David G Andersen
Subject: Re: what were these probes?

>Lo and behold, Dan Langille once said:
>>
>> Hi folks,
>>
>> Tonight I found these entries in my log files. What were they looking
>> for? Was this a spammer looking for exploits?
>
> I doubt it was a spammer.
>It was most likely a cracker (pick your
>favorite term for "a malicious jerk") or script kiddie looking for an
>exploit. Based on the timing, they were fairly obviously using an
>automated scanning tool to scan your system.
>
> You'll probably want to report this to the people who own ns.cvvm.com -
>it's fairly likely that their box has been hacked.
>
>105 torrey:~> whois cvvm.com
>
>Registrant:
>Cowichan Valley Virtual Mall (CVVM-DOM)
>   103 - 2700 Beverly St
>   Duncan, BC V9L5C7
>   CA
>
>   Domain Name: CVVM.COM
>
>   Administrative Contact:
>      Goodliffe, M (MG2727)  myke@ISLAND.NET
>      1-250-748-0818
>   Technical Contact, Zone Contact:
>      Fraser, Tony (TF1661)  frasert@ISLANDNET.COM
>      1-250-245-2984
>   Billing Contact:
>      Goodliffe, M (MG2727)  myke@ISLAND.NET
>      1-250-748-0818
>
>
> That really happens to suck, since the box that was hacked (or harboring
>a malicious person) is their nameserver. The box appears to be offline
>right now - it won't answer nameservice queries, etc., so the owners
>probably know it was compromised, but sending them a note can't hurt.
>
> -Dave
>
>>
>> http:
>>
>> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164
>> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
>> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
>> ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
>> ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler HTTP/1.0" 404 168
>> ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais HTTP/1.0" 404 168
>> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
>> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
>> ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
>> ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
>> ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
>> ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
>> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
>> ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
>> ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0" 404 163
>>
>>
>> telnet:
>>
>> Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
>> Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
>>
>> sendmail:
>>
>> Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
>> Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
>>
>> --
>> Dan Langille
>> The FreeBSD Diary
>> http://www.FreeBSDDiary.com/freebsd
>>
>
>
>--
>work: danderse@cs.utah.edu                 me: angio@pobox.com
>      University of Utah                 http://www.angio.net/
>   Computer Science - Flux Research Group
>

From owner-freebsd-security Tue Feb 2 03:45:48 1999
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA28609 for freebsd-security-outgoing; Tue, 2 Feb 1999 03:45:48 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from www.babel.dk (slut.babel.dk [194.255.106.129] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA28604 for ; Tue, 2 Feb 1999 03:45:46 -0800 (PST) (envelope-from vader@vader.dk)
Received: from localhost (vader@localhost) by www.babel.dk (8.9.1a/8.9.1) with SMTP id MAA03489; Tue, 2 Feb 1999 12:45:35 +0100 (CET)
Date: Tue, 2 Feb 1999 12:45:35 +0100 (CET)
From: Chris Larsen
X-Sender: vader@www.babel.dk
To: Dan Langille
cc: freebsd-security@FreeBSD.ORG
Subject: Re: what were these probes?
In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id DAA28605
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 2 Feb 1999, Dan Langille wrote:

> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164
> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
> ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
> ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
> ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0" 404 163
> 
> 
> telnet:
> 
> Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
> 
> sendmail:
> 
> Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
> Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
> 

A little script kid that fell over cgichk.c ?? It's a distinct fingerprint
from that program at least. For more information check www.rootshell.com:

http://www.rootshell.com/beta/view.cgi?199812

darth@vader.dk     | Internet Café : Babel
vader@babel.dk     | Frederiksborggade 33
Chris Larsen       | Phone # +45 33 33 93 38
System Manager     | Open: 14-23 Mon - Sat
PGP-key id: 0x137993A5

From owner-freebsd-security Tue Feb 2 08:40:26 1999
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA03825 for freebsd-security-outgoing; Tue, 2 Feb 1999 08:40:26 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mta2-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA03819 for ; Tue, 2 Feb 1999 08:40:20 -0800 (PST) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.210.87]) by mta2-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990202164109.FBNL678125.mta2-rme@wocker>; Wed, 3 Feb 1999 05:41:09 +1300
From: "Dan Langille"
Organization: The FreeBSD Diary
To: "Daniel Minoru Saito"
Date: Wed, 3 Feb 1999 05:40:11 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: what were these probes?
Reply-to: junkmale@xtra.co.nz
CC: 
In-reply-to: <003901be4e95$c2c58210$1400a8c0@basecamp.digital-canvas.com>
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990202164109.FBNL678125.mta2-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

For those that may copy and paste, please note that it's cVvm.com. (mixed
case used to indicate it's a double-v, not a w).

On 2 Feb 99, at 19:21, Daniel Minoru Saito wrote:

> Wait.. look where it's originating out of.. from the nameserver. I bet ya
> that ns.cwm.com was hacked using the dns exploit. From there the
> attack originated on.. So it would be in the best interest to say to the
> administrator of cwm.com to do a security check.

-- 
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Tue Feb 2 12:34:30 1999
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA28321 for freebsd-security-outgoing; Tue, 2 Feb 1999 12:34:30 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cc181716-a.hwrd1.md.home.com (cc181716-a.hwrd1.md.home.com [24.3.18.63]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA28313 for ; Tue, 2 Feb 1999 12:34:27 -0800 (PST) (envelope-from woodford@cc181716-a.hwrd1.md.home.com)
Received: (from woodford@localhost) by cc181716-a.hwrd1.md.home.com (8.9.1a/8.9.1a) id PAA01200 for security@FreeBSD.ORG; Tue, 2 Feb 1999 15:34:58 -0500 (EST)
Date: Tue, 2 Feb 1999 15:34:58 -0500
From: Bill Woodford
To: ML FreeBSD Security
Subject: tcpdump
Message-ID: <19990202153458.A1152@cc181716-a.hwrd1.md.home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Forgive my ignorance, but I built tcpdump (3.4a3) and libcap (0.4a1) and
it built beautifully. I read the docs, and that mentioned a few things to
watch out for. However, when I run tcpdump (as root), it gives me:

tcpdump: /dev/bpf0: Device not configured

I did a little reading, and realize it's possible that my NIC may not
support it (it's a 3com 3c509 combo), but how would one tell? Can anyone
enlighten me as to the true nature of this error? I'm running natd/ipfw,
would that interfere with the functioning of tcpdump? Any help would be
appreciated.
Thanks.

-- 
Bill Woodford * woodford@cc181716-a.hwrd1.md.home.com * ICQ:14076169
"Windows Multitasking: Messing up several things at once."

From owner-freebsd-security Tue Feb 2 12:59:47 1999
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA01897 for freebsd-security-outgoing; Tue, 2 Feb 1999 12:59:47 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from emu.sourcee.com (emu.sourcee.com [205.181.251.129]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA01888 for ; Tue, 2 Feb 1999 12:59:44 -0800 (PST) (envelope-from nrice@emu.sourcee.com)
Received: (from nrice@localhost) by emu.sourcee.com (8.9.1/8.9.1) id PAA17032; Tue, 2 Feb 1999 15:59:24 -0500 (EST)
Date: Tue, 2 Feb 1999 15:59:24 -0500
From: "Norman C. Rice"
To: Bill Woodford
Cc: ML FreeBSD Security
Subject: Re: tcpdump
Message-ID: <19990202155924.A16927@emu.sourcee.com>
References: <19990202153458.A1152@cc181716-a.hwrd1.md.home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <19990202153458.A1152@cc181716-a.hwrd1.md.home.com>; from Bill Woodford on Tue, Feb 02, 1999 at 03:34:58PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Feb 02, 1999 at 03:34:58PM -0500, Bill Woodford wrote:
> Forgive my ignorance, but I built tcpdump (3.4a3) and libcap (0.4a1) and
> it built beautifully. I read the docs, and that mentioned a few things to
> watch out for. However, when I run tcpdump (as root), it gives me:
> 
> tcpdump: /dev/bpf0: Device not configured
> 
> I did a little reading, and realize it's possible that my NIC may not
> support it (it's a 3com 3c509 combo), but how would one tell? Can anyone
> enlighten me as to the true nature of this error? I'm running natd/ipfw,
> would that interfere with the functioning of tcpdump? Any help would be
> appreciated. Thanks.

Add

	pseudo-device	bpfilter	4

to your kernel config file, build and install a new kernel. You may also
need to create the bpf devices.

	cd /dev
	./MAKEDEV bpf0 bpf1 bpf2 bpf3

-- 
Regards,
Norman C. Rice, Jr.

> 
> -- 
> Bill Woodford * woodford@cc181716-a.hwrd1.md.home.com * ICQ:14076169
> "Windows Multitasking: Messing up several things at once."

From owner-freebsd-security Tue Feb 2 13:01:08 1999
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA02111 for freebsd-security-outgoing; Tue, 2 Feb 1999 13:01:08 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from intra.ispchannel.net (intra.ispchannel.net [208.166.60.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA02106 for ; Tue, 2 Feb 1999 13:01:07 -0800 (PST) (envelope-from nicole@ispchannel.com)
Received: from dogbert.mediacity.com (dogbert.mediacity.com [208.138.36.140]) by intra.ispchannel.net (Postfix) with ESMTP id 72557F00A; Tue, 2 Feb 1999 13:01:05 -0800 (PST)
Message-ID: 
X-Mailer: XFMail 1.2 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <19990202153458.A1152@cc181716-a.hwrd1.md.home.com>
Date: Tue, 02 Feb 1999 13:01:05 -0800 (PST)
Organization: The ISP Channel
From: Nicole Harrington
To: Bill Woodford
Subject: RE: tcpdump
Cc: ML FreeBSD Security
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 02-Feb-99 Bill Woodford wrote:
> Forgive my ignorance, but I built tcpdump (3.4a3) and libcap (0.4a1) and
> it built beautifully. I read the docs, and that mentioned a few things to
> watch out for. However, when I run tcpdump (as root), it gives me:
> 
> tcpdump: /dev/bpf0: Device not configured
> 
> I did a little reading, and realize it's possible that my NIC may not
> support it (it's a 3com 3c509 combo), but how would one tell? Can anyone
> enlighten me as to the true nature of this error? I'm running natd/ipfw,
> would that interfere with the functioning of tcpdump? Any help would be
> appreciated. Thanks.
> 
> -- 

I fell into that too. You have to rebuild your kernel with "bpfilter 4".
You can find more in LINT.

Hope this helps

Nicole

> Bill Woodford * woodford@cc181716-a.hwrd1.md.home.com * ICQ:14076169
> "Windows Multitasking: Messing up several things at once."

  |\ __ /|   (`\
  | o_o  |__  ) )
 //  \\
Nicole Harrington | SR Systems Administrator
-------------------(((---(((-----------------------
nicole@mediacity.com - nicole@ispchannel.com
www.mediacity.com - www.ispchannel.com
Phone: 650-237-1454 - Pager: 415-301-2482
Powered By Coca-Cola and FreeBSD
Why do doctors call what they do practice?
Microsoft: What bug would you like today?
----------------------------------------------------

From owner-freebsd-security Tue Feb 2 13:03:51 1999
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA02662 for freebsd-security-outgoing; Tue, 2 Feb 1999 13:03:51 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns.ge.com (ns.ge.com [192.35.39.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA02634 for ; Tue, 2 Feb 1999 13:03:47 -0800 (PST) (envelope-from steve.combs@indsys.ge.com)
Received: from thomas.ge.com (thomas-o.ge.com [10.47.28.21]) by ns.ge.com (8.9.1/8.9.1) with ESMTP id QAA16099; Tue, 2 Feb 1999 16:02:26 -0500 (EST)
Received: from carsdb.salem.ge.com (carsdb.salem.ge.com [3.29.7.15]) by thomas.ge.com (8.9.1/8.9.1) with ESMTP id QAA11014; Tue, 2 Feb 1999 16:02:26 -0500 (EST)
Received: from indsys.ge.com (combssf.salem.ge.com [3.29.24.77]) by carsdb.salem.ge.com (8.8.8/8.8.8) with ESMTP id QAA06557; Tue, 2 Feb 1999 16:02:24 -0500 (EST)
Message-ID: <36B767DF.1848F5E4@indsys.ge.com>
Date: Tue, 02 Feb 1999 16:02:23 -0500
From: "Stephen F. Combs"
Organization: GE Industrial Systems, Global Security
X-Mailer: Mozilla 4.5 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Bill Woodford
CC: ML FreeBSD Security
Subject: Re: tcpdump
References: <19990202153458.A1152@cc181716-a.hwrd1.md.home.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You need to build a kernel with bpfilter enabled. I've run tcpdump on a
3c509 board many times (it's NOT a true network sniffer, but, it does
allow you to look at packets intercepted by your '509 board!).

Steve Combs
Security Analyst
GE Industrial Systems

Bill Woodford wrote:
> 
> Forgive my ignorance, but I built tcpdump (3.4a3) and libcap (0.4a1) and
> it built beautifully. I read the docs, and that mentioned a few things to
> watch out for. However, when I run tcpdump (as root), it gives me:
> 
> tcpdump: /dev/bpf0: Device not configured
> 
> I did a little reading, and realize it's possible that my NIC may not
> support it (it's a 3com 3c509 combo), but how would one tell? Can anyone
> enlighten me as to the true nature of this error? I'm running natd/ipfw,
> would that interfere with the functioning of tcpdump? Any help would be
> appreciated. Thanks.
> 
> --
> Bill Woodford * woodford@cc181716-a.hwrd1.md.home.com * ICQ:14076169
> "Windows Multitasking: Messing up several things at once."

From owner-freebsd-security Tue Feb 2 13:10:53 1999
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA04281 for freebsd-security-outgoing; Tue, 2 Feb 1999 13:10:53 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from firestorm.exit109.com (firestorm.exit109.com [208.225.64.14]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA04272 for ; Tue, 2 Feb 1999 13:10:50 -0800 (PST) (envelope-from chris@exit109.com)
Received: from localhost (chris@localhost) by firestorm.exit109.com (8.8.8/8.8.8) with SMTP id QAA14298; Tue, 2 Feb 1999 16:09:38 -0500 (EST)
Date: Tue, 2 Feb 1999 16:09:38 -0500 (EST)
From: Chris
To: Bill Woodford
cc: ML FreeBSD Security
Subject: Re: tcpdump
In-Reply-To: <19990202153458.A1152@cc181716-a.hwrd1.md.home.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bill-

You need to enable the Berkeley Packet Filter in your kernel config, add
the line:

	pseudo-device	bpfilter	2

that will allow you 2 processes using the bpf device.
Recompile your kernel, reboot, and you're good to go :)

--------------------------------
Chris O'Hara
Network/Systems Administration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Atlantic Internet Technologies
628 Shrewsbury Ave. Red Bank, NJ 07701
Web Hosting/Design, Dialup, Co-Location
http://www.exit109.com

On Tue, 2 Feb 1999, Bill Woodford wrote:

> Forgive my ignorance, but I built tcpdump (3.4a3) and libcap (0.4a1) and
> it built beautifully. I read the docs, and that mentioned a few things to
> watch out for. However, when I run tcpdump (as root), it gives me:
>
> tcpdump: /dev/bpf0: Device not configured
>
> I did a little reading, and realize it's possible that my NIC may not
> support it (it's a 3com 3c509 combo), but how would one tell. Can anyone
> enlighten me as to the true nature of this error? I'm running natd/ipfw,
> would that interfere with the functioning of tcpdump? Any help would be
> appreciated. Thanks.
>
> --
> Bill Woodford * woodford@cc181716-a.hwrd1.md.home.com * ICQ:14076169
> "Windows Multitasking: Messing up several things at once."

From owner-freebsd-security Tue Feb 2 13:37:31 1999
Date: Tue, 2 Feb 1999 13:37:28 -0800 (PST)
From: "Jonathan M. Bresler"
To: woodford@cc181716-a.hwrd1.md.home.com
CC: security@FreeBSD.ORG
Subject: Re: tcpdump

> Date: Tue, 2 Feb 1999 15:34:58 -0500
> From: Bill Woodford
>
> Forgive my ignorance, but I built tcpdump (3.4a3) and libcap (0.4a1) and
> it built beautifully. I read the docs, and that mentioned a few things to
> watch out for. However, when I run tcpdump (as root), it gives me:
>
> tcpdump: /dev/bpf0: Device not configured
>
> I did a little reading, and realize it's possible that my NIC may not
> support it (it's a 3com 3c509 combo), but how would one tell. Can anyone
> enlighten me as to the true nature of this error? I'm running natd/ipfw,
> would that interfere with the functioning of tcpdump? Any help would be
> appreciated. Thanks.

You must create a kernel with bpf support. The line to add to your kernel configuration file is "pseudo-device bpfilter 4". That would give you a kernel that can support 4 devices in promiscuous mode. (If you don't know how to create a kernel, take a look in the handbook, /usr/share/doc/handbook/*html, or www.freebsd.org.)

You need to create the device files for /dev/bpf1, /dev/bpf2, and /dev/bpf3. cd over to /dev and run "sh MAKEDEV bpf3".
jmb

From owner-freebsd-security Tue Feb 2 13:44:47 1999
Date: Tue, 2 Feb 1999 15:44:25 -0600 (CST)
From: Frank Tobin
To: Bill Woodford
cc: ML FreeBSD Security
Subject: Re: tcpdump

On Tue, 2 Feb 1999, Bill Woodford wrote:

> tcpdump: /dev/bpf0: Device not configured

You need the Berkeley packet filter device set in your kernel.

    pseudo-device bpfilter 4 #Berkeley packet filter (from LINT)

Be aware that if you install this device, and root is compromised on your machine, one may use a sniffing program to monitor traffic.

--
Frank Tobin                   "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin valued, those truths which cannot be shaken
                               or changed." Myst: The Book of Atrus

FreeBSD: The Power To Serve

If you use Pine and PGP 5.0(i), try pgpenvelope.
http://www.bigfoot.com/~ftobin/resources.html

From owner-freebsd-security Tue Feb 2 13:57:43 1999
Date: Tue, 2 Feb 1999 16:58:13 -0500
From: Bill Woodford
To: ML FreeBSD Security
Subject: Re: tcpdump

On Tue, Feb 02, 1999 at 03:34:58PM -0500, Bill Woodford wrote:
| tcpdump: /dev/bpf0: Device not configured

I'd like to thank everyone here who helped me out. I wasn't expecting the answers to come so quickly :) At any rate, thanks to everyone for the information.
--
Bill Woodford * woodford@cc181716-a.hwrd1.md.home.com * ICQ:14076169
Volunteer Coordinator, OTAKON 1999: Convention of Otaku Generation
"Windows Multitasking: Messing up several things at once."

From owner-freebsd-security Tue Feb 2 14:05:43 1999
Date: Tue, 2 Feb 1999 15:56:37 -0600 (CST)
From: James Wyatt
To: Dan Langille
cc: Mike Holling, freebsd-security@FreeBSD.ORG
Subject: Re: what were these probes?

On Tue, 2 Feb 1999, Dan Langille wrote:
> On 1 Feb 99, at 22:28, Mike Holling wrote:
> > > Tonight I found these entries in my log files. What were they looking
> > > for? Was this a spammer looking for exploits?
> > My offhand guess is that this was indeed some kind of automated script
> > looking for a set of known security holes.
> Looks that way to me too. Messages I've received off list seem to
> indicate that the http probes were well known exploits. And they all
> failed. It seems that the security in place has done its job.
Notice that they are coming from a hostname beginning ns.*.com. Looks like someone's nameserver wasn't as lucky as your webserver... 8{(

From owner-freebsd-security Tue Feb 2 14:26:39 1999
Date: Tue, 02 Feb 1999 11:31:40 -0700 (MST)
From: Binh Nguyen
To: freebsd-security@FreeBSD.ORG
Subject: hosts.allow and deny!

Hi!

I want to ask a question. Is there a way on FreeBSD 2.2.8 that I could implement the hosts.allow and hosts.deny, so no one could access my server without being added in the hosts.allow?

Also, is there a good admin tool for system security, such as monitors of the system, or any tools that help on how to do hosts.allow and hosts.deny?
Thanks

Binh Nguyen

From owner-freebsd-security Tue Feb 2 14:35:45 1999
Date: Tue, 2 Feb 1999 16:20:13 -0600 (CST)
From: James Wyatt
To: Bill Woodford
cc: ML FreeBSD Security
Subject: Re: tcpdump

On Tue, 2 Feb 1999, Bill Woodford wrote:
[ ... ]
> watch out for. However, when I run tcpdump (as root), it gives me:
>
> tcpdump: /dev/bpf0: Device not configured
>
> I did a little reading, and realize it's possible that my NIC may not
> support it (it's a 3com 3c509 combo), but how would one tell. Can anyone

I have not used an ISA/PCI card yet that doesn't support BPF... It is an invaluable tool around here and even better on a laptop for travelling! Don't forget to:

1. Build a bpf device into the kernel config file like so:

    pseudo-device bpfilter 1 #Berkeley packet filter

2. Make the device like so:

    cd /dev
    ./MAKEDEV bpf0

3. Watch for syslog messages showing when it is used like:

    de0: promiscuous mode enabled

Don't make more BPFs than you need (usually 1) and leave tcpdump running to lock it. If someone gets in and gets rootly, they can use it to sniff passwords, discover VPN links, view IPX and SNA traffic as well as TCP, and all manner of evil investigation...

Other executables you may want to build and use on BPF include:

trafshow - curses-based dynamic traffic list. Shows who your top traffic users are (host or service). Shows when you have ICMP storms and such too!

ethereal - X-based sniffer tool that I *love* showing our network folks that think Network General is the only decent sniffer vendor.

IMHO: BPF is one of the things I think Free/Net/OpenBSD do better than Linux. This was back in the old VAX BSD years ago when I worked at Tandy R&D and was interesting to read for fun and learning. I wanted it for Windows for years, but got it back with FreeBSD. Thanks bunches! - James

From owner-freebsd-security Tue Feb 2 15:49:46 1999
Date: Wed, 3 Feb 1999 10:49:29 +1100
From: Peter Jeremy
To: jwyatt@RWSystems.net
Cc: security@FreeBSD.ORG
Subject: Re: tcpdump

James Wyatt wrote:
>Don't make more BPFs than you need (usually 1)

If you use multiple network interfaces (including ppp/lpip), having a second BPF can be useful when you're trying to resolve routing problems. If you're using DHCP, you'll need a spare BPF for dhcpd.

> and leave tcpdump running
>to lock it. If someone gets in and gets rootly, they can use it to sniff

This doesn't buy you anything:
1) Anyone with root access can kill your tcpdump to grab the BPF (or just run ktrace on it to grab the output without alerting you).
2) Anyone with physical access to your network can achieve the same thing with sniffer software on a laptop.

Running tcpdump (especially in promiscuous mode) can substantially increase the load on your system. You _don't_ want to do this if your machine is on a heavily loaded network.

I've seen suggestions (I can't recall where) that you might as well "chmod 666 /dev/bpf*" to more accurately reflect the difficulty of network snooping (although I think this is going too far).

Peter

From owner-freebsd-security Tue Feb 2 15:54:57 1999
Date: Tue, 2 Feb 1999 18:56:21 -0500 (EST)
From: Ryan Kelley
To: Binh Nguyen
cc: freebsd-security@FreeBSD.ORG
Subject: Re: hosts.allow and deny!

Check out /usr/ports/security/tcp_wrapper.
You also might want to check out /etc/login.access, which gives you decent control over user logins both locally and remotely.

latez.
-ryan

On Tue, 2 Feb 1999, Binh Nguyen wrote:
> Hi!
>
> I want to ask a question. Is there a way on FreeBSD 2.2.8 that I could
> implement the hosts.allow and hosts.deny, so no one could access my server
> without being added in the hosts.allow.
> Also, is there a good admin tool for system security such as monitors
> the system, or any tools that help on how to do hosts.allow and hosts.deny.
> Thanks
>
> Binh Nguyen

From owner-freebsd-security Tue Feb 2 16:07:08 1999
Date: Tue, 2 Feb 1999 19:06:55 -0500
From: "Norman C. Rice"
To: Binh Nguyen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: hosts.allow and deny!

On Tue, Feb 02, 1999 at 11:31:40AM -0700, Binh Nguyen wrote:
> Hi!
>
> I want to ask a question. Is there a way on FreeBSD 2.2.8 that I could
> implement the hosts.allow and hosts.deny, so no one could access my server
> without being added in the hosts.allow.

Just put "ALL: ALL" in /usr/local/etc/hosts.deny for a default policy of denying everyone access to all wrapped services. Grant service access by adding an appropriate entry in /usr/local/etc/hosts.allow.

> Also, is there a good admin tool for system security such as monitors
> the system, or any tools that help on how to do hosts.allow and hosts.deny.

tcpdchk(8) will check your tcp_wrappers configuration. tcpdmatch(8) will let you check how tcp_wrappers will respond to a specific request for service. `man 5 hosts_access' and `man 5 hosts_options' should provide you with more information on how to configure the access control files.

There are several security-related monitors in the ports, e.g., arpwatch, smurflog, sniff, and sentry. You might also want to read the FreeBSD Security How-To at http://www.freebsd.org/~jkb/howto.html

--
Regards,
Norman C. Rice, Jr.

> Thanks
>
> Binh Nguyen

From owner-freebsd-security Tue Feb 2 16:10:39 1999
Date: Tue, 2 Feb 1999 19:10:11 -0500 (EST)
From: Matt Behrens
To: Binh Nguyen
cc: freebsd-security@FreeBSD.ORG
Subject: Re: hosts.allow and deny!
You need the TCP wrappers package. See /usr/ports/security/tcp_wrapper.

On Tue, 2 Feb 1999, Binh Nguyen wrote:
: Hi!
:
: I want to ask a question. Is there a way on FreeBSD 2.2.8 that I could
: implement the hosts.allow and hosts.deny, so no one could access my server
: without being added in the hosts.allow.
: Also, is there a good admin tool for system security such as monitors
: the system, or any tools that help on how to do hosts.allow and hosts.deny.
: Thanks
:
: Binh Nguyen

- Matt Behrens
Network Administrator, zigg.com
Engineer, Nameless IRC Network

From owner-freebsd-security Tue Feb 2 16:57:44 1999
Date: Tue, 2 Feb 1999 19:00:55 -0600
From: "KingJedi"
To: "ML FreeBSD Security"
Subject: Looking for something like tcpdump
I'm wondering if someone knows of a program that could help me that is secure and free ;). I'm looking for a program that will tell me how much net traffic an IP is getting, sending and receiving. The reason I ask is that I want to charge my webspace customers for traffic they generate, and to help keep an eye out for any nasty abusers who might put up some warez or something else that is illegal.

Thanks,
KingJedi
From owner-freebsd-security Tue Feb 2 17:26:03 1999
Date: Wed, 03 Feb 1999 01:32:25 GMT
From: mike@sentex.net (Mike Tancsa)
To: Binh@asu.edu (Binh Nguyen)
Cc: security@FreeBSD.ORG
Subject: Re: hosts.allow and deny!

On 2 Feb 1999 18:03:57 -0500, in sentex.lists.freebsd.misc you wrote:
>Hi!
>
> I want to ask a question. Is there a way on FreeBSD 2.2.8 that I could
>implement the hosts.allow and hosts.deny, so no one could access my server
>without being added in the hosts.allow.
> Also, is there a good admin tool for system security such as monitors
>the system, or any tools that help on how to do hosts.allow and hosts.deny.
> Thanks

There are a few tools like this in the /usr/ports/security tree. What you are after is tcpwrappers.
    cd /usr/ports/security/tcp_wrapper
    make install

Then edit /etc/inetd.conf and change the telnet line to be

    telnet stream tcp nowait root /usr/local/libexec/tcpd telnetd

Then in /usr/local/etc/hosts.deny

    ALL:ALL

In /usr/local/etc/hosts.allow

    goodhost.com

If you add auth* and authpriv.* to /etc/syslog.conf, you will see it logged to syslog. You should also look into ipfw as well.

---Mike
Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp, Waterloo, Ontario, Canada

From owner-freebsd-security Tue Feb 2 17:31:19 1999
Date: Tue, 2 Feb 1999 17:30:31 -0800
From: "Jan B. Koum"
To: KingJedi, ML FreeBSD Security
Subject: Re: Looking for something like tcpdump

On Tue, Feb 02, 1999 at 07:00:55PM -0600, KingJedi wrote:
> I'm wondering if someone knows of a program that could help me that is secure and free ;), I'm looking for a program that will tell me how much net traffic an IP is getting, sending and receiving.
> The reason I ask is that I want to charge my webspace customers for traffic they generate. And to help keep an eye out for any nasty abusers who might put up some warez or something else that is illegal.
>
> Thanks,
> KingJedi

NFR: http://www.nfr.net

It is not free - but it is open source and runs on FreeBSD.

-- Yan

From owner-freebsd-security Tue Feb 2 17:56:45 1999
Date: Tue, 2 Feb 1999 17:56:31 -0800 (PST)
From: brooks@one-eyed-alien.net
To: ML FreeBSD Security
cc: KingJedi
Subject: Re: Looking for something like tcpdump

On Tue, 2 Feb 1999, KingJedi wrote:
> I'm wondering if someone knows of a program that could help me that is
> secure and free ;), I'm looking for a program that will tell me how
> much net traffic an IP is getting, sending and receiving. The reason I
> ask is that I want to charge my webspace customers for traffic they
> generate. And to help keep an eye out for any nasty abusers who might
> put up some warez or something else that is illegal.
To monitor traffic volume on your network you want NeTraMet (http://www.auckland.ac.nz/net/NeTraMet/). It's a very general traffic metering system. It takes a bit of work to set up, but it's quite powerful and is used in a number of very large installations.

-- Brooks

From owner-freebsd-security Tue Feb 2 18:15:44 1999
Date: Tue, 2 Feb 1999 22:14:55 -0400 (AST)
From: Michael Richards <026809r@dragon.acadiau.ca>
To: KingJedi
cc: ML FreeBSD Security
Subject: Re: Looking for something like tcpdump

On Tue, 2 Feb 1999, KingJedi wrote:
> getting, sending and receiving. The reason I ask is that I want to
> charge my webspace customers for traffic they generate. And to help keep
> an eye out for any nasty abusers who might put up some warez or
> something else that is illegal.

Would it not make more sense to log all of the transfers on the machines, i.e. http and ftp logs, and then run a standard analyzer on them?
Warez sites are pretty easy to find that way. If you don't have admin access on the machines serving out the traffic, what about a firewall type setup? Sniffing on the traffic might not be the most accurate approach to billing.

-Michael

From owner-freebsd-security Tue Feb 2 19:12:09 1999
Date: Tue, 02 Feb 1999 19:12:46 -0800
From: "Jordan K. Hubbard"
To: "Jonathan M. Bresler"
cc: woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump

OK, time to raise this topic again. What do people think about enabling bpfilter by default in GENERIC?

And before everyone screams "That would not be BSD!" let me just note that NetBSD and probably OpenBSD (haven't looked) already do this.
- Jordan

From owner-freebsd-security Tue Feb 2 19:52:21 1999
Date: Tue, 2 Feb 1999 19:52:13 -0800 (PST)
From: Matthew Dillon
To: "Jordan K. Hubbard"
Cc: "Jonathan M. Bresler", woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump

:OK, time to raise this topic again. What do people think about
:enabling bpfilter by default in GENERIC?
:
:And before everyone screams "That would not be BSD!" let me just
:note that NetBSD and probably OpenBSD (haven't looked) already do
:this.
:
:- Jordan

Well, not having bpfilter enabled by default doesn't really enhance security since the kernel module loader *is* enabled by default. Still, perhaps it would be a good idea to lock out new open()s on bpf when the secure level is > 0. The module loader already disables itself when securelevel > 0.
-Matt
Matthew Dillon

From owner-freebsd-security Tue Feb 2 20:04:25 1999
Message-ID: <19990202231605.A20526@weathership.homeport.org>
Date: Tue, 2 Feb 1999 23:16:05 -0500
From: Adam Shostack
To: Yuan John Jiang, freebsd-security@FreeBSD.ORG
Subject: Re: How to do DOS checking without crashing the system?
References: <199901170358.WAA29400@cletus.cw.net>
In-Reply-To: <199901170358.WAA29400@cletus.cw.net>; from Yuan John Jiang on Sat, Jan 16, 1999 at 10:58:13PM -0500

On Sat, Jan 16, 1999 at 10:58:13PM -0500, Yuan John Jiang wrote:
| I'm thinking of using a vulnerability scanner, e.g. ISS, CyberCop, SATA
| or a homemade,
| to automate part of my security auditing of the boxes in service.
| However, how should I check for denial-of-service type of vulnerabilities,
| such as Land or Teardrop without crashing boxes and disrupting the service?
|
| I guess a simple thing to do is to check the OS version. However, I hope
| someone can suggest something more reliable.

You can learn a certain amount using TCP fingerprinting; e.g., this host is not vulnerable to this problem.
However, you can't learn that something is vulnerable to teardrop without either having some sort of agent or login on the machine to reliably get patch information, or with a 'live fire' test. (If you can think of a way to do this, it would make a fascinating paper, and/or you could sell it. I'm confident that Netect would pay for such a technique, since we want to encourage customers to do DOS testing, and encounter exactly the above problem.)

Let me point out also that keeping up with the new techniques out there and adding tests for them is more than a full-time job. The Nessus project is gathering speed, and if you're thinking of homegrowing something, you may want to consider supporting them instead. See www.nessus.org.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-freebsd-security Tue Feb 2 20:06:50 1999
Date: Tue, 2 Feb 1999 23:18:12 -0500 (EST)
From: Jon Nistor
To: security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <9575.918011566@zippy.cdrom.com>

    # network pseudo-devices
    pseudo-device   bpfilter        8       # Berkeley packet filter

8 from NetBSD, hah high number =)
._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._.
Jon Nistor                 http://www.snickers.org/          nistor@snickers.org
ICQ: 1429373    Network Operations    FP: 66 3F 1B 23 C0 AA 40    IRC: sygma/efnet #snickers

On Tue, 2 Feb 1999, Jordan K. Hubbard wrote:
-OK, time to raise this topic again. What do people think about
-enabling bpfilter by default in GENERIC?
-
-And before everyone screams "That would not be BSD!" let me just
-note that NetBSD and probably OpenBSD (haven't looked) already do
-this.
-
-- Jordan

From owner-freebsd-security Tue Feb 2 20:21:41 1999
Date: Wed, 3 Feb 1999 00:21:00 -0400 (AST)
From: Michael Richards <026809r@dragon.acadiau.ca>
To: "Jordan K. Hubbard"
cc: security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <9575.918011566@zippy.cdrom.com>

On Tue, 2 Feb 1999, Jordan K. Hubbard wrote:
> OK, time to raise this topic again. What do people think about
> enabling bpfilter by default in GENERIC?

I would think that the majority of us do not use the bpfilter by default. My personal opinion (whether correct or not) is that it is more secure this way. Many kiddiez have scripts to automate tcpdumping for passwords and other such nasties, and having to compile a bpf module and load it is beyond many people. (I admit I'd have to go find some instructions)

-Michael

From owner-freebsd-security Tue Feb 2 20:25:35 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
To: James Wyatt
Date: Wed, 3 Feb 1999 17:25:25 +1300
Subject: Re: what were these probes?
Reply-to: junkmale@xtra.co.nz
CC: Mike Holling, freebsd-security@FreeBSD.ORG
References: <19990202065625.CSGF678125.mta2-rme@wocker>
Message-Id: <19990203042530.GQPY682101.mta1-rme@wocker>

On 2 Feb 99, at 15:56, James Wyatt wrote:
> On Tue, 2 Feb 1999, Dan Langille wrote:
> > On 1 Feb 99, at 22:28, Mike Holling wrote:
> > > > Tonight I found these entries in my log files. What were they looking
> > > > for? Was this a spammer looking for exploits?
> > > My offhand guess is that this was indeed some kind of automated script
> > > looking for a set of known security holes.
> > Looks that way to me too. Messages I've received off list seem to
> > indicate that the http probes were well known exploits. And they all
> > failed. It seems that the security in place has done its job.
> Notice that they are coming from a hostname beginning ns.*.com. Looks
> like someone's nameserver wasn't as lucky as your webserver... 8{(
> FWIW, they appear to be online again.
--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Tue Feb 2 20:25:41 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
To: ira miller
Date: Wed, 3 Feb 1999 17:25:25 +1300
Subject: Re: Thanks!! :)
Reply-to: junkmale@xtra.co.nz
Message-Id: <19990203042535.GQQH682101.mta1-rme@wocker>

On 2 Feb 99, at 17:10, ira miller wrote:
> I appreciate it...the machine is up and running with freebsd. One question
> though, I have an Intel Etherexpress pro 100mb card in the machine, and it
> was listed in the kernel config. How do I get the machine to recognize the
> network? (the network uses TCP/IP only) we have a router out to the
> internet also. I thought I did it correctly, but I don't know unix well
> enough to figure out how to check.

You are welcome. And welcome to FreeBSD!

I don't know. But I'll cc this reply to the questions mailing list and it might be answered there.
--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Tue Feb 2 20:35:54 1999
Date: Tue, 2 Feb 1999 23:35:47 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: "Jordan K. Hubbard"
cc: "Jonathan M. Bresler", woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <9575.918011566@zippy.cdrom.com>

On Tue, 2 Feb 1999, Jordan K. Hubbard wrote:
> OK, time to raise this topic again. What do people think about
> enabling bpfilter by default in GENERIC?
>
> And before everyone screams "That would not be BSD!" let me just
> note that NetBSD and probably OpenBSD (haven't looked) already do
> this.

I'd love to see this. This would enable applications like DHCP out of the box, which is probably desirable from a notebook perspective.
As Matt points out, the security limitations are not very clear: the securelevel code generally requires a lot of modifications to the base system, so my temptation is to ignore the issue, but create a securelevel man page that discusses "things to do in making a securelevel-friendly system", and add to it: disable bpf.

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Tue Feb 2 20:38:04 1999
Date: Wed, 3 Feb 1999 15:37:34 +1100
From: Peter Jeremy
Subject: Re: tcpdump
To: jkh@zippy.cdrom.com
Cc: security@FreeBSD.ORG
Message-Id: <99Feb3.152750est.40350@border.alcanet.com.au>

"Jordan K. Hubbard" wrote:
>OK, time to raise this topic again. What do people think about
>enabling bpfilter by default in GENERIC?

I personally think it would be a good idea.
AFAIK, bpfilter is needed for:
a) network debugging (eg using tcpdump)
b) network monitoring (eg using ethereal)
c) DHCP client

My understanding is that FreeBSD is trying to reach the point where a `typical' user without any weird peripherals never needs to compile a kernel - GENERIC combined with the boot-time configuration editor is sufficient to customise the kernel.

I think it's a bit anomalous that tcpdump is part of the base system, but the system needs to be re-configured to use it. I don't believe there are any other utilities in this class. This is also a tool that a user is likely to be asked to use if he asks a tricky network-related question.

Similarly, I believe that the use of DHCP is going to increase (with things like cable-modems becoming more common). It's worthwhile noting that there was recently a posting on ISC's dhcp-client mailing list which noted that FreeBSD's default configuration generates regular mail from FreeBSD people having problems with dhcpd (because there's no bpfilter by default).

Peter

From owner-freebsd-security Tue Feb 2 20:43:42 1999
To: Robert Watson
cc: "Jonathan M. Bresler", woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
In-reply-to: Your message of "Tue, 02 Feb 1999 23:35:47 EST."
Date: Tue, 02 Feb 1999 20:44:19 -0800
Message-ID: <10028.918017059@zippy.cdrom.com>
From: "Jordan K. Hubbard"

Well, Garrett is quite against it but I will note that it's the DHCP people complaining to me that they were getting FreeBSD tech support calls where they didn't get any for NetBSD that got me thinking about it again. Since the guy doing DHCP support is also Ted Lemon, he probably just tells them to load NetBSD and stop dinking with a toy operating system. :-)

Actually, I'm sure that Ted doesn't say this, but it'd still be a shame if we ended up losing this functionality issue on security arguments when and if it later became clear that no real security was being imparted (the old "leave the window open and the door locked" fallacy).

- Jordan

From owner-freebsd-security Tue Feb 2 20:46:58 1999
Date: Tue, 2 Feb 1999 23:46:47 -0500 (EST)
From: Garrett Wollman
Message-Id: <199902030446.XAA23158@khavrinen.lcs.mit.edu>
To: Matthew Dillon
Cc: "Jordan K. Hubbard", "Jonathan M. Bresler", woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <199902030352.TAA42425@apollo.backplane.com>
References: <9575.918011566@zippy.cdrom.com> <199902030352.TAA42425@apollo.backplane.com>

< said:
> Well, not having bpfilter enabled by default doesn't
> really enhance security since the kernel module loader
> *is* enabled by default.

It still appears to be beyond the pale of the script kiddies to rewrite an Ethernet driver in order to enable it to hand off packets to BPF. Hopefully it will stay that way for a little while longer.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Feb 2 20:58:40 1999
To: Garrett Wollman
cc: Matthew Dillon, "Jonathan M. Bresler", woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
In-reply-to: Your message of "Tue, 02 Feb 1999 23:46:47 EST." <199902030446.XAA23158@khavrinen.lcs.mit.edu>
Date: Tue, 02 Feb 1999 20:59:04 -0800
Message-ID: <10089.918017944@zippy.cdrom.com>
From: "Jordan K. Hubbard"

> It still appears to be beyond the pale of the script kiddies to
> rewrite an Ethernet driver in order to enable it to hand off packets
> to BPF. Hopefully it will stay that way for a little while longer.

Ummmm. Let me just note for the record that the skill of the script kiddies is essentially irrelevant here since their defining attribute is to use scripts that others have written. All it will take is one semi-intelligent cracker type to write an exploit and associated LKD module, then the rest will just run it blindly or whenever they've gained root by other means.

- Jordan

From owner-freebsd-security Tue Feb 2 21:06:34 1999
From: Mark Newton
Message-Id: <199902030505.PAA19809@frenzy.ct>
Subject: Re: tcpdump
In-Reply-To: from Robert Watson at "Feb 2, 99 11:35:47 pm"
To: robert+freebsd@cyrus.watson.org
Date: Wed, 3 Feb 1999 15:35:44 +1030 (CDT)
Cc: jkh@zippy.cdrom.com, jmb@FreeBSD.ORG, woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG

Robert Watson wrote:
> As Matt points out, the security limitations are not very clear: the
> securelevel code generally requires a lot of modifications to the base
> system, so my temptation is to ignore the issue, but create a securelevel
> man page that discusses "things to do in making a securelevel-friendly
> system", and add to it: disable bpf.

In case this hasn't already been suggested (and apologies if it has):

Make opens on /dev/bpf* fail if securelevel > 0

- mark

---
Mark Newton                               Email:  newton@camtech.com.au
Systems Engineer and Senior Trainer       Phone:  +61-8-8303-3300
Camtech (SA), a member of the             Fax:    +61-8-8303-4403
CAMTECH group of companies                WWW:    http://www.camtech.com.au

From owner-freebsd-security Tue Feb 2 21:07:03 1999
Date: Tue, 2 Feb 1999 21:06:57 -0800 (PST)
From: Matthew Dillon
Message-Id: <199902030506.VAA42930@apollo.backplane.com>
To: "Jordan K. Hubbard"
Cc: Garrett Wollman, "Jonathan M. Bresler", woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
References: <10089.918017944@zippy.cdrom.com>

:
:> It still appears to be beyond the pale of the script kiddies to
:> rewrite an Ethernet driver in order to enable it to hand off packets
:> to BPF. Hopefully it will stay that way for a little while longer.
:
:Ummmm. Let me just note for the record that the skill of the script
:kiddies is essentially irrelevant here since their defining attribute
:is to use scripts that others have written. All it will take is one
:semi-intelligent cracker type to write an exploit and associated LKD
:module, then the rest will just run it blindly or whenever they've
:gained root by other means.
:
:- Jordan

I can clear this up instantly: I've seen the scripts to do it.
-Matt
Matthew Dillon

From owner-freebsd-security Tue Feb 2 21:31:48 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
To: "Dan Langille"
Date: Wed, 3 Feb 1999 18:31:33 +1300
Subject: Re: Thanks!! :)
Reply-to: junkmale@xtra.co.nz
In-reply-to: <19990203042535.GQQH682101.mta1-rme@wocker>
Message-Id: <19990203053136.HCBX682101.mta1-rme@wocker>

On 3 Feb 99, at 17:25, Dan Langille wrote:
> I don't know. But I'll cc this reply to the questions mailing list and it
> might be answered there.

I've noticed my mistake and sent a copy to -questions. Sorry.
--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Tue Feb 2 21:43:29 1999
Date: Wed, 3 Feb 1999 00:43:13 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: Mark Newton
cc: jkh@zippy.cdrom.com, jmb@FreeBSD.ORG, woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <199902030505.PAA19809@frenzy.ct>

On Wed, 3 Feb 1999, Mark Newton wrote:
> Robert Watson wrote:
>
> > As Matt points out, the security limitations are not very clear: the
> > securelevel code generally requires a lot of modifications to the base
> > system, so my temptation is to ignore the issue, but create a securelevel
> > man page that discusses "things to do in making a securelevel-friendly
> > system", and add to it: disable bpf.
>
> In case this hasn't already been suggested (and apologies if it has):
> Make opens on /dev/bpf* fail if securelevel > 0

It has been suggested, but I'm not sure that there are adequate advantages to this method.
Let us consider two cases:

a) dhcpd or dhclient is run *before* bumping securelevel so that it may continue to use bpf afterwards. This increases the running of risky code before securelevels are enacted, and if the daemon dies, you have to reboot.

b) Nasty malicious process comes along after securelevel is bumped, and attaches to dhcpd/dhclient with a debugger to take advantage of it, or manipulates its cache files, etc.

In both cases, securelevels and this feature alone have not helped you. Keep in mind that securelevels are designed to protect the kernel against root users, not to prevent access to the network layer. It is not clear to me that the desired bpf functionality is consistent with the goals of securelevels, nor that it may be implemented in a consistent way. Bpf does not put the kernel at risk (except if we're running entirely diskless, and I suspect that then your protocols should be protecting you, not the lack of sniffing via Bpf). All it takes is one host on an ethernet broken into to render the bpf protection useless on any host.

I suggest we restrict securelevels to preventing the installation of trojan horses and manipulation of base system files. Securelevels are generally not about protecting the running system against attacks in as much as limiting the damage in the long run. Without adding yet more features (protected processes, etc) the Bpf restriction is fairly useless (see a above); let's first implement those others and then see how Bpf fits into the scheme once the framework is in place.

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
                                      http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Tue Feb 2 21:45:16 1999
Date: Tue, 2 Feb 1999 23:32:12 -0600 (CST)
From: James Wyatt
To: Peter Jeremy
cc: security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <99Feb3.103940est.40334@border.alcanet.com.au>

On Wed, 3 Feb 1999, Peter Jeremy wrote:
> James Wyatt wrote:
> >Don't make more BPFs than you need (usually 1)
> If you use multiple network interfaces (including ppp/lpip), having a
> second BPF can be useful when you're trying to resolve routing problems.
> If you're using DHCP, you'll need a spare BPF for dhcpd.

The line you quote above says make two if you need two. We don't have DHCP on this campus yet, but will 99Q2. Thanks for the hint about dhcpd...

> > and leave tcpdump running
> >to lock it. If someone gets in and gets rootly, they can use it to sniff
> This doesn't buy you anything:
> 1) Anyone with root access can kill your tcpdump to grab the BPF
> (or just run ktrace on it to grab the output without alerting you).
Most folks who get in and run scripts don't ktrace, and the load would be noticeable, but you are right about the vulnerability. I was more stating that if they have to kill something, you might notice the dead session...

> 2) Anyone with physical access to your network can achieve the same
> thing with sniffer software on a laptop.

Absolutely. I've had folks ask about locking MAC addresses on managed hubs for this reason. Doesn't help when you have desktop hubs, though. It is another reason to unpatch unused ENet outlets as well. They can also install a Win32 sniffer on office boxes with Back Orifice (a really cool tool at times). I do what I can on my hosts and firewall the rest, but I'm not deluded into thinking I'm solving the world's problems.

btw: If *I* have it on *my* laptop that's a feature... 8{)

> Running tcpdump (especially in promiscuous mode) can substantially
> increase the load on your system. You _don't_ want to do this if
> your machine is on a heavily loaded network.

Restricting tcpdump by host/port/protocol/etc can help this a lot, but the card and driver still consume more CPU in promiscuous mode. On the laptop, we have to restrict or it drops packets with the 486. 8{(

> I've seen suggestions (I can't recall where) that you might as well
> "chmod 666 /dev/bpf*" to more accurately reflect the difficulty of
> network snooping (although I think this is going too far).

As currently set, you still have to break root on a host that has the interfaces you want. In a switched environment, try for a boundary host.
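The promiscuous-mode point James and Peter make above, turned into a host-side check (an added example, not code from anyone in this thread): tcpdump and other bpf users flip the interface into promiscuous mode, and the kernel logs that transition, so a defender can reconcile those log lines with the PROMISC flag that ifconfig reports and notice a sniffer that was started, or a log that no longer matches reality. It assumes the usual FreeBSD wording `ifname: promiscuous mode enabled`; the syslog and ifconfig samples are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Reconciles kernel log transitions
# ("<ifname>: promiscuous mode enabled|disabled", the wording FreeBSD's
# ifpromisc() uses, assumed here) with the live PROMISC flag in ifconfig.

# CONSTRUCTED syslog sample: host name, times and interfaces are made up.
SAMPLE_LOG='Feb  3 00:12:41 gw /kernel: fxp0: promiscuous mode enabled
Feb  3 00:12:42 gw /kernel: xl0: promiscuous mode enabled
Feb  3 00:13:05 gw /kernel: xl0: promiscuous mode disabled
Feb  3 00:20:17 gw sshd[412]: connect from 192.0.2.10
Feb  3 00:31:09 gw /kernel: fxp0: promiscuous mode enabled'

# CONSTRUCTED ifconfig(8)-style output consistent with the log above.
SAMPLE_IFCONFIG='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384'

# CONSTRUCTED variant where xl0 is promiscuous although the log says it
# was switched off: the failure mode (rotated or edited log) to catch.
SAMPLE_IFCONFIG_STALE='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384'

# promisc_state: stdin = syslog lines; stdout = "<ifname> <state>" giving
# each interface's LAST logged transition, sorted by interface name.
promisc_state() {
    awk '
        /: promiscuous mode (enabled|disabled)$/ {
            n = split($0, f, ": ")      # f[n-1] is the interface name
            state[f[n-1]] = $NF         # "enabled" or "disabled"
        }
        END { for (i in state) print i, state[i] }
    ' | sort
}

# promisc_enable_count: stdin = syslog lines; stdout = "<ifname> <count>"
# of enable events. Repeated enables on one interface mean repeated
# sniffer starts, worth a look even if the interface is "off" right now.
promisc_enable_count() {
    awk '
        /: promiscuous mode enabled$/ {
            n = split($0, f, ": ")
            count[f[n-1]]++
        }
        END { for (i in count) print i, count[i] }
    ' | sort
}

# promisc_now_from_log: interfaces whose last logged transition was "enabled".
promisc_now_from_log() {
    promisc_state | awk '$2 == "enabled" { print $1 }'
}

# promisc_now_from_ifconfig: stdin = ifconfig output; stdout = interfaces
# whose flags word carries PROMISC (indented address lines never match).
promisc_now_from_ifconfig() {
    awk -F'[: ]' '/^[a-z]+[0-9]+: flags=/ && /<[^>]*PROMISC[^>]*>/ { print $1 }' | sort
}

# promisc_mismatch: interfaces present in one view but not the other.
# $1 = file of syslog lines, $2 = file of ifconfig output. Empty output
# means the log and the live flags agree.
promisc_mismatch() {
    log_view=$(promisc_now_from_log < "$1")
    live_view=$(promisc_now_from_ifconfig < "$2")
    printf '%s\n' "$log_view" "$live_view" | grep -v '^$' | sort | uniq -u
}

# Demo over the constructed samples (only touches temp files).
demo_log=$(mktemp) && demo_if=$(mktemp) && demo_stale=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
printf '%s\n' "$SAMPLE_IFCONFIG" > "$demo_if"
printf '%s\n' "$SAMPLE_IFCONFIG_STALE" > "$demo_stale"
echo "last transition per interface:"; promisc_state < "$demo_log"
echo "enable events per interface:";   promisc_enable_count < "$demo_log"
echo "log vs live (consistent):";      promisc_mismatch "$demo_log" "$demo_if"
echo "log vs live (stale log):";       promisc_mismatch "$demo_log" "$demo_stale"
rm -f "$demo_log" "$demo_if" "$demo_stale"
```

On a real host the inputs would be /var/log/messages and `ifconfig -a`; an interface reported by only one of the two views is the thing to investigate.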
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 2 21:51:22 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA26099 for freebsd-security-outgoing; Tue, 2 Feb 1999 21:51:22 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA26079 for ; Tue, 2 Feb 1999 21:51:16 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id AAA26332; Wed, 3 Feb 1999 00:48:34 -0500 (EST) Date: Wed, 3 Feb 1999 00:48:34 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Michael Richards <026809r@dragon.acadiau.ca> cc: "Jordan K. Hubbard" , security@FreeBSD.ORG Subject: Re: tcpdump In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 3 Feb 1999, Michael Richards wrote: > On Tue, 2 Feb 1999, Jordan K. Hubbard wrote: > > > OK, time to raise this topic again. What to people think about > > enabling bpfilter by default in GENERIC? > > I would think that the majority of us do not use the bpfilter by default. > My personal opinion (whether correct or not) is that it is more secure > this way. Many kiddiez have scripts to automate tcpdumping for passwords > and other such nasties and having to compile a bpf module and load it is > beyond many people. (I admit I'd have to go find some instructions) Security by obscurity in that form works only until the first script-author writes script-kiddie-script-#20 which automates the process. And it's not such a complicated task that some bored hacker won't write it into tomorrow's rootkit. 
Bpfilter is a useful piece of functionality required for dhcp, a service that is increasingly popular. Even *Windows* ships with DHCP as a basic supported service, and as such, many public networks assume DHCP as a capability. Since Windows also tends to require DHCP servers for correct functioning, having FreeBSD capable of serving DHCP without a kernel recompile also sounds useful. It also makes a great debugging tool (we leave lots of debugging tools in place in the default install). Additionally, in the default install securelevels protect against few if any attacks that they are designed to prevent. The kernel may have the schg flag set, but /etc/rc doesn't out of the box. And I suspect that arguing it should out of the box is asking for trouble when joe-new-user can't set up rc.conf because *it* also has to be schg. I suspect still what we need is a man 8 securelevel (or something) with a list of guidelines, possibly based in the security -howto, etc. I am all for securing the base system; I just suspect that not enabling bpfilter by default does little to help without a more concerted security context, but does prevent basic necessary functionality. Robert N Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. 
http://www.tis.com/ SafePort Network Services http://www.safeport.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 2 21:56:34 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA26964 for freebsd-security-outgoing; Tue, 2 Feb 1999 21:56:34 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA26946; Tue, 2 Feb 1999 21:56:28 -0800 (PST) (envelope-from archie@whistle.com) Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id VAA20742; Tue, 2 Feb 1999 21:55:46 -0800 (PST) Received: from bubba.whistle.com( 207.76.205.7) by whistle.com via smap (V2.0) id xma020738; Tue, 2 Feb 99 21:55:25 -0800 Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id VAA11963; Tue, 2 Feb 1999 21:55:24 -0800 (PST) From: Archie Cobbs Message-Id: <199902030555.VAA11963@bubba.whistle.com> Subject: Re: tcpdump In-Reply-To: <9575.918011566@zippy.cdrom.com> from "Jordan K. Hubbard" at "Feb 2, 99 07:12:46 pm" To: jkh@zippy.cdrom.com (Jordan K. Hubbard) Date: Tue, 2 Feb 1999 21:55:24 -0800 (PST) Cc: jmb@FreeBSD.ORG, woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jordan K. Hubbard writes: > OK, time to raise this topic again. What to people think about > enabling bpfilter by default in GENERIC? > > And before everyone screams "That would not be BSD!" let me just > note that NetBSD and probably OpenBSD (haven't looked) already do > this. I would vote for including it (you have to be root to use it though, right?)... why not? 
-Archie ___________________________________________________________________________ Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 2 22:27:28 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA03172 for freebsd-security-outgoing; Tue, 2 Feb 1999 22:27:28 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA03161 for ; Tue, 2 Feb 1999 22:27:25 -0800 (PST) (envelope-from benedict@echonyc.com) Received: from localhost by echonyc.com (8.9.1/8.9.1) with ESMTP id BAA22764; Wed, 3 Feb 1999 01:27:12 -0500 (EST) Date: Wed, 3 Feb 1999 01:27:12 -0500 (EST) From: Snob Art Genre Reply-To: ben@rosengart.com To: "Jordan K. Hubbard" cc: security@FreeBSD.ORG Subject: Re: tcpdump In-Reply-To: <9575.918011566@zippy.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Feb 1999, Jordan K. Hubbard wrote: > OK, time to raise this topic again. What to people think about > enabling bpfilter by default in GENERIC? I like it better the way it is; I think enabling bpfilter by default is too friendly to crackers. I also like Matt's idea of not allowing open()s on the bpf device when the securelevel is greater than 0. Sniffing the network is definitely not something everyone needs to do, and setting it up is not so difficult anyway. Ben "You have your mind on computers, it seems." 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 2 22:29:44 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA03731 for freebsd-security-outgoing; Tue, 2 Feb 1999 22:29:44 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cscfx.sytex.com (cscfx.sytex.com [205.147.190.131]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id WAA03725 for ; Tue, 2 Feb 1999 22:29:42 -0800 (PST) (envelope-from rwc@cscfx.sytex.com) Received: (from rwc@localhost) by cscfx.sytex.com (8.6.12/8.6.9) id BAA01462; Wed, 3 Feb 1999 01:28:43 -0500 From: Richard Cramer Message-Id: <199902030628.BAA01462@cscfx.sytex.com> Subject: Re: tcpdump inclusion in GENERIC To: jkh@zippy.cdrom.com (Jordan K. Hubbard) Date: Wed, 3 Feb 1999 01:28:43 -0500 (EST) Cc: freebsd-security@FreeBSD.ORG Reply-To: rcramer@sytex.net In-Reply-To: <9575.918011566@zippy.cdrom.com> from "Jordan K. Hubbard" at Feb 2, 99 07:12:46 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > OK, time to raise this topic again. What to people think about > enabling bpfilter by default in GENERIC? I vote YES. Greater than 50% of rebuilding the kernel is to include bpfilter. Dick --- Richard Cramer rcramer@sytex.net Phone: 703-425-2515 President Fax: 703-425-4585 SytexNet(tm) Sytex Access Ltd. 
POB 2385, Fairfax, VA 22031-0385 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 00:08:26 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA20145 for freebsd-security-outgoing; Wed, 3 Feb 1999 00:08:26 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.gamespot.com (ns2.gamespot.com [206.169.18.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA20137 for ; Wed, 3 Feb 1999 00:08:23 -0800 (PST) (envelope-from ian@gamespot.com) Received: from localhost (ian@localhost) by mail.gamespot.com (8.9.0/8.9.0) with SMTP id AAA04040 for ; Wed, 3 Feb 1999 00:08:20 -0800 (PST) Date: Wed, 3 Feb 1999 00:08:20 -0800 (PST) From: Ian Kallen To: security@FreeBSD.ORG Subject: Re: tcpdump In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org For whatever my .02 are worth in all this, I think the point made below is a key point. On Wed, 3 Feb 1999, Robert Watson wrote: :I am all for securing the base system; I just suspect that not enabling :bpfilter by default does little to help without a more concerted security :context, but does prevent basic necessary functionality. If the context includes a system with wrappers installed by default, configured in inetd.conf, ALL:ALL in hosts.deny copiously commented with how to populate hosts.allow (and include one with commented examples), a more demanding passwd program (and one of these days I'll send in my patch to useradd that enforces good passwords and sets password and account expirations :), maybe tripwire installed & run by default and other beefing up measures, I'd be all for having bpf on board out of the box. Since a growing number of people who are new to Unix are installing, I think a conservative stance needs to be taken. 
I keep hearing of people who've been rooted 'cause they heard about these great non-MS OS in the popular press and they blithely install not realizing that their fly is down when they connect to the network. 'course, the victims are usually using very old distribution CD's (complete with old poppers and imapd) or Linux but since we can, I'd rather err on the side of conservatism anyway. -- Ian Kallen ICQ: 17073910 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 00:48:32 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA25106 for freebsd-security-outgoing; Wed, 3 Feb 1999 00:48:32 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA25087; Wed, 3 Feb 1999 00:48:26 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id TAA25279; Wed, 3 Feb 1999 19:48:03 +1100 (EDT) From: Darren Reed Message-Id: <199902030848.TAA25279@cheops.anu.edu.au> Subject: Re: tcpdump To: dillon@apollo.backplane.com (Matthew Dillon) Date: Wed, 3 Feb 1999 19:48:03 +1100 (EDT) Cc: jkh@zippy.cdrom.com, jmb@FreeBSD.ORG, woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG In-Reply-To: <199902030352.TAA42425@apollo.backplane.com> from "Matthew Dillon" at Feb 2, 99 07:52:13 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Matthew Dillon, sie said: > > :OK, time to raise this topic again. What to people think about > :enabling bpfilter by default in GENERIC? > : > :And before everyone screams "That would not be BSD!" let me just > :note that NetBSD and probably OpenBSD (haven't looked) already do > :this. 
> : > :- Jordan > > Well, not having bpfilter enabled by default doesn't > really enhance security since the kernel module loader > *is* enabled by default. Still, perhaps it would be > a good idea to lockout new open()'s on bpf when the > secure level is > 0. The module loader already disables > itself when securelevel > 0. I think not. *maybe* disallow promiscuous mode. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 00:50:31 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA25393 for freebsd-security-outgoing; Wed, 3 Feb 1999 00:50:31 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA25385; Wed, 3 Feb 1999 00:50:27 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id TAA25314; Wed, 3 Feb 1999 19:50:19 +1100 (EDT) From: Darren Reed Message-Id: <199902030850.TAA25314@cheops.anu.edu.au> Subject: Re: tcpdump To: jkh@zippy.cdrom.com (Jordan K. Hubbard) Date: Wed, 3 Feb 1999 19:50:18 +1100 (EDT) Cc: jmb@FreeBSD.ORG, woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG In-Reply-To: <9575.918011566@zippy.cdrom.com> from "Jordan K. Hubbard" at Feb 2, 99 07:12:46 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Jordan K. Hubbard, sie said: > > OK, time to raise this topic again. What to people think about > enabling bpfilter by default in GENERIC? What are the implications for the kernel size for boot floppies ? Any repercussions for low memory pc's ? IMHO, that is the only reason (oh, and stability) for enabling/disabling things in GENERIC. 
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 00:51:01 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA25465 for freebsd-security-outgoing; Wed, 3 Feb 1999 00:51:01 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from suburbia.net (gw.iq.org [203.4.184.233]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id AAA25456 for ; Wed, 3 Feb 1999 00:50:56 -0800 (PST) (envelope-from proff@suburbia.net) From: proff@suburbia.net Received: (qmail 1689 invoked by uid 110); 3 Feb 1999 08:50:51 -0000 Message-ID: <19990203085051.1688.qmail@suburbia.net> Subject: Re: tcpdump In-Reply-To: <99Feb3.152750est.40350@border.alcanet.com.au> from Peter Jeremy at "Feb 3, 99 03:37:34 pm" To: peter.jeremy@auss2.alcatel.com.au (Peter Jeremy) Date: Wed, 3 Feb 1999 19:50:51 +1100 (EST) Cc: jkh@zippy.cdrom.com, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > AFAIK, bpfilter is needed for: > a) network debugging (eg using tcpdump) > b) network monitoring (eg using ethereal) > c) DHCP client d) rarpd e) ntop f) trafshow g) nmap h) no doubt others Frankly I'm sick of seeing anal security idiots undermining useful functionality. I don't see why we should let this useless, whinging segment of the network community, which spends all its time working out new ways to prevent people doing anything, shove their uncreative, bankrupt and wholly paranoid philosophy down everyone else's throats. 
Julian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 00:54:27 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA26138 for freebsd-security-outgoing; Wed, 3 Feb 1999 00:54:27 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA26114 for ; Wed, 3 Feb 1999 00:54:20 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id TAA25368; Wed, 3 Feb 1999 19:54:05 +1100 (EDT) From: Darren Reed Message-Id: <199902030854.TAA25368@cheops.anu.edu.au> Subject: Re: Looking for something like tcpdump To: kingjedi@gzero.org (KingJedi) Date: Wed, 3 Feb 1999 19:54:04 +1100 (EDT) Cc: security@FreeBSD.ORG In-Reply-To: <002301be4f10$a82dd6c0$010101c6@webhosting.asd> from "KingJedi" at Feb 2, 99 07:00:55 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from KingJedi, sie said: > > I'm wondering if someone knows of a program that could help me that is > secure and free ;), I'm looking for a program that will tell me how much > net traffic an IP is getting, sending and receiving. The reason I ask is > that I want to charge my webspace customers for traffic they generate. > And to help keep an eye out for any nasty abusers who might put up some > warez or something else that is illegal. There used to be a package called "nnstat" which sampled traffic and generated extrapolated reports. I don't know if that's still used now, most people just use counters from their routers, etc, these days. If you need this to run on FreeBSD, install IP Filter and use the accounting rules. 
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 01:30:42 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA01950 for freebsd-security-outgoing; Wed, 3 Feb 1999 01:30:42 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA01926 for ; Wed, 3 Feb 1999 01:30:33 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id KAA23465; Wed, 3 Feb 1999 10:29:16 +0100 (CET) To: Peter Jeremy cc: jkh@zippy.cdrom.com, security@FreeBSD.ORG Subject: Re: tcpdump In-reply-to: Your message of "Wed, 03 Feb 1999 15:37:34 +1100." <99Feb3.152750est.40350@border.alcanet.com.au> Date: Wed, 03 Feb 1999 10:29:16 +0100 Message-ID: <23463.918034156@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <99Feb3.152750est.40350@border.alcanet.com.au>, Peter Jeremy writes: >"Jordan K. Hubbard" wrote: >>OK, time to raise this topic again. What to people think about >>enabling bpfilter by default in GENERIC? > >I personally think it would be a good idea. I'm for. -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 02:33:21 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA08205 for freebsd-security-outgoing; Wed, 3 Feb 1999 02:33:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mailbox2.ucsd.edu (mailbox2.ucsd.edu [132.239.1.54]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA08199 for ; Wed, 3 Feb 1999 02:33:20 -0800 (PST) (envelope-from rjdawes@physics.ucsd.edu) Received: from physics.ucsd.edu (leucadia.ucsd.edu [132.239.69.130]) by mailbox2.ucsd.edu (8.9.1a/8.9.1) with SMTP id CAA26926 for ; Wed, 3 Feb 1999 02:33:19 -0800 (PST) Received: from localhost by physics.ucsd.edu (SMI-8.6/SMI-SVR4) id CAA21641; Wed, 3 Feb 1999 02:31:36 -0800 Date: Wed, 3 Feb 1999 02:31:36 -0800 (PST) From: "Richard J. Dawes" X-Sender: rjdawes@leucadia Reply-To: Richard Dawes To: security@FreeBSD.ORG Subject: Re: tcpdump In-Reply-To: <199902030850.TAA25314@cheops.anu.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >From "LINT": "The `bpfilter' pseudo-device enables the Berkely Packet Filter. Be aware of the LEGAL and administrative consequences of enabling this option." [emphasis mine] That there isn't word one about security implications notwithstanding, I am forced to wonder if there were not some more legalistic reason behind the decision to leave `bpfilter' unenabled in GENERIC. Interestingly, neither bpf.c nor bpf(4) is any more enlightening, on either point. ======================================== Richard J. 
Dawes rdawes@ucsd.edu ======================================== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 04:03:12 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA19006 for freebsd-security-outgoing; Wed, 3 Feb 1999 04:03:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA18998 for ; Wed, 3 Feb 1999 04:03:07 -0800 (PST) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id NAA16718; Wed, 3 Feb 1999 13:03:03 +0100 (CET) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id NAA18873; Wed, 3 Feb 1999 13:03:01 +0100 (MET) Date: Wed, 3 Feb 1999 13:03:01 +0100 From: Eivind Eklund To: "Jordan K. Hubbard" Cc: Robert Watson , security@FreeBSD.ORG Subject: Re: tcpdump Message-ID: <19990203130301.J8749@bitbox.follo.net> References: <10028.918017059@zippy.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <10028.918017059@zippy.cdrom.com>; from Jordan K. Hubbard on Tue, Feb 02, 1999 at 08:44:19PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Feb 02, 1999 at 08:44:19PM -0800, Jordan K. Hubbard wrote: > Well, Garrett is quite against it but I will note that it's the DHCP > people complaining to me that they were getting FreeBSD tech support > calls where they didn't get any for NetBSD that got me thinking about > it again. Since the guy doing DHCP support is also Ted Lemon, he > probably just tells them to load NetBSD and stop dinking with a toy > operating system. 
:-) > > Actually, I'm sure that Ted doesn't say this, but it'd still be a > shame if we ended up losing this functionality issue on security > arguments when and if it later became clear that no real security was > being imparted (the old "leave the window open and the door locked" > fallacy). There is one way around this that give us most of the advantages at reasonably low security cost. Add a securelevel-like knob for bpf, and default to turning it off somewhat into rc - after running rc.conf. This forces crackers to reboot the machine to get at bpf, which at least is much more likely to be noticed. Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 04:23:34 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA23388 for freebsd-security-outgoing; Wed, 3 Feb 1999 04:23:34 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA23371 for ; Wed, 3 Feb 1999 04:23:26 -0800 (PST) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id NAA18362; Wed, 3 Feb 1999 13:23:22 +0100 (CET) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id NAA18941; Wed, 3 Feb 1999 13:23:22 +0100 (MET) Date: Wed, 3 Feb 1999 13:23:21 +0100 From: Eivind Eklund To: Robert Watson Cc: Michael Richards <026809r@dragon.acadiau.ca>, "Jordan K. 
Hubbard" , security@FreeBSD.ORG Subject: Re: tcpdump Message-ID: <19990203132321.K8749@bitbox.follo.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: ; from Robert Watson on Wed, Feb 03, 1999 at 12:48:34AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Feb 03, 1999 at 12:48:34AM -0500, Robert Watson wrote: > On Wed, 3 Feb 1999, Michael Richards wrote: > > > On Tue, 2 Feb 1999, Jordan K. Hubbard wrote: > > > > > OK, time to raise this topic again. What to people think about > > > enabling bpfilter by default in GENERIC? > > > > I would think that the majority of us do not use the bpfilter by default. > > My personal opinion (whether correct or not) is that it is more secure > > this way. Many kiddiez have scripts to automate tcpdumping for passwords > > and other such nasties and having to compile a bpf module and load it is > > beyond many people. (I admit I'd have to go find some instructions) > > Security by obscurity in that form works only until the first > script-author writes script-kiddie-script-#20 which automates the process. > And it's not such a complicated task that some bored hacker won't write it > into tomorrow's rootkit. This is not correct. Having BPF support in the kernel also add code to the drivers to support it. It is not possible to compile up as a module without also replacing the drivers. Don't take this as me being against 'pseudo-device bpfilter' in GENERIC; I'm agnostic on that issue. Eivind. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 04:47:11 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA26401 for freebsd-security-outgoing; Wed, 3 Feb 1999 04:47:11 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from weathership.homeport.org (weathership.homeport.org [207.31.235.99]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA26394; Wed, 3 Feb 1999 04:47:09 -0800 (PST) (envelope-from adam@weathership.homeport.org) Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id HAA22702; Wed, 3 Feb 1999 07:58:55 -0500 (EST) Message-ID: <19990203075855.A22692@weathership.homeport.org> Date: Wed, 3 Feb 1999 07:58:55 -0500 From: Adam Shostack To: Robert Watson , "Jordan K. Hubbard" Cc: "Jonathan M. Bresler" , woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG Subject: Re: tcpdump References: <9575.918011566@zippy.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93i In-Reply-To: ; from Robert Watson on Tue, Feb 02, 1999 at 11:35:47PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Feb 02, 1999 at 11:35:47PM -0500, Robert Watson wrote: | securelevel code generally requires a lot of modifications to the base | system, so my temptation is to ignore the issue, but create a securelevel | man page that discusses "things to do in making a securelevel-friendly | system", and add to it: disable bpf. The OpenBSD folks have done all the work needed to run a 'normal' system with securelevel 1. Its not a very agressive implementation at the level of what the attributes are set to, but its a baseline that FreeBSD could work from. Adam -- "It is seldom that liberty of any kind is lost all at once." 
-Hume To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 05:42:12 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA06253 for freebsd-security-outgoing; Wed, 3 Feb 1999 05:42:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from bsf.alcatel.fr (laposte.bsf.alcatel.fr [193.104.128.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA06231; Wed, 3 Feb 1999 05:42:02 -0800 (PST) (envelope-from guilloux@col.bsf.alcatel.fr) Received: from cabsimp1 (cabsimp1.col.bsf.alcatel.fr [155.132.46.160]) by bsf.alcatel.fr (8.8.8/8.8.8) with SMTP id OAA05398; Wed, 3 Feb 1999 14:44:49 +0100 (MET) Received: from cabs40.clb by cabsimp1 (SMI-8.6/SMI-4.1) id OAA16178; Wed, 3 Feb 1999 14:38:17 +0100 Received: from c4s25.clb by cabs40.clb (SMI-8.6/SMI-SVR4) id OAA05634; Wed, 3 Feb 1999 14:34:50 +0100 Received: by c4s25.clb (5.x/SMI-SVR4) id AA24546; Wed, 3 Feb 1999 14:36:23 +0100 Date: Wed, 3 Feb 1999 14:36:23 +0100 Message-Id: <9902031336.AA24546@c4s25.clb> From: Stephan Guilloux To: adam@homeport.org Cc: robert+freebsd@cyrus.watson.org, jkh@zippy.cdrom.com, jmb@FreeBSD.ORG, woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG In-Reply-To: <19990203075855.A22692@weathership.homeport.org> (message from Adam Shostack on Wed, 3 Feb 1999 07:58:55 -0500) Subject: Re: tcpdump Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [Originally in French.] While I'm at it, let me confirm my mobile number: 06.82.18.45.52 Since I sometimes leave it at home, I've stuck up a reminder note for myself. But I think I'll have to tie a knot in my handkerchief to remind myself that I have a reminder note :-) Steph. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 06:14:19 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA10010 for freebsd-security-outgoing; Wed, 3 Feb 1999 06:14:19 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from zed.ludd.luth.se (zed.ludd.luth.se [130.240.16.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA10001; Wed, 3 Feb 1999 06:14:14 -0800 (PST) (envelope-from gozer@ludd.luth.se) Received: from speedy.ludd.luth.se (gozer@speedy.ludd.luth.se [130.240.16.164]) by zed.ludd.luth.se (8.8.5/8.8.5) with ESMTP id PAA22567; Wed, 3 Feb 1999 15:12:51 +0100 Date: Wed, 3 Feb 1999 15:12:50 +0100 (CET) From: Johan Larsson To: Stephan Guilloux cc: adam@homeport.org, robert+freebsd@cyrus.watson.org, jkh@zippy.cdrom.com, jmb@FreeBSD.ORG, woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG Subject: Re: tcpdump In-Reply-To: <9902031336.AA24546@c4s25.clb> Message-ID: X-uri: http://www.ludd.luth.se/~gozer/ MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Oh, yes, I understand perfectly what you say... *NOT* Please, speak English on international lists. On Wed, 3 Feb 1999, Stephan Guilloux wrote: > [Originally in French.] While I'm at it, let me confirm my mobile number: > 06.82.18.45.52 > > Since I sometimes leave it at home, I've stuck up a reminder note for myself. > But I think I'll have to tie a knot in my handkerchief to remind myself > that I have a reminder note :-) > > Steph. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > Johan -- * mailto:gozer@ludd.luth.se * http://www.ludd.luth.se/users/gozer/ * * Powered by FreeBSD. 
http://www.se.freebsd.org/ +-+-+-+-+-+-+-+-+ *

From owner-freebsd-security Wed Feb 3 06:32:12 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA14456 for freebsd-security-outgoing; Wed, 3 Feb 1999 06:32:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from bsf.alcatel.fr (laposte.bsf.alcatel.fr [193.104.128.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA14449; Wed, 3 Feb 1999 06:32:05 -0800 (PST) (envelope-from guilloux@col.bsf.alcatel.fr)
Received: from cabsimp1 (cabsimp1.col.bsf.alcatel.fr [155.132.46.160]) by bsf.alcatel.fr (8.8.8/8.8.8) with SMTP id PAA20844; Wed, 3 Feb 1999 15:35:27 +0100 (MET)
Received: from cabs40.clb by cabsimp1 (SMI-8.6/SMI-4.1) id PAA21404; Wed, 3 Feb 1999 15:28:55 +0100
Received: from c4s25.clb by cabs40.clb (SMI-8.6/SMI-SVR4) id PAA08460; Wed, 3 Feb 1999 15:26:22 +0100
Received: by c4s25.clb (5.x/SMI-SVR4) id AA24660; Wed, 3 Feb 1999 15:27:56 +0100
Date: Wed, 3 Feb 1999 15:27:56 +0100
Message-Id: <9902031427.AA24660@c4s25.clb>
From: Stephan Guilloux
To: gozer@ludd.luth.se
Cc: adam@homeport.org, robert+freebsd@cyrus.watson.org, jkh@zippy.cdrom.com, jmb@FreeBSD.ORG, woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
In-Reply-To: (message from Johan Larsson on Wed, 3 Feb 1999 15:12:50 +0100 (CET))
Subject: Re: tcpdump
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
>> While I'm at it, let me confirm my mobile number:
>> [...]
>> Steph.

Sorry for that last. Was a mistake.
From owner-freebsd-security Wed Feb 3 06:37:29 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA14928 for freebsd-security-outgoing; Wed, 3 Feb 1999 06:37:29 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA14917; Wed, 3 Feb 1999 06:37:17 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA27848; Wed, 3 Feb 1999 09:29:19 -0500 (EST)
Date: Wed, 3 Feb 1999 09:29:19 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Eivind Eklund
cc: Michael Richards <026809r@dragon.acadiau.ca>, "Jordan K. Hubbard" , security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <19990203132321.K8749@bitbox.follo.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 3 Feb 1999, Eivind Eklund wrote:
> On Wed, Feb 03, 1999 at 12:48:34AM -0500, Robert Watson wrote:
> > On Wed, 3 Feb 1999, Michael Richards wrote:
> >
> > > On Tue, 2 Feb 1999, Jordan K. Hubbard wrote:
> > >
> > > > OK, time to raise this topic again. What do people think about
> > > > enabling bpfilter by default in GENERIC?
> > >
> > > I would think that the majority of us do not use the bpfilter by default.
> > > My personal opinion (whether correct or not) is that it is more secure
> > > this way. Many kiddiez have scripts to automate tcpdumping for passwords
> > > and other such nasties and having to compile a bpf module and load it is
> > > beyond many people.
> > > (I admit I'd have to go find some instructions)
> >
> > Security by obscurity in that form works only until the first
> > script-author writes script-kiddie-script-#20 which automates the process.
> > And it's not such a complicated task that some bored hacker won't write it
> > into tomorrow's rootkit.
>
> This is not correct. Having BPF support in the kernel also adds code
> to the drivers to support it. It is not possible to compile it up as a
> module without also replacing the drivers.
>
> Don't take this as me being against 'pseudo-device bpfilter' in
> GENERIC; I'm agnostic on that issue.

Alright then--assuming netgraph arrives in -CURRENT someday, then this would be feasible. In the meantime, they load up an lkm/kld that remaps the code page containing the ip_input and ip_output routines as writable, then replaces some of the machine code with jumps to the lkm/kld versions of the same routines; these routines effectively are bpfilter-esque. This is the nice thing about programmable computers... :)

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Wed Feb 3 06:53:00 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA17256 for freebsd-security-outgoing; Wed, 3 Feb 1999 06:53:00 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA17240; Wed, 3 Feb 1999 06:52:52 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA27922; Wed, 3 Feb 1999 09:52:50 -0500 (EST)
Date: Wed, 3 Feb 1999 09:52:50 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
cc: Eivind Eklund , Michael Richards <026809r@dragon.acadiau.ca>, "Jordan K. Hubbard" , security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Alright then--assuming netgraph arrives in -CURRENT someday, then this
> would be feasible. In the meantime, they load up an lkm/kld that remaps
> the code page containing the ip_input and ip_output routines as writable,
> then replaces some of the machine code with jumps to the lkm/kld versions
> of the same routines; these routines effectively are bpfilter-esque. This
> is the nice thing about programmable computers... :)

I over-simplify. That's what I get for rolling out of bed and in front of the computer on the way to taking a shower :).
In the meantime, as I was saying, they load up an lkm/kld that includes code tailored to their ethernet device to put the device into promiscuous mode, and then patches the ether_ routines pulling packets off the wire so they can be sniffed before they pass through the ARP code. Needless to say, this would suck like sniffing on Linux without some spiffy BPF code, so either they don't mind it being slow (they're crackers), or they also write the module to include a BPF-like interface. So it is definitely non-trivial; on the other hand, with modification of the running kernel as a tool, I'm not sure it's too bad.

One solution that no-one has suggested is limiting the capabilities of BPF in a more fine-grained way in securelevel. So BPF works by adding a simple state machine that is programmable; by virtue of not allowing loops, it is not Turing complete, and also has a predictable termination by virtue of limits to program length. Libpcap presumably builds these BPF programs based on the requests passed to it (I know about BPF, but not libpcap :). If you want to allow only DHCP to run, then you just add a policy to the kernel that only specific programs are allowed. For example, by hard configuring into the kernel, or by pushing the policy up as part of a sysctl or the like. Something like the following:

    if (securelevel > 0) {
        push_bpf(allow_dhcpc_program);
        push_bpf(allow_dhcpd_program);
        push_bpf(allow_appletalksniffing);
    }

etc. This would increase the cost associated with loading a new program into a bpfilter, but would not increase the cost of actual sniffing. It would require space for policies to be stored (i.e., allow this program, etc.), but would provide a fine-grained restriction on how bpf could be used. This would require that DHCP and other restricted uses of bpf consistently use the same filter; I assume that this is the case; if not, then this mechanism would not help.
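Robert's allow-listed-programs idea, worked through as an added example (my code, not Robert's and not FreeBSD's): a classic BPF validator of the kind the kernel runs before attaching a program, a small interpreter for the four opcodes the example uses, and a hypothetical bpf_policy_allows() check that lets root attach any valid program at securelevel 0 but only programs on a fixed allow list above it. The opcode values are the ones from <net/bpf.h>; the DHCP-client filter, the frame layout (Ethernet, IPv4 without options, UDP) and the allow list are constructed for the example, and the push_bpf() calls of the sketch above are represented by the allowed_programs table.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Classic BPF instruction, laid out like struct bpf_insn in <net/bpf.h>. */
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Opcode values from <net/bpf.h>, just the ones this example uses. */
#define LDH_ABS 0x28  /* BPF_LD|BPF_H|BPF_ABS:  A = 16-bit word at pkt[k] */
#define LDB_ABS 0x30  /* BPF_LD|BPF_B|BPF_ABS:  A = byte at pkt[k]        */
#define JEQ_K   0x15  /* BPF_JMP|BPF_JEQ|BPF_K: pc += (A == k) ? jt : jf  */
#define RET_K   0x06  /* BPF_RET|BPF_K:         accept k bytes            */
#define BPF_MAXINSNS 512

/* The checks the kernel makes before attaching a program: bounded length,
 * known opcodes, jump targets inside the program, RET at the end.  Jump
 * offsets are unsigned, so control only moves forward: no loops, and every
 * program halts within len steps. */
int bpf_validate(const struct bpf_insn *p, int len)
{
    if (len < 1 || len > BPF_MAXINSNS) return 0;
    for (int i = 0; i < len; i++) {
        uint16_t c = p[i].code;
        if (c == JEQ_K) {
            if (i + 1 + p[i].jt >= len || i + 1 + p[i].jf >= len) return 0;
        } else if (c != LDH_ABS && c != LDB_ABS && c != RET_K) {
            return 0;                          /* unknown opcode */
        }
    }
    return p[len - 1].code == RET_K;
}

/* Run a validated program over one frame.  A load past the end of the frame
 * drops it, as in the kernel.  Returns the number of bytes to accept. */
uint32_t bpf_run(const struct bpf_insn *p, int len, const uint8_t *pkt, size_t plen)
{
    uint32_t a = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct bpf_insn *in = &p[pc];
        size_t need = in->code == LDH_ABS ? 2 : 1;
        switch (in->code) {
        case LDH_ABS: case LDB_ABS:
            if ((size_t)in->k + need > plen) return 0;
            a = need == 2 ? (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1] : pkt[in->k];
            break;
        case JEQ_K: pc += (a == in->k) ? in->jt : in->jf; break;
        case RET_K: return in->k;
        }
    }
    return 0;
}

/* Constructed allow-listed program, "ip and udp and dst port 68": what a DHCP
 * client needs.  Offsets assume Ethernet / IPv4 without options / UDP. */
static const struct bpf_insn dhcp_client_filter[] = {
    { LDH_ABS, 0, 0, 12 },      /* A = ethertype               */
    { JEQ_K,   0, 5, 0x0800 },  /* not IPv4 -> insn 7 (reject) */
    { LDB_ABS, 0, 0, 23 },      /* A = IP protocol             */
    { JEQ_K,   0, 3, 17 },      /* not UDP  -> reject          */
    { LDH_ABS, 0, 0, 36 },      /* A = UDP destination port    */
    { JEQ_K,   0, 1, 68 },      /* not bootpc -> reject        */
    { RET_K,   0, 0, 1500 },    /* accept                      */
    { RET_K,   0, 0, 0 },       /* reject                      */
};
#define DHCP_FILTER_LEN 8
/* A plain sniffer (accept everything) and a malformed program whose jump
 * target lies past the end. */
static const struct bpf_insn sniff_everything[] = { { RET_K, 0, 0, 1500 } };
static const struct bpf_insn bad_jump[] = { { JEQ_K, 5, 0, 0 }, { RET_K, 0, 0, 0 } };

/* Hypothetical securelevel policy (not FreeBSD code): at securelevel 0 root
 * may attach any valid program; above that only allow-listed ones. */
struct bpf_policy { const struct bpf_insn *prog; int len; };
static const struct bpf_policy allowed_programs[] = {
    { dhcp_client_filter, DHCP_FILTER_LEN },
};

int bpf_policy_allows(int securelevel, const struct bpf_insn *p, int len)
{
    if (!bpf_validate(p, len)) return 0;      /* malformed: never */
    if (securelevel <= 0) return 1;
    for (size_t i = 0; i < sizeof allowed_programs / sizeof allowed_programs[0]; i++)
        if (allowed_programs[i].len == len &&
            memcmp(allowed_programs[i].prog, p, (size_t)len * sizeof *p) == 0)
            return 1;
    return 0;
}

/* Constructed 42-byte frame: Ethernet + IPv4 (no options) + UDP header. */
size_t build_frame(uint8_t *buf, uint8_t ipproto, uint16_t dport)
{
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[14] = 0x45; buf[23] = ipproto;   /* IPv4, IHL 5 */
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;
    return 42;
}

/* 1 if the DHCP filter accepts a UDP/68 frame and drops a TCP frame. */
int demo_dhcp_filter(void)
{
    uint8_t buf[42];
    size_t n = build_frame(buf, 17, 68);             /* UDP to bootpc */
    uint32_t kept = bpf_run(dhcp_client_filter, DHCP_FILTER_LEN, buf, n);
    n = build_frame(buf, 6, 68);                     /* TCP: must drop */
    return kept == 1500 && bpf_run(dhcp_client_filter, DHCP_FILTER_LEN, buf, n) == 0;
}
```

The validator is what gives BPF the termination guarantee Robert describes: jump offsets are unsigned and must land inside the program, so a loop cannot be expressed. The policy check compares the submitted instruction array byte for byte with the allow list, which only works if the DHCP client always hands the kernel the same filter; that is exactly the caveat raised above.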
If it does work, then we can continue to allow processes to open/close bpf devices once the securelevel is raised. This would allow DHCP (and other programs like it) to be started after the securelevel is raised, be restartable, and protect against nasties involving debuggers attaching to processes using bpf, or other subversion of such processes via files in the file system.

Robert N Watson

From owner-freebsd-security Wed Feb 3 06:57:51 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA18184 for freebsd-security-outgoing; Wed, 3 Feb 1999 06:57:51 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from carp.gbr.epa.gov (carp.gbr.epa.gov [204.46.159.110]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA18179 for ; Wed, 3 Feb 1999 06:57:47 -0800 (PST) (envelope-from mjenkins@carp.gbr.epa.gov)
Received: (from mjenkins@localhost) by carp.gbr.epa.gov (8.8.8/8.8.8) id IAA05247; Wed, 3 Feb 1999 08:57:23 -0600 (CST) (envelope-from mjenkins)
Date: Wed, 3 Feb 1999 08:57:23 -0600 (CST)
From: Mike Jenkins
Message-Id: <199902031457.IAA05247@carp.gbr.epa.gov>
To: jkh@zippy.cdrom.com
Subject: Re: tcpdump
Cc: security@FreeBSD.ORG
In-Reply-To: <9575.918011566@zippy.cdrom.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 02 Feb 1999 "Jordan K. Hubbard" wrote:
> OK, time to raise this topic again. What do people think about
> enabling bpfilter by default in GENERIC?

When I switched from Linux to FreeBSD, it was disappointing to find that tcpdump did not work.
It had worked fine under Linux. I vote to enable bpfilter.

BTW, the "/dev/bpf0: Device not configured" problem is in the FAQ.

Mike

From owner-freebsd-security Wed Feb 3 06:58:07 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA18315 for freebsd-security-outgoing; Wed, 3 Feb 1999 06:58:07 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA18309 for ; Wed, 3 Feb 1999 06:58:05 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA27955; Wed, 3 Feb 1999 09:57:56 -0500 (EST)
Date: Wed, 3 Feb 1999 09:57:55 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: James Wyatt
cc: Peter Jeremy , security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 2 Feb 1999, James Wyatt wrote:
> On Wed, 3 Feb 1999, Peter Jeremy wrote:
> > James Wyatt wrote:
>
> > 2) Anyone with physical access to your network can achieve the same
> > thing with sniffer software on a laptop.
> Absolutely. I've had folks ask about locking MAC addresses on managed
> hubs for this reason. Doesn't help when you have desktop hubs, though. It
> is another reason to unpatch unused ENet outlets as well. They can also
> install a Win32 sniffer on office boxes with Back Orifice (a really cool
> tool at times). I do what I can on my hosts and firewall the rest, but I'm
> not deluded into thinking I'm solving the world's problems. btw: If *I*
> have it on *my* laptop that's a feature...
> 8{)

Keep in mind also that ethernet-layer switching doesn't protect against IP-layer spoofing and sniffing. I.e., while the switch can indeed prevent packets destined for another ethernet address from going down the wire, unless it speaks IP, it can't prevent me from ARPing claiming to be another host. Now while that is easy to detect (look for strange ARPs, hard code MACs on each host instead of using ARP, and watch for nasty console messages :), it still works just fine in most environments where people feel they are secure because of switching. Similarly, ICMP redirects are fun in those environments.

> > I've seen suggestions (I can't recall where) that you might as well
> > "chmod 666 /dev/bpf*" to more accurately reflect the difficulty of
> > network snooping (although I think this is going too far).
> As currently set, you still have to break root on a host that has the
> interfaces you want. In a switched environment, try for a boundary host.

Presumably at this point, it would be best if we relied on cryptography instead of wire-security. However, I understand the limitations to that (availability, CPU effects, etc). With a bpf available to a normal user, then you do face problems with sniffing of the localhost interface and otherwise hard-to-get-to interfaces, and possibly better spoofing capability.

Robert N Watson
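The detection Robert suggests above ("look for strange ARPs, hard code MACs") as an added example that is mine, not from the thread and not FreeBSD code: an arpwatch-style check that records the first MAC seen for each sender IP in ARP replies, flags an address whose MAC changes (a flip-flop), and flags any claim that contradicts a statically pinned entry such as the default gateway. The pinned gateway entry, the MAC addresses and the sequence of replies are constructed for the example; on a real host the replies would be read off a bpf device, which is the very facility under discussion.

```c
#include <stdint.h>
#include <string.h>

#define MAX_STATIONS 64
struct arp_binding { uint32_t ip; uint8_t mac[6]; int used; };

/* What the detector has learned so far (sender IP -> first MAC seen). */
static struct arp_binding learned[MAX_STATIONS];

/* Constructed addresses: IPv4 as host-order integers, MACs from the
 * documentation range.  The gateway is pinned ("hard coded"), as Robert
 * suggests, so no ARP reply may ever change it. */
#define IP_GATEWAY 0xC0A80001u   /* 192.168.0.1  */
#define IP_HOST10  0xC0A8000Au   /* 192.168.0.10 */
static const uint8_t MAC_GATEWAY[6] = { 0x00, 0x00, 0x5e, 0x00, 0x53, 0x01 };
static const uint8_t MAC_A[6]       = { 0x00, 0x00, 0x5e, 0x00, 0x53, 0x0a };
static const uint8_t MAC_B[6]       = { 0x00, 0x00, 0x5e, 0x00, 0x53, 0xbb };
static const struct arp_binding pinned[] = {
    { IP_GATEWAY, { 0x00, 0x00, 0x5e, 0x00, 0x53, 0x01 }, 1 },
};

enum arp_verdict { ARP_TABLE_FULL = -1, ARP_OK = 0, ARP_NEW = 1,
                   ARP_FLIPFLOP = 2, ARP_PINNED_CONFLICT = 3 };

void arp_reset(void) { memset(learned, 0, sizeof learned); }

/* Classify one ARP reply by its sender IP and sender MAC.  Pinned entries are
 * checked first, so a station claiming the gateway's address with another MAC
 * is reported even if it has never been seen before. */
int arp_observe(uint32_t ip, const uint8_t mac[6])
{
    for (size_t i = 0; i < sizeof pinned / sizeof pinned[0]; i++)
        if (pinned[i].ip == ip)
            return memcmp(pinned[i].mac, mac, 6) == 0 ? ARP_OK : ARP_PINNED_CONFLICT;
    for (int i = 0; i < MAX_STATIONS; i++) {
        if (learned[i].used && learned[i].ip == ip) {
            if (memcmp(learned[i].mac, mac, 6) == 0) return ARP_OK;
            memcpy(learned[i].mac, mac, 6);        /* remember the new claimant */
            return ARP_FLIPFLOP;
        }
    }
    for (int i = 0; i < MAX_STATIONS; i++) {
        if (!learned[i].used) {
            learned[i].used = 1; learned[i].ip = ip; memcpy(learned[i].mac, mac, 6);
            return ARP_NEW;
        }
    }
    return ARP_TABLE_FULL;
}

/* Constructed trace: two honest announcements, a repeat, then a second MAC
 * claiming host 10's address and finally the gateway's.  Returns how many
 * replies were flagged as a flip-flop or a pinned-entry conflict. */
int demo_arp_trace(void)
{
    struct { uint32_t ip; const uint8_t *mac; } trace[] = {
        { IP_HOST10,  MAC_A },
        { IP_GATEWAY, MAC_GATEWAY },
        { IP_HOST10,  MAC_A },
        { IP_HOST10,  MAC_B },
        { IP_GATEWAY, MAC_B },
    };
    int flagged = 0;
    arp_reset();
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        int v = arp_observe(trace[i].ip, trace[i].mac);
        if (v == ARP_FLIPFLOP || v == ARP_PINNED_CONFLICT) flagged++;
    }
    return flagged;
}
```

A flip-flop is only a hint (a host may legitimately have swapped its card); a pinned-entry conflict for the gateway is the case worth paging someone for, because it is precisely what a station spoofing ARP on a switched segment has to emit.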
From owner-freebsd-security Wed Feb 3 07:09:37 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA20671 for freebsd-security-outgoing; Wed, 3 Feb 1999 07:09:37 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA20664 for ; Wed, 3 Feb 1999 07:09:34 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id KAA28015; Wed, 3 Feb 1999 10:09:00 -0500 (EST)
Date: Wed, 3 Feb 1999 10:09:00 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: proff@suburbia.net
cc: Peter Jeremy , jkh@zippy.cdrom.com, security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <19990203085051.1688.qmail@suburbia.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 3 Feb 1999 proff@suburbia.net wrote:
> Frankly I'm sick of seeing anal security idiots undermining useful
> functionality. I don't see why we should let this useless, whinging
> segment of the network community, which spends all its time working
> out new ways to prevent people doing anything, shove their uncreative
> bankrupt, and wholly paranoid philosophy down everyone else's throats.

Come now, I resent that :). I consider myself an anal security.. er.. person :).

My feeling is that it is actually very important that system designers impose security features on an operating system: they are in the best position to do so while maintaining maximum flexibility and functionality.
They have the best understanding of the system and what its limitations are. Patching security on afterwards is almost always a disaster.

However, you'll note that some of the argument here has been about whether limiting access to bpfilter actually improves security, or whether it just makes access to the packets more obscure. And it is quickly clear that with capabilities such as lkm/kld it is merely obscurity in low securelevels. Similarly, open/close limitations are not sufficient in securelevels because of other operating system features that require modification to understand these limits.

A truly paranoid security philosophy requires seeing the whole picture, not just the parts; incorrect slapping on of limiting security patches that have no real effect on the actual security of the system is of no use. As such I welcome a truly paranoid security idiot who wants to be involved in FreeBSD :-).

Robert N Watson
From owner-freebsd-security Wed Feb 3 07:11:57 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA21077 for freebsd-security-outgoing; Wed, 3 Feb 1999 07:11:57 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from login.binary.nu (login.binary.nu [193.215.31.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA21066; Wed, 3 Feb 1999 07:11:53 -0800 (PST) (envelope-from chaos@binary.nu)
Received: from dark-mystique (mp-214-224.daxnet.no [193.216.214.224]) by login.binary.nu (8.9.1/8.9.1) with SMTP id QAA17372; Wed, 3 Feb 1999 16:02:10 +0100
Message-ID: <007c01be4f86$14c32d60$d95afea9@dark-mystique>
From: "Kai A. Stensson"
To: "Stephan Guilloux" ,
Cc: , , , ,
Subject: Re: tcpdump
Date: Wed, 3 Feb 1999 16:01:26 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.1
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>While I'm at it, let me confirm my mobile number:
> 06.82.18.45.52
>
>Since I sometimes forget it at home, I've stuck a reminder note on myself.
>But I think I'll have to tie a knot in my handkerchief to remind myself
>that I have a reminder note :-)
>
> Steph.
>

Ehhh. yeah right..... whatever Steph.... try it in English next time!
-Chaos

From owner-freebsd-security Wed Feb 3 07:29:36 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA23997 for freebsd-security-outgoing; Wed, 3 Feb 1999 07:29:36 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA23989 for ; Wed, 3 Feb 1999 07:29:32 -0800 (PST) (envelope-from mike@seidata.com)
From: mike@seidata.com
Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with ESMTP id KAA20049; Wed, 3 Feb 1999 10:29:33 -0500 (EST)
Date: Wed, 3 Feb 1999 10:29:33 -0500 (EST)
To: Dan Langille
cc: freebsd-security@FreeBSD.ORG
Subject: Re: what were these probes?
In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 2 Feb 1999, Dan Langille wrote:
> Tonight I found these entries in my log files. What were they looking
> for? Was this a spammer looking for exploits?

Yes.

> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0"
> 404 164

Extremely popular (and outdated, I assume they were searching for this just to see if you were stupid ;) exploit that used to allow access to critical system files (passwd, etc.).

> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi
> HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi
> HTTP/1.0" 404 169

[snip]

Wow, looks like they were bored... just trying to see what you have, I presume... attempting to find out more about your system. Many of these are default scripts installed in /usr/local/www/cgi-bin by Apache.
> HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl

[snip]

...Or script names with known, previously exploitable holes.

> Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com

No real exploit here... Looks like tcpd is doing its job.

Did you have the phf script open to world? What version of Apache are you running? I'd suggest enabling (access.conf) the automatic logging of phf attempts. Uncomment the following:

    <Location /cgi-bin/phf*>
    deny from all
    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
    </Location>

> Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from
> root@ns.cvvm.com [139.142.106.131]
> Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from
> root@ns.cvvm.com [139.142.106.131]

As usual, I'd attempt to forward records of these attempts to all related administrative accounts of cvvm.com (root, hostmaster, names listed as Whois contacts, etc.). Their system may merely be a hostile host, or it may be a hacked site being used as a source for more hacks.... in which case the real admins may have no clue about what's going on.

What version of sendmail are you running? Not sure about the null connection bit... unless they're just, again, trying to see what you're running (since older versions were exploit-ridden).

Good luck...

--
Mike Hoskins
System/Network Administrator
SEI Data Network Services, Inc.
http://www.seidata.com

From owner-freebsd-security Wed Feb 3 07:48:08 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA27122 for freebsd-security-outgoing; Wed, 3 Feb 1999 07:48:08 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA27114 for ; Wed, 3 Feb 1999 07:48:06 -0800 (PST) (envelope-from mike@seidata.com)
From: mike@seidata.com
Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with ESMTP id KAA03849; Wed, 3 Feb 1999 10:47:56 -0500 (EST)
Date: Wed, 3 Feb 1999 10:47:56 -0500 (EST)
To: Bill Woodford
cc: ML FreeBSD Security
Subject: Re: tcpdump
In-Reply-To: <19990202153458.A1152@cc181716-a.hwrd1.md.home.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 2 Feb 1999, Bill Woodford wrote:
> tcpdump: /dev/bpf0: Device not configured

Compile your kernel with pseudo-device bpf. See LINT (as usual) for extended details.

Mike Hoskins
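The access-log triage Mike Hoskins does by hand in his reply to Dan Langille above (known CGI probe names, and whether the request got a 404 or was actually served) as an added example that is not part of any message in the thread: a small parser for Apache common-log lines and a per-host summary that counts requests for probe scripts and, separately, how many of those the server answered with a 2xx. The log lines and host names are constructed for the example; the probed script names are the ones quoted in the thread.

```c
#include <stdlib.h>
#include <string.h>

/* Script names the thread identifies as routinely probed. */
static const char *const PROBE_SCRIPTS[] = { "phf", "Count.cgi", "test-cgi", "wwwboard.pl" };

/* 1 if the request path's last component is one of the known probe scripts. */
int is_probe_path(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    for (size_t i = 0; i < sizeof PROBE_SCRIPTS / sizeof PROBE_SCRIPTS[0]; i++)
        if (strcmp(base, PROBE_SCRIPTS[i]) == 0) return 1;
    return 0;
}

/* Pull host, request path and status out of an Apache common-log line:
 *   host - - [date] "METHOD path HTTP/x.y" status bytes
 * Returns 1 on success, 0 if the line is not in that shape. */
int parse_access_line(const char *line, char *host, size_t hostsz,
                      char *path, size_t pathsz, int *status)
{
    const char *sp = strchr(line, ' ');
    if (!sp || (size_t)(sp - line) >= hostsz) return 0;
    memcpy(host, line, (size_t)(sp - line)); host[sp - line] = '\0';
    const char *q = strchr(sp, '"');                 /* opening quote  */
    const char *m = q ? strchr(q, ' ') : NULL;       /* after METHOD   */
    const char *e = m ? strchr(m + 1, ' ') : NULL;   /* end of path    */
    const char *cq = e ? strchr(e, '"') : NULL;      /* closing quote  */
    if (!cq || (size_t)(e - m - 1) >= pathsz) return 0;
    memcpy(path, m + 1, (size_t)(e - m - 1)); path[e - m - 1] = '\0';
    *status = atoi(cq + 1);                          /* skips the space */
    return 1;
}

struct probe_summary { int probes; int served; int unparsed; };

/* Count probe requests from one host and how many of them got a 2xx: a 404
 * only shows the script was looked for, a 2xx means it really is exposed. */
struct probe_summary summarize_probes(const char *const *lines, int n, const char *from_host)
{
    struct probe_summary s = { 0, 0, 0 };
    char host[256], path[1024];
    int status;
    for (int i = 0; i < n; i++) {
        if (!parse_access_line(lines[i], host, sizeof host, path, sizeof path, &status)) {
            s.unparsed++;
            continue;
        }
        if (strcmp(host, from_host) != 0 || !is_probe_path(path)) continue;
        s.probes++;
        if (status >= 200 && status < 300) s.served++;
    }
    return s;
}

/* Constructed access-log excerpt in the format quoted in the thread. */
static const char *const SAMPLE_LOG[] = {
    "scanner.example.net - - [02/Feb/1999:17:34:28 +1300] \"GET /cgi-bin/phf HTTP/1.0\" 404 164",
    "scanner.example.net - - [02/Feb/1999:17:34:29 +1300] \"GET /cgi-bin/Count.cgi HTTP/1.0\" 404 170",
    "scanner.example.net - - [02/Feb/1999:17:34:30 +1300] \"GET /cgi-bin/test-cgi HTTP/1.0\" 200 1187",
    "client.example.org - - [02/Feb/1999:17:40:02 +1300] \"GET /index.html HTTP/1.0\" 200 2326",
    "scanner.example.net - - [02/Feb/1999:17:34:43 +1300] \"GET /cgi-bin/wwwboard.pl HTTP/1.0\" 404 170",
    "garbage line without a request",
};
enum { SAMPLE_LOG_LEN = 6 };
```

The served count is the one to act on: in the sample, test-cgi answered 200, which is the case where the script is actually present and reachable rather than merely asked for.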
From owner-freebsd-security Wed Feb 3 07:50:14 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA27510 for freebsd-security-outgoing; Wed, 3 Feb 1999 07:50:14 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA27505 for ; Wed, 3 Feb 1999 07:50:10 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id KAA24669; Wed, 3 Feb 1999 10:49:45 -0500 (EST) (envelope-from wollman)
Date: Wed, 3 Feb 1999 10:49:45 -0500 (EST)
From: Garrett Wollman
Message-Id: <199902031549.KAA24669@khavrinen.lcs.mit.edu>
To: Robert Watson
Cc: security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To:
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:
> Bpfilter is a useful piece of functionality required for dhcp, a service
> that is increasingly popular.

Actually, it is not required for DHCP. However, the implementational requirements of DHCP currently run afoul of bugs (or misfeatures) in the IP stack which currently require DHCP programs to circumvent IP in order to operate.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Feb 3 07:56:48 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA28962 for freebsd-security-outgoing; Wed, 3 Feb 1999 07:56:48 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA28956 for ; Wed, 3 Feb 1999 07:56:47 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id KAA24680; Wed, 3 Feb 1999 10:56:33 -0500 (EST) (envelope-from wollman)
Date: Wed, 3 Feb 1999 10:56:33 -0500 (EST)
From: Gar-rett Wollman
Message-Id: <199902031556.KAA24680@khavrinen.lcs.mit.edu>
To: proff@suburbia.net
Cc: security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <19990203085051.1688.qmail@suburbia.net>
References: <99Feb3.152750est.40350@border.alcanet.com.au> <19990203085051.1688.qmail@suburbia.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:
> Frankly I'm sick of seeing anal security idiots undermining useful
> functionality. I don't see why we should let this useless, whinging
> segment of the network community, which spends all its time working
> out new ways to prevent people doing anything, shove their uncreative
> bankrupt, and wholly paranoid philosophy down everyone else's throats.

You ever managed a network with 500 Linux machines on it? I thought not.

-GAWollman

From owner-freebsd-security Wed Feb 3 08:01:13 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA29582 for freebsd-security-outgoing; Wed, 3 Feb 1999 08:01:13 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA29577 for ; Wed, 3 Feb 1999 08:01:12 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id LAA24689; Wed, 3 Feb 1999 11:01:09 -0500 (EST) (envelope-from wollman)
Date: Wed, 3 Feb 1999 11:01:09 -0500 (EST)
From: Garrett Wollman
Message-Id: <199902031601.LAA24689@khavrinen.lcs.mit.edu>
To: Richard Dawes
Cc: security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To:
References: <199902030850.TAA25314@cheops.anu.edu.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:
>> From "LINT":
> "The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
> aware of the LEGAL and administrative consequences of enabling this
> option." [emphasis mine]
> forced to wonder if there were not some more legalistic reason behind the

I wrote that text. It was intended as a CYA since network eavesdropping (the only thing people used BPF for at the time) is probably regulated by law and/or company policies in many places. (For example, depending on the circumstances, the US Privacy Act might apply. IANAL; if it matters to you, hire one.)

-GAWollman

From owner-freebsd-security Wed Feb 3 08:18:15 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA02700 for freebsd-security-outgoing; Wed, 3 Feb 1999 08:18:15 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mtiwmhc05.worldnet.att.net (mtiwmhc05.worldnet.att.net [204.127.131.40]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA02693; Wed, 3 Feb 1999 08:18:12 -0800 (PST) (envelope-from gryphon@healer.com)
Received: from healer.com ([12.77.216.204]) by mtiwmhc05.worldnet.att.net (InterMail v03.02.07 118 124) with ESMTP id <19990203161810.ITMS11325@healer.com>; Wed, 3 Feb 1999 16:18:10 +0000
Message-ID: <36B8A52C.87FC356@healer.com>
Date: Wed, 03 Feb 1999 11:36:12 -0800
From: Coranth Gryphon
X-Mailer: Mozilla 4.05 [en] (Win95; U)
MIME-Version: 1.0
To: "Jordan K. Hubbard"
CC: Garrett Wollman , Matthew Dillon , "Jonathan M. Bresler" , woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
References: <10089.918017944@zippy.cdrom.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Perhaps it's worth revisiting the GENERIC issue from another direction. What if FreeBSD shipped with two pre-built kernels, one with most of the options (LKM, BPF, etc) turned on by default and the other reasonably locked down (i.e. SECURE). Seems to me that most people fall within one camp or the other. This would allow people to choose which 'version' they prefer without having to recompile an entire new kernel.
-coranth

From owner-freebsd-security Wed Feb 3 09:18:03 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA13484 for freebsd-security-outgoing; Wed, 3 Feb 1999 09:18:03 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns.mt.sri.com (sri-gw.MT.net [206.127.105.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA13440; Wed, 3 Feb 1999 09:17:59 -0800 (PST) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id KAA19122; Wed, 3 Feb 1999 10:17:49 -0700 (MST) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id KAA29988; Wed, 3 Feb 1999 10:17:47 -0700
Date: Wed, 3 Feb 1999 10:17:47 -0700
Message-Id: <199902031717.KAA29988@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Jordan K. Hubbard"
Cc: "Jonathan M. Bresler" , woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <9575.918011566@zippy.cdrom.com>
References: <199902022137.NAA07900@hub.freebsd.org> <9575.918011566@zippy.cdrom.com>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> OK, time to raise this topic again. What do people think about
> enabling bpfilter by default in GENERIC?
>
> And before everyone screams "That would not be BSD!" let me just
> note that NetBSD and probably OpenBSD (haven't looked) already do
> this.

I doubt OpenBSD does, since it's a security hole waiting to happen.
Nate

From owner-freebsd-security Wed Feb  3 09:39:52 1999
Date: Wed, 3 Feb 1999 12:39:43 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: Garrett Wollman
Cc: security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <199902031549.KAA24669@khavrinen.lcs.mit.edu>

On Wed, 3 Feb 1999, Garrett Wollman wrote:

> > Bpfilter is a useful piece of functionality required for dhcp, a service
> > that is increasingly popular.
>
> Actually, it is not required for DHCP. However, the implementational
> requirements of DHCP currently run afoul of bugs (or misfeatures) in
> the IP stack which currently require DHCP programs to circumvent IP in
> order to operate.

So, I forget--it has been a while since I attended the DHCP working group
(I worked on DHCPsec for a while, hence my being there). Here's RFC 2131's
take on the whole thing:

(stolen from RFC 2131)

   1. The client broadcasts a DHCPDISCOVER message on its local physical
      subnet. The DHCPDISCOVER message MAY include options that suggest
      values for the network address and lease duration. BOOTP relay
      agents may pass the message on to DHCP servers not on the same
      physical subnet.

   2. Each server may respond with a DHCPOFFER message that includes an
      available network address in the 'yiaddr' field (and other
      configuration parameters in DHCP options). Servers need not reserve
      the offered network address, although the protocol will work more
      efficiently if the server avoids allocating the offered network
      address to another client. When allocating a new address, servers
      SHOULD check that the offered network address is not already in
      use; e.g., the server may probe the offered address with an ICMP
      Echo Request. Servers SHOULD be implemented so that network
      administrators MAY choose to disable probes of newly allocated
      addresses. The server transmits the DHCPOFFER message to the
      client, using the BOOTP relay agent if necessary.

   3. The client receives one or more DHCPOFFER messages from one or more
      servers. The client may choose to wait for multiple responses. The
      client chooses one server from which to request configuration
      parameters, based on the configuration parameters offered in the
      DHCPOFFER messages. The client broadcasts a DHCPREQUEST message
      that MUST include the 'server identifier' option to indicate which
      server it has selected, and that MAY include other options
      specifying desired configuration values. The 'requested IP address'
      option MUST be set to the value of 'yiaddr' in the DHCPOFFER
      message from the server. This DHCPREQUEST message is broadcast and
      relayed through DHCP/BOOTP relay agents. To help ensure that any
      BOOTP relay agents forward the DHCPREQUEST message to the same set
      of DHCP servers that received the original DHCPDISCOVER message,
      the DHCPREQUEST message MUST use the same value in the DHCP message
      header's 'secs' field and be sent to the same IP broadcast address
      as the original DHCPDISCOVER message. The client times out and
      retransmits the DHCPDISCOVER message if the client receives no
      DHCPOFFER messages.

   4. ...
      DHCPACK or DHCPNAK

(see RFC for more and pretty diagrams)

So the phase currently requiring BPF is presumably the bit where the
client picks up the broadcast response as it doesn't have an IP address
yet. The DHCP client also requires that it can set the source IP address
for the outgoing requests. What changes to the protocol stack do you
recommend to allow the reception of messages for the 0.0.0.0 (or whatever)
address, and sending of appropriate packets? Could one use the existing
ifconfig alias technique to add reception of those messages? For sending,
presumably a raw IP socket would work?

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Wed Feb  3 09:52:48 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
Date: Thu, 4 Feb 1999 06:52:35 +1300
Subject: Re: what were these probes?
Reply-To: junkmale@xtra.co.nz
Cc: freebsd-security@FreeBSD.ORG
References: <19990202055804.YRQY682101.mta1-rme@wocker>
Message-Id: <19990203175238.KHCJ682101.mta1-rme@wocker>

On 3 Feb 99, at 10:29, mike@seidata.com wrote:

> > Feb  2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> > Feb  2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
>
> No real exploit here... Looks like tcpd is doing its job. Did you
> have the phf script open to world? What version of Apache are you
> running? I'd suggest enabling (access.conf) the automatic logging of
> phf attempts. Uncomment the following:
>
> deny from all
> ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
>

My cgi-bin directory is empty. And I'm running Apache 1.3 with FP
extensions.

> > Feb  2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from
> > root@ns.cvvm.com [139.142.106.131]
> > Feb  2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from
> > root@ns.cvvm.com [139.142.106.131]
>
> As usual, I'd attempt to forward records of these attempts to all
> related administrative accounts of cvvm.com (root, hostmaster, names
> listed as Whois contacts, etc.). Their system may merely be a hostile
> host, or it may be a hacked site being used as a source for more
> hacks.... in which case the real admins may have no clue about
> what's going on.

This was done.

> What version of sendmail are you running? Not sure about the null
> connection bit... unless they're just, again, trying to see what
> you're running (since older versions were exploit ridden).

sendmail 8.9.2

> Good luck...

Thanks.

> Mike Hoskins

FWIW: We have a guy by this name who does our National Radio news.
--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Wed Feb  3 09:56:49 1999
Date: Wed, 3 Feb 1999 09:56:43 -0800 (PST)
From: Matthew Dillon
Message-Id: <199902031756.JAA74538@apollo.backplane.com>
To: "Jordan K. Hubbard", "Jonathan M. Bresler",
    woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
References: <199902022137.NAA07900@hub.freebsd.org>
            <9575.918011566@zippy.cdrom.com>
            <199902031717.KAA29988@mt.sri.com>

:> OK, time to raise this topic again. What do people think about
:> enabling bpfilter by default in GENERIC?
:>
:> And before everyone screams "That would not be BSD!" let me just
:> note that NetBSD and probably OpenBSD (haven't looked) already do
:> this.

    What if we extended the ipfw rules to cover bpf sockets? This way
    we could enable bpf yet still restrict its use.

    Even better, what if we were able to impose a bpf filter 'in front' of
    any filter specified by a bpf user? We could then impose a filter that
    only allows through packets related to the services we wish to support
    via bpf. When securelevel is > 0, this imposed filter becomes locked.
    We could also have a toggle to enable/disable promiscuous mode which
    could be compiled into the kernel and/or made programmable.

    I admit it is somewhat a silly argument - nobody should be using
    unencrypted network connections for sensitive work these days. I
    don't even have telnetd or rlogind ( or friends ) enabled on any of
    my systems - it's sshd or nothing. It is *FAR* more dangerous for a
    hacker to monitor pty's than it is for a hacker to monitor a network.

    So at the very least we should enable bpf in GENERIC and then work on
    a followup solution to help w/ security.

						-Matt
						Matthew Dillon

From owner-freebsd-security Wed Feb  3 10:10:18 1999
Date: Wed, 3 Feb 1999 13:10:11 -0500 (EST)
From: Garrett Wollman
Message-Id: <199902031810.NAA25118@khavrinen.lcs.mit.edu>
To: Robert Watson
Cc: security@FreeBSD.ORG
Subject: Re: tcpdump
References: <199902031549.KAA24669@khavrinen.lcs.mit.edu>

< said:

> So the phase currently requiring BPF is presumably the bit where the
> client picks up the broadcast response as it doesn't have an IP address
> yet. The DHCP client also requires that it can set the source IP address
> for the outgoing requests.
> What changes to the protocol stack do you
> recommend to allow the reception of messages for the 0.0.0.0 (or whatever)
> address, and sending of appropriate packets?

There are several places in the code where it currently checks if there
are addresses configured, which need to be set up to accept broadcasts
and multicasts; e.g., from netinet/ip_input.c:

	/*
	 * If no IP addresses have been set yet but the interfaces
	 * are receiving, can't do anything with incoming packets yet.
	 * XXX This is broken! We should be able to receive broadcasts
	 * and multicasts even without any local addresses configured.
	 */
	if (TAILQ_EMPTY(&in_ifaddrhead))
		goto bad;

(I wrote that comment about four years ago.)

There are similar tests in the top half, which also need to be fixed so a
normal socket can be bound by the DHCP client, and so that IP packets can
be sent with a source of 0.0.0.0 (which is fairly easy but needs to be
done in multiple places since we don't yet have ILP and some of the checks
are repeated at the IP layer). This may be easier to fix by simply
rewriting the UDP code (which I did most of several years ago).

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |          - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Feb  3 10:26:32 1999
Date: Wed, 3 Feb 1999 12:29:07 -0600 (CST)
From: Robert Wall
To: security@FreeBSD.ORG
Subject: Perl and file locking

I noticed something interesting the other day - I'm writing a perl script
to add users to my master.passwd file, and I'm attempting to use exclusive
locks (flock filename, 2). During my test run of the script, another
program was accessing the file. My program paused and stuck until it could
get the exclusive lock for the file (~20 seconds), then finished executing
normally. Is this a bug, a feature, or just general weirdness? More
importantly - can this behavior be counted upon, and are there any known
security risks to processes that are suid root being queued up waiting for
a file to become available?
I'd appreciate any advice you might have.

---------------------------------------
Robert Wall (rsw@vsat.net)
Systems Technician
Intellicom, Inc.        http://www.vsat.net/
v. (715) 720-1760       f. (715) 720-1762
---------------------------------------

From owner-freebsd-security Wed Feb  3 10:32:12 1999
In-Reply-To: <199902031717.KAA29988@mt.sri.com>
Date: Wed, 03 Feb 1999 10:32:05 -0800 (PST)
Reply-To: Chris Piazza
From: Chris Piazza
To: Nate Williams
Subject: Re: tcpdump
Cc: security@FreeBSD.ORG, woodford@cc181716-a.hwrd1.md.home.com,
    "Jonathan M. Bresler", "Jordan K. Hubbard"

On 03-Feb-99 Nate Williams wrote:
>> OK, time to raise this topic again. What do people think about
>> enabling bpfilter by default in GENERIC?
>>
>> And before everyone screams "That would not be BSD!" let me just
>> note that NetBSD and probably OpenBSD (haven't looked) already do
>> this.
>
> I doubt OpenBSD does, since it's a security hole waiting to happen.
>
>
> Nate
>

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/conf/GENERIC?rev=1.41
(referenced by all architectures - ) which includes:

pseudo-device	bpfilter	8	# packet filter

--
Chris Piazza
Abbotsford, BC, Canada
cpiazza@home.net
finger norn@norn.ca.eu.org for PGP key

From owner-freebsd-security Wed Feb  3 10:40:40 1999
From: mike@seidata.com
Date: Wed, 3 Feb 1999 13:40:25 -0500 (EST)
To: Nate Williams
Cc: "Jordan K. Hubbard", "Jonathan M. Bresler",
    woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <199902031717.KAA29988@mt.sri.com>

On Wed, 3 Feb 1999, Nate Williams wrote:

> I doubt OpenBSD does, since it's a security hole waiting to happen.

Yeah... I don't like the idea of having NICs in promisc mode without
people even knowing wtf bpf is... or how to turn it off... etc.

--
Mike Hoskins
System/Network Administrator
SEI Data Network Services, Inc.
http://www.seidata.com

From owner-freebsd-security Wed Feb  3 10:56:28 1999
Date: Wed, 3 Feb 1999 14:56:07 -0400 (AST)
From: Michael Richards <026809r@dragon.acadiau.ca>
To: security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <36B8A52C.87FC356@healer.com>

On Wed, 3 Feb 1999, Coranth Gryphon wrote:

> This would allow people to choose which 'version' they prefer without
> having to recompile an entire new kernel.

Could just be me, but unless you're running linux or something, compiling
a kernel in FreeBSD is not all that nightmarish. Even when I knew nothing
about FreeBSD, it took me no more than 9 minutes from start to finish.
-Michael

From owner-freebsd-security Wed Feb  3 11:18:40 1999
Date: Wed, 3 Feb 1999 14:18:17 -0500 (EST)
From: Garrett Wollman
Message-Id: <199902031918.OAA13256@khavrinen.lcs.mit.edu>
To: Matthew Dillon
Cc: "Jordan K. Hubbard", "Jonathan M. Bresler",
    woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <199902031756.JAA74538@apollo.backplane.com>
References: <199902022137.NAA07900@hub.freebsd.org>
            <9575.918011566@zippy.cdrom.com>
            <199902031717.KAA29988@mt.sri.com>
            <199902031756.JAA74538@apollo.backplane.com>

< said:

> What if we extended the ipfw rules to cover bpf sockets? This way
> we could enable bpf yet still restrict its use.

Absolutely vile.

> Even better, what if we were able to impose a bpf filter 'in front' of
> any filter specified by a bpf user? We could then impose a filter that
> only allows through packets related to the services we wish to support
> via bpf. When securelevel is > 0, this imposed filter becomes locked.

This, on the other hand, is not a bad idea -- and not very different from
how DPF is used in the Exokernel to support secure networking outside the
kernel.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |          - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Feb  3 12:01:29 1999
Date: Wed, 3 Feb 1999 12:01:21 -0800
From: "Ron 'The InSaNe One' Rosson"
To: security@FreeBSD.ORG
Subject: Re: tcpdump
Message-ID: <19990203120121.B27993@the.oneinsane.net>
Reply-To: insane@oneinsane.net
References: <36B8A52C.87FC356@healer.com>
In-Reply-To: ; from Michael Richards on Wed, Feb 03, 1999 at 02:56:07PM -0400

Dumb idea, but it is an idea and this thread has gotten quite long. Is
there any way to turn on DHCP via the rc.conf and when that is done
somehow open up the bpf to allow it to be used in a limited fashion.
Just an idea

Ron

On Wed, Feb 03, 1999 at 02:56:07PM -0400, Michael Richards wrote:
> On Wed, 3 Feb 1999, Coranth Gryphon wrote:
>
> > This would allow people to choose which 'version' they prefer without
> > having to recompile an entire new kernel.
>
> Could just be me, but unless you're running linux or something, compiling
> a kernel in FreeBSD is not all that nightmarish. Even when I knew nothing
> about FreeBSD, it took me no more than 9 minutes from start to finish.
>

--
-------------------------------------------------------------------
Ron Rosson                          ... and a UNIX user said ...
The InSaNe One                               rm -rf *
insane@oneinsane.net                 and all was null and void
-------------------------------------------------------------------
It's so nice to be insane, nobody asks you to explain.

From owner-freebsd-security Wed Feb  3 12:59:13 1999
Date: Wed, 3 Feb 1999 16:00:43 -0500 (EST)
From: Pete
To: "Jordan K. Hubbard"
Cc: "Jonathan M. Bresler", woodford@cc181716-a.hwrd1.md.home.com,
    security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <9575.918011566@zippy.cdrom.com>

Yes I mean, why the hell not? heh

On Tue, 2 Feb 1999, Jordan K. Hubbard wrote:

>OK, time to raise this topic again.
>What do people think about
>enabling bpfilter by default in GENERIC?
>
>And before everyone screams "That would not be BSD!" let me just
>note that NetBSD and probably OpenBSD (haven't looked) already do
>this.
>
>- Jordan
>

From owner-freebsd-security Wed Feb  3 13:08:22 1999
From: Sheldon Hearn
To: Coranth Gryphon
Cc: security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: Your message of "Wed, 03 Feb 1999 11:36:12 PST."
             <36B8A52C.87FC356@healer.com>
Date: Wed, 03 Feb 1999 23:07:34 +0200
Message-ID: <26280.918076054@axl.noc.iafrica.com>

On Wed, 03 Feb 1999 11:36:12 PST, Coranth Gryphon wrote:

> Perhaps it's worth revisiting the GENERIC issue from another direction.
> What if FreeBSD shipped with two pre-built kernels, one with
> most of the options (LKM, BPF, etc) turned on by default and
> the other reasonably locked down (i.e. SECURE).

I think the discussion has moved on from "should we ship a bpf-enabled
kernel", which is the issue you seem to be addressing with your
suggestion.
I think the issue being discussed is really "is a bpf-enabled kernel any
less secure than one without bpf?" I think once that's decided, the rest
will fall into place.

What does worry me a little is the idea of making bpf's operation
dependent on the running securelevel. I thought securelevel restricted
messing around _inside_ my box. What's that got to do with what my box
can do with my wire, I wonder?

Ciao,
Sheldon.

From owner-freebsd-security Wed Feb  3 13:16:48 1999
Message-ID: <36B8EB27.689D17BF@healer.com>
Date: Wed, 03 Feb 1999 16:34:47 -0800
From: Coranth Gryphon
To: security@FreeBSD.ORG
Subject: Re: tcpdump
References: <26280.918076054@axl.noc.iafrica.com>

Sheldon Hearn was heard to say:
> the discussion has moved on from "should we ship a bpf-enabled kernel"
> I think the issue being discussed is really "is a bpf-enabled kernel
> less secure than one without bpf?" I think once that's decided, the
> rest will fall into place.

Granted, but that was my point.
Given that there is a lot of disagreement whether it is or is not secure
and given that (quoting someone else, I forget who):

> over half the kernel rebuilds are to add bpf

While it may be "10 minutes work" for most people, there are a lot out
there who are not confident enough of their skills to be willing to do a
rebuild. Besides, why make half the people out there spend those 10
minutes?

By shipping two kernels, we also solve a lot of other 'security' vs.
'ease of use' debates. The security-conscious folk can tighten down the
secure kernel to the minimum reasonable level for safe operation, while
the other kernel can have most of the fun/interesting stuff turned on for
those who want to play.

If you want to think about it another way, consider it one step towards
shipping a "Hardening Kit" for FreeBSD.

-coranth

From owner-freebsd-security Wed Feb  3 13:32:16 1999
From: Sheldon Hearn
To: Robert Wall
Cc: security@FreeBSD.ORG
Subject: Re: Perl and file locking
In-Reply-To: Your message of "Wed, 03 Feb 1999 12:29:07 CST."
Date: Wed, 03 Feb 1999 23:31:34 +0200 Message-ID: <51845.918077494@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 03 Feb 1999 12:29:07 CST, Robert Wall wrote: > I noticed something interesting the other day - I'm writing a perl script > to add users to my master.passwd file, and I'm attempting to use exclusive > locks (flock filename, 2). During my test run of the script, another > program was accessing the file. My program paused and stuck until it > could get the exclusive lock for the file (~20 seconds), then finished > executing normally. Is this a bug, a feature, or just general weirdness? You need your lock attempt to be non-blocking: use Fcntl ':flock'; flock(HANDLE, LOCK_EX | LOCK_NB) or warn("Can't lock right now, will try again soon\n"); See flock(2) and perlfunc(1). Ciao, Sheldon. PS: Your question should really have gone to a perl-specific list, rather than a freebsd-specific list. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 3 15:42:34 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA18377 for freebsd-security-outgoing; Wed, 3 Feb 1999 15:42:34 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.vr.IN-Berlin.DE (gnu.in-berlin.de [192.109.42.4]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA18371 for ; Wed, 3 Feb 1999 15:42:32 -0800 (PST) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de) Received: from uriela.in-berlin.de (IDENT:root@servicia.in-berlin.de [192.109.42.145]) by mail.vr.IN-Berlin.DE (8.9.1a/8.9.1) with ESMTP id AAA26191 for ; Thu, 4 Feb 1999 00:42:28 +0100 (CET) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de) Received: by uriela.in-berlin.de (Smail-3.2.0.101 1997-Dec-17 #1) id m108D5B-000VYvC; Thu, 4 Feb 1999 01:55:49 +0100 (CET) Received: (from 
ripley@localhost) by nortobor.nostromo.in-berlin.de (8.8.7/8.8.7) id AAA07470 for security@FreeBSD.ORG; Thu, 4 Feb 1999 00:37:04 +0100 (CET) (envelope-from ripley) Date: Thu, 4 Feb 1999 00:37:03 +0100 From: "H. Eckert" To: security@FreeBSD.ORG Subject: Re: hosts.allow and deny! Message-ID: <19990204003703.F7397@nortobor.nostromo.in-berlin.de> References: <36b7a502.193777517@mail.sentex.net> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.95i In-Reply-To: <36b7a502.193777517@mail.sentex.net>; from Mike Tancsa on Wed, Feb 03, 1999 at 01:32:25AM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Quoting Mike Tancsa (mike@sentex.net):

> Then in /usr/local/etc/hosts.deny
> ALL:ALL
> In /usr/local/etc/hosts.allow
> goodhost.com

I seem to remember that tcp_wrapper was configured slightly differently, but the manpage didn't reflect the change for the newer version. I didn't succeed at all with a hosts.deny, but see my hosts.allow below for my configuration. I use it in combination with a firewalling rule:

    ipfw add 2200 reset tcp from any to pop3 setup via ipi0

The result is that I can run qpopper on my machine without having to worry about exploits. It can be accessed from machines inside my local net but not from outside, and the machines in the inner net are able to pop3 to foreign servers, too. (The "ipi0" in the rule is my outside interface, a dialup ISDN link.)

====8<==== /usr/local/etc/hosts.allow ====
# Wed Oct 7 03:00:00 CEST 1998
popper : LOCAL 10.175. : allow
popper : ALL : deny
ALL : ALL

Greetings,
Ripley
--
H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
"(Technobabble)" (Jetrel) - "Do we really have to listen to this nonsense?"
(Neelix)

From owner-freebsd-security Wed Feb 3 16:42:39 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA00672 for freebsd-security-outgoing; Wed, 3 Feb 1999 16:42:39 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mx01-ext.netapp.com (mx01-ext.netapp.com [198.95.224.34]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA00666 for ; Wed, 3 Feb 1999 16:42:36 -0800 (PST) (envelope-from garth@netapp.com) Received: (qmail 22253 invoked from network); 4 Feb 1999 01:15:40 -0000 Received: from herra.netapp.com (HELO herra.corp.netapp.com) (198.95.224.184) by mx01-ext.netapp.com with SMTP; 4 Feb 1999 01:15:40 -0000 Received: from gtk-lap (GTK-LAP.dialus.netapp.com [192.168.200.28] (may be forged)) by herra.corp.netapp.com (8.8.7/8.8.7/GNAC-GW-2.1) with SMTP id QAA18360; Wed, 3 Feb 1999 16:42:22 -0800 (PST) From: "Garth T Kidd" To: , "Peter Jeremy" Cc: , Subject: RE: tcpdump Date: Thu, 4 Feb 1999 11:42:17 +1100 Message-ID: <000501be4fd7$371c0a20$164b00ca@gtk-lap.netapp.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 In-Reply-To: <19990203085051.1688.qmail@suburbia.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> Frankly I'm sick of seeing anal security idiots undermining useful
> functionality. I don't see why we should let this useless, whinging
> segment of the network community, which spends all its time working
> out new ways to prevent people doing anything, shove their uncreative
> bankrupt, and wholly paranoid philosophy down everyone else's throats.

That's productive commentary.
Seems to me we can head all of this off pretty easily, guys. All it takes is an install option: Relative Paranoia.

Julian here can select "take away all the safeguards" mode. :)

Personally, I'll probably select "as secure as is practical without seriously getting in my way".

Those "Anal, useless, whining security idiots" out there can select "wholly paranoid" mode.

Now, can we leave the ad hominem attacks out of this and get on with it? :)

Regards,
Garth.
--
Garth T Kidd
Network Appliance: Systems Engineer, Australia & NZ
Fast. Simple. Reliable. Multiprotocol.
Mobile: +61-414-300-213
http://www.netapp.com/

From owner-freebsd-security Wed Feb 3 17:53:11 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA09864 for freebsd-security-outgoing; Wed, 3 Feb 1999 17:53:11 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA09840 for ; Wed, 3 Feb 1999 17:53:08 -0800 (PST) (envelope-from peter.jeremy@auss2.alcatel.com.au) Received: by border.alcanet.com.au id <40344>; Thu, 4 Feb 1999 12:43:01 +1100 Date: Thu, 4 Feb 1999 12:52:54 +1100 From: Peter Jeremy Subject: Re: tcpdump To: robert+freebsd@cyrus.watson.org Cc: security@FreeBSD.ORG Message-Id: <99Feb4.124301est.40344@border.alcanet.com.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Robert Watson wrote:

> Keep in mind also that ethernet-layer switching doesn't protect against
> IP-layer spoofing and sniffing.

In my experience, switches tend to leak packets anyway: on a switched segment, I regularly see unicast packets intended for other ports - in one test, I found around 2% of the packets were leakage. This is likely to be highly variable depending on the particular switch, switch firmware and network load.
[I originally found this by accident, but since then, I have checked a couple of different switches and firmware versions with similar results each time.]

Basically, don't rely on a MAC-level switch to provide security. They are generally designed to enhance performance (by getting unnecessary traffic off the wire), rather than security.

Peter

From owner-freebsd-security Wed Feb 3 18:22:24 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA15316 for freebsd-security-outgoing; Wed, 3 Feb 1999 18:22:24 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from vespucci.advicom.net (vespucci.advicom.net [199.170.120.42]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA15300; Wed, 3 Feb 1999 18:22:22 -0800 (PST) (envelope-from avalon@vespucci.advicom.net) Received: from localhost (avalon@localhost) by vespucci.advicom.net (8.8.8/8.8.5) with ESMTP id UAA04843; Wed, 3 Feb 1999 20:22:06 -0600 (CST) X-Envelope-Recipient: security@FreeBSD.ORG Date: Wed, 3 Feb 1999 20:22:05 -0600 (CST) From: Avalon Books To: "Jordan K. Hubbard" cc: "Jonathan M. Bresler" , woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG Subject: Re: tcpdump In-Reply-To: <9575.918011566@zippy.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 2 Feb 1999, Jordan K. Hubbard wrote:

> OK, time to raise this topic again. What do people think about
> enabling bpfilter by default in GENERIC?
>
> And before everyone screams "That would not be BSD!" let me just
> note that NetBSD and probably OpenBSD (haven't looked) already do
> this.

Cool. It has my vote.

--R.
Pelletier
Sys Admin, House Galiagante
We are a Micro$oft-free site

From owner-freebsd-security Wed Feb 3 19:35:58 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA29681 for freebsd-security-outgoing; Wed, 3 Feb 1999 19:35:58 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA29673 for ; Wed, 3 Feb 1999 19:35:57 -0800 (PST) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.2/8.9.2/best.sh) id TAA13511; Wed, 3 Feb 1999 19:35:24 -0800 (PST) Message-ID: <19990203193523.A13011@best.com> Date: Wed, 3 Feb 1999 19:35:23 -0800 From: "Jan B. Koum " To: Peter Jeremy , robert+freebsd@cyrus.watson.org Cc: security@FreeBSD.ORG Subject: Re: tcpdump References: <99Feb4.124301est.40344@border.alcanet.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <99Feb4.124301est.40344@border.alcanet.com.au>; from Peter Jeremy on Thu, Feb 04, 1999 at 12:52:54PM +1100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Feb 04, 1999 at 12:52:54PM +1100, Peter Jeremy wrote:

> Robert Watson wrote:
> >Keep in mind also that ethernet-layer switching doesn't protect against
> >IP-layer spoofing and sniffing.
>
> In my experience, switches tend to leak packets anyway: On a switched
> segment, I regularly see unicast packets intended for other ports - in
> one test, I found around 2% of the packets were leakage. This is
> likely to be highly variable depending on the particular switch,
> switch firmware and network load. [I originally found this by accident,
> but since then, I have checked a couple of different switches and
> firmware versions with similar results each time.]
>
> Basically, don't rely on a MAC-level switch to provide security. They
> are generally designed to enhance performance (by getting unnecessary
> traffic off the wire), rather than security.
>
> Peter

This is normal, I think. This is because switches need to learn MAC addresses and they don't keep the MAC-to-switch-port table in memory forever. Every time they don't know where to send a frame, they will send it to every port and see from which port an answer comes back, then update the table entry.

-- Yan

From owner-freebsd-security Wed Feb 3 22:45:08 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA24992 for freebsd-security-outgoing; Wed, 3 Feb 1999 22:45:08 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA24976 for ; Wed, 3 Feb 1999 22:45:04 -0800 (PST) (envelope-from jwyatt@RWSystems.net) Received: from kasie.rwsystems.net([209.197.192.103]) (1380 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 4 Feb 1999 00:20:42 -0600 (CST) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24) Date: Thu, 4 Feb 1999 00:20:36 -0600 (CST) From: James Wyatt To: rcramer@sytex.net cc: "Jordan K. Hubbard" , freebsd-security@FreeBSD.ORG Subject: Re: tcpdump inclusion in GENERIC In-Reply-To: <199902030628.BAA01462@cscfx.sytex.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Someone wrote:

> OK, time to raise this topic again. What do people think about
> enabling bpfilter by default in GENERIC?
On Wed, 3 Feb 1999, Richard Cramer answered:

> I vote YES. Greater than 50% of rebuilding the kernel is to
> include bpfilter.

Wow! I'd really like to know where *that* number came from. I could have sworn it was 42.8% with another 44.3% going to turning on divert for natd usage. 8{)

I like the idea of making a kernel work without a rebuild for most folks. What do other folks usually need to rebuild a kernel for? (besides server tuning stuff like MAX_USERS, etc...)

FWIW: I'm for turning them both on, but 2 bpfs to save memory rather than LINT's 4. You don't really take the CPU hit until you open them, anyway...

From owner-freebsd-security Thu Feb 4 00:30:22 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA07410 for freebsd-security-outgoing; Thu, 4 Feb 1999 00:30:22 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA07402 for ; Thu, 4 Feb 1999 00:30:20 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id TAA13906; Thu, 4 Feb 1999 19:30:04 +1100 (EDT) From: Darren Reed Message-Id: <199902040830.TAA13906@cheops.anu.edu.au> Subject: Re: tcpdump To: gryphon@healer.com (Coranth Gryphon) Date: Thu, 4 Feb 1999 19:30:03 +1100 (EDT) Cc: security@FreeBSD.ORG In-Reply-To: <36B8EB27.689D17BF@healer.com> from "Coranth Gryphon" at Feb 3, 99 04:34:47 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some mail from Coranth Gryphon, sie said:
[...]
> If you want to think about it another way, consider it one step
> towards shipping a "Hardening Kit" for FreeBSD.
How much more rubbish do we have to read about bpf impacting the security of a system? If someone can get root then it is "game over" if you are serious about security and haven't taken reasonable precautions (i.e. using tripwire across everything except user files, along with securelevel and file flags for everything but user files). BPF [not] being present will not matter.

I think the decision has been made, anyway, to include BPF, which is a good thing.

If you want to include multiple kernels for distribution, then include useful variations (i.e. different drivers enabled, etc). If you're _that_ desperate to distribute a `secure' kernel, create a config file and add it to the conf directory. Oh, and don't forget to include digital signatures of all distributed files on CD! That's what's really missing - oh, and a similar mechanism added to the pkg system too (you can get it now with RPMs).

Darren

From owner-freebsd-security Thu Feb 4 00:32:18 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA07593 for freebsd-security-outgoing; Thu, 4 Feb 1999 00:32:18 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA07588 for ; Thu, 4 Feb 1999 00:32:16 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id TAA13922; Thu, 4 Feb 1999 19:31:38 +1100 (EDT) From: Darren Reed Message-Id: <199902040831.TAA13922@cheops.anu.edu.au> Subject: Re: tcpdump To: axl@iafrica.com (Sheldon Hearn) Date: Thu, 4 Feb 1999 19:31:37 +1100 (EDT) Cc: gryphon@healer.com, security@FreeBSD.ORG In-Reply-To: <26280.918076054@axl.noc.iafrica.com> from "Sheldon Hearn" at Feb 3, 99 11:07:34 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender:
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some mail from Sheldon Hearn, sie said:
[...]
> What does worry me a little is the idea of making bpf's operation
> dependent on the running securelevel. I thought securelevel restricted
> messing around _inside_ my box. What's that got to do with what my box
> can do with my wire, I wonder?

Nothing. Similar to how relevant Orange Book ratings are to networked computers.

From owner-freebsd-security Thu Feb 4 01:07:47 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA12225 for freebsd-security-outgoing; Thu, 4 Feb 1999 01:07:47 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from www.babel.dk (slut.babel.dk [194.255.106.129] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA12217 for ; Thu, 4 Feb 1999 01:07:43 -0800 (PST) (envelope-from vader@vader.dk) Received: from localhost (vader@localhost) by www.babel.dk (8.9.1a/8.9.1) with SMTP id KAA26104 for ; Thu, 4 Feb 1999 10:07:34 +0100 (CET) Date: Thu, 4 Feb 1999 10:07:34 +0100 (CET) From: Chris Larsen X-Sender: vader@www.babel.dk To: security@FreeBSD.ORG Subject: Enabling bpf device in kernel (was: Re: tcpdump) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id BAA12218 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello all.. just wanted to put in my word:

Now there's been pros and cons against enabling bpf in GENERIC.

As for security. Yes, it's bad that bpf is enabled on a vanilla install; not all *bsd users are ethical about their use of promiscuous mode NICs. It's a little bit on the edge of having security or not.
I'm rather concerned about the discussion about whether bpf should warrant a kernel compile or not. The issue for me is clear here. If you enable bpf, you must also enable ipfw, natd etc etc. Where should one stop?

The goal with GENERIC is to have a minimal kernel with most drivers supported. Is bpf critical in getting a system up and running? I think not. Is ipfw? Not either. If you are tuning your system, you will recompile your kernel; if you don't recompile your kernel, you should not be running unix.

The goal is always to get the smallest possible kernel executable with the least code in it, to do its job. I would think every admin has their own idea of how their *bsd kernel should be configured for best performance for what that machine should be used for.

Now you may say, well, we've got 400 MHz machines these days, a couple of CPU clock cycles isn't gonna cost much.. Yeah well, doing 100000 iterations costs a multiplier thereof.

GENERIC should be stable, most hardware support, less fluff. If you are ever gonna do good with *bsd, you recompile your kernel anyway.

Just my 0.02$ worth on the issue.
darth@vader.dk | Internet Café : Babel
vader@babel.dk | Frederiksborggade 33
Chris Larsen | Phone # +45 33 33 93 38
System Manager | Open: 14-23 Mon - Sat
PGP-key id: 0x137993A5

From owner-freebsd-security Thu Feb 4 02:35:41 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA21862 for freebsd-security-outgoing; Thu, 4 Feb 1999 02:35:41 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA21855 for ; Thu, 4 Feb 1999 02:35:34 -0800 (PST) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 2.11 #1) id 108M6T-000EIx-00; Thu, 4 Feb 1999 12:33:45 +0200 From: Sheldon Hearn To: Chris Larsen cc: security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) In-reply-to: Your message of "Thu, 04 Feb 1999 10:07:34 +0100." Date: Thu, 04 Feb 1999 12:33:45 +0200 Message-ID: <54990.918124425@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 04 Feb 1999 10:07:34 +0100, Chris Larsen wrote:

> As for security.
> Yes it's bad that bpf is enabled on a vanilla install, not
> all *bsd users are ethical about their use of promiscuous mode NIC.

Sorry, I _still_ don't think I understand why bpf is "bad for security". The only thing I can think of is that "bpf is bad for security when root is hacked on the box". I'm wrong if promiscuous mode is available to non-root users.

Looking at the arguments put forward on this issue so far, I'd suggest that the following is reasonable:

1) It's unlikely that root on a brand new box is going to be cracked into within the first few minutes of its life.
   If it is, you have a very unpleasant "leak" in your admin team.

2) Even if the box is _not_ bpf-enabled, a root break-in will change all that with a single reboot. It's easy to guess a time at which such a reboot is likely to go unnoticed for a while.

If you're happy with that, then this whole issue becomes really simple. It all boils down to a choice:

1) Do we try to protect lame admins from horrible things that may happen later on if root is hacked on the box by taking bpf out of the GENERIC kernel?

2) Do we accept that the kind of lame admin who doesn't understand the risks involved in using a bpf-enabled kernel is unlikely to notice the reboot that enables bpf after some unfortunate sniffing, and therefore the damage we wanted to protect him from in the first place has been done?

I think that we'll find this issue easy to resolve by focusing on those two questions. Specifically, I think the focus should be on _who_ we are trying to serve best, the clueful or the lame.

It's my opinion that what we gain by shipping a bpf-less kernel does not measure up to the loss of functionality imposed. Remember, we only gain for lame admins.

I hope I've made a useful contribution to this thread, since I'd really like for a final decision to come out of it, one way or another.

Ciao,
Sheldon.
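Peter Jeremy's observation earlier in this thread (unicast frames turning up on switch ports they were not addressed to) and Yan's explanation of it (the switch floods any frame whose destination it has not learned, or whose table entry has aged out) can be reproduced with a toy learning switch. The block below is an added example, not code from the thread or from any switch vendor; the port numbers, the host names used as MAC addresses and the timestamped traffic trace are all constructed.

```python
"""Toy MAC-learning switch: why unicast frames "leak" to the wrong port.

Added example; not code from the thread or from FreeBSD. Ports, MAC names
and the trace are constructed.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Forwarding table keyed by source MAC, with entries that age out.

    A frame whose destination is unknown (never seen, or last seen more
    than `ttl` seconds ago) is flooded to every port except the ingress
    port. An observer on an unrelated port sees that flooding as leakage.
    """

    def __init__(self, ports, ttl):
        self.ports = list(range(ports))
        self.ttl = ttl
        self.table = {}          # mac -> (port, last_seen)
        self.flooded = 0
        self.forwarded = 0

    def _expire(self, now):
        self.table = {mac: (port, seen) for mac, (port, seen) in self.table.items()
                      if now - seen < self.ttl}

    def receive(self, src, dst, in_port, now):
        """Process one frame; return the list of egress ports it goes to."""
        self._expire(now)
        self.table[src] = (in_port, now)            # learn where src lives
        if dst != BROADCAST and dst in self.table:
            out_port = self.table[dst][0]
            self.forwarded += 1
            return [] if out_port == in_port else [out_port]
        self.flooded += 1
        return [p for p in self.ports if p != in_port]


# Constructed trace: host A on port 0, host B on port 1, and an idle
# observer on port 2 that never transmits. Timestamps are seconds.
TRACE = [
    (0,   "A", "B", 0),
    (1,   "B", "A", 1),
    (2,   "A", "B", 0),
    (500, "A", "B", 0),   # first frame after a long quiet period
    (501, "B", "A", 1),
]
OBSERVER_PORT = 2


def run_trace(ttl, trace=TRACE, observer_port=OBSERVER_PORT):
    """Replay the trace through a switch whose table entries live `ttl` s.

    Returns how many frames were flooded versus forwarded, and how many
    unicast frames reached the observer although not addressed to it.
    """
    sw = LearningSwitch(ports=3, ttl=ttl)
    leaked = 0
    for now, src, dst, in_port in trace:
        egress = sw.receive(src, dst, in_port, now)
        if observer_port in egress and dst != BROADCAST:
            leaked += 1
    return {"frames": len(trace), "flooded": sw.flooded,
            "forwarded": sw.forwarded, "leaked_to_observer": leaked}


if __name__ == "__main__":
    for ttl in (300, 1000):
        print(f"table ttl {ttl:4d}s:", run_trace(ttl))
```

With a 300-second table lifetime the quiet period expires both entries, so the observer on port 2 receives a second frame that was never meant for it; with a 1000-second lifetime only the very first frame (sent before anything was learned) leaks. Real switches also flood when the table overflows, and their timers differ, which is why the leak rate varies by switch and firmware. The defender's conclusion is the one Peter draws: treat a switched segment as shared media and protect the traffic itself.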
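Darren Reed's list of precautions (tripwire across everything except user files, plus securelevel and file flags) and Sheldon's point that a root intruder can rebuild the kernel and reboot come down to the same control: a digest baseline of the system files, kept somewhere the intruder cannot rewrite, and compared against the live system. The following is an added example in Python, not the thread's, Tripwire's or FreeBSD's code; the paths and file contents in demo() are constructed, and the `SHA256 (path) = hex` line format is chosen to match what BSD sha256(1) prints.

```python
"""Minimal file-integrity baseline and check (the idea behind tripwire).

Added example; not code from the thread, Tripwire or FreeBSD. The tree
built in demo() and its file contents are constructed.
"""

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exclude=()):
    """Return {relative path: digest} for every regular file under root,
    skipping anything below an excluded prefix (user home directories
    change constantly and would only produce noise)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == e or rel.startswith(e.rstrip("/") + "/") for e in exclude):
            continue
        baseline[rel] = sha256_file(p)
    return baseline


def format_baseline(baseline):
    """Serialise as 'SHA256 (path) = hex' lines, the shape sha256(1) prints."""
    return "".join(f"SHA256 ({path}) = {digest}\n"
                   for path, digest in sorted(baseline.items()))


def parse_baseline(text):
    """Parse the format written by format_baseline; reject malformed lines."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("SHA256 (") or ") = " not in line:
            raise ValueError(f"unrecognised digest line: {line!r}")
        path, digest = line[len("SHA256 ("):].rsplit(") = ", 1)
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad digest for {path!r}")
        baseline[path] = digest
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny fake filesystem, apply the
    changes an intruder with root would make, and report what the check sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("boot", "bin", "home/alice"):
            (root / d).mkdir(parents=True)
        (root / "boot/kernel").write_bytes(b"GENERIC kernel image (constructed)")
        (root / "bin/ls").write_bytes(b"ls binary (constructed)")
        (root / "home/alice/notes.txt").write_bytes(b"user data (constructed)")
        stored = format_baseline(build_baseline(root, exclude=("home",)))

        # Later: the kernel is replaced and rebooted into, an extra binary
        # appears, and a user edits her own file (excluded, so not reported).
        (root / "boot/kernel").write_bytes(b"rebuilt kernel (constructed)")
        (root / "bin/extra").write_bytes(b"unexpected binary (constructed)")
        (root / "home/alice/notes.txt").write_bytes(b"edited by the user")
        return compare(parse_baseline(stored),
                       build_baseline(root, exclude=("home",)))


if __name__ == "__main__":
    print(demo())
```

demo() reports boot/kernel as modified and bin/extra as added while ignoring the edit under home/. The check is only as good as the place the baseline lives: on the same disk a root intruder simply regenerates it, which is why the thread turns to digests and signatures on the CD-ROM, and why the securelevel and schg-flag combination Darren mentions matters, since at securelevel 1 or higher schg files cannot be rewritten until the next single-user boot.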
From owner-freebsd-security Thu Feb 4 03:11:01 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA25804 for freebsd-security-outgoing; Thu, 4 Feb 1999 03:11:01 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from nomad.dataplex.net (nomad.dataplex.net [208.2.87.8]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA25799 for ; Thu, 4 Feb 1999 03:10:59 -0800 (PST) (envelope-from rkw@dataplex.net) Received: from localhost (rkw@localhost) by nomad.dataplex.net (8.9.1/8.9.1) with ESMTP id FAA66188; Thu, 4 Feb 1999 05:10:40 -0600 (CST) (envelope-from rkw@dataplex.net) Date: Thu, 4 Feb 1999 05:10:40 -0600 (CST) From: Richard Wackerbarth To: Chris Larsen cc: security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In a dhcp environment, it (presently) is!

I think that the world is moving toward dhcp as the primary method of learning appropriate IP configuration data. Cable modem systems, etc. require it. We need the dhcp client in /sbin and enabled by default. It is always possible to override this with static addresses. The inverse is not true.

On Thu, 4 Feb 1999, Chris Larsen wrote:

> Is bpf critical in getting a system up and running ? i think
> not.
From owner-freebsd-security Thu Feb 4 06:45:17 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA23924 for freebsd-security-outgoing; Thu, 4 Feb 1999 06:45:17 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA23912 for ; Thu, 4 Feb 1999 06:45:13 -0800 (PST) (envelope-from jwyatt@RWSystems.net) Received: from kasie.rwsystems.net([209.197.192.103]) (1465 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 4 Feb 1999 08:33:41 -0600 (CST) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24) Date: Thu, 4 Feb 1999 08:33:41 -0600 (CST) From: James Wyatt To: Darren Reed cc: freebsd-security@FreeBSD.ORG Subject: Re: tcpdump In-Reply-To: <199902040830.TAA13906@cheops.anu.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 4 Feb 1999, Darren Reed wrote:

> In some mail from Coranth Gryphon, sie said:
> [...]
> > If you want to think about it another way, consider it one step
> > towards shipping a "Hardening Kit" for FreeBSD.
>
> How much more rubbish do we have to read about bpf impacting the
> security of a system ?

[ ... several useful points deleted, but you remember, right? ... ]

Hate to sound like the 60's, but "Right On, Man!". I would hate to see us with dozens of kernel disks (like Linux), but I like the config file idea. It would allow a simple SB16 setup without including another kernel or explaining LINT vs. GENERIC and vi operations to some of my friends. The Linux kernel config menu is nice, though.
The crypto-sigs on the ROM would be better than TripWire sigs on a floppy for the standard executables. For packages, would you have a list w/the pkg and a sig for the lists? Thanks!

From owner-freebsd-security Thu Feb 4 06:55:34 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA25275 for freebsd-security-outgoing; Thu, 4 Feb 1999 06:55:34 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA25260 for ; Thu, 4 Feb 1999 06:55:32 -0800 (PST) (envelope-from jwyatt@RWSystems.net) Received: from kasie.rwsystems.net([209.197.192.103]) (1548 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 4 Feb 1999 08:45:19 -0600 (CST) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24) Date: Thu, 4 Feb 1999 08:44:58 -0600 (CST) From: James Wyatt To: Sheldon Hearn cc: Chris Larsen , security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) In-Reply-To: <54990.918124425@axl.noc.iafrica.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 4 Feb 1999, Sheldon Hearn wrote:
[ ... ]
> I think that we'll find this issue easy to resolve by focusing on those
> two questions. Specifically, I think the focus should be on _who_ we are
> trying to serve best, the clueful or the lame.

While I understand your point, it smacks of elitism. Many of the admins' clue-level started at the lame-level hacking on their own machine. Some got appointed by mgmt when they had plenty o' clue in another area and someone good was needed *fast* to do admin stuff. (Some self-appoint and get what they deserve.
8{)

As I've said, I'm for adding, but I count on our audience to grow up with us - especially if they read the lists and a doc or two. Adding BPF isn't like putting the RedHat CD on my Multia and seeing it install NFS and portmap by default. Ulgh! (And leaving some of NFS alive when you turn it off in the GUI. Bad dog, no biscuit!) It did install well, though.

From owner-freebsd-security Thu Feb 4 07:20:20 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA29005 for freebsd-security-outgoing; Thu, 4 Feb 1999 07:20:20 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA28980 for ; Thu, 4 Feb 1999 07:20:10 -0800 (PST) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 2.11 #1) id 108QY0-000EeY-00; Thu, 4 Feb 1999 17:18:28 +0200 From: Sheldon Hearn To: James Wyatt cc: Chris Larsen , security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) In-reply-to: Your message of "Thu, 04 Feb 1999 08:44:58 CST." Date: Thu, 04 Feb 1999 17:18:28 +0200 Message-ID: <56329.918141508@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 04 Feb 1999 08:44:58 CST, James Wyatt wrote:

> While I understand your point, it smacks of elitism. Many of the admins'
> clue-level started at the lame-level hacking on their own machine.

I hope that's not what _everyone_ saw in my mail. :-)

What I was getting at is that bpf-less kernels gain something specific which I believe is of very little benefit to the only people who might not turn bpf off themselves.

Ciao,
Sheldon.
From owner-freebsd-security Thu Feb 4 07:23:33 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA29445 for freebsd-security-outgoing; Thu, 4 Feb 1999 07:23:33 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dworkin.amber.org (dworkin.amber.org [209.31.146.74]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA29440 for ; Thu, 4 Feb 1999 07:23:31 -0800 (PST) (envelope-from petrilli@dworkin.amber.org) Received: (from petrilli@localhost) by dworkin.amber.org (8.9.0/8.9.0) id KAA03647; Thu, 4 Feb 1999 10:23:23 -0500 (EST) Message-ID: <19990204102322.28863@amber.org> Date: Thu, 4 Feb 1999 10:23:22 -0500 From: "Christopher G. Petrilli" To: Richard Wackerbarth Cc: security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89.1i In-Reply-To: ; from Richard Wackerbarth on Thu, Feb 04, 1999 at 05:10:40AM -0600 X-Disclaimer: I hardly speak for myself, muchless anyone else. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Feb 04, 1999 at 05:10:40AM -0600, Richard Wackerbarth wrote:

> I think that the world is moving toward dhcp as the primary method of
> learning appropriate IP configuration data.

I would agree that this is true for clients, but I don't believe it will ever be true for servers... and remember, FreeBSD is a server first, and more often than it is a client, I think... at least that's our experience with it. I'm the only person who has a FreeBSD box on their desk as a client, but we have dozens of them as servers.

> We need the dhcp client in /sbin and enabled by default.

No, not enabled by default.

> It is always possible to override this with static addresses.
> The inverse is not true.
Ick, I've never had anything but sickness with DHCP on Unices... I understand its value, and in fact one of my FreeBSD boxes is a DHCP server for several hundred Wintel boxes... Hmm, I'm just afraid that we need to differentiate between client and server installations. Maybe this should just be a separate installation option? "Are you installing a client or a server?" And based on this it decides what to do... DHCP default vs. static, named running vs. not, etc...

Chris
--
| Christopher Petrilli
| petrilli@amber.org

From owner-freebsd-security Thu Feb 4 07:54:45 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA04983 for freebsd-security-outgoing; Thu, 4 Feb 1999 07:54:45 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA04977 for ; Thu, 4 Feb 1999 07:54:43 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id KAA16479; Thu, 4 Feb 1999 10:54:40 -0500 (EST) (envelope-from wollman) Date: Thu, 4 Feb 1999 10:54:40 -0500 (EST) From: Garrett Wollman Message-Id: <199902041554.KAA16479@khavrinen.lcs.mit.edu> To: James Wyatt Cc: freebsd-security@FreeBSD.ORG Subject: Signatures on installation media (was: Re: tcpdump) In-Reply-To: References: <199902040830.TAA13906@cheops.anu.edu.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

< said:

> The crypto-sigs on the ROM would be better than TripWire sigs on a floppy
> for the standard executables. For packages, would you have a list w/the
> pkg and a sig for the lists?

The CD-ROM already has MD5 digests for every file which can be installed (except X).
There's not much point in signing something, since the verification key would have to be distributed on the same medium. You'll just have to trust your CD-ROM vendor.

-GAWollman

-- 
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Thu Feb 4 08:00:20 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA05582 for freebsd-security-outgoing; Thu, 4 Feb 1999 08:00:20 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA05553 for ; Thu, 4 Feb 1999 08:00:11 -0800 (PST) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id RAA07296; Thu, 4 Feb 1999 17:00:08 +0100 (CET) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id RAA26665; Thu, 4 Feb 1999 17:00:08 +0100 (MET) Date: Thu, 4 Feb 1999 17:00:07 +0100 From: Eivind Eklund To: Darren Reed Cc: Coranth Gryphon , security@FreeBSD.ORG Subject: Re: tcpdump Message-ID: <19990204170007.B8749@bitbox.follo.net> References: <36B8EB27.689D17BF@healer.com> <199902040830.TAA13906@cheops.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <199902040830.TAA13906@cheops.anu.edu.au>; from Darren Reed on Thu, Feb 04, 1999 at 07:30:03PM +1100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Feb 04, 1999 at 07:30:03PM +1100, Darren Reed wrote:
> If you're _that_ desperate to distribute a `secure' kernel, create a
> config file and add it to the conf directory. Oh, and don't forget
> to include digital signatures of all distributed files on CD! That's
> what's really missing - oh, and a similar mechanism added to the pkg
> system too (you can get it now with RPM's).

I have code to do this; integrating it with the pkg_* family is on my TODO-list. It's taken a lot of time before I finally got my co-worker to actually sit down and tar up that code to give it to me, and I've not had time to look it over and clean it up for integration since.

Eivind.

From owner-freebsd-security Thu Feb 4 08:37:00 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA11621 for freebsd-security-outgoing; Thu, 4 Feb 1999 08:37:00 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from socrates.i-pi.com (socrates.i-pi.com [198.49.217.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA11611 for ; Thu, 4 Feb 1999 08:36:55 -0800 (PST) (envelope-from ingham@socrates.i-pi.com) Received: (from ingham@localhost) by socrates.i-pi.com (8.9.1/8.9.1) id JAA03008; Thu, 4 Feb 1999 09:35:47 -0700 Message-ID: <19990204093547.A3001@socrates.i-pi.com> Date: Thu, 4 Feb 1999 09:35:47 -0700 From: Kenneth Ingham To: "Christopher G. Petrilli" , Richard Wackerbarth Cc: security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) References: <19990204102322.28863@amber.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2 In-Reply-To: <19990204102322.28863@amber.org>; from Christopher G. Petrilli on Thu, Feb 04, 1999 at 10:23:22AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> Ick, I've never had anything but sickness with DHCP on Unices...

I've run several with DHCP (including FreeBSD, Linux, and IRIX) and they all run fine.
The idea of a question at install time to decide whether to use DHCP or a static IP addr sounds good to me, as does making ISC DHCP part of the normal distribution (it's what I always use as a UNIX client).

Kenneth

From owner-freebsd-security Thu Feb 4 09:37:17 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA21338 for freebsd-security-outgoing; Thu, 4 Feb 1999 09:37:17 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mta2-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA21331 for ; Thu, 4 Feb 1999 09:37:10 -0800 (PST) (envelope-from junkmale@pop3.xtra.co.nz) Received: from wocker ([210.55.210.87]) by mta2-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990204173804.XFLS678125.mta2-rme@wocker>; Fri, 5 Feb 1999 06:38:04 +1300 From: "Dan Langille" Organization: The FreeBSD Diary To: Kenneth Ingham Date: Fri, 5 Feb 1999 06:37:02 +1300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) Reply-to: junkmale@xtra.co.nz CC: security@FreeBSD.ORG In-reply-to: <19990204093547.A3001@socrates.i-pi.com> References: <19990204102322.28863@amber.org>; from Christopher G. Petrilli on Thu, Feb 04, 1999 at 10:23:22AM -0500 X-mailer: Pegasus Mail for Win32 (v3.01d) Message-Id: <19990204173804.XFLS678125.mta2-rme@wocker> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On 4 Feb 99, at 9:35, Kenneth Ingham wrote:
> The idea of a question at install time to decide whether to use DHCP or
> a static IP addr sounds good to me, as does making ISC DHCP part of the
> normal distribution (it's what I always use as a UNIX client).

This reminds me of a question that came to mind yesterday.
When I was first installing FreeBSD, I had a devil of a time getting DHCP installed. I did not have the CDs and had to FTP it from my local LAN. If I was running standalone, how would I have gotten DHCP installed? It's a chicken and egg situation. I can't access the net until I get DHCP installed and I can't get DHCP without net access.

Given that, I strongly support what Kenneth just said. Unless of course someone can show me how I could have installed DHCP without CDs and on a standalone computer?

-- 
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Thu Feb 4 10:54:55 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA02216 for freebsd-security-outgoing; Thu, 4 Feb 1999 10:54:55 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from netmug.org (netmug.org [204.188.144.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA02178 for ; Thu, 4 Feb 1999 10:54:47 -0800 (PST) (envelope-from perl@netmug.org) Received: from localhost (perl@localhost) by netmug.org (8.8.8/NetMUG_1.0.0) with ESMTP id KAA19473; Thu, 4 Feb 1999 10:53:43 -0800 (PST) Date: Thu, 4 Feb 1999 10:53:43 -0800 (PST) From: perl To: Dan Langille cc: Kenneth Ingham , security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) In-Reply-To: <19990204173804.XFLS678125.mta2-rme@wocker> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I'm not sure how much free space is on the boot floppy, but is there any chance of getting a dhcp client on it? Installing FreeBSD over a network which uses DHCP isn't possible (as far as I know) with the current boot floppy. Maybe it would fit if we removed the "upgrade" option, whatever that does, from sysinstall?
Michael

On Fri, 5 Feb 1999, Dan Langille wrote:
> On 4 Feb 99, at 9:35, Kenneth Ingham wrote:
>
> > The idea of a question at install time to decide whether to use DHCP or
> > a static IP addr sounds good to me, as does making ISC DHCP part of the
> > normal distribution (it's what I always use as a UNIX client).
>
> This reminds me of a question that came to mind yesterday. When I was
> first installing FreeBSD, I had a devil of a time getting DHCP installed. I
> did not have the CDs and had to FTP it from my local LAN. If I was
> running standalone, how would I have gotten DHCP installed? It's
> a chicken and egg situation. I can't access the net until I get DHCP
> installed and I can't get DHCP without net access.
>
> Given that, I strongly support what Kenneth just said. Unless of course
> someone can show me how I could have installed DHCP without CDs and on a
> standalone computer?
>
> --
> Dan Langille

From owner-freebsd-security Thu Feb 4 11:23:45 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA06193 for freebsd-security-outgoing; Thu, 4 Feb 1999 11:23:45 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from isr3277.urh.uiuc.edu (isr3277.urh.uiuc.edu [130.126.65.13]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id LAA06186 for ; Thu, 4 Feb 1999 11:23:43 -0800 (PST) (envelope-from ftobin@bigfoot.com) Received: (qmail 2965 invoked by uid 1000); 4 Feb 1999 19:23:40 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 4 Feb 1999 19:23:40 -0000 Date: Thu, 4 Feb 1999 13:23:40 -0600 (CST) From: Frank Tobin X-Sender: ftobin@isr3277.urh.uiuc.edu To: security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) In-Reply-To: <19990204173804.XFLS678125.mta2-rme@wocker> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 5 Feb 1999, Dan Langille wrote:
> Given that, I strongly support what Kenneth just said. Unless of course
> someone can show me how I could have installed DHCP without CDs and on a
> standalone computer?

All this talk about DHCP has raised a few questions in my mind about why we need bpf for DHCP, when by spec DHCP is supposed to be backwards compatible with BootP, and bpf is not needed for BootP. Am I missing something here? I myself am using BootP to connect to a DHCP server, and I don't have bpf installed. Please forgive the simplicity of this question.

-- 
Frank Tobin                      "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin   valued, those truths which cannot be shaken
                                 or changed."  Myst: The Book of Atrus

FreeBSD: The Power To Serve

If you use Pine and PGP 5.0(i), try pgpenvelope.
http://www.bigfoot.com/~ftobin/resources.html

From owner-freebsd-security Thu Feb 4 11:55:58 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA11370 for freebsd-security-outgoing; Thu, 4 Feb 1999 11:55:58 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA11362 for ; Thu, 4 Feb 1999 11:55:55 -0800 (PST) (envelope-from mike@seidata.com) From: mike@seidata.com Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with ESMTP id OAA27662; Thu, 4 Feb 1999 14:55:25 -0500 (EST) Date: Thu, 4 Feb 1999 14:55:25 -0500 (EST) To: James Wyatt cc: Sheldon Hearn , Chris Larsen , security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence:
bulk X-Loop: FreeBSD.org

On Thu, 4 Feb 1999, James Wyatt wrote:
> While I understand your point, it smacks of elitism. Many of the admins
> clue-level started at the lame-level hacking on their own machine. Some

No, it doesn't 'smack[..] of elitism', it makes a very good point: many of the users of FreeBSD (or any OS) will have no clue what bpf is - or how to disable it if they do not want it running. It is not wise to put tools in the hands of people without their knowing what those tools are or how to use them - especially something with bpf's implications. As it is now, one must research bpf and LEARN something before mindlessly enabling it... the approach you suggest removes all effort from the process.

As for a GENERIC kernel that has numerous non-needed options enabled and is overly-bloated, might I suggest http://www.microsoft.com.

The main argument I have heard for including bpf is, 'it will reduce kernel compile time'. Bologna. I don't want bpf running on my production Internet machines, so I will be compiling far more just to remove the bpf support.

The reduced or increased kernel compile time is not the issue, anyway... since anyone who has used FreeBSD (or any Unix) for long at all will be re-compiling their kernel. It is no harder to add 'pseudo-device bpf 2' than it is to remove 'pseudo-device bpf 2'. The issue is remembering what GENERIC is for. It's not meant to hold every possible kernel option under the sun... Heck, why not just mv LINT GENERIC?

> us - especially if they read the lists and a doc or two. Adding BPF isn't
> like putting the RedHat CD on my Multia and seeing it install NFS and

Actually, it's heading down the same slippery slope... enable as much by default as possible so the unknowing user can utilize as many utilities as possible... Down side? Loss of efficiency and lack of security.

-- 
Mike Hoskins
System/Network Administrator
SEI Data Network Services, Inc.
http://www.seidata.com

From owner-freebsd-security Thu Feb 4 12:40:24 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA17800 for freebsd-security-outgoing; Thu, 4 Feb 1999 12:40:24 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA17780 for ; Thu, 4 Feb 1999 12:40:18 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id HAA19936; Fri, 5 Feb 1999 07:39:04 +1100 (EDT) From: Darren Reed Message-Id: <199902042039.HAA19936@cheops.anu.edu.au> Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) To: mike@seidata.com Date: Fri, 5 Feb 1999 07:39:04 +1100 (EDT) Cc: jwyatt@RWSystems.net, axl@iafrica.com, vader@vader.dk, security@FreeBSD.ORG In-Reply-To: from "mike@seidata.com" at Feb 4, 99 02:55:25 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some mail from mike@seidata.com, sie said:
[...]
> Actually, it's heading down the same slippery slope... enable as much
> by default as possible so the unknowing user can utilize as many
> utilities as possible... Down side? Loss of efficiency and lack of
> security.

It has *NO* impact on security. Get that through your head! The cost is space on the boot floppy, memory used and a small, very small, overhead for networking (if anyone is really convinced of this then they should go ahead and do some testing to quantify the overhead in terms of ms per packet).
Darren

From owner-freebsd-security Thu Feb 4 12:45:22 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA18559 for freebsd-security-outgoing; Thu, 4 Feb 1999 12:45:22 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA18535 for ; Thu, 4 Feb 1999 12:45:17 -0800 (PST) (envelope-from jwyatt@RWSystems.net) Received: from kasie.rwsystems.net([209.197.192.103]) (2204 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 4 Feb 1999 14:17:06 -0600 (CST) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24) Date: Thu, 4 Feb 1999 14:16:54 -0600 (CST) From: James Wyatt To: "Christopher G. Petrilli" cc: Richard Wackerbarth , security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) In-Reply-To: <19990204102322.28863@amber.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Feb 04, 1999 at 05:10:40AM -0600, Richard Wackerbarth wrote:
> I think that the world is moving toward dhcp as the primary method of
> learning appropriate IP configuration data.

On Thu, 4 Feb 1999, Christopher G. Petrilli wrote:
> I would agree that this is true for clients, but I don't believe it will
> ever be true for servers... and remember, FreeBSD is a server first, and
> more often than it is a client I think... at least that's our experience
> with it. I'm the only person who has a FreeBSD box on their desk as a
> client, but we have dozens of them as servers.

*This* might be a good split for boot floppies. Not dozens w/different hardware, just two for server v.s. client.
The server would have higher MAX_USER, no dhcpd. The client could have dhcp, bpf, and maybe sound. Of course, this means more work for the folks who bring us FreeBSD. What do they think? OTOH: I usually build server kernels by hand anyway to tune RAM/users/ptys/etc and carefully spec drivers and options. I have begun building most kernels on one box and FTP-ing them anyway.

> Ick, I've never had anything but sickness with DHCP on Unices... I
> understand its value, and in fact one of my FreeBSD boxes is a DHCP
> server for several hundred Wintel boxes... Hmm, I'm just afraid that

It's not so bad. We had to do it for one guy who had DHCP on his CableModem, though some use static addresses. Amazing how different two CM setups a few miles apart on the same company can be. Does anyone get anything 'interesting' running a bpf on one? 8{)

- Jy@

From owner-freebsd-security Thu Feb 4 13:45:08 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA25562 for freebsd-security-outgoing; Thu, 4 Feb 1999 13:45:08 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA25550 for ; Thu, 4 Feb 1999 13:45:05 -0800 (PST) (envelope-from jwyatt@RWSystems.net) Received: from kasie.rwsystems.net([209.197.192.103]) (5429 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 4 Feb 1999 15:19:57 -0600 (CST) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24) Date: Thu, 4 Feb 1999 15:19:56 -0600 (CST) From: James Wyatt To: mike@seidata.com cc: Sheldon Hearn , Chris Larsen , security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender:
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 4 Feb 1999 mike@seidata.com wrote:
> On Thu, 4 Feb 1999, James Wyatt wrote:
> > While I understand your point, it smacks of elitism. Many of the admins
> > clue-level started at the lame-level hacking on their own machine. Some
>
> No, it doesn't 'smack[..] of elitism', it makes a very good point:
> many of the users of FreeBSD (or any OS) will have no clue what bpf is
> - or how to disable it if they do not want it running. It is not wise
> to put tools in the hands of people without their knowing what those
> tools are or how to use them - especially something with bpf's
> implications. As it is now, one must research bpf and LEARN something
> before mindlessly enabling it... the approach you suggest removes all
> effort from the process.

Please quote the original material when refuting, especially if you didn't write it, know what the author had in his mind, and how the reader took it. The choice of words just struck me wrong, that's all. 8{(

If it is so easy to add (just another few lines in the hack script), we aren't making it much safer leaving it out. DHCP is rapidly appearing everywhere and our stack can't handle it w/o BPF until it is reworked or repaired. Lots of folks are using FreeBSD as a client and the server folks often have to rebuild their kernels anyway. My main concerns are fitting on one floppy and works-everywhere. I'm happy with generic, but would like more.

> As for a GENERIC kernel that has numerous non-needed options enabled
> and is overly-bloated, might I suggest http://www.microsoft.com.

I wasn't aware they had a GENERIC BSD kernel available, could run on my hardware and customer mix, or shipped anything I could trust naked on The Net. I wasn't aware that any 'if you don't like it go to The Devil in Redmond' comments were apropos around here. ('You can go to Linux' is just as bad.) I run numerous OSs around here, but most are behind a FreeBSD firewall.
Besides, XBoing doesn't run on Win32. 8{)

> The main argument I have heard for including bpf is, 'it will reduce
> kernel compile time'. Bologna. I don't want bpf running on my
> production Internet machines, so I will be compiling far more just to
> remove the bpf support.

Since you hint you can run all your servers w/GENERIC if bpf is not in it, why not build a standard kernel and install it after you load FreeBSD? It's what I have gone to here to get divert-sockets for natd clients. What I am concerned about is the boot floppy and base install. Can I put a floppy in the system hooked to a DHCP-administrated interface (CableModem, office LAN, etc...), and FTP/CDROM load FreeBSD and be up-on-the-air?

btw: When I help friends get a 486 FreeBSD online, a precompiled kernel saves about 40/50 min each! It is about 3.5 on a K6/II. I usually convert the old machine they had before Win32 and use Pentium/K6/etc for uSoft client machine since it sucks so much CPU/RAM.

> The reduced or increased kernel compile time is not the issue,
> anyway... since anyone who has used FreeBSD (or any Unix) for long at
> all will be re-compiling their kernel. It is no harder to add
> 'pseudo-device bpf 2' than it is to remove 'pseudo-device bpf 2'. The
> issue is remembering what GENERIC is for. It's not meant to hold
> every possible kernel option under the sun...

Remember LKMs? We are working on getting away from rebuilding kernels where we can. It is one more thing in a machine-restore and something else folks learning Unix can misconfigure. VeryFAQs sometimes point to things that should change.

> Heck, why not just mv LINT GENERIC?

Because the comments on lines 7 to 9 suggest against it. Because it won't fit on the boot floppy. Because it won't load on 16MB RAM with reasonable swap. Because it will enable conflicting drivers. Because it enables the wrong CPUs. Because USER_LDT is not a good default. Because extra debug and profile code will *really* slow things down *always*.
Because NFS is installed. Because quotas are enabled. Because snp means the console can be snooped. Because the world would rotate in reverse. Because my cat would explode. Oh, this was another GENERIC statement...

> > us - especially if they read the lists and a doc or two. Adding BPF isn't
> > like putting the RedHat CD on my Multia and seeing it install NFS and
>
> Actually, it's heading down the same slippery slope... enable as much
> by default as possible so the unknowing user can utilize as many
> utilities as possible... Down side? Loss of efficiency and lack of
> security.

That *is* worth worrying about and why I'm still listening closely to what others on this list, including yourself, have to say. Thanks! - Jy@

From owner-freebsd-security Thu Feb 4 13:48:12 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA26272 for freebsd-security-outgoing; Thu, 4 Feb 1999 13:48:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from atdot.dotat.org (atdot.dotat.org [203.23.150.35]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA26260 for ; Thu, 4 Feb 1999 13:48:08 -0800 (PST) (envelope-from newton@atdot.dotat.org) Received: (from newton@localhost) by atdot.dotat.org (8.9.2/8.7) id IAA02973; Fri, 5 Feb 1999 08:16:44 +1030 (CST) From: Mark Newton Message-Id: <199902042146.IAA02973@atdot.dotat.org> Subject: Re: tcpdump To: jwyatt@RWSystems.net (James Wyatt) Date: Fri, 5 Feb 1999 08:16:44 +1030 (CST) Cc: avalon@coombs.anu.edu.au, freebsd-security@FreeBSD.ORG In-Reply-To: from "James Wyatt" at Feb 4, 99 08:33:41 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

James Wyatt wrote:
> Hate to sound like the 60's, but "Right On, Man!". I would hate to see us
> with dozens of Kernel disks (like Linux), but I like the config file idea.

I *know* this has been discussed before: Why not add one more tarball to the installation distribution: One full of "common-case" kernels, and perhaps skeleton rc.conf files full of defaults to match the common cases. The kernel you want can be selected by picking radio-buttons in sysinstall:

    Should this system be optimized for use as:

        ( ) A workstation
        (*) A server
        ( ) A firewall
        ( ) A public web server

                [ OK ]     [ Help ]

The kernels can have pre-optimized tuning parameters, appropriate support (like bpf in the "server" configuration), etc. The "Help" button on that dialog box would explain the consequences of choosing each one (i.e.: pointing out BPF, or saying Linux is turned on by default in the workstation case, etc).

- mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
but it hurt when I walked.                              Mark Newton
----- Voice: +61-4-1958-3414 ------------- Fax: +61-8-83034403 -----

From owner-freebsd-security Thu Feb 4 17:02:45 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA24772 for freebsd-security-outgoing; Thu, 4 Feb 1999 17:02:45 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dworkin.amber.org (dworkin.amber.org [209.31.146.74]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA24766 for ; Thu, 4 Feb 1999 17:02:42 -0800 (PST) (envelope-from petrilli@dworkin.amber.org) Received: (from petrilli@localhost) by dworkin.amber.org (8.9.0/8.9.0) id UAA11608; Thu, 4 Feb 1999 20:02:36 -0500 (EST) Message-ID: <19990204200236.30021@amber.org> Date: Thu, 4 Feb 1999 20:02:36 -0500 From: "Christopher G.
Petrilli" To: James Wyatt Cc: security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) References: <19990204102322.28863@amber.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89.1i In-Reply-To: ; from James Wyatt on Thu, Feb 04, 1999 at 02:16:54PM -0600 X-Disclaimer: I hardly speak for myself, muchless anyone else. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Feb 04, 1999 at 02:16:54PM -0600, James Wyatt wrote:
> On Thu, Feb 04, 1999 at 05:10:40AM -0600, Richard Wackerbarth wrote:
> > I think that the world is moving toward dhcp as the primary method of
> > learning appropriate IP configuration data.
>
> On Thu, 4 Feb 1999, Christopher G. Petrilli wrote:
> > I would agree that this is true for clients, but I don't believe it will
> > ever be true for servers... and remember, FreeBSD is a server first, and
> > more often than it is a client I think... at least that's our experience
> > with it. I'm the only person who has a FreeBSD box on their desk as a
> > client, but we have dozens of them as servers.
>
> *This* might be a good split for boot floppies. Not dozens w/different
> hardware, just two for server v.s. client. The server would have higher
> MAX_USER, no dhcpd. The client could have dhcp, bpf, and maybe sound. Of
> course, this means more work for the folks who bring us FreeBSD. What do
> they think? OTOH: I usually build server kernels by hand anyway to tune
> RAM/users/ptys/etc and carefully spec drivers and options. I have begun
> building most kernels on one box and FTP-ing them anyway.

Call it an epiphany, but I think this is probably how the install process should diverge... I haven't looked yet, so this is all hand-waving, but what would be nice is to be able to simply have a "build file" that is used to generate the individual boot disks. I can think of many things (NFS?) that wouldn't necessarily be done the same in each setup...
lots of things that should be turned off by default in clients, but turned on in servers, etc...

Chris
-- 
| Christopher Petrilli
| petrilli@amber.org

From owner-freebsd-security Thu Feb 4 17:30:53 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA28115 for freebsd-security-outgoing; Thu, 4 Feb 1999 17:30:53 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from nomad.dataplex.net (nomad.dataplex.net [208.2.87.8]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA28110 for ; Thu, 4 Feb 1999 17:30:51 -0800 (PST) (envelope-from rkw@dataplex.net) Received: from localhost (rkw@localhost) by nomad.dataplex.net (8.9.1/8.9.1) with ESMTP id TAA02879; Thu, 4 Feb 1999 19:30:28 -0600 (CST) (envelope-from rkw@dataplex.net) Date: Thu, 4 Feb 1999 19:30:28 -0600 (CST) From: Richard Wackerbarth To: Sheldon Hearn cc: James Wyatt , Chris Larsen , security@FreeBSD.ORG Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump) In-Reply-To: <56329.918141508@axl.noc.iafrica.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 4 Feb 1999, Sheldon Hearn wrote:
> What I was getting at is that bpf-less kernels gain something specific
> which I believe is of very little benefit to the only people who might
> not turn bpf off themselves.

OTOH, bpf-less kernels will totally stop an ever-growing population who require it. I would opt for putting in bpf just as we put all kinds of NIC drivers that are (to most people) worthless. -- But critical to the few who need it.
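The disagreement running through this thread is about which pseudo-devices a stock kernel config should enable, with 'pseudo-device bpf 2' (and James Wyatt's mention of snp) as the examples. Whatever GENERIC ends up shipping with, an administrator who inherits a box wants to know what its config actually turns on. The following is an added example, written for this archive and not code from any poster or from FreeBSD itself: it parses the 'keyword args... # comment' format of a 2.x-era kernel config file, lists the pseudo-devices it enables with their unit counts, flags the ones the thread argues about, and emits a copy with a chosen pseudo-device commented out so the change can be diffed and reviewed. The sample config, the REVIEW table and its notes are constructed for the example.

```python
"""Audit the pseudo-devices a FreeBSD kernel config file enables.

Added example: parses the 'keyword args... # comment' line format used by
2.x/3.x kernel config files, reports which pseudo-devices are present, flags
the ones discussed in the thread, and can emit a copy with one of them
commented out. The sample config below is constructed for this example.
"""

# Pseudo-devices worth a second look on a production server. The notes are
# the example author's summary of the thread, not FreeBSD documentation.
REVIEW = {
    "bpf": "Berkeley Packet Filter: a process that can open /dev/bpf* reads "
           "raw frames off an interface (needed by tcpdump and dhclient)",
    "bpfilter": "older spelling of the bpf pseudo-device",
    "snp": "tty snoop device: terminal sessions, console included, can be watched",
}

# Constructed sample, loosely modelled on a 2.2-era GENERIC config.
SAMPLE_CONFIG = """\
# Constructed sample config for the audit example
machine         "i386"
cpu             "I586_CPU"
ident           CLIENT
maxusers        32

options         INET                    #InterNETworking
options         FFS                     #Berkeley Fast Filesystem
options         "COMPAT_43"             #Compatible with BSD 4.3

pseudo-device   loop
pseudo-device   ether
pseudo-device   sl      1
pseudo-device   pty     16
pseudo-device   bpf     2               #Berkeley packet filter
pseudo-device   snp     3               #Snoop device - to look at pty/vty/etc..
"""


def parse_config(text):
    """Split a config file into (keyword, [args]) pairs.

    '#' starts a comment; blank and comment-only lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        if not code:
            continue
        fields = code.split()
        entries.append((fields[0], fields[1:]))
    return entries


def pseudo_devices(text):
    """Map each enabled pseudo-device name to its unit count (1 when omitted)."""
    devices = {}
    for keyword, args in parse_config(text):
        if keyword != "pseudo-device" or not args:
            continue
        name = args[0].strip('"')
        count = int(args[1]) if len(args) > 1 and args[1].isdigit() else 1
        devices[name] = count
    return devices


def audit(text):
    """Return {name: (units, note)} for every enabled pseudo-device in REVIEW."""
    return {name: (units, REVIEW[name])
            for name, units in pseudo_devices(text).items()
            if name in REVIEW}


def without_pseudo_device(text, name):
    """Return the config with every 'pseudo-device <name>' line commented out.

    Everything else, including comments and spacing, is left untouched so the
    result can be diffed against the original before it is committed.
    """
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 2 and fields[0] == "pseudo-device"
                and fields[1].strip('"') == name):
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, (units, note) in audit(SAMPLE_CONFIG).items():
        print(f"{name:<8} units={units:<3} {note}")
    print("--- same config without bpf ---")
    print(without_pseudo_device(SAMPLE_CONFIG, "bpf"))
```

Run against a real config file (`audit(open("/sys/i386/conf/GENERIC").read())`) the report shows at a glance whether bpf or snp made it into the kernel you are about to build; the commented-out copy is the reviewable form of the "just remove 'pseudo-device bpf 2'" step mike@seidata.com describes.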
From owner-freebsd-security Thu Feb 4 17:42:02 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA29640 for freebsd-security-outgoing; Thu, 4 Feb 1999 17:42:02 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ch3.chiaher.com.tw ([210.59.156.129]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA29597 for ; Thu, 4 Feb 1999 17:41:56 -0800 (PST) (envelope-from csw@chiaher.com.tw) Received: from IP001-018 ([172.18.1.18]) by ch3.chiaher.com.tw with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3) id DTMLLDLM; Fri, 5 Feb 1999 09:39:39 +0800 Message-ID: <015501be50a9$14d43820$120112ac@ip001-018> From: "Max Wong" To: "Security" Subject: About security Date: Fri, 5 Feb 1999 09:44:34 +0800 MIME-Version: 1.0 Content-Type: text/plain; charset="big5" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-Mimeole: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

I am running ipfw on a FreeBSD 2.2.8 box. I changed the telnet port number 23 to 9999 and I added a rule '$ipfwcmd pass tcp from ${inet}:${imask} to any 9999'. After I did it, I couldn't telnet to FreeBSD. The error message on the console is "host routed[72]:punt RTM_LOSING without gateway". I have two ethernet cards, ed0 and ed1, on the box and I have router_enable="YES". What can I do about that? I also have another question about how to use a port defined by the user in /etc/services.
Thanks, Max To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 4 17:54:17 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA02074 for freebsd-security-outgoing; Thu, 4 Feb 1999 17:54:17 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ppc1.cybertime.ch (ppc1.cybertime.ch [194.191.120.136]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA01954 for ; Thu, 4 Feb 1999 17:54:13 -0800 (PST) (envelope-from pajarola@cybertime.ch) Received: from tiamat.dlc.cybertime.ch (tiamat.dlc.cybertime.ch [194.191.120.143]) by ppc1.cybertime.ch (8.9.2/8.9.2) with SMTP id CAA15270 for ; Fri, 5 Feb 1999 02:54:13 +0100 Message-Id: <3.0.32.19990205024540.00874db0@shrike.overmind.ch> X-Sender: pajarola@shrike.overmind.ch X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 05 Feb 1999 02:54:01 +0100 To: security@FreeBSD.ORG From: Rico Pajarola Subject: Re: tcpdump Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I vote for bpf in GENERIC Maybe it is true that most people who need bpf for tcpdumping on a regular basis are of the type who compile their own kernel anyway, and that it can compromise security (I don't really believe that), but there are some increasingly important 'legal' reasons to use it for joe averageuser: if he ever has strange networking problems, he'll almost certainly be asked for tcpdump, and most people who set up FreeBSD in a windoze environment will need dhcp (and tell me how many networks are not m$ contaminated) All commercial U*** I know have bpf (or something similar) enabled by default (AIX and Solaris for sure, I am not sure for SCO, HP and Digital). I'd also be for not allowing open() of bpf* in securelevel >0. 
I think this is consistent with other restrictions in high securelevels, and if anything screws up, you'll most certainly have to reboot anyway. And if you don't like it, just compile your own kernel without bpf (the same as we who like/need it have to recompile now).

Rico Pajarola

From owner-freebsd-security Thu Feb 4 18:02:41 1999
Date: Thu, 04 Feb 1999 19:01:35 -0700
From: Wes Peters <wes@softweyr.com>
Organization: Softweyr LLC
To: "Christopher G. Petrilli"
Cc: James Wyatt, security@FreeBSD.ORG
Subject: Re: Enabling bpf device in kernel (was: Re: tcpdump)
Message-ID: <36BA50FF.7E74C979@softweyr.com>
References: <19990204102322.28863@amber.org> <19990204200236.30021@amber.org>

"Christopher G. Petrilli" wrote:
>
> On Thu, Feb 04, 1999 at 02:16:54PM -0600, James Wyatt wrote:
> > On Thu, Feb 04, 1999 at 05:10:40AM -0600, Richard Wackerbarth wrote:
> > > I think that the world is moving toward dhcp as the primary method of
> > > learning appropriate IP configuration data.
> >
> > On Thu, 4 Feb 1999, Christopher G. Petrilli wrote:
> > > I would agree that this is true for clients, but I don't believe it will
> > > ever be true for servers... and remember, FreeBSD is a server first, and
> > > more often than it is a client I think... at least that's our experience
> > > with it. I'm the only person who has a FreeBSD box on their desk as a
> > > client, but we have dozens of them as servers.
> >
> > *This* might be a good split for boot floppies. Not dozens w/different
> > hardware, just two for server v.s. client. The server would have higher
> > MAX_USER, no dhcpd. The client could have dhcp, bpf, and maybe sound. Of
> > course, this means more work for the folks who bring us FreeBSD. What do
> > they think? OTOH: I usually build server kernels by hand anyway to tune
> > RAM/users/ptys/etc and carefully spec drivers and options. I have begun
> > building most kernels on one box and FTP-ing them anyway.
>
> Call it an epiphany, but I think this is probably how the install process
> should diverge... I haven't looked yet, so this is all hand-waving, but
> what would be nice is to be able to simply have a "build file" that is
> used to generate the individual boot disks.

Well, this silly conversation has gone rocketing through my mailbox like crap through a goose for long enough. Let me point out a few factoids here:

1) DHCP is popular for a reason; it makes administering TCP/IP networks a little less work.

2) DHCP is quite useful for simple, single-homed FreeBSD workstations to pick up their IP addresses.

3) Sites who use DHCP for workstations are going to need to have at least one DHCP server, too. This pretty much knocks off the 'bpf for workstations but not servers' argument.

To those who see bpf as a giant, gaping security hole, I agree with you. If allowed to be misused, it can be dangerous, nearly as dangerous as putting a WinPC on your network. ;^)

That said, DECIDE IF DHCP IS ENOUGH REASON TO PUT BPF IN THE DEFAULT KERNEL AND GET OVER IT!

Thank you for your calm, rational support. I will now return you to your usual .00000000035264 S/N ratio.

(I really oughtta get some sleep before reading my mail today...)

--
Where am I, and what am I doing in this handbasket?
Wes Peters  +1.801.915.2061
Softweyr LLC  wes@softweyr.com

From owner-freebsd-security Thu Feb 4 18:47:16 1999
Date: Thu, 4 Feb 1999 18:46:58 -0800 (PST)
From: Christopher Nielsen
To: freebsd-security@FreeBSD.ORG
Subject: Secure Remote Password protocol

Anyone taken a look at this? It looks very interesting, and a prime candidate for a PAM module. Anyone thinking of or already working on this?
http://srp.stanford.edu/srp/

--
Christopher Nielsen
Scient: The eBusiness Systems Innovator
cnielsen@scient.com

From owner-freebsd-security Fri Feb 5 12:47:33 1999
Date: Fri, 5 Feb 1999 10:53:29 -0700
From: John-David Childs <jdc@milehigh.denver.net>
Organization: Enterprise Internet Solutions
To: security@FreeBSD.ORG
Subject: Log Analysis for Feb 4 on host www.example.net
Message-ID: <19990205105329.60781@denver.net>

Two days ago I discovered that one of my machines was hacked. I've been seeing "[telnetd] ttloop: peer died" daily log entries like the ones below for weeks, but I initially assumed that they were from one of the employees running WhatsUp Gold (whenever that program connects to port 23 and then disconnects, I get that same ttloop message).

On Monday I began to get suspicious about the possibility of hackers, and the next day discovered that indeed the system was hacked (commands appeared via lastcomm as run by root from a ttyv device, yet no one was logged into the machine according to the last command, suggesting that a hacker/s wiped /var/log/wtmp, but not /var/account/acct). The only users who are allowed shell accounts on the system are four to six employees of the company.

While there is the possibility that another system on the network (i.e. NT) was compromised and a password sniffer installed... do you know how/why I would see all these ttloop peer died messages from faraway locations to the telnet port? Is this typical of a root-kit'd FreeBSD telnetd?

-----Forwarded message from Charlie Root -----

From: Charlie Root
Message-Id: <199902050902.CAA13399@www.example.net>
Subject: Log Analysis for Feb 4 on host www.example.net
Apparently-To: root@www.example.net

Critical Events

Authorization Events

Authpriv events

Daemon events
Feb 4 01:24:14 www inetd[118]: telnet from 128.123.33.197
Feb 4 01:24:14 www inetd[118]: telnet from 128.123.33.197
Feb 4 01:24:19 www telnetd[8695]: ttloop: peer died: Undefined error: 0
Feb 4 04:04:28 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:04:28 www telnetd[11535]: ttloop: peer died: Undefined error: 0
Feb 4 04:04:28 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:50:44 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:50:44 www telnetd[12320]: ttloop: peer died: Undefined error: 0
Feb 4 04:50:44 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:54:27 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:54:27 www telnetd[12383]: ttloop: peer died: Undefined error: 0
Feb 4 04:54:27 www inetd[118]: telnet from 128.123.33.197
Feb 4 06:15:00 www inetd[118]: telnet from 128.123.33.197
Feb 4 06:15:01 www telnetd[13968]: ttloop: peer died: Undefined error: 0
Feb 4 06:15:01 www inetd[118]: telnet from 128.123.33.197
Feb 4 06:43:57 www inetd[118]: telnet from 128.123.33.197
Feb 4 06:43:57 www telnetd[14586]: ttloop: peer died: Undefined error: 0
Feb 4 06:43:58 www inetd[118]: telnet from 128.123.33.197
Feb 4 08:27:00 www inetd[118]: telnet from 206.19.202.81
Feb 4 08:31:02 www inetd[118]: telnet from 206.19.202.81
Feb 4 10:04:43 www inetd[118]: telnet from 206.19.202.105
Feb 4 10:17:16 www inetd[118]: telnet from 206.19.200.11
Feb 4 10:34:53 www inetd[118]: telnet from 206.19.202.81
Feb 4 10:46:33 www inetd[118]: telnet from 206.19.202.103
Feb 4 11:15:39 www inetd[118]: ftp from 166.93.82.58
Feb 4 11:16:32 www inetd[118]: ftp from 166.93.82.58
Feb 4 11:39:51 www inetd[118]: ftp from 206.19.201.9
Feb 4 11:40:29 www inetd[118]: telnet from 206.19.202.106
Feb 4 12:29:16 www inetd[118]: ftp from 206.19.202.81
Feb 4 12:30:34 www inetd[118]: ftp from 206.19.200.12
Feb 4 12:30:49 www inetd[118]: ftp from 206.19.200.12
Feb 4 12:32:18 www inetd[118]: ftp from 206.19.200.12
Feb 4 13:20:31 www inetd[118]: telnet from 206.19.202.81
Feb 4 13:41:08 www inetd[118]: ftp from 206.19.202.81
Feb 4 13:41:26 www inetd[118]: ftp from 206.19.202.81
Feb 4 13:52:03 www inetd[118]: ftp from 206.19.202.81
Feb 4 13:56:20 www inetd[118]: telnet from 206.19.202.81
Feb 4 16:20:09 www inetd[118]: ftp from 206.19.202.81
Feb 4 16:22:02 www inetd[118]: ftp from 206.19.202.105
Feb 4 16:46:50 www inetd[118]: telnet from 206.19.202.81
Feb 4 21:30:34 www inetd[118]: ftp from 206.214.78.149

--
John-David Childs (JC612)          Enterprise Internet Solutions
Systems Administration             http://www.nterprise.net
& Network Engineering              8707 E. Florida Ave #814, Denver, CO 80231
Losing your drivers' license is just God's way of saying "BOOGA, BOOGA!"

From owner-freebsd-security Fri Feb 5 22:21:08 1999
Date: Sat, 6 Feb 1999 13:20:07 +0700 (JAVT)
From: "Pajar R. Achmad"
To: Security
Subject: Re: About security
In-Reply-To: <015501be50a9$14d43820$120112ac@ip001-018>

On Fri, 5 Feb 1999, Max Wong wrote:

> I am running ipfw on Freebsd 2.2.8 box.
> I changed the telnet port number 23 to 9999 and I add a rule '$ipfwcmd pass
> tcp from ${inet}:${imask} to any 9999.
> After I done it, I couldn't telnet Freebsd. The error message on console is
> "host routed[72]:punt RTM_LOSING without gateway".
> I have two ethernet card ed0 ed1 on the box and I have the
> router_enable="YES".

Execute 'ipfw l' and then see what the result is.

-
Pajar R. Achmad
Pajar@ITB.ac.id
http://xxx.itb.ac.id/~pajar
-----
Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!
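The inetd/telnetd lines John-David Childs posted earlier in this thread (a connect logged by inetd, then telnetd's "ttloop: peer died" a few seconds later) are a pattern a small script triages faster than reading the daily report by eye. The following Python script is an added example for this page, not code from the thread or from FreeBSD. It assumes the syslog layout shown in the posted report ("Mon DD HH:MM:SS host prog[pid]: message", year not logged), uses a handful of those lines as a constructed sample, and uses a constructed placeholder address for the expected monitoring host (the WhatsUp Gold machine). Because the telnetd line carries no peer address, each drop is paired heuristically with the most recent unmatched telnet connect inside a short window; the script then tallies connects and immediate drops per source and separates the known poller from unexpected hosts that show the same connect-and-drop signature, and from hosts whose connects were not dropped and so should appear in last(1) and lastcomm(1) output.

```python
"""Correlate inetd "telnet from" connects with telnetd "ttloop: peer died"
drops in FreeBSD syslog output and summarise them per source address.

Added example, not code from the mailing-list thread.  Assumes the syslog
line layout shown in the posted daily report; EXPECTED_MONITORS is a
constructed placeholder for the site's monitoring host.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[a-z]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^(?P<svc>\w+) from (?P<ip>\d+(?:\.\d+){3})$")
DROP_MSG = "ttloop: peer died"
DROP_WINDOW = 5  # seconds: a drop is paired with a connect at most this old

# Constructed placeholder: address of the poller whose connect-and-drop is expected.
EXPECTED_MONITORS = {"10.0.0.5"}

# Constructed sample, taken from the lines quoted in the thread (year assumed 1999).
SAMPLE_LOG = """\
Feb 4 01:24:14 www inetd[118]: telnet from 128.123.33.197
Feb 4 01:24:14 www inetd[118]: telnet from 128.123.33.197
Feb 4 01:24:19 www telnetd[8695]: ttloop: peer died: Undefined error: 0
Feb 4 04:04:28 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:04:28 www telnetd[11535]: ttloop: peer died: Undefined error: 0
Feb 4 04:04:28 www inetd[118]: telnet from 128.123.33.197
Feb 4 08:27:00 www inetd[118]: telnet from 206.19.202.81
Feb 4 08:31:02 www inetd[118]: telnet from 206.19.202.81
Feb 4 11:15:39 www inetd[118]: ftp from 166.93.82.58
Feb 4 13:20:31 www inetd[118]: telnet from 206.19.202.81
"""


def parse_ts(mon, day, time, year):
    """syslog omits the year, so the caller supplies it."""
    return datetime.strptime(f"{year} {mon} {day} {time}", "%Y %b %d %H:%M:%S")


def summarize(log_text, year=1999, window=DROP_WINDOW):
    """Per-source telnet connect/drop counts plus drops no connect explains."""
    sources = defaultdict(lambda: {"connects": 0, "drops": 0, "first": None, "last": None})
    pending = []  # chronological (timestamp, ip) telnet connects not yet paired with a drop
    unattributed = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # report section headers and other non-syslog lines
        ts = parse_ts(m["mon"], m["day"], m["time"], year)
        prog, msg = m["prog"], m["msg"]
        if prog == "inetd":
            c = CONNECT_RE.match(msg)
            if not c or c["svc"] != "telnet":
                continue  # only telnet connects can produce a telnetd ttloop drop
            rec = sources[c["ip"]]
            rec["connects"] += 1
            rec["first"] = rec["first"] or m["time"]
            rec["last"] = m["time"]
            pending.append((ts, c["ip"]))
        elif prog == "telnetd" and msg.startswith(DROP_MSG):
            # The drop line names no peer: pair it with the newest connect in the window.
            matched = None
            for i in range(len(pending) - 1, -1, -1):
                delta = (ts - pending[i][0]).total_seconds()
                if delta > window:
                    break  # pending is chronological; earlier entries are older still
                if delta >= 0:
                    matched = i
                    break
            if matched is None:
                unattributed += 1
            else:
                _, ip = pending.pop(matched)
                sources[ip]["drops"] += 1
    return {"sources": dict(sources), "unattributed_drops": unattributed}


def flag_sources(report, expected=EXPECTED_MONITORS):
    """Classify each source so the unexpected connect-and-drop hosts stand out."""
    verdicts = {}
    for ip, rec in sorted(report["sources"].items()):
        if ip in expected:
            verdicts[ip] = "expected monitor; connect-and-drop is normal"
        elif rec["drops"] and 2 * rec["drops"] >= rec["connects"]:
            verdicts[ip] = "unexpected host, mostly connect-and-drop: review"
        elif rec["drops"] == 0:
            verdicts[ip] = "sessions with no immediate drop: compare with last(1) and lastcomm(1)"
        else:
            verdicts[ip] = "mixed connects and drops: review"
    return verdicts


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, verdict in flag_sources(report).items():
        rec = report["sources"][ip]
        print(f"{ip:16} connects={rec['connects']} drops={rec['drops']} "
              f"{rec['first']}-{rec['last']}  {verdict}")
    print("drops not attributable to a connect:", report["unattributed_drops"])
```

Run it against the full /var/log/messages rather than the daily digest, and widen DROP_WINDOW if telnetd's option negotiation takes longer on a slow link. In the situation described in the thread, where wtmp looks wiped but process accounting survives, the hosts reported as "sessions with no immediate drop" are the ones whose connects should have left entries in both records; a mismatch between the two is exactly the discrepancy lastcomm exposed here.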