From owner-freebsd-security Sun Oct 3 10:16:21 1999
From: Dmitriy Bokiy <ratebor@cityline.ru>
Date: Sun, 3 Oct 1999 21:10:38 +0300
To: FreeBSD Security ML
Subject: anti-spoofing

I know it was discussed earlier but I failed to find it in the archives.
Besides, the IANA site is not very clear about it.

Where can I find _the complete_ list of addresses to be blocked?
Should I follow http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space
and block all "IANA - Reserved" and "IANA - Multicast", and what else?

Thanks,
-Dmitriy

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Oct 3 10:16:25 1999
From: Dmitriy Bokiy <ratebor@cityline.ru>
Date: Sun, 3 Oct 1999 21:11:00 +0300
To: FreeBSD Security ML
Subject: natd -deny_incoming

Just to be completely sure. Is it correct that if I don't run natd
with the "-deny_incoming" option turned on, it's going to accept external
connections to RFC addresses which at the moment have an entry in natd's
internal translation table?

If that's so, is there some ground under it, or is it just a "feature"?
In other words: why do we need this option at all if "deny incoming to
RFCs" could be the default behavior? Or do I miss anything?

Thanks,
-Dmitriy

From owner-freebsd-security Sun Oct 3 12:51:33 1999
From: "f.johan.beisser" <jan@caustic.org>
Date: Sun, 3 Oct 1999 12:51:34 -0700 (PDT)
To: Dmitriy Bokiy
Cc: FreeBSD Security ML
Subject: Re: natd -deny_incoming

On Sun, 3 Oct 1999, Dmitriy Bokiy wrote:

> Just to be completely sure. Is it correct that if I don't run natd
> with the "-deny_incoming" option turned on, it's going to accept external
> connections to RFC addresses which at the moment have an entry in natd's
> internal translation table?

no, it shouldn't.
because of how TCP/IP works, even if the request is on a port that is
open (natd will drop it anyway) the daemon holding the port open will
renegotiate it anyway. natd can do port forwarding though, and map
certain ports over to other machines in the internal network.

natd also doesn't care about the RFC networks. it plays dumb, and just
listens to its designated interface.

> If that's so, is there some ground under it, or is it just a "feature"?
> In other words: why do we need this option at all if "deny incoming to
> RFCs" could be the default behavior?

well, the problem with denying the unroutable networks (RFC 1918,
192.168.0.0, 10.0.0.0, 172.16.0.0) from natd is that some folks (in my
lab, included) will want to have an unroutable network inside of an
unroutable.

> Or do I miss anything?

no, i don't think so. if you're really worried about spoofing coming
through, i'd suggest using IPFW or IPFILTER to stop the spoofing. it's
just two lines in the IPFW to stop it.

-- jan

From owner-freebsd-security Sun Oct 3 12:53:17 1999
From: "f.johan.beisser" <jan@caustic.org>
Date: Sun, 3 Oct 1999 12:53:32 -0700 (PDT)
To: Dmitriy Bokiy
Cc: FreeBSD Security ML
Subject: Re: anti-spoofing

check RFC 1918. i *think* it's in there, but, i'm not sure.

On Sun, 3 Oct 1999, Dmitriy Bokiy wrote:

> I know it was discussed earlier but I failed to find it in the archives.
> Besides, the IANA site is not very clear about it.
>
> Where can I find _the complete_ list of addresses to be blocked?
> Should I follow http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space
> and block all "IANA - Reserved" and "IANA - Multicast", and what else?

From owner-freebsd-security Sun Oct 3 13:05:25 1999
From: Will Andrews <will@blackdawn.com>
Date: Sun, 03 Oct 1999 16:05:02 -0400 (EDT)
To: Dmitriy Bokiy
Cc: FreeBSD Security ML
Subject: RE: anti-spoofing

On 03-Oct-99 Dmitriy Bokiy wrote:

> I know it was discussed earlier but I failed to find it in the archives.
> Besides, the IANA site is not very clear about it.
>
> Where can I find _the complete_ list of addresses to be blocked?
> Should I follow
> http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space
> and block all "IANA - Reserved" and "IANA - Multicast", and what else?
At a minimum, the RFC1918 (unregistered source addresses RFC) IP
addresses should be blocked from passing through your outside interface:

  192.168.0.1:255.255.0.0  (192.168.0.1 -> 192.168.255.255)
  172.16.0.1:255.16.0.0    (172.16.0.1  -> 172.31.255.255)
  10.0.0.1:255.0.0.0       (10.0.0.1    -> 10.255.255.255)

See the RFC for more information. You could also consider consulting the
mailing list archives for freebsd-security@FreeBSD.ORG.

--
Will Andrews
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w---
?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ G++>+++
e->++++ h! r-->+++ y?

From owner-freebsd-security Sun Oct 3 19:52:06 1999
From: Brett Glass <brett@lariat.org>
Date: Sun, 03 Oct 1999 20:51:55 -0600
To: security@freebsd.org
Subject: Of interest (I think): Fear and Flooding in Las Vegas

My September "Mean Streets" column, from BoardWatch Magazine, has just
appeared online. It contains a collection of philosophical musings
catalyzed by Def Con 7, the underground hacker party at which Back
Orifice 2000 (among other things) was announced.

The version that's posted on the Web has a few cosmetic flaws -- in
particular, spelling and continuity errors which appear to have been
introduced during the magazine's copy editing process. (I NEVER would
have written "illusive" instead of "elusive," for example.) Nonetheless,
the column raises some issues concerning "hacker ethics" which I believe
merit further discussion. See

http://boardwatch.internet.com/mag/99/sep/bwm62.html

--Brett Glass

From owner-freebsd-security Sun Oct 3 20:13:04 1999
From: Ollivier Robert <roberto@keltia.freenix.fr>
Date: Mon, 4 Oct 1999 00:10:28 +0200
To: FreeBSD Security ML
Subject: Re: anti-spoofing

According to Dmitriy Bokiy:
> Where can I find _the complete_ list of addresses to be blocked?

RFC-1918.
It includes the following networks:

  10.0.0.0/8      (in the old pre-CIDR world, a class A network)
  172.16.0.0/12   (in the old pre-CIDR world, 16 class B networks)
  192.168.0.0/16  (in the old pre-CIDR world, 256 class C networks)

Don't forget to refuse your own prefixes on your incoming interface...
That is, if you have a.b.c.d/n, you need to refuse this prefix on the
incoming interface of your router.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999

From owner-freebsd-security Sun Oct 3 21:36:46 1999
From: "Rashid N. Achilov" <shelton@sentry.granch.ru>
Date: Mon, 4 Oct 1999 11:36:23 +0700 (NOVST)
To: freebsd-security@freebsd.org
Subject: Long username/password

FreeBSD 3.3-STABLE. How can I make usernames and passwords longer than 8
bytes?

With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Cert. ID: 28514, Granch Ltd.
lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Sun Oct 3 22:20:47 1999
From: Vitaly V Belekhov <bsdl@h2o.riss-telecom.ru>
Date: Mon, 4 Oct 1999 12:20:29 +0700 (NOVST)
To: "Rashid N. Achilov"
Cc: freebsd-security@freebsd.org
Subject: Re: Long username/password

Hi!

On Mon, 4 Oct 1999, Rashid N. Achilov wrote:

> FreeBSD 3.3-STABLE. How can I make usernames and passwords longer than 8
> bytes?

3.3 already has support for long passwords and up to 16 characters long
usernames.
--
Vitaly Belekhov
RISS-Telecom Networking Center, Novosibirsk

From owner-freebsd-security Mon Oct 4 02:36:39 1999
From: Igor Vinokurov <igor@rtsnet.ru>
Date: Mon, 4 Oct 1999 13:36:35 +0400
To: freebsd-security@freebsd.org
Subject: ssh 1.2.27 vulnerability

Hello.

Can someone from the FreeBSD Team confirm or deny the presence of a
problem? And if there is a problem, recommend a workaround?

--
Igor Vinokurov

From owner-freebsd-security Mon Oct 4 05:27:20 1999
From: "sei2" <sei2@muh.biglobe.ne.jp>
Date: Mon, 4 Oct 1999 21:20:16 +0900
Subject: [ISO-2022-JP] To PR contacts nationwide: announcing the new shopping mall "NEO CITY"

[Unsolicited advertisement, in Japanese, for a CD-ROM edition shopping
mall called "NEO CITY" (listing fees, categories, how to apply). The
ISO-2022-JP body did not survive extraction and is omitted here.]

From owner-freebsd-security Mon Oct 4 05:33:47 1999
From: Hank Leininger (posted via the web gateway at www.progressive-comp.com)
Date: Mon, 4 Oct 1999 08:26:04 -0400
To: freebsd-security@FreeBSD.ORG
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
On 1999-10-02, "Michael Bryan" wrote:

> On 9/29/99 at 10:01 PM Warner Losh wrote:
> >
> > FreeBSD should follow symlinks. In fact in the base system we have
> > /dev/log which points to /var/run/log.

> Would it make sense to have the following behaviour when bind()
> encounters a symlink?

> 1) If a symlink exists and points to a valid Unix-domain
>    socket, go ahead and follow the link.

> 2) If a symlink points to something other than a valid
>    Unix-domain socket, including a filename that does
>    not yet exist, then do not follow the symlink, and
>    return an appropriate error.

> This still allows /dev/log -> /var/run/log to work, but prevents
> abuse in cases of poor code like in ssh.

Hm, or more generally, modify the kernel such that no symlink in a
world-writable and/or +t directory will be followed by a process unless
it is owned by root or the UID/EUID of the process. This is what Solar
Designer's patches for Linux have done for some time now. It seems to
break little (nothing, except POSIX? ;) and is quite effective.

SolarD's patches are at http://www.openwall.com/, but here's the
appropriate snippet as a teaser, since code (albeit linux-specific, of
course) speaks louder than words:

in fs/namei.c:follow_link():

+#ifdef CONFIG_SECURE_LINK
+/*
+ * Don't follow links that we don't own in +t directories, unless the link
+ * is owned by root.
+ */
+ if (S_ISLNK(inode->i_mode) && (dir->i_mode & S_ISVTX) &&
+ inode->i_uid &&
+ current->fsuid != inode->i_uid) {
+ security_alert("not followed symlink of %d.%d "
+ "by UID %d, EUID %d, process %s:%d",
+ "symlinks not followed",
+ inode->i_uid, inode->i_gid,
+ current->uid, current->euid,
+ current->comm, current->pid);
+ iput(dir);
+ iput(inode);
+ *res_inode = NULL;
+ return -EPERM;
+ }
+#endif

--
Hank Leininger

From owner-freebsd-security Mon Oct 4 06:20:24 1999
From: Ruslan Ermilov <ru@ucb.crimea.ua>
Date: Mon, 4 Oct 1999 11:53:08 +0300
To: Dmitriy Bokiy
Cc: FreeBSD Security ML
Subject: Re: natd -deny_incoming

On Sun, Oct 03, 1999 at 09:11:00PM +0300, Dmitriy Bokiy wrote:
> Just to be completely sure. Is it correct that if I don't run natd
> with the "-deny_incoming" option turned on, it's going to accept external
> connections to RFC addresses which at the moment have an entry in natd's
> internal translation table?
>
First, the option `-deny_incoming' has nothing to do with RFC1918
addresses, it makes no distinction for them.
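Review bot: the follow_link() hunk in Hank Leininger's message above is narrower than the prose that introduces it: the condition tests only `dir->i_mode & S_ISVTX`, so a symlink sitting in a world-writable directory that lacks the sticky bit is still followed, although the message describes the rule as covering "world-writable and/or +t" directories. If both cases are intended, the test needs something like `(dir->i_mode & (S_ISVTX | S_IWOTH))`; if only +t is intended (which is what the hunk's own comment says), the prose should match the code. A second, smaller point: the hunk compares the link owner with `current->fsuid`, which is the right identity for a filesystem access decision, while the prose says "UID/EUID of the process"; stating fsuid in the description avoids readers expecting a setuid program's real UID to be honoured, and the `security_alert()` call already logs `current->uid` and `current->euid` rather than the fsuid actually used for the decision, which is worth logging too.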
This option could be used to implement a so-called one-way firewall,
i.e. it will reject connections initiated externally (read: no entry in
the internal table), but allow connections originated locally.

As for natd rules for accepting external connections. Natd is a simple
program, it will either rewrite the packet, leave it untouched, or drop
it (if `-deny_incoming' was given).

Without `-deny_incoming', if natd(8) sees an incoming TCP packet (not
necessarily with an RFC1918 destination address), for which no entry
could be found in the internal table (searching by
{alias_addr,alias_port,remote_addr,remote_port}), such a packet is left
untouched by natd. If you turn `-deny_incoming' on, it is dropped.

> If that's so, is there some ground under it, or is it just a "feature"?
> In other words: why do we need this option at all if "deny incoming to
> RFCs" could be the default behavior?
>
We need this option for two reasons. First, as I said above, it could be
used to implement a simple one-way firewall. Second, I don't want "deny
incoming to RFC1918" to be the default behavior. If you need such a level
of functionality, use ipfw(8).

> Or do I miss anything?
>
Yes, you do.
You miss ipfw(8) :-)

--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Mon Oct 4 07:41:43 1999
From: "Jim Flowers" <jflowers@ezo.net>
Date: Mon, 4 Oct 1999 10:38:14 -0400
To: "Theo Purmer (Tepucom)"
Cc: freebsd-security@freebsd.org
Subject: Re: skip basic procedure

Skip doesn't do routing. You have to use something else. Mostly I use
static routes. Generally, the inside interface (rfc 1918) will create a
route to the internal network.

However, it sounds like you don't really have a SKIP connection. Can you
verify in skipd.log? Use tcpdump to verify skip (proto 57) packets on the
incoming interface and equivalent cleartext packets on the internal
interface. Assumes you have a multi-homed skiphost.

What I have found to work best is:

1. With skip turned off, verify that the two skiphosts can communicate
   with each other.
2.
   Setup skip on each of the skiphosts by running skiplocal export on
   the opposite end skiphost and then executing it as a shell script.
3. Set default in cleartext (`skiphost -a default`) and turn it on at
   each end (`skiphost -o on`).
4. Debug this configuration. Is the time correct on each skiphost? Are
   the keys valid? A good idea is to telnet to a third machine and from
   there to the far end so that the session will continue even if skip
   doesn't work. Use skiplog to see if there are errors.
5. Once you get 4. working, add the RFC1918 networks using the far end
   skiphost as the tunnel entrance.
6. Use tcpdump on the external and internal interfaces of each skiphost
   to debug.

It is also instructive to run the skiptool if you have xwindows. When you
enable the skip interface it offers suggestions on addresses that should
be allowed in cleartext.

Have DNS set up and working properly so that skiphost can find all the
reverse lookups or you will wait for what seems like forever.

Search the freebsd-security list for skip, I posted stuff like this lots
of times.

----- Original Message -----
From: Theo Purmer (Tepucom)
Sent: Saturday, October 02, 1999 8:45 AM
Subject: skip

> Hi Jim
>
> hope you don't mind me sending you some email
> about skip. In some archive I found your name on
> a message where you said you had good experiences
> with skip on freebsd
>
> I'm having some trouble getting a vpn with skip running
> and I was wondering if you could give me a hint on
> the skip config file.
>
> I'm trying to route 2 rfc 1918 networks over two skip
> machines via the internet but data does arrive but
> isn't routed to the second (rfc1918) nic in the machine
>
> some help would be greatly appreciated
>
> thanks
>
> theo purmer
> theo@tepucom.nl

From owner-freebsd-security Mon Oct 4 10:15:20 1999
From: "Scott Hess" <scott@avantgo.com>
Date: Mon, 4 Oct 1999 10:14:20 -0700
To: "Michael Bryan", freebsd-security@freebsd.org
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]

Michael Bryan wrote:
> On 9/29/99 at 10:01 PM Warner Losh wrote:
> >FreeBSD should follow symlinks. In fact in the base system we have
> >/dev/log which points to /var/run/log.
>
> Would it make sense to have the following behaviour when bind()
> encounters a symlink?
>
> 1) If a symlink exists and points to a valid Unix-domain
>    socket, go ahead and follow the link.

Presumably a valid Unix-domain socket owned by the bind()'ing user?
> This still allows /dev/log -> /var/run/log to work, but prevents
> abuse in cases of poor code like in ssh.

Why not just fix the problem? We can add code via the patches in the ssh
port, which will later work its way back into ssh.

Later,
scott

From owner-freebsd-security Mon Oct 4 11:40:05 1999
From: Kris Kennaway <kris@hub.freebsd.org>
Date: Mon, 4 Oct 1999 11:40:01 -0700 (PDT)
To: "Rashid N. Achilov"
Cc: freebsd-security@freebsd.org
Subject: Re: Long username/password

On Mon, 4 Oct 1999, Rashid N. Achilov wrote:

> FreeBSD 3.3-STABLE. How can I make usernames and passwords longer than 8
> bytes?

Don't install the DES libcrypt libraries; DES passwords are 8 characters,
MD5 are (effectively) infinite. Long user names are already supported, I
do believe.

Kris

From owner-freebsd-security Mon Oct 4 11:46:48 1999
From: Mike Tancsa <mike@sentex.net>
Date: Mon, 04 Oct 1999 14:45:42 -0400
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password

At 11:40 AM 10/4/99 -0700, Kris Kennaway wrote:
>On Mon, 4 Oct 1999, Rashid N. Achilov wrote:
>
>> FreeBSD 3.3-STABLE. How can I make usernames and passwords longer than 8
>> bytes?
>
>Don't install the DES libcrypt libraries; DES passwords are 8 characters,
>MD5 are (effectively) infinite. Long user names are already supported, I
>do believe.

Infinite? I thought they only honoured the first 16 chars in this case?
---Mike
------------------------------------------------------------------------
Mike Tancsa, tel 01.519.651.3400        Network Administrator, mike@sentex.net
Sentex Communications www.sentex.net    Cambridge, Ontario Canada

From owner-freebsd-security Mon Oct 4 12:04:23 1999
From: Kris Kennaway
Date: Mon, 4 Oct 1999 12:03:39 -0700 (PDT)
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password
In-Reply-To: <3.0.5.32.19991004144542.010443b0@staff.sentex.ca>

On Mon, 4 Oct 1999, Mike Tancsa wrote:
> >Don't install the DES libcrypt libraries; DES passwords are 8 characters,
> >MD5 are (effectively) infinite. Long user names are already supported, I
> >do believe.
>
> Infinite? I thought they only honoured the first 16 chars in this case?

Well, I wasn't quite correct here.

PASSWORD_LEN = 128

MD5 (i.e. crypt() if you don't have the DES libraries, or you're using my
libcrypt replacement) just does a hash over whatever string is presented
to it, which passwd(1) limits to a max of PASSWORD_LEN characters.
crypt() can deal with effectively infinite passwords, but passwd(1) puts
a wrapper around it.
Kris

From owner-freebsd-security Mon Oct 4 12:06:20 1999
From: A.Leidinger@WJPServer.CS.Uni-SB.de
Date: Mon, 4 Oct 1999 20:16:48 +0200 (CEST)
To: Vitaly V Belekhov
Cc: "Rashid N. Achilov", freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password
Message-Id: <199910041816.UAA01028@work.net.local>

On 4 Oct, Vitaly V Belekhov wrote:
>> FreeBSD 3.3-STABLE. What can I make usernames and passwords longer than 8
>> bytes?
>
> 3.3 already has support for long passwords and up to 16 characters long
> usernames.

If nothing has changed since I checked it, it didn't use long passwords
by default (it accepts long passwords as input but only uses the first
eight characters, at least this is my experience with 3.2). You have to
use e.g. vipw(8), clear the password field and insert "$1$". After this
you have to change the (now empty) password.
If I remember correctly it uses SHA1 after this change (but I could be
wrong with this).

Bye,
Alexander.

P.S.: I did *not* find this information in a man-page (I've checked
passwd(5), passwd(1) and security(7)), so if there is a man-page (or
something else) which gives a better explanation please drop me a note.

--
People who are wrong the most are wrong the loudest.
http://netchild.home.pages.de        A.Leidinger+Home @ WJPServer.CS.Uni-SB.de

From owner-freebsd-security Mon Oct 4 12:17:24 1999
From: Ollivier Robert
Date: Mon, 4 Oct 1999 20:22:29 +0200
To: freebsd-security@freebsd.org
Subject: Re: ssh 1.2.27 vulnerability
Message-ID: <19991004202229.A8873@keltia.freenix.fr>
In-Reply-To: <19991004133635.A13349@shogun.rtsnet.ru>

According to Igor Vinokurov:
> Can someone from FreeBSD Team prove to be true/deny presence
> of a problem? And if the problem is - to recommend workaround?
AFAIK the problem is on SSH side but a workaround to this problem was
committed in FreeBSD recently. Watch the commit logs.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999

From owner-freebsd-security Mon Oct 4 14:22:37 1999
From: Dag-Erling Smorgrav
Date: 04 Oct 1999 23:22:22 +0200
To: A.Leidinger@WJPServer.CS.Uni-SB.de
Cc: Vitaly V Belekhov, "Rashid N. Achilov", freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password
References: <199910041816.UAA01028@work.net.local>

A.Leidinger@WJPServer.CS.Uni-SB.de writes:
> If nothing has changed since I checked it, it didn't use long passwords
> by default (it accepts long passwords as input but only uses the first
> eight characters, at least this is my experience with 3.2).

It *does* support 128-character passwords unless you install the DES
libraries. The only reason you'd want to do that is compatibility with
other Unices (especially when running NIS).

> You have to use e.g. vipw(8), clear the password field and insert "$1$".
> After this you have to change the (now empty) password.
> If I remember correctly it uses SHA1 after this change (but I could be
> wrong with this).

MD5.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon Oct 4 14:44:04 1999
From: "Michael Bryan"
Date: Mon, 04 Oct 1999 14:42:29 -0700
To: freebsd-security@FreeBSD.ORG
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
Message-ID: <199910041442290320.2386AC1A@quaggy.ursine.com>
In-Reply-To: <05b301bf0e8b$e5ca32e0$1e80000a@avantgo.com>
References: <199909291352.GAA31310@cwsys.cwsent.com> <199909300401.WAA08495@harmony.village.org> <199910020846310710.17F35F81@quaggy.ursine.com> <05b301bf0e8b$e5ca32e0$1e80000a@avantgo.com>

>> This still allows /dev/log -> /var/run/log to work, but prevents
>> abuse in cases of poor code like in ssh.
>
>Why not just fix the problem? We can add code via the patches in the ssh
>port, which will later work its way back into ssh.

Fixing ssh makes sense, but modifying the kernel behaviour also makes
sense, as it prevents abuse for any other programs that have the same
coding error. Other OS's are already implementing this type of check in
the kernel. If there is needed functionality which is lost by such a
kernel mod then it would be less desirable, of course.
Michael Bryan
fbsd-security@ursine.com

From owner-freebsd-security Mon Oct 4 19:57:01 1999
From: "Rashid N. Achilov"
Date: Tue, 5 Oct 1999 09:56:24 +0700 (NOVST)
To: Kris Kennaway
Cc: freebsd-security@freebsd.org
Subject: Re: Long username/password

On Mon, 4 Oct 1999, Kris Kennaway wrote:
> > FreeBSD 3.3-STABLE. What can I make usernames and passwords longer than 8
> > bytes?
>
> Don't install the DES libcrypt libraries; DES passwords are 8 characters,
> MD5 are (effectively) infinite. Long user names are already supported, I
> do believe.

I think DES isn't the default crypt for passwords. I checked password
validation: I used an 11-character password and made a mistake in the
last character, and got "login incorrect" (2.2.8 says "correct" :-) ).
At installation I installed the DES base libraries, then later I found
one piece of software that demanded it.

With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Cert. ID: 28514, Granch Ltd.
lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Mon Oct 4 22:09:17 1999
From: Dag-Erling Smorgrav
Date: 05 Oct 1999 07:05:05 +0200
To: "Rashid N. Achilov"
Cc: Kris Kennaway, freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password

"Rashid N. Achilov" writes:
> I think DES isn't the default crypt for passwords.
DES *is* the default if the DES libraries are installed, unless the
user in question already has an MD5 password (in which case the system
will keep using MD5 every time he/she changes his/her password)

DES (the committer, not the library)
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon Oct 4 22:09:32 1999
From: Randolf-Heiko Skerka
Date: Tue, 5 Oct 1999 07:27:24 +0200
To: freebsd-security@FreeBSD.ORG
Subject: Re: Syslog over serial
Message-ID: <19991005072724.A9642@merlin.itsec-debis.de>
In-Reply-To: <4.1.19991002145813.0094ca10@mail.thegrid.net>
References: <4.1.19990928190928.0097cf00@mail.thegrid.net> <3.0.5.32.19990930061015.007ded30@pop.wanadoo.fr> <4.1.19991002145813.0094ca10@mail.thegrid.net>

On Sat, Oct 02, 1999 at 03:02:37PM -0700, The Mad Scientist wrote:
> >>I've always seen this as the "recommended" way to do things. How do you
> >>set logging over serial lines up? Do I log to something like /dev/cuaa1?
> >>What do i set up on the other side?
> >
> >quite simply..
> >just establish a p-t-p IP connection.. through /dev/lp0 for example.
> >use a reserved ip for this..
>
> Great, thanks.
> What about connecting a few machines to a central logging
> server with this setup? Will I have to get a board for the logging server
> with a number of parallel ports? Can I get whatever hardware that is used
> to hook up multiple printers to a single machine?

Well the idea is quite good, but dangerous! The intention of sending
syslog over a serial line is not to have an IP connection between the
sender (normally a server in a DMZ) and a logging host. So if you
establish a p-t-p IP connection, it's easier to use an ethernet wire ...
just to keep in mind.

Randolf
--
+------------------------------------------------------------------------+
| Randolf Skerka                              debis IT Security Services |
| Tel. +49-228-9841-510                       Rabinstrasse 8, 53111 Bonn |
| 2 weeks free trial: Security news every day               www.dcert.de |
+------------------------------------------------------------------------+

From owner-freebsd-security Mon Oct 4 23:14:16 1999
From: "Theo Purmer (Tepucom)"
Date: Tue, 5 Oct 1999 08:05:18 +0200
To: "Theo Purmer (Tepucom)", "'Jim Flowers'"
Cc: "skip-info@skip-vpn.org", "'freebsd-security@freebsd.org'"
Subject: RE: skip basic procedure
Message-ID: <01BF0F08.5D32D270.theo@tepucom.nl>
Thanks Jim for the help.

I've got a skip session running between two machines and the rfc1918
network is connected. What I found to be the problem is that skip leaves
the rfc1918 sender address in the packet even if it goes through the
tunnel. The routers and firewalls in between don't allow a rfc1918 sender
or receiver address so the packets don't arrive at the other end.

In the archives John Capo has the same problem; he sent me some data to
change the source with so that doesn't happen anymore. I'm working on
that now.

Do you have any idea as to who maintains the skip website? Maybe it's a
good idea to publish this on the website when I've got it running.

thanks again

theo purmer

----------
From: Jim Flowers[SMTP:jflowers@ezo.net]
Sent: Monday 4 October 1999 16:38
To: Theo Purmer (Tepucom)
CC: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
Subject: Re: skip basic procedure

Skip doesn't do routing. You have to use something else. Mostly I use
static routes. Generally, the inside interface (rfc 1918) will create a
route to the internal network.

However, it sounds like you don't really have a SKIP connection. Can you
verify in skipd.log? Use tcpdump to verify skip (proto 57) packets on the
incoming interface and equivalent cleartext packets on the internal
interface. Assumes you have multi-homed skiphost.

What I have found to work best is:

1. With skip turned off, verify that the two skiphosts can communicate
   with each other.
2. Setup skip on each of the skiphosts by running skiplocal export on the
   opposite end skiphost and then executing it as a shell script.
3. Set default in cleartext (`skiphost -a default`) and turn it on at
   each end (`skiphost -o on`).
4. Debug this configuration. Is the time correct on each skiphost? Are
   the keys valid? Good idea is to telnet to a third machine and from
   there to the far end so that the session will continue even if skip
   doesn't work.
   Use skiplog to see if there are errors.
5. Once you get 4. working, add the RFC1918 networks using the far end
   skiphost as the tunnel entrance.
6. Use tcpdump on the external and internal interfaces of each skiphost
   to debug.

It is also instructive to run the skiptool if you have xwindows. When you
enable the skip interface it offers suggestions on addresses that should
be allowed in cleartext.

Have DNS set up and working properly so that skiphost can find all the
reverse lookups or you will wait for what seems like forever.

Search the freebsd-security list for skip, I posted stuff like this lots
of times.

----- Original Message -----
From: Theo Purmer (Tepucom)
To:
Sent: Saturday, October 02, 1999 8:45 AM
Subject: skip

> Hi Jim
>
> hope you don't mind me sending you some email
> about skip. In some archive I found your name on
> a message where you said you had good experiences
> with skip on freebsd
>
> I'm having some trouble getting a vpn with skip running
> and I was wondering if you could give me a hint on
> the skip config file.
>
> I'm trying to route 2 rfc 1918 networks over two skip
> machines via the internet but data does arrive but
> isn't routed to the second (rfc1918) nic in the machine
>
> some help would be greatly appreciated
>
> thanks
>
> theo purmer
> theo@tepucom.nl
>

From owner-freebsd-security Mon Oct 4 23:38:08 1999
From: "Austin, Michael H POJ"
Date: Tue, 5 Oct 1999 15:37:31 +0900
To: "'Theo Purmer (Tepucom)'", 'Jim Flowers'
Cc: skip-info@skip-vpn.org, "'freebsd-security@freebsd.org'"
Subject: RE: skip basic procedure

Theo,

If I understand your problem correctly your packets get dropped because
your source address is a rfc1918 address. To get around that problem you
can have skip change the source address to the "legal" address you are
using on the skip host's public interface by using the "-f " option. I
don't think it's mentioned in the skiphost man page but I recall seeing
it in a post on this mailing list. I use it and it works.
Michael Austin

-----Original Message-----
From: Theo Purmer (Tepucom) [mailto:theo@tepucom.nl]
Sent: Tuesday, October 05, 1999 3:05 PM
To: Theo Purmer (Tepucom); 'Jim Flowers'
Cc: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
Subject: RE: skip basic procedure

[...]
From owner-freebsd-security Mon Oct 4 23:44:41 1999
From: Igor Vinokurov
Date: Tue, 5 Oct 1999 10:44:24 +0400
To: freebsd-security@freebsd.org
Subject: Re: ssh 1.2.27 vulnerability
Message-ID: <19991005104423.A18207@shogun.rtsnet.ru>

Ollivier Robert wrote:
> > Can someone from FreeBSD Team prove to be true/deny presence
> > of a problem? And if the problem is - to recommend workaround?
>
> AFAIK the problem is on SSH side but a workaround to this problem was
> committed in FreeBSD recently. Watch the commit logs.

Thank you.
---
From: Guido van Rooij
Message-ID: <199909292109.OAA00913@freefall.freebsd.org>
Date: Wed, 29 Sep 1999 14:09:42 -0700 (PDT)
Subject: cvs commit: src/sys/kern uipc_usrreq.c

guido       1999/09/29 14:09:42 PDT

  Modified files:
    sys/kern             uipc_usrreq.c
  Log:
  Do not follow symlinks when binding a unix domain socket.
  This fixes the ssh 1.2.27 vulnerability as reported in bugtraq.

  Revision  Changes    Path
  1.49      +2 -2      src/sys/kern/uipc_usrreq.c
---

--
Igor Vinokurov

From owner-freebsd-security Mon Oct 4 23:46:44 1999
From: "Rashid N. Achilov"
Date: Tue, 5 Oct 1999 13:44:23 +0700 (NOVST)
To: Dag-Erling Smorgrav
Cc: Kris Kennaway, freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password

On 5 Oct 1999, Dag-Erling Smorgrav wrote:
> > I think DES isn't the default crypt for passwords.
>
> DES *is* the default if the DES libraries are installed, unless the
> user in question already has an MD5 password (in which case the system
> will keep using MD5 every time he/she changes his/her password)

How can I really check which passwd length is supported, and how can I
revert to MD5, if needed?

With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Cert. ID: 28514, Granch Ltd.
lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Mon Oct 4 23:52:57 1999
From: Mike Nowlin
Date: Tue, 5 Oct 1999 02:52:27 -0400 (EDT)
To: Hank Leininger
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
In-Reply-To: <199910041226.IAA14566@mailer.progressive-comp.com>

> owned by root or the UID/EUID of the process. This is what Solar
> Designer's patches for Linux have done for some time now. It seems to
> break little (nothing, except POSIX? ;) and is quite effective. SolarD's

Not sure if your comment SAID that it breaks POSIX or not, but in this
day and age of trying to come up with a standard that people can both
believe in and rely on, "breaking POSIX" isn't something that should be
taken too lightly. Although there's a lot of quirks and overall dumbness
in POSIX, the rules were meant for a reason. I don't claim to be a POSIX
expert, but if this did break one of the guidelines, it would be a shame
to have to come back in three or four years and say "Linux and FreeBSD?
Well, they're sort of POSIX-compliant, but they screwed it up by....."

Maybe there's some other (better) way to solve this problem?
--mike

From owner-freebsd-security Tue Oct 5 06:43:40 1999
From: Jim Flowers
Date: Tue, 5 Oct 1999 09:42:15 -0400 (EDT)
To: "Theo Purmer (Tepucom)"
Cc: "Theo Purmer (Tepucom)", "skip-info@skip-vpn.org", "'freebsd-security@freebsd.org'"
Subject: RE: skip basic procedure
In-Reply-To: <01BF0F08.5D32D270.theo@tepucom.nl>

You don't have to go to all that trouble to hack the code. Just use
Stephanie Wheners -f flag to change the source address to what your
provider expects to see (eg. the address of the near side skiphost).

Jim Flowers
#4 ISP on C|NET, #1 in Ohio

On Tue, 5 Oct 1999, Theo Purmer (Tepucom) wrote:
> Thanks Jim for the help.
>
> I've got a skip session running between
> two machines and the rfc1918 network
> is connected. What I found to be the problem
> is that skip leaves the rfc1918 sender address
> in the packet even if it goes through the
> tunnel. The routers and firewalls in between don't
> allow a rfc1918 sender or receiver address so
> the packets don't arrive at the other end
>
> In the archives John Capo has the same problem
> he sent me some data to change the source with
> so that doesn't happen anymore. I'm working on
> that now.
>
> Do you have any idea as to who maintains the skip
> website? Maybe it's a good idea to publish this on
> the website when I've got it running.
> > ----- Original Message ----- > From: Theo Purmer (Tepucom) > To: > Sent: Saturday, October 02, 1999 8:45 AM > Subject: skip > > > > Hi Jim > > > > hope you dont mind me sending you some email > > about skip. In some archive i found your name on > > a message where you said you had good experiences > > with skip on freebsd > > > > im having some trouble getting a vpn with skip running > > and i was wondering if you could give me a hint on > > the skip config file. > > > > im trying to route 2 rfc 1918 networks over two skip > > machines via the internet but data does arrive but > > isnt routed to the second (rfc1918) nic in the machine > > > > some help would be greatly appreciated > > > > thanks > > > > theo purmer > > theo@tepucom.nl > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 5 6:45:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id 1FB4D15827 for ; Tue, 5 Oct 1999 06:45:42 -0700 (PDT) (envelope-from jflowers@ezo.net) Received: from lily.ezo.net (jflowers@localhost.ezo.net [127.0.0.1]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id JAA26599; Tue, 5 Oct 1999 09:45:16 -0400 (EDT) Date: Tue, 5 Oct 1999 09:45:16 -0400 (EDT) From: Jim Flowers To: "Theo Purmer (Tepucom)" Cc: "Theo Purmer (Tepucom)" , "skip-info@skip-vpn.org" , "'freebsd-security@freebsd.org'" Subject: RE: skip basic procedure In-Reply-To: <01BF0F08.5D32D270.theo@tepucom.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I believe whatever maintenance is done is by someone at Sun in a spare moment. Just posting to skip-info is probably the best that can be done. 
They don't seem to be assigning much in the way of resources.

Jim Flowers
#4 ISP on C|NET, #1 in Ohio

On Tue, 5 Oct 1999, Theo Purmer (Tepucom) wrote:

> Thanks Jim for the help.
>
> I've got a skip session running between
> two machines and the rfc1918 network
> is connected. What I found to be the problem
> is that skip leaves the rfc1918 sender address
> in the packet even if it goes through the
> tunnel. The routers and firewalls in between don't
> allow a rfc1918 sender or receiver address so
> the packets don't arrive at the other end.
>
> In the archives John Capo has the same problem;
> he sent me some data to change the source with
> so that doesn't happen anymore. I'm working on
> that now.
>
> Do you have any idea as to who maintains the skip
> website? Maybe it's a good idea to publish this on
> the website when I've got it running.
>
> thanks again
>
> theo purmer
> ----------
> From: Jim Flowers[SMTP:jflowers@ezo.net]
> Sent: Monday, 4 October 1999 16:38
> To: Theo Purmer (Tepucom)
> CC: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
> Subject: Re: skip basic procedure
>
>
> Skip doesn't do routing. You have to use something else. Mostly I use
> static routes. Generally, the inside interface (rfc 1918) will create a
> route to the internal network.
>
> However, it sounds like you don't really have a SKIP connection. Can you
> verify in skipd.log? Use tcpdump to verify skip (proto 57) packets on the
> incoming interface and equivalent cleartext packets on the internal
> interface. Assumes you have multi-homed skiphost.
>
> What I have found to work best is:
>
> 1. With skip turned off, verify that the two skiphosts can communicate with
> each other.
> 2. Set up skip on each of the skiphosts by running skiplocal export on the
> opposite end skiphost and then executing it as a shell script.
> 3. Set default in cleartext (`skiphost -a default`) and turn it on at each
> end (`skiphost -o on`).
> 4. Debug this configuration. Is the time correct on each skiphost? Are the
> keys valid? Good idea is to telnet to a third machine and from
> there to the far end so that the session will continue even if skip
> doesn't work. Use skiplog to see if there are errors.
> 5. Once you get 4. working, add the RFC1918 networks using the far end
> skiphost as the tunnel entrance.
> 6. Use tcpdump on the external and internal interfaces of each skiphost to
> debug.
>
> It is also instructive to run the skiptool if you have xwindows. When you
> enable the skip interface it offers suggestions on addresses that should be
> allowed in cleartext.
>
> Have DNS set up and working properly so that skiphost can find all the
> reverse lookups or you will wait for what seems like forever.
>
> Search the freebsd-security list for skip, I posted stuff like this lots of
> times.
>
> ----- Original Message -----
> From: Theo Purmer (Tepucom)
> To:
> Sent: Saturday, October 02, 1999 8:45 AM
> Subject: skip
>
>
> > Hi Jim
> >
> > hope you don't mind me sending you some email
> > about skip. In some archive I found your name on
> > a message where you said you had good experiences
> > with skip on freebsd
> >
> > I'm having some trouble getting a vpn with skip running
> > and I was wondering if you could give me a hint on
> > the skip config file.
> >
> > I'm trying to route 2 rfc 1918 networks over two skip
> > machines via the internet but data does arrive but
> > isn't routed to the second (rfc1918) nic in the machine
> >
> > some help would be greatly appreciated
> >
> > thanks
> >
> > theo purmer
> > theo@tepucom.nl

From owner-freebsd-security Tue Oct 5 06:50:45 1999
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: Mike Nowlin
Cc: Hank Leininger, freebsd-security@FreeBSD.ORG
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
In-Reply-To: Your message of "Tue, 05 Oct 1999 02:52:27 EDT."
Message-Id: <199910051349.GAA17277@cwsys.cwsent.com>
Date: Tue, 05 Oct 1999 06:48:57 -0700

In message, Mike Nowlin writes:
>
> > owned by root or the UID/EUID of the process. This is what Solar
> > Designer's patches for Linux have done for some time now. It seems to
> > break little (nothing, except POSIX? ;) and is quite effective. SolarD's
>
> Not sure if your comment SAID that it breaks POSIX or not, but in this day
> and age of trying to come up with a standard that people can both believe
> in and rely on, "breaking POSIX" isn't something that should be taken too
> lightly. Although there's a lot of quirks and overall dumbness in POSIX,
> the rules were meant for a reason. I don't claim to be a POSIX expert,
> but if this did break one of the guidelines, it would be a shame to have
> to come back in three or four years and say "Linux and FreeBSD? Well,
> they're sort of POSIX-compliant, but they screwed it up by....."
>
> Maybe there's some other (better) way to solve this problem?

Any justified deviations from POSIX should have a sysctl or login.conf knob and be documented or even produce a warning when an insecure POSIX feature is enabled. I think this way we can have our cake and eat it too.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

From owner-freebsd-security Tue Oct 5 07:06:04 1999
From: "Cameron, Frank"
To: freebsd-security@FreeBSD.ORG
Cc: "'Dag-Erling Smorgrav'"
Subject: RE: Long username/password
Date: Tue, 5 Oct 1999 10:00:59 -0400
Message-ID: <604CC98C4E6BD311AEF900A0C9EA54E1878ACD@ctcjst-mail1.ctc.com>

Is it possible to change a user from DES to MD5 and/or make MD5 the default? (I recently noticed that my password on one of my FreeBSD boxes is restricted to eight characters. I wasn't sure what was going on; but, now I realize that I must have mistakenly installed DES on the box.)

Thanks.

Frank

> -----Original Message-----
> From: Dag-Erling Smorgrav [SMTP:des@flood.ping.uio.no]
> Sent: Tuesday, October 05, 1999 1:05 AM
> To: Rashid N. Achilov
> Cc: Kris Kennaway; freebsd-security@FreeBSD.ORG
> Subject: Re: Long username/password
>
> "Rashid N. Achilov" writes:
> > I think, DES isn't default crypt to passwords.
>
> DES *is* the default if the DES libraries are installed, unless the
> user in question already has an MD5 password (in which case the system
> will keep using MD5 every time he/she changes his/her password)
>
> DES (the committer, not the library)
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Oct 5 07:17:52 1999
From: David G Andersen
Message-Id: <199910051417.IAA01309@faith.cs.utah.edu>
Subject: Re: Syslog over serial
To: rh-skerka@itsec-debis.de (Randolf-Heiko Skerka)
Date: Tue, 5 Oct 1999 08:17:31 -0600 (MDT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19991005072724.A9642@merlin.itsec-debis.de> from "Randolf-Heiko Skerka" at Oct 5, 99 07:27:24 am

Right. An alternate way to do this is simply to set it up as a null modem between the two, and have a logger process on the other end of it. The folks at Utah use a setup exactly like this (with cyclades boards) for monitoring their test network; works like a charm.
I'm sure that they could be convinced to release the source to 'capture' if asked nicely. :) (If someone wants it)

-Dave

Lo and behold, Randolf-Heiko Skerka once said:
>
> Well the idea is quite good, but dangerous!
>
> The intention to send syslog over a serial line is not to have an IP
> connection between the sender (normally a server in a dmz) and a logging host.
> So if you establish a p-t-p IP connection, it's easier to use an ethernet
> wire ... just to keep in mind.
>
> Randolf
>
> --
> +------------------------------------------------------------------------+
> | Randolf Skerka                             debis IT Security Services  |
> | Tel. +49-228-9841-510                      Rabinstrasse 8, 53111 Bonn  |
> | 2 weeks free trial: Security news every day             www.dcert.de   |
> +------------------------------------------------------------------------+

--
work: dga@lcs.mit.edu                      me:  dga@pobox.com
      MIT Laboratory for Computer Science       http://www.angio.net/

From owner-freebsd-security Tue Oct 5 07:43:08 1999
From: Jon Parise
Date: Tue, 05 Oct 1999 10:39:19 -0400
To: freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password
In-Reply-To: from des@flood.ping.uio.no on Tue, Oct 05, 1999 at 07:05:05AM +0200
Message-Id: <19991005103919.A17991@osfmail.isc.rit.edu>

On Tue, Oct 05, 1999 at 07:05:05AM +0200, Dag-Erling Smorgrav wrote:
> DES *is* the default if the DES libraries are installed, unless the
> user in question already has an MD5 password (in which case the system
> will keep using MD5 every time he/she changes his/her password)

If the DES libraries are already installed on a system, is there a way to still use MD5 passwords by default?

--
Jon Parise (parise@pobox.com)  .  Rochester Inst. of Technology
http://www.pobox.com/~parise/  :  Computer Science House Member

From owner-freebsd-security Tue Oct 5 08:07:26 1999
From: "Patrick Bihan-Faou"
Reply-To: "Patrick Bihan-Faou"
To: freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
Date: Tue, 5 Oct 1999 11:05:46 -0400
Organization: MindStep Corporation
Message-ID: <007b01bf0f43$1a125de0$190aa8c0@local.mindstep.com>
Hi All,

Sorry for the long delay in that post (from the original thread), but I had some problems with my mailer...

This message is about the appropriateness of the current rc.firewall script. I would like to have as many suggestions as possible...

Thanks,

Patrick.

----- Original Message -----
From: Brett Glass
Sent: Friday, September 24, 1999 3:06 PM
Subject: Re: default rc.firewall

> The default rc.firewall's "simple" ruleset lets through so little that it
> is not a good default for most users -- especially users who are creating
> a NAT router. (Of course, it does not work at all unless you set the
> variables near the beginning of the ruleset properly.)

[...]

> Remember that if you have more than one external IP you will
> need to duplicate many rules.

On that note, I don't really like the fact that you have to modify the "rc.firewall" script to set up even a "simple" firewall. I worked a bit on a new version of the "rc.firewall" script that takes all its configuration from variables that you set in rc.conf. I guess that the script does not qualify as simple anymore, but I think this is a bit cleaner. A couple of examples:

We are using (like many others I guess) FreeBSD as a NAT gateway on a cable-modem connection. I modified the rc.firewall script to use variables such as:

firewall_public_if="vr0"
firewall_private_if="ed0"
firewall_allow_active_ftp="YES"
firewall_allow_incoming_tcp="80,21,20"
firewall_allow_incoming_tcp_log="22"

And it sets up the proper rules:

ipfw add allow tcp from any to any 20 setup in recv $oif
ipfw add allow tcp from any to $oip 80,21,20 setup in recv $oif
ipfw add allow log tcp from any to $oip 22 setup in recv $oif

Where $oif, $oip etc. are recovered automatically from ifconfig.

The other advantage is that when we get a new IP address through DHCP from our cable provider, we only need to re-run the rc.firewall script and all the rules are updated to match the new IP address.

I still need to clean up a few issues with my rc.firewall script, but overall I believe that it would be a great enhancement to the current distribution.

Any thoughts ?

Patrick.

--
MindStep Corporation
www.mindstep.com

From owner-freebsd-security Tue Oct 5 10:04:01 1999
Date: Tue, 5 Oct 1999 10:02:40 -0700 (PDT)
From: "f.johan.beisser"
To: Patrick Bihan-Faou
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
In-Reply-To: <007b01bf0f43$1a125de0$190aa8c0@local.mindstep.com>

On Tue, 5 Oct 1999, Patrick Bihan-Faou wrote:

> On that note, I don't really like the fact that you have to modify the
> "rc.firewall" script to set up even a "simple" firewall. I worked a bit on a
> new version of the "rc.firewall" script that takes all its configuration
> from variables that you set in rc.conf. I guess that the script does not
> qualify as simple anymore, but I think this is a bit cleaner. A couple of
> examples:
>
> We are using (like many others I guess) FreeBSD as a NAT gateway on a
> cable-modem connection. I modified the rc.firewall script to use variables
> such as:

i've found that the rc.firewall is not really necessary for the NAT gateways. basically, i set everything from the natd(8), and use the rc.firewall for logging certain kinds of transactions, or bandwidth control.
basically:

natd -interface fxp0 -deny_incoming -use_sockets -same_ports

if you need to map something back to an internal machine, you can set this from the natd itself. check the man pages on natd(8).

>
> And it sets up the proper rules:
>
> ipfw add allow tcp from any to any 20 setup in recv $oif
> ipfw add allow tcp from any to $oip 80,21,20 setup in recv $oif
> ipfw add allow log tcp from any to $oip 22 setup in recv $oif
>
> Where $oif, $oip etc. are recovered automatically from ifconfig.
>
> The other advantage is that when we get a new IP address through DHCP from
> our cable provider, we only need to re-run the rc.firewall script and all
> the rules are updated to match the new IP address.

natd(8) also supports DHCP assigned addresses, and you should just need to let it negotiate the new IP. if you filter based off of the ethernet connection (i.e. - fxp0) instead of the IP, you should be fine.

> I still need to clean up a few issues with my rc.firewall script, but
> overall I believe that it would be a great enhancement to the current
> distribution.
>
> Any thoughts ?

i consider FWing from NATd(8) a bit easier than using IPFW for it. the NATd can do just about anything the IPFW can, but, it prefers to represent the network. use the IPFW to prevent any kind of spoofing, incoming or outgoing, and perhaps to filter out incoming ICMP (if you really want) from unknown hosts. if you have more than one IP address inside the nat that has to be represented by the natd, it can do it. the trick with this, is that natd does allow certain kinds of incoming connections, and it's not foolproof.

the simple changes to rc.firewall is that you will need to have

$fwcmd add divert natd ip from any to any via ${oif}

in your rc.firewall. it should be the first line in it. FBSD 3.3 has it in there, and it takes the flags from rc.conf. the /etc/services line for it exists as well, making the natd port 8668.

anyhow, hope this helps..

-- jan

From owner-freebsd-security Tue Oct 5 11:54:52 1999
From: Archie Cobbs
Message-Id: <199910051852.LAA73007@bubba.whistle.com>
Subject: Re: Long username/password
In-Reply-To: <19991005103919.A17991@osfmail.isc.rit.edu> from Jon Parise at "Oct 5, 1999 10:39:19 am"
To: jcptch@osfmail.isc.rit.edu (Jon Parise)
Date: Tue, 5 Oct 1999 11:52:04 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG, jkh@FreeBSD.ORG

Jon Parise writes:
> > DES *is* the default if the DES libraries are installed, unless the
> > user in question already has an MD5 password (in which case the system
> > will keep using MD5 every time he/she changes his/her password)
>
> If the DES libraries are already installed on a system, is there a
> way to still use MD5 passwords by default?

I've complained about this before, and I'll do it again :-)

The following two things are NOT the same thing:

1. I want and am allowed to install DES on my system
2. I want DES encrypted passwords

The FreeBSD installer seems to not know the difference (the last time I checked, anyway).

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com

From owner-freebsd-security Tue Oct 5 14:00:41 1999
From: "Valentin Nechayev"
To: freebsd-security@freebsd.org
Date: Tue, 5 Oct 1999 23:49:51 +0300 (EDT)
Subject: Re: Long username/password

Kris Kennaway wrote:
> > FreeBSD 3.3-STABLE. What can I make usernames and passwords longer than 8
> > bytes?
>
> Don't install the DES libcrypt libraries; DES passwords are 8 characters,
> MD5 are (effectively) infinite. Long user names are already supported, I
> do believe.

Why does the current code create new crypts in DES by default, when the DES library is present?
Suppose that one must support DES crypts but wants to create only MD5 crypts, or create MD5 crypts in cases of password absence. IMHO such a situation is typical and normal.

--
NN

From owner-freebsd-security Tue Oct 5 14:15:49 1999
Date: Tue, 5 Oct 1999 14:15:25 -0700 (PDT)
From: Kris Kennaway
To: "Rashid N. Achilov"
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password

On Tue, 5 Oct 1999, Rashid N. Achilov wrote:

> > DES *is* the default if the DES libraries are installed, unless the
> > user in question already has an MD5 password (in which case the system
> > will keep using MD5 every time he/she changes his/her password)
>
> What can I really check, which passwd length is supported, and what can I
> revert to MD5, if need?

As DES pointed out (we really need a committer with initials MD5 just for symmetry :-) once you have an MD5 password for your account it will remain MD5 when you next change it. The easiest way to do this is to go to a machine which has MD5 passwords, generate any password, and then cut-n-paste it from /etc/master.passwd into your /etc/master.passwd. Then you can change your password again and it will stay MD5.

Alternatively, you can generate an MD5 password by removing the /usr/lib/libcrypt.* symlinks and repointing them to /usr/lib/libscrypt - this will temporarily switch off DES encryption, so you might want to do this in single-user mode. Then just generate a new password using passwd(1) as normal, and it will be MD5 since DES support is no longer enabled. Then you can switch back on the DES libraries if you really need them.

This is kind of crufty - probably someone should just add a temporary switch to passwd(1) which lets you choose whether to use MD5 if you have DES installed. I have code which fixes things properly, but it's not quite commit-worthy and I'm exiled in the land of the "free".

Kris

From owner-freebsd-security Tue Oct 5 14:27:17 1999
Date: Tue, 5 Oct 1999 14:27:06 -0700 (PDT)
From: Kris Kennaway
To: Jon Parise
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password
In-Reply-To: <19991005103919.A17991@osfmail.isc.rit.edu>

On Tue, 5 Oct 1999, Jon Parise wrote:

> > DES *is* the default if the DES libraries are installed, unless the
> > user in question already has an MD5 password (in which case the system
> > will keep using MD5 every time he/she changes his/her password)
>
> If the DES libraries are already installed on a system, is there a
> way to still use MD5 passwords by default?

No. Unless you make a trivial change to passwd(1).
Adding a command-line switch to do this would probably be a welcome feature.

Kris

From owner-freebsd-security Tue Oct 5 14:28:36 1999
Date: Tue, 5 Oct 1999 14:27:49 -0700 (PDT)
From: Kris Kennaway
To: "Cameron, Frank"
Cc: freebsd-security@FreeBSD.ORG, 'Dag-Erling Smorgrav'
Subject: RE: Long username/password
In-Reply-To: <604CC98C4E6BD311AEF900A0C9EA54E1878ACD@ctcjst-mail1.ctc.com>

On Tue, 5 Oct 1999, Cameron, Frank wrote:

> Is it possible to change a user from DES to MD5 and/or make MD5 the default?

*Sigh*

Maybe I should write a FAQ entry about this.

Kris

From owner-freebsd-security Tue Oct 5 14:39:22 1999
Date: Tue, 5 Oct 1999 22:38:22 +0100
From: Josef Karthauser
To: Kris Kennaway
Cc: "Rashid N. Achilov", Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password
Message-ID: <19991005223822.F24928@florence.pavilion.net>
Organisation: Pavilion Internet plc, 24 The Old Steine, Brighton, BN1 1EL, England

On Tue, Oct 05, 1999 at 02:15:25PM -0700, Kris Kennaway wrote:
> On Tue, 5 Oct 1999, Rashid N. Achilov wrote:
>
> As DES pointed out (we really need a committer with initials MD5 just for
> symmetry :-) once you have an MD5 password for your account it will remain
> MD5 when you next change it. The easiest way to do this is to go to a
> machine which has MD5 passwords, generate any password, and then
> cut-n-paste it from /etc/master.passwd into your /etc/master.passwd. Then
> you can change your password again and it will stay MD5.

The method that I use is to use 'vipw' to edit the master password file, and manually change the password for the user to '$1$'. Then get them to type in their password on the root console using 'passwd username' (under your supervision of course ;) This generates a new MD5 password.

Joe

--
Josef Karthauser        FreeBSD: How many times have you booted today?
Technical Manager       Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.  [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Tue Oct 5 14:59:47 1999
Message-Id: <3.0.3.32.19991005165043.014cfac0@207.227.119.2>
Date: Tue, 05 Oct 1999 16:50:43 -0500
To: "Cameron, Frank", freebsd-security@FreeBSD.ORG
From: "Jeffrey J. Mountin"
Subject: RE: Long username/password
In-Reply-To: <604CC98C4E6BD311AEF900A0C9EA54E1878ACD@ctcjst-mail1.ctc.com>

At 10:00 AM 10/5/99 -0400, Cameron, Frank wrote:
>Is it possible to change a user from DES to MD5 and/or make MD5 the default?

This has been discussed in the past many times. Check the archives.

Hint: check out /usr/lib and the *crypt* links.

Note that changing the above is an all-or-nothing if you want MD5 for new accounts. Doing so means you can't use DES, period. Hack the code (or do custom code) to call libscrypt rather than libdescrypt when hashing.

Having a knob in login.conf (or somewhere) to choose DES or MD5 (or others) was being worked on, but no idea how far along this is.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
'86 Yamaha MaxiumX (not FBSD powered)

From owner-freebsd-security Tue Oct 5 17:09:34 1999
From: "Crist J. Clark"
Message-Id: <199910060012.UAA13689@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: natd -deny_incoming
In-Reply-To: from "f.johan.beisser" at "Oct 3, 1999 12:51:34 pm"
To: jan@caustic.org (f.johan.beisser)
Date: Tue, 5 Oct 1999 20:12:10 -0400 (EDT)
Cc: ratebor@cityline.ru (Dmitriy Bokiy), freebsd-security@FreeBSD.ORG (FreeBSD Security ML)
Reply-To: cjclark@home.com

f.johan.beisser wrote,
> On Sun, 3 Oct 1999, Dmitriy Bokiy wrote:

[snip]

> > If that`s so is there some ground under it or is it just a "feature"?
> > In other words: why do we need this option at all if "deny incoming to
> > RFCs" could be default behavior?
>
> well, the problem with denying the unroutable networks (RFC 1918,
> 192.168.0.0, 10.0.0.0, 172.16.0.0) from natd is that some folks (in my
> lab, included) will want to have an unroutable network inside of an
> unroutable.

I think the root of the original poster's confusion might be the use of such words as 'unroutable' when referring to the addresses set aside in RFC 1918.
There is absolutely nothing 'unroutable' about these addresses _execpt_, to quote the RFC, an enterprise may use these addresses "without any coordination with IANA or an Internet registry." That is, these addresses have no meaning to the Internet-at-large, but you can do whatever the heck you want with them internally. You can route the heck out of 'em on your own network if you please. There is nothing unroutable about them (nor does the word 'unroutable' appear anywhere in the RFC). However, RFC 1918 recommends, "It is strongly recommended that routers which connect enterprises to external networks are set up with appropriate packet and routing filters at both ends of the link in order to prevent packet and routing information leakage. An enterprise should also filter any private networks from inbound routing information in order to protect itself from ambiguous routing situations which can occur if routes to the private address space point outside the enterprise." But this is a recommendation and not a requirement. Refering to them as 'private network numbers,' 'unregistered numbers,' or as the RFC says, 'private address space,' is more accurate and less confusing, IMHO. -- Crist J. 
Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 5 18:39:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail-gw.pacbell.net (mail-gw.pacbell.net [206.13.28.25]) by hub.freebsd.org (Postfix) with ESMTP id E0F121519E for ; Tue, 5 Oct 1999 18:39:13 -0700 (PDT) (envelope-from madscientist@thegrid.net) Received: from remus (adsl-63-193-246-169.dsl.snfc21.pacbell.net [63.193.246.169]) by mail-gw.pacbell.net (8.9.3/8.9.3) with SMTP id SAA07711 for ; Tue, 5 Oct 1999 18:39:08 -0700 (PDT) Message-Id: <4.1.19991005182845.00973e90@mail.thegrid.net> X-Sender: i289861@mail.thegrid.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 05 Oct 1999 18:32:50 -0700 To: freebsd-security@freebsd.org From: The Mad Scientist Subject: Re: Syslog over serial In-Reply-To: <199910051417.IAA01309@faith.cs.utah.edu> References: <19991005072724.A9642@merlin.itsec-debis.de> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 08:17 AM 10/5/99 -0600, you wrote: >Right. An alternate way to do this is simply to set it up as a null modem >between the two, and have a logger process on the other end of it. The >folks at Utah use a setup exactly like this (with cyclades boards) for >monitoring their test network; works like a charm. > >I'm sure that they could be convinced to release the source to 'capture' >if asked nicely. :) (If someone wants it) > > -Dave I'd love to see it. That's exactly what I'm asking about. Thanks so much. 
-Dean To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 5 18:59:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail-gw.pacbell.net (mail-gw.pacbell.net [206.13.28.25]) by hub.freebsd.org (Postfix) with ESMTP id 8537B14C94 for ; Tue, 5 Oct 1999 18:59:13 -0700 (PDT) (envelope-from madscientist@thegrid.net) Received: from remus (adsl-63-193-246-169.dsl.snfc21.pacbell.net [63.193.246.169]) by mail-gw.pacbell.net (8.9.3/8.9.3) with SMTP id SAA16315 for ; Tue, 5 Oct 1999 18:57:08 -0700 (PDT) Message-Id: <4.1.19991005185332.009763d0@mail.thegrid.net> X-Sender: i289861@mail.thegrid.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 05 Oct 1999 18:54:25 -0700 To: freebsd-security@freebsd.org From: The Mad Scientist Subject: Re: Syslog over serial Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 07:27 AM 10/5/99 +0200, you wrote: >> Great, thanks. What about connecting a few machines to a central logging >> server with this setup? Will I have to get a board for the logging server >> with a number of parallel ports? Can I get whatever hardware that is used >> to hook up multiple printers to a single machine? > >Well the idea is quite good, but dangerous! > >The intention to send syslog over a serial line is not to have an IP >connection betwen the sender (normaly a server in a dmz) and a logging host. >So if you establish a p-t-p IP connection, it's easier to use an ethernet >wire ... just to keep in mind. > > Randolf I figured all the normal rules of tcp/ip applied to a ptp connection over parallel. This means that I've created a connection across my inner firewall. I suppose one solution would be to run ipfw on the logging host and allow only udp-port-514-traffic in. Of course, I might as well be using ethernet. 
^_^ Parallel lines add some protection from snooping though. Perhaps encrypted syslog is a better alternative. (I remember the pseudo-flame wars over secure syslog a few months ago. I'll go troll the archives) Thanks to all who replied (but don't let this email discourage you from putting in your thoughts about running syslog over serial lines.) -Dean To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 5 22: 1:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from proxy2.ba.best.com (proxy2.ba.best.com [206.184.139.14]) by hub.freebsd.org (Postfix) with ESMTP id ED4DB156CF for ; Tue, 5 Oct 1999 22:01:03 -0700 (PDT) (envelope-from cravi@arsin.com) Received: from arsin.com (dynamic50.pm08.san-jose.best.com [209.24.165.242]) by proxy2.ba.best.com (8.9.3/8.9.2/best.out) with ESMTP id VAA07044; Tue, 5 Oct 1999 21:56:30 -0700 (PDT) Message-ID: <37FAD4C7.15678404@arsin.com> Date: Tue, 05 Oct 1999 21:49:11 -0700 From: Chandra Ravi X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: "Theo Purmer (Tepucom)" Cc: "'Jim Flowers'" , "skip-info@skip-vpn.org" , "'freebsd-security@freebsd.org'" Subject: Re: skip basic procedure References: <01BF0F08.5D32D270.theo@tepucom.nl> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Guys! Get me out of your mailing list. Thanks, Theo Purmer (Tepucom) wrote: > Thanks Jim fo the help. > > Ive got a skip session running between > two machines and the rfc1918 network > is connected what i found to be the problem > is that skip leaves the rfc1918 sender address > in the packet even if it goes through the > tunnel. 
The routers and firewalls in between dont > allow a rfc1918 sender or receiver address so > the packets dont arrive at the other end > > In the archives john capo has the same problem > he sent me some data to change the source with > so that doesnt happen anymore. im working on > that now. > > Do you have any idea as to who maintains the skip > website. Maybe its a good idea to publish this on > the website when ive got it running. > > thanks agian > > theo purmer > ---------- > Van: Jim Flowers[SMTP:jflowers@ezo.net] > Verzonden: maandag 4 oktober 1999 16:38 > Aan: Theo Purmer (Tepucom) > CC: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org' > Onderwerp: Re: skip basic procedure > > Skip doesn't do routing. You have to use something else. Mostly I use > static routes. Generally, the inside inetrace (rfc 1918) will create a > route to the internal network. > > However, It sounds like you don't really have a SKIP connection. Can you > verify in skipd.log? Use tcpdump to verify skip (proto 57) packets on the > incoming interface and equivalent cleartext packets on the internal > interface. Assumes you have multi-homed skiphost. > > What I have found to work best is: > > 1. With skip turned off, verify that the two skiphosts can communicate with > each other. > 2. Setup skip on each of the skiphosts by running skiplocal export on the > opposite end skiphost and then executing it as a shell script. > 3. Set default in cleartext (`skiphost -a default`) and turn it on at each > end (`skiphost -o on`). > 4. Debug this configuration. Is the time correct on each skiphost? Are the > keys valid? Good idea is to telnet to a third machine and from > there to the far end so that the session will continue even if skip > doesn't work. Use skiplog to see if there are errors > 5. Once you get 4. working, add the RFC1918 networks using the far end > skiphost as the tunnel entrance. > 6. Use tcpdump on the external and internal interfaces of each skiphost to > debug. 
> > It is also instructive to run the skiptool if you have xwindows. When you > enable the skip interface it offers suggestions on addresses that should be > allowed in cleartext. > > Have DNS set up and working properly so that skiphost can find all the > reverse lookups or you will wait for what seems like forever. > > Search the freebsd-security list for skip, I posted stuff like this lots of > times. > > ----- Original Message ----- > From: Theo Purmer (Tepucom) > To: > Sent: Saturday, October 02, 1999 8:45 AM > Subject: skip > > > Hi Jim > > > > hope you dont mind me sending you some email > > about skip. In some archive i found your name on > > a message where you said you had good experiences > > with skip on freebsd > > > > im having some trouble getting a vpn with skip running > > and i was wondering if you could give me a hint on > > the skip config file. > > > > im trying to route 2 rfc 1918 networks over two skip > > machines via the internet but data does arrive but > > isnt routed to the second (rfc1918) nic in the machine > > > > some help would be greatly appreciated > > > > thanks > > > > theo purmer > > theo@tepucom.nl > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 6 0:28:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from jason.argos.org (a1-3a123.neo.rr.com [24.93.180.123]) by hub.freebsd.org (Postfix) with ESMTP id 9713B14BDA for ; Wed, 6 Oct 1999 00:28:09 -0700 (PDT) (envelope-from mike@argos.org) Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id DAA16078; Wed, 6 Oct 1999 03:27:34 -0400 Date: Wed, 6 Oct 1999 03:27:26 -0400 (EDT) From: Mike Nowlin To: The Mad Scientist Cc: freebsd-security@FreeBSD.ORG Subject: Re: Syslog over serial In-Reply-To: 
<4.1.19991005185332.009763d0@mail.thegrid.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I figured all the normal rules of tcp/ip applied to a ptp connection over > parallel. This means that I've created a connection across my inner > firewall. I suppose one solution would be to run ipfw on the logging host > and allow only udp-port-514-traffic in. Of course, I might as well be > using ethernet. ^_^ Parallel lines add some protection from snooping > though. Perhaps encrypted syslog is a better alternative. (I remember the > pseudo-flame wars over secure syslog a few months ago. I'll go troll the > archives) > Thanks to all who replied (but don't let this email discourage you from > putting in your thoughts about running syslog over serial lines.) > -Dean As a general rule, if you can ping it, the IP rules do apply... One of the nice things about syslog is that you can have messages go to multiple places, although sometimes it takes a little creativity to make it work... All of the machines at work log to a common host using standard "*.* @1.2.3.4" notation in syslog.conf -- the common host records everything to a (really big) disk file, in addition to breaking it down depending on syslog facility into separate log files. The "/var/log/biglog" that syslog creates has a program running against it that does the equivalent of "tail -f", sent over an encrypted socket to one of the machines at my home. In addition, the common logger sends all the messages out via a serial line to a dumb terminal sitting behind my my chair - quick viewability (?) to keep track of what's going on, and the attached printer lets me grab stuff if I need to. (Two keystrokes to turn the printer on/off.) 
Along with all of this, the three big machines that I'm really concerned about each have a serial line connected to a serial line-buffering multiplexer, which is in turn connected to a DOS box that records everything they send out. This has been extremely beneficial in the past during breakins, etc. where Mr. Intruder thought he'd play it safe by wiping the log files -- good luck.... :) Serial comms play a big part in this scheme, but none of them run IP (except the serial line to the CSU/DSU to my home network). One of the key points to keep in mind when dealing with serial logging over IP is that if somebody trashes your IPFW rules or other essential info, your IP serial line suddenly goes dead, and your logging quickly stops. --mike P.S. - As a side idea, would IPFW rules blocking IP keep PPP from doing it's every-so-often handshaking? If not, PPP would happily keep running, while the IP layer of it would block syslog entries from being transmitted..... I know SLIP would do this......... 
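The out-of-band copies in Mike's scheme make wiping the disk file pointless; a hash chain over the collector's own "biglog" additionally makes edits, deletions and truncation detectable afterwards, provided the latest chain value is also copied somewhere the intruder cannot reach (the serial terminal and printer above would do). This is an added example in POSIX sh, not code from any poster in this thread and not nsyslogd; it assumes one of sha256sum(1), shasum(1) or FreeBSD's sha256(1) plus mktemp(1) is installed, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not any poster's code, not nsyslogd): a SHA-256 hash chain
# over a syslog collector's file. Each stored line is "<chain-hash> <message>"
# with chain-hash = SHA-256(previous chain-hash || message). Keep the newest
# chain-hash off the box (serial printout) and the file can be audited later.

sha256_hex() {
    # Hex digest of stdin. Assumes sha256sum(1) (Linux), shasum(1) or
    # FreeBSD's sha256(1) is available.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 | cut -d' ' -f1
    else
        sha256 -q
    fi
}

# chain_append LOGFILE STATEFILE MESSAGE
# Appends one chained line to LOGFILE and records the new chain-hash in
# STATEFILE (the value to copy out of band). A missing STATEFILE starts a
# fresh chain from the fixed label "GENESIS".
chain_append() {
    ap_log=$1; ap_state=$2; ap_msg=$3
    ap_prev=$(cat "$ap_state" 2>/dev/null || printf 'GENESIS')
    ap_hash=$(printf '%s\n%s\n' "$ap_prev" "$ap_msg" | sha256_hex)
    printf '%s %s\n' "$ap_hash" "$ap_msg" >> "$ap_log"
    printf '%s' "$ap_hash" > "$ap_state"
}

# chain_verify LOGFILE EXPECTED_LAST_HASH
# Recomputes the chain from GENESIS. Prints one line and returns:
#   0  "ok (N lines)"                        every link matches and the final
#                                            hash equals the out-of-band copy
#   1  "tampered at line N"                  a line was edited, inserted or
#                                            removed; the chain breaks there
#   2  "truncated or replaced after line N"  all links match but the file
#                                            ends before the recorded hash
chain_verify() {
    vf_log=$1; vf_expected=$2
    vf_prev='GENESIS'; vf_n=0
    while IFS= read -r vf_line; do
        vf_n=$((vf_n + 1))
        vf_hash=${vf_line%% *}
        vf_msg=${vf_line#* }
        vf_calc=$(printf '%s\n%s\n' "$vf_prev" "$vf_msg" | sha256_hex)
        if [ "$vf_calc" != "$vf_hash" ]; then
            printf 'tampered at line %d\n' "$vf_n"
            return 1
        fi
        vf_prev=$vf_hash
    done < "$vf_log"
    if [ "$vf_prev" != "$vf_expected" ]; then
        printf 'truncated or replaced after line %d\n' "$vf_n"
        return 2
    fi
    printf 'ok (%d lines)\n' "$vf_n"
    return 0
}

# Walk-through on constructed log lines (not real logs): build a chain, keep
# the last hash as the "printout", then audit an edited and a cut-down copy.
demo() {
    dm_dir=$(mktemp -d) || return 1
    dm_log=$dm_dir/biglog; dm_state=$dm_dir/chain.last
    for dm_m in \
        'Oct  6 03:20:01 host sshd[123]: Accepted password for joe from 192.0.2.10' \
        'Oct  6 03:21:44 host su: joe to root on /dev/ttyp0' \
        'Oct  6 03:22:09 host /kernel: arp_rtrequest: bad gateway value'
    do
        chain_append "$dm_log" "$dm_state" "$dm_m"
    done
    dm_printout=$(cat "$dm_state")
    chain_verify "$dm_log" "$dm_printout"          # ok (3 lines)
    grep -v ' su: ' "$dm_log" > "$dm_log.edited"   # intruder drops the su line
    chain_verify "$dm_log.edited" "$dm_printout"   # tampered at line 2
    head -n 2 "$dm_log" > "$dm_log.cut"            # intruder cuts the tail
    chain_verify "$dm_log.cut" "$dm_printout"      # truncated or replaced after line 2
    rm -rf "$dm_dir"
}
demo
```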
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 6 0:47:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id 1E9BC14CB9 for ; Wed, 6 Oct 1999 00:47:30 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id RAA07368; Wed, 6 Oct 1999 17:46:39 +1000 (EST) From: Darren Reed Message-Id: <199910060746.RAA07368@cheops.anu.edu.au> Subject: Re: Syslog over serial To: mike@argos.org (Mike Nowlin) Date: Wed, 6 Oct 1999 17:46:38 +1000 (EST) Cc: madscientist@thegrid.net, freebsd-security@FreeBSD.ORG In-Reply-To: from "Mike Nowlin" at Oct 6, 99 03:27:26 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Mike Nowlin, sie said: [...] > One of the nice things about syslog is that you can have messages go to > multiple places, although sometimes it takes a little creativity to make > it work... All of the machines at work log to a common host using > standard "*.* @1.2.3.4" notation in syslog.conf -- the common host records > everything to a (really big) disk file, in addition to breaking it down > depending on syslog facility into separate log files. The > "/var/log/biglog" that syslog creates has a program running against it > that does the equivalent of "tail -f", sent over an encrypted socket to > one of the machines at my home. In addition, the common logger sends all > the messages out via a serial line to a dumb terminal sitting behind my > my chair - quick viewability (?) to keep track of what's going on, and the > attached printer lets me grab stuff if I need to. (Two keystrokes to turn > the printer on/off.) 
Along with all of this, the three big machines that > I'm really concerned about each have a serial line connected to a serial > line-buffering multiplexer, which is in turn connected to a DOS box that > records everything they send out. This has been extremely beneficial in > the past during breakins, etc. where Mr. Intruder thought he'd play it > safe by wiping the log files -- good luck.... :) [...] [shameless plug] Were you using nsyslogd you could have the TCP/IP connection and encryption done using SSL without needing multiple programs. You are also protected from logfile tampering by message hashing. Darren http://coombs.anu.edu.au/~avalon/nsyslog.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 6 1:32:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from dvutavr.carrier.kiev.ua (dvutavr.carrier.kiev.ua [193.193.193.120]) by hub.freebsd.org (Postfix) with ESMTP id D619D14CE4; Wed, 6 Oct 1999 01:32:30 -0700 (PDT) (envelope-from nfb@nn.kiev.ua) Received: from kozlik.carrier.kiev.ua (kozlik.carrier.kiev.ua [193.193.193.111]) by dvutavr.carrier.kiev.ua (8.Who.Cares/Kilkenny_is_better) with ESMTP id LLQ44046; Wed, 6 Oct 1999 11:30:15 +0300 (EEST) (envelope-from nfb@nn.kiev.ua) Received: from nn.UUCP (uucp@localhost) by kozlik.carrier.kiev.ua (8.The.Best/UUCP_FOREVER) with UUCP id LLB00895; Wed, 6 Oct 1999 11:28:44 +0300 (EEST) (envelope-from nfb@nn.kiev.ua) Received: from nn.UUCP (uucp@localhost) by kozlik.carrier.kiev.ua (rmail mypid=00894 childpid=00895) with UUCP; Wed, 06 Oct 1999 08:28:44 +0000 GMT Received: by nn.kiev.ua (UUPC/@ v7.00, 29Jul97) id AA06197; Wed, 6 Oct 1999 11:18:31 +0300 (EDT) To: freebsd-security@freebsd.org, kris@hub.freebsd.org X-Comment-To: Kris Kennaway References: Message-ID: From: "Valentin Nechayev" Date: Wed, 6 Oct 1999 11:18:31 +0300 (EDT) X-Mailer: dMail [Demos Mail for DOS v2.06] Subject: Re: Long username/password 
MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Lines: 29 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kris Kennaway wrote: > > If the DES libraries are already installed on a system, is there a > > way to still use MD5 passwords by default? > > No. Unless you make a trivial change to passwd(1). Adding a command-line > switch to do this would probably be a welcome feature. Possibly, not command-line switch - this should be host policy. I'd prefer something similar to /etc/malloc_options. It is quite easy to read link. This link must be used at least by pw(1) and passwd(1). Possible definitions: 'M' - always create new crypts as MD5 '5' - create crypts for new accounts, or cases of empty password or '*' in pw_passwd field (in code - all cases of first two characters of crypt not in [A-Za-z0-9./] ) Is it acceptable? P.S. There were some rumours about totally new libcrypt. What is the state of it? -- NN To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 6 4: 6:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 4F38714DFC for ; Wed, 6 Oct 1999 04:06:13 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id NAA38050; Wed, 6 Oct 1999 13:05:00 +0200 (CEST) (envelope-from des) To: "Cameron, Frank" Cc: freebsd-security@FreeBSD.ORG, "'Dag-Erling Smorgrav'" Subject: Re: Long username/password References: <604CC98C4E6BD311AEF900A0C9EA54E1878ACD@ctcjst-mail1.ctc.com> From: Dag-Erling Smorgrav Date: 06 Oct 1999 13:04:59 +0200 In-Reply-To: "Cameron, Frank"'s message of "Tue, 5 Oct 1999 10:00:59 -0400" Message-ID: Lines: 11 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: 
FreeBSD.org "Cameron, Frank" writes: > Is it possible to change a user from DES to MD5 and/or make MD5 the > default? Respectively, no and yes. You can make MD5 the default by switching over the /usr/lib/libcrypt* symlinks to point to libscrypt instead of libdescrypt. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 6 6:40:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from jacuzzi.local.mindstep.com (modemcable156.106-200-24.mtl.mc.videotron.net [24.200.106.156]) by hub.freebsd.org (Postfix) with SMTP id DF5EB15086 for ; Wed, 6 Oct 1999 06:40:02 -0700 (PDT) (envelope-from patrick-fl-security@mindstep.com) Received: (qmail 2275 invoked from network); 6 Oct 1999 13:40:01 -0000 Received: from unknown (HELO patrak) (192.168.10.25) by jacuzzi.local.mindstep.com with SMTP; 6 Oct 1999 13:40:01 -0000 Message-ID: <007e01bf1000$49935520$190aa8c0@local.mindstep.com> Reply-To: "Patrick Bihan-Faou" From: "Patrick Bihan-Faou" To: "\"f.johan.beisser\"" , References: <007b01bf0f43$1a125de0$190aa8c0@local.mindstep.com> Subject: Re: default rc.firewall Date: Wed, 6 Oct 1999 09:40:00 -0400 Organization: MindStep Corporation MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, > i've found that the rc.firewall is not really nessassary for the NAT > gateways. basically, i set everything from the natd(8), and use the > rc.firewall for logging certain kinds of transactions, or bandwidth > control. I think you missed my point. I am not arguing whether NATD can do what IPFW does. 
You scheme is fine, bu if you also want to run services on the gateway, it becomes cumbersome. What I want to do is a "rc.firewall" script that behaves mostly like the "rc.network" script: you don't modify the script yourself, you change some variables in "rc.conf" to do what you need done. This goes beyond the NAT router. > This is the mild snippage that goes in "rc.conf"... ;-) Just for the record here it is again: firewall_public_if="ed2" firewall_allow_passive_ftp="YES" firewall_allow_tcp="80,21,20" firewall_allow_tcp_log="22" And this is the side-effect of rc.firewall using the variables in rc.conf. ipfw add allow tcp from any to any 20 setup in recv ed2 ipfw add allow tcp from any to 1.2.3.4 80,21,20 setup in recv ed2 ipfw add allow log tcp from any to 1.2.3.4 22 setup in recv ed2 Patrick. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 6 7:39:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from inbox.org (inbox.org [216.22.145.8]) by hub.freebsd.org (Postfix) with ESMTP id E239B14BE7 for ; Wed, 6 Oct 1999 07:39:22 -0700 (PDT) (envelope-from bsd@a.servers.aozilla.com) Received: from localhost (bsd@localhost) by inbox.org (8.9.3/8.9.3) with ESMTP id KAA13735; Wed, 6 Oct 1999 10:37:10 -0400 (EDT) Date: Wed, 6 Oct 1999 10:37:10 -0400 (EDT) From: "Mr. K." X-Sender: bsd@inbox.org To: Dag-Erling Smorgrav Cc: "Cameron, Frank" , freebsd-security@FreeBSD.ORG Subject: Re: Long username/password In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org if you set the passwords to expire on the next login, will this accomplish switching from DES to MD5, or will the old format be kept? On 6 Oct 1999, Dag-Erling Smorgrav wrote: > "Cameron, Frank" writes: > > Is it possible to change a user from DES to MD5 and/or make MD5 the > > default? 
> > Respectively, no and yes. You can make MD5 the default by switching > over the /usr/lib/libcrypt* symlinks to point to libscrypt instead of > libdescrypt. > > DES > -- > Dag-Erling Smorgrav - des@flood.ping.uio.no > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 6 7:39:44 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id E95DF14BE7 for ; Wed, 6 Oct 1999 07:39:33 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id IAA08754 for ; Wed, 6 Oct 1999 08:38:56 -0600 (MDT) Message-Id: <4.2.0.58.19991006083634.046fcd10@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Wed, 06 Oct 1999 08:38:52 -0600 To: security@freebsd.org From: Brett Glass Subject: What's this message mean? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This past week, we've encountered more scans of our network and machines than usual; fortunately, we haven't detected any break-ins (yet). However, I did find one log message I've never seen before. Can anyone tell me why I might see > arp_rtrequest: bad gateway value in the logs? Is this due to a sniffing or spoofing attack? 
--Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 6 10:22:49 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 7775815729; Wed, 6 Oct 1999 10:22:28 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 6A9501CD432; Wed, 6 Oct 1999 10:22:28 -0700 (PDT) (envelope-from kris@hub.freebsd.org) Date: Wed, 6 Oct 1999 10:22:28 -0700 (PDT) From: Kris Kennaway To: Valentin Nechayev Cc: freebsd-security@freebsd.org Subject: Re: Long username/password In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 6 Oct 1999, Valentin Nechayev wrote: > > No. Unless you make a trivial change to passwd(1). Adding a command-line > > switch to do this would probably be a welcome feature. > > Possibly, not command-line switch - this should be host policy. > I'd prefer something similar to /etc/malloc_options. > It is quite easy to read link. Aarg, dangling symlinks are EVIL! :) The malloc.conf one is only done for efficiency because it's read so often. The right way to do this is by login class in login.conf, but it's slightly less trivial to implement (i.e. not a 2-line patch), and this is only intended as a temporary fix for convenience so people can actually do this without having to munge their system by hand, until we can get a better replacement in. > P.S. There were some rumours about totally new libcrypt. What is the > state of it? http://www.physics.adelaide.edu.au/~kkennawa/crypt-990725.tar.gz I've been told there's a missing header file or something which prevents it from compiling, but haven't looked into that. 
Modulo compilation issues, as far as I know, it's quite functional except for not allowing plugin modules for statically-linked binaries (only supports the builtin DES and MD5 schemes as now). What I'll probably have to do now that I'm in the ITARed States of America is remove the Blowfish/DES modules from my official distribution, and rely on someone else to keep up with any API changes I make (which shouldn't be major). I might have time to work on this again in a month or so, pending PhD workload. Side note - ideally we'd be able to use dlopen() in the static case as well, which would solve that problem and PAM's (PAM cheats by compiling in a fixed set of modules into the static library, so as far as I know you can't add a new PAM module to a statically-linked binary without recompilation) - I saw an openbsd commit message float past a while back which claimed to provide support for this, but haven't had the chance to look into how (or if) they did it. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 6 14:52:56 1999 Delivered-To: freebsd-security@freebsd.org Received: from ctg-nt.ctg.albany.edu (ctg-nt.ctg.albany.edu [169.226.80.32]) by hub.freebsd.org (Postfix) with ESMTP id 6BA7C1576C for ; Wed, 6 Oct 1999 14:52:48 -0700 (PDT) (envelope-from dwerthmu@ctg.albany.edu) Received: by ctg-nt.ctg.albany.edu with Internet Mail Service (5.5.2448.0) id ; Wed, 6 Oct 1999 17:54:20 -0400 Message-ID: <7A71D0D43B9ED1119EC10008C756C30418F68A@ctg-nt.ctg.albany.edu> From: Derek Werthmuller To: freebsd-security@FreeBSD.ORG Cc: Derek Werthmuller Subject: Authenticate ppp users via Kerberos ? 
Date: Wed, 6 Oct 1999 17:54:11 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is it possible and/or has anyone been able to setup a FBSD ppp server and authenticate dialin users via PAP and Kerberos ?

Here is what I was thinking.

  KDC server          PPP server (PICOBSD ?)          Remote dialup server (Windows)
   xxxxxxx                   xxxxxxx                             xxxxx
  |-------------Ethernet -------------|
                             |------modem--------------Phone lines--------modem------|

All accounts are on the KDC; the username/password exchange is PAP between the windows and PPP server.

Ideas? Comments?

Thanks
Derek
Center for Technology in Government

From owner-freebsd-security Wed Oct 6 16: 8:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id DBE1715793 for ; Wed, 6 Oct 1999 16:08:05 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40325>; Thu, 7 Oct 1999 09:03:56 +1000
Content-return: prohibited
Date: Thu, 7 Oct 1999 09:07:24 +1000
From: Peter Jeremy
Subject: Re: Syslog over serial
In-reply-to:
To: Mike Nowlin
Cc: freebsd-security@FreeBSD.ORG
Reply-To: peter.jeremy@alcatel.com.au
Message-Id: <99Oct7.090356est.40325@border.alcanet.com.au>
MIME-version: 1.0
X-Mailer: Mutt 1.0pre3i
Content-type: text/plain; charset=us-ascii
References: <4.1.19991005185332.009763d0@mail.thegrid.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 1999-Oct-06 17:27:26 +1000, Mike Nowlin wrote:
>P.S. - As a side idea, would IPFW rules blocking IP keep PPP from doing
>its every-so-often handshaking?

No. PPP handshaking is at a lower level (normally LCP) and won't go anywhere near the IP stack (or IPFW).

> If not, PPP would happily keep running,
>while the IP layer of it would block syslog entries from being
>transmitted.....

True. Another reason not to use PPP for syslog.

Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA NSW 2015             Fax:   +61 2 9690 5982

From owner-freebsd-security Wed Oct 6 19:40:46 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jacuzzi.local.mindstep.com (modemcable156.106-200-24.mtl.mc.videotron.net [24.200.106.156]) by hub.freebsd.org (Postfix) with SMTP id 4FCEC14C88 for ; Wed, 6 Oct 1999 19:40:38 -0700 (PDT) (envelope-from patrick-fl-security@mindstep.com)
Received: (qmail 3546 invoked from network); 7 Oct 1999 02:40:25 -0000
Received: from unknown (HELO patrak) (192.168.10.25) by jacuzzi.local.mindstep.com with SMTP; 7 Oct 1999 02:40:25 -0000
Message-ID: <008901bf106d$4f227080$190aa8c0@local.mindstep.com>
Reply-To: "Patrick Bihan-Faou"
From: "Patrick Bihan-Faou"
To: "Thomas Keusch"
Cc:
References: <007b01bf0f43$1a125de0$190aa8c0@local.mindstep.com> <19991006223750.A2232@dante.visionaire.net>
Subject: Re: default rc.firewall
Date: Wed, 6 Oct 1999 22:40:25 -0400
Organization: MindStep Corporation
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Apparently this message did not make it to the list... (this is resent with the permission of Thomas).
----- Original Message -----
From: Thomas Keusch
To: Patrick Bihan-Faou
Cc: US FreeBSD Security Mailing List
Sent: Wednesday, October 06, 1999 4:37 PM
Subject: Re: default rc.firewall

On Tue, Oct 05, 1999 at 11:05:46AM -0400, Patrick Bihan-Faou wrote:

Ha Patrick,

> This message is about the appropriateness of the current rc.firewall script.
> I would like to have as many suggestions as possible...

> On that note, I don't really like the fact that you have to modify the
> "rc.firewall" script to set up even a "simple" firewall. I worked a bit on a
> new version of the "rc.firewall" script that takes all its configuration
> from variables that you set in rc.conf. I guess that the script does not
> qualify as simple anymore, but I think this is a bit cleaner. A couple of
> examples:

I think this is generally a good idea, but a few cases come to mind where you have no choice but to edit rc.firewall anyway.

> We are using (like many others I guess) FreeBSD as a NAT gateway on a
> cable-modem connection. I modified the rc.firewall script to use variables
> such as:
>
> firewall_public_if="vr0"
> firewall_private_if="ed0"
> firewall_allow_active_ftp="YES"
> firewall_allow_incoming_tcp="80,21,20"
> firewall_allow_incoming_tcp_log="22"
>
> And it sets up the proper rules:
>
> ipfw add allow tcp from any to any 20 setup in recv $oif
> ipfw add allow tcp from any to $oip 80,21,20 setup in recv $oif
> ipfw add allow log tcp from any to $oip 22 setup in recv $oif
>
> Where $oif, $oip etc are recovered automatically from ifconfig.

This IMHO is a good solution if there is exactly *one* inside and *one* outside interface. If one has a setup with more internal/external interfaces, given your implementation above, one needs to edit the rc script nevertheless. I don't know if there is a way to implement some robustness concerning such issues without making rc.firewall overwhelmingly complex.

Besides that, I think there is a limit on the number of ports you can pass to ipfw (I think it's around 10) (I can't check right now, as I'm in Linux now), so if one sets firewall_allow_incoming_tcp to "1,3,5,7,9,11,13,15,17,19,21,23,25,28" it would have to be split and several ipfw commands would have to be executed. This problem would have to be dealt with, either in ipfw or in rc.firewall.

So, basically, to address these two problems within rc.firewall, the script would get very complex and confusing, and maybe harder to maintain. Another point is, if the script becomes that complex, newbies lose an important (local) resource of information on how to use ipfw, as I think it would be very hard to understand some given ipfw commands if you don't understand the context in which they are executed.

> The other advantage is that when we get a new IP address through DHCP from
> our cable provider, we only need to re-run the rc.firewall script and all
> the rules are updated to match the new IP address.

Though I have a static IP, I have to admit that this would be a pretty useful feature. :-)

> I still need to clean up a few issues with my rc.firewall script, but
> overall I believe that it would be a great enhancement to the current
> distribution.

> Any thoughts ?

I have not reached anything near mastery in shell scripting, but if it is possible to work around the issues mentioned above without having rc.firewall beyond 1 Meg in size, I think this would be a great improvement over the current situation, well worth thinking about.

--
thomas.
.powered.by.debian/linux. .served.by.FreeBSD.
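The generator sketched below is an added example written for this archive, not Patrick's rc.firewall or any FreeBSD code. It takes the rc.conf-style variables from the thread (plus one assumed variable, firewall_private_net, for the anti-spoofing rule) and emits ipfw(8) commands rather than running them, so the result can be read or tested before it touches the live rule set. It addresses Thomas's port-list concern by splitting long lists into rules of at most MAX_PORTS ports; the limit of 10 is assumed from his message. Two caveats a practitioner should check: the address is read from ifconfig at generation time, which is exactly why re-running it after a DHCP lease change works; and for active-mode FTP the remote server's data connection arrives *from* source port 20, so the rule here matches on the source port rather than on destination port 20 as in the quoted rule, and any outside host that sets its source port to 20 passes it too.

```shell
#!/bin/sh
# Added example (not Patrick's script): build ipfw rules from rc.conf-style
# variables. Rule generation is separated from execution so the output can be
# inspected (or tested) before anything touches the live rule set.

# Maximum ports per rule. Assumed to be the 10-port limit Thomas mentions;
# set it to whatever the ipfw you run actually accepts.
MAX_PORTS=${MAX_PORTS:-10}

# First IPv4 address of an interface, read from ifconfig(8). OIP, if set,
# overrides it so the generator can run on a host without that interface.
iface_addr() {
    if [ -n "$OIP" ]; then
        echo "$OIP"
    else
        ifconfig "$1" | awk '/inet /{print $2; exit}'
    fi
}

# Split a comma-separated port list into lines of at most MAX_PORTS ports.
chunk_ports() {
    echo "$1" | tr ',' '\n' | awk -v n="$MAX_PORTS" '
        { buf = buf (cnt ? "," : "") $0; cnt++ }
        cnt == n { print buf; buf = ""; cnt = 0 }
        END { if (cnt) print buf }'
}

# One "allow inbound TCP setup" rule per chunk.
# $1 = outside interface, $2 = its address, $3 = port list, $4 = "log" or ""
emit_tcp_in() {
    chunk_ports "$3" | while read -r group; do
        echo "ipfw add allow ${4:+log }tcp from any to $2 $group setup in recv $1"
    done
}

# Whole rule set, in the order the rules must be evaluated.
build_rules() {
    oif=$firewall_public_if
    oip=$(iface_addr "$oif")
    echo "ipfw -f flush"
    echo "ipfw add allow ip from any to any via lo0"
    # Anti-spoofing: packets claiming an inside or loopback source address
    # must never arrive on the outside interface.
    echo "ipfw add deny ip from $firewall_private_net to any in recv $oif"
    echo "ipfw add deny ip from 127.0.0.0/8 to any in recv $oif"
    echo "ipfw add divert natd ip from any to any via $oif"
    echo "ipfw add allow tcp from any to any established"
    if [ -n "$firewall_allow_incoming_tcp" ]; then
        emit_tcp_in "$oif" "$oip" "$firewall_allow_incoming_tcp" ""
    fi
    if [ -n "$firewall_allow_incoming_tcp_log" ]; then
        emit_tcp_in "$oif" "$oip" "$firewall_allow_incoming_tcp_log" log
    fi
    if [ "$firewall_allow_active_ftp" = "YES" ]; then
        # Active-mode FTP: the remote server opens the data connection from
        # source port 20 to an unprivileged port on the client. Anything else
        # that chooses source port 20 gets through this rule as well.
        echo "ipfw add allow tcp from any 20 to any 1024-65535 setup in recv $oif"
    fi
    echo "ipfw add deny log ip from any to any"
}

# Print the rules when run as a script; pipe into sh to apply them.
if [ -n "$firewall_public_if" ]; then
    build_rules
fi
```

Run it as `firewall_public_if=vr0 firewall_private_net=192.168.1.0/24 firewall_allow_incoming_tcp=80,21,20 firewall_allow_incoming_tcp_log=22 firewall_allow_active_ftp=YES sh rc.firewall.sh` to see the rules, and append `| sh` once they look right. Thomas's multi-interface case is not solved here; it would need a per-interface loop over a list variable, which is where the script starts to grow.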
From owner-freebsd-security Wed Oct 6 20:52:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 3E16814D19; Wed, 6 Oct 1999 20:52:44 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 341651CD451; Wed, 6 Oct 1999 20:52:44 -0700 (PDT) (envelope-from kris@hub.freebsd.org)
Date: Wed, 6 Oct 1999 20:52:44 -0700 (PDT)
From: Kris Kennaway
To: "Mr. K."
Cc: Dag-Erling Smorgrav , "Cameron, Frank" , freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 6 Oct 1999, Mr. K. wrote:

> if you set the passwords to expire on the next login, will this accomplish
> switching from DES to MD5, or will the old format be kept?

If you still have the DES libraries, you will generate new DES passwords. If you don't have the DES libraries, your system cannot generate DES passwords, and you will get MD5 passwords. It's no different.

Kris

----
XOR for AES -- join the campaign!

From owner-freebsd-security Wed Oct 6 21:24:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 5407614C06; Wed, 6 Oct 1999 21:24:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 497EF1CD471; Wed, 6 Oct 1999 21:24:51 -0700 (PDT) (envelope-from kris@hub.freebsd.org)
Date: Wed, 6 Oct 1999 21:24:51 -0700 (PDT)
From: Kris Kennaway
To: Derek Werthmuller
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Authenticate ppp users via Kerberos ?
In-Reply-To: <7A71D0D43B9ED1119EC10008C756C30418F68A@ctg-nt.ctg.albany.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 6 Oct 1999, Derek Werthmuller wrote:

> Is it possible and/or has anyone been able to setup a FBSD ppp server and
> authenticate dialin users via PAP and Kerberos ?

What springs to mind is using kernel-mode PPP (a.k.a. pppd), with PAM support compiled in, and a PAM kerberos module. I haven't heard how well the PAM support works for FreeBSD - it should, since we use the same codebase as the linux folks, but you may need to grab the most recent copy of the pppd code and compile it yourself - I've suggested it to a few people in the past but haven't heard how they went with it.

You could certainly get this working with PicoBSD (which would be very cool!), but it might take a bit of doing since PicoBSD doesn't do dynamic linking, and PAM likes it best if you can dynamically load in the modules. However, you should be able to get the kerberos PAM module compiled into the static PAM library and from there linked into pppd (that's how it's done with the system-distributed PAM modules).

Kris

----
XOR for AES -- join the campaign!
From owner-freebsd-security Thu Oct 7 3:50:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from storm.FreeBSD.org.uk (storm.freebsd.org.uk [194.242.128.198]) by hub.freebsd.org (Postfix) with ESMTP id 29B9614F39 for ; Thu, 7 Oct 1999 03:50:34 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.9.3/8.9.3) with ESMTP id LAA70807; Thu, 7 Oct 1999 11:49:48 +0100 (BST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost.lan.Awfulhak.org [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id LAA00469; Thu, 7 Oct 1999 11:50:38 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <199910071050.LAA00469@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.0.2 2/24/98
To: Derek Werthmuller
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Authenticate ppp users via Kerberos ?
In-reply-to: Your message of "Wed, 06 Oct 1999 17:54:11 EDT." <7A71D0D43B9ED1119EC10008C756C30418F68A@ctg-nt.ctg.albany.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 07 Oct 1999 11:50:37 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Is it possible and/or has anyone been able to setup a FBSD ppp server and
> authenticate dialin users via PAP and Kerberos ?
[.....]

If you configure your password authentication to use kerberos and then use ``enable pap passwdauth'' in ppp.conf, things should work. Ppp doesn't have direct PAM support - just pw_*() support (which may use PAM itself).

> Thanks
> Derek
>
> Center for Technology in Government

--
Brian

Don't _EVER_ lose your sense of humour !
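A ppp.conf dial-in profile that wires up what Brian describes, added here as an illustration rather than taken from the thread or from the ppp sources. The profile name, the interface addresses and the idle timeout are assumptions; `enable pap passwdauth` is the option he names. Whether the resulting password lookup ends up at a Kerberos KDC is decided by how the host's own password authentication is configured, not by anything in this file, which is Brian's point about pw_*().

```conf
# /etc/ppp/ppp.conf (added example; profile name, addresses and timeout
# are assumptions, not settings from the thread)
default:
 set log Phase Chat LCP IPCP CCP tun command

# Profile started for an incoming call, e.g. from a login shell or getty as:
#   ppp -direct dialin
dialin:
 # Require PAP from the peer. With passwdauth, a user missing from
 # /etc/ppp/ppp.secret is checked against the system password database
 # instead, which is where the Kerberos-backed lookup happens.
 enable pap passwdauth
 # Our side of the link and the pool handed to callers.
 set ifaddr 10.0.0.1 10.0.0.2-10.0.0.20
 # Hang up after ten idle minutes.
 set timeout 600
```

Two things worth knowing before choosing this design. PAP sends the password in the clear over the dial-up circuit; that is tolerable on a point-to-point phone line but is the reason CHAP exists. CHAP, however, needs the server to hold the cleartext secret so it can compute the challenge response, and a Kerberos KDC only lets you verify a password by obtaining a ticket with it, so the Kerberos-backed scheme in this thread works with PAP only.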
From owner-freebsd-security Thu Oct 7 5:38:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mirage.nlink.com.br (mirage.nlink.com.br [200.249.195.3]) by hub.freebsd.org (Postfix) with ESMTP id B019914C2E for ; Thu, 7 Oct 1999 05:37:47 -0700 (PDT) (envelope-from paulo@nlink.com.br)
Received: from localhost (paulo@localhost) by mirage.nlink.com.br (8.9.3/8.9.1) with SMTP id KAA25018; Thu, 7 Oct 1999 10:37:03 -0200 (EDT)
Date: Thu, 7 Oct 1999 10:37:03 -0200 (EDT)
From: Paulo Fragoso
To: Igor Vinokurov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh 1.2.27 vulnerability
In-Reply-To: <19991005104423.A18207@shogun.rtsnet.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

On Tue, 5 Oct 1999, Igor Vinokurov wrote:

> Revision Changes Path
> 1.49 +2 -2 src/sys/kern/uipc_usrreq.c

If I change this file in the kernel (FBSD-3.3) source directory, will it work fine? What if I change this file in the FreeBSD 2.2.6-STABLE source dir?

Thanks,
Paulo.

------
" ... Overall we've found FreeBSD to excel in performance, stability, technical support, and of course price. Two years after discovering FreeBSD, we have yet to find a reason why we switch to anything else"
-David Filo, Yahoo!
From owner-freebsd-security Thu Oct 7 7:32:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bsd.mbp.ee (bsd.mbp.ee [194.204.12.74]) by hub.freebsd.org (Postfix) with ESMTP id 86E1815182 for ; Thu, 7 Oct 1999 07:32:15 -0700 (PDT) (envelope-from mauri@aripaev.ee)
Received: from lant.mbp.ee (lant.mbp.ee [194.204.12.41]) by bsd.mbp.ee (8.9.3/8.9.3) with ESMTP id RAA55525 for ; Thu, 7 Oct 1999 17:30:18 +0300 (EEST) (envelope-from mauri@aripaev.ee)
Received: by lant.mbp.ee with Internet Mail Service (5.5.2232.9) id ; Thu, 7 Oct 1999 16:28:58 +0200
Message-ID:
From: Lauri Laupmaa
To: "'security@freebsd.org'"
Subject: guest user
Date: Thu, 7 Oct 1999 16:28:56 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-4"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

how can I restrict a user from changing his/her password ?

TIA
_____
Lauri

From owner-freebsd-security Thu Oct 7 10:56:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 50536157D4 for ; Thu, 7 Oct 1999 10:56:14 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id LAA23500 for ; Thu, 7 Oct 1999 11:55:22 -0600 (MDT)
Message-Id: <4.2.0.58.19991007104520.043fbbb0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Thu, 07 Oct 1999 10:55:34 -0600
To: security@freebsd.org
From: Brett Glass
Subject: Random malfunction or hack?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

One of our servers, which runs FreeBSD, began to post a log message every five minutes indicating that a cron job had bombed. They looked like this:

> pid 713 (cron), uid 0: exited on signal 10
> pid 712 (cron), uid 0: exited on signal 10
> pid 718 (cron), uid 0: exited on signal 10
> pid 721 (cron), uid 0: exited on signal 10
> pid 724 (cron), uid 0: exited on signal 10
> pid 727 (cron), uid 0: exited on signal 10
> pid 731 (cron), uid 0: exited on signal 10

The problem vanished when the system was rebooted.

The only thing in the standard /etc/crontab for FreeBSD which runs every five minutes is /usr/libexec/atrun, which works with the "at" command.

Are there any known exploits or rootkits that might cause "at" to bomb regularly like this?

--Brett Glass

From owner-freebsd-security Thu Oct 7 11: 2:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ruby.internal.looksharp.net (cc360882-a.strhg1.mi.home.com [24.2.221.22]) by hub.freebsd.org (Postfix) with ESMTP id 468C815304 for ; Thu, 7 Oct 1999 11:02:31 -0700 (PDT) (envelope-from bsdx@looksharp.net)
Received: from localhost (bsdx@localhost) by ruby.internal.looksharp.net (8.9.3/8.9.1) with SMTP id OAA08031; Thu, 7 Oct 1999 14:01:00 -0400 (EDT) (envelope-from bsdx@looksharp.net)
Date: Thu, 7 Oct 1999 14:00:59 -0400 (EDT)
From: Adam
X-Sender: bsdx@ruby
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Random malfunction or hack?
In-Reply-To: <4.2.0.58.19991007104520.043fbbb0@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What version of FreeBSD? Do you think you might have run low or out of swap just before these messages started appearing? Killing cron and restarting it probably would have done the trick.

On Thu, 7 Oct 1999, Brett Glass wrote:

>One of our servers, which runs FreeBSD, began to post a log message every
>five minutes indicating that a cron job had bombed. They looked like this:
>
> > pid 713 (cron), uid 0: exited on signal 10
> > pid 712 (cron), uid 0: exited on signal 10
> > pid 718 (cron), uid 0: exited on signal 10
> > pid 721 (cron), uid 0: exited on signal 10
> > pid 724 (cron), uid 0: exited on signal 10
> > pid 727 (cron), uid 0: exited on signal 10
> > pid 731 (cron), uid 0: exited on signal 10
>
>The problem vanished when the system was rebooted.
>
>The only thing in the standard /etc/crontab for FreeBSD which runs every
>five minutes is /usr/libexec/atrun, which works with the "at" command.
>
>Are there any known exploits or rootkits that might cause "at" to bomb
>regularly like this?
>
>--Brett Glass

From owner-freebsd-security Thu Oct 7 11:16:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id B7F5714E79 for ; Thu, 7 Oct 1999 11:16:10 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id MAA23736; Thu, 7 Oct 1999 12:14:10 -0600 (MDT)
Message-Id: <4.2.0.58.19991007120245.041a87d0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Thu, 07 Oct 1999 12:13:47 -0600
To: Adam
From: Brett Glass
Subject: Re: Random malfunction or hack?
Cc: security@FreeBSD.ORG
In-Reply-To:
References: <4.2.0.58.19991007104520.043fbbb0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:00 PM 10/7/99 -0400, Adam wrote:

>What version of FreeBSD?

2.2.8-RELEASE, with added patches to fix a known bug or three.

>Do you think you might have run low or out of swap just before these
>messages started appearing?

The server is very lightly loaded. It was being bombarded by spam relay tests by ORBS this morning, but that didn't cause any significant load.

--Brett

From owner-freebsd-security Thu Oct 7 13:53:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 4D9661525E for ; Thu, 7 Oct 1999 13:53:29 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.3/8.9.3) with ESMTP id WAA16006; Thu, 7 Oct 1999 22:51:01 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id WAA34502; Thu, 7 Oct 1999 22:51:00 +0200 (MET DST)
Date: Thu, 7 Oct 1999 22:50:59 +0200
From: Eivind Eklund
To: Brett Glass
Cc: Adam , security@FreeBSD.ORG
Subject: Re: Random malfunction or hack?
Message-ID: <19991007225059.P71340@bitbox.follo.net>
References: <4.2.0.58.19991007104520.043fbbb0@localhost> <4.2.0.58.19991007120245.041a87d0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <4.2.0.58.19991007120245.041a87d0@localhost>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Oct 07, 1999 at 12:13:47PM -0600, Brett Glass wrote:
> At 02:00 PM 10/7/99 -0400, Adam wrote:
>
> >What version of FreeBSD?
>
> 2.2.8-RELEASE, with added patches to fix a known bug or three.

Sounds very much like a (now fixed) VM bug which triggers very seldom, which leads to page table corruption (IIRC) which triggers on fork(). If this was the case, killing and restarting cron would have fixed it.

Eivind.

From owner-freebsd-security Thu Oct 7 15: 4:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 88E761522E; Thu, 7 Oct 1999 15:04:49 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id QAA26087; Thu, 7 Oct 1999 16:03:12 -0600 (MDT)
Message-Id: <4.2.0.58.19991007155738.042ab450@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Thu, 07 Oct 1999 15:58:33 -0600
To: Eivind Eklund
From: Brett Glass
Subject: Re: Random malfunction or hack?
Cc: Adam , security@FreeBSD.ORG
In-Reply-To: <19991007225059.P71340@bitbox.follo.net>
References: <4.2.0.58.19991007120245.041a87d0@localhost> <4.2.0.58.19991007104520.043fbbb0@localhost> <4.2.0.58.19991007120245.041a87d0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:50 PM 10/7/99 +0200, Eivind Eklund wrote:

>Sounds very much like a (now fixed) VM bug which triggers very seldom,
>which leads to page table corruption (IIRC) which triggers on fork().

Oooh. I knew that there were some VM problems in 2.2.8; I didn't know that this would be one of the side effects. Thank you for the heads-up!
--Brett

From owner-freebsd-security Thu Oct 7 15:52:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flash.naxs.net (flash.naxs.net [216.98.64.5]) by hub.freebsd.org (Postfix) with ESMTP id BF0031546A for ; Thu, 7 Oct 1999 15:52:25 -0700 (PDT) (envelope-from dsimsik@vt.edu)
Received: from data2 ([151.199.74.221]) by flash.naxs.net (8.9.3/8.8.7) with SMTP id RAA32532 for ; Thu, 7 Oct 1999 17:55:46 -0400
From: "David Simsik"
To: "security@freebsd.org"
Subject: Programming Contest
Date: Thu, 7 Oct 1999 18:55:25 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello all

I was recently hired to help run a regional Programming contest that takes place every year. My job is to set up some low level security so that the contestants cannot get in contact with each other and/or someone on the outside world.

To explain the structure of our site, we will have two FreeBSD servers running (one on a pent200 machine and one on a pent75 machine) which will run parts of the judging software. Both servers are Ver 3.3-Release. The clients which will run the client side of the judging software will be borrowed from one of our labs. To my knowledge they are using an older version of FreeBSD running on Gateway P5-200s. The Network will be set up within the lab and the structure of the Ethernet cannot be changed. Also I do not have access to their gateway or their servers.

My original plan was to set up one of the servers (P75) as a gateway/site server. This server would authenticate the users on the client machines and then would control the packets going outbound. The problem is that while using this gateway by defining it in the Client machines and a firewall on the gateway I can control what machines the clients can send packets to but cannot control the inbound packets.

With this said I have two questions:

1. If the Gateway on the client machines is my machine, is there any way for the clients to get around the gateway, and if there is, then is there a way I can stop that? (send packets in a way so they don't go through the gateway server)

2. What daemons would you recommend I shut off so that the contestants cannot get in contact with each other? (telnetd, ftpd,...)

Any recommendations for solutions are welcome.

Thank you
David Simsik
Regional Systems Team Leader
tech@midatl.cs.vt.edu

From owner-freebsd-security Thu Oct 7 18:12:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 8C8C114C9A for ; Thu, 7 Oct 1999 18:12:43 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id VAA19639; Thu, 7 Oct 1999 21:15:20 -0400 (EDT) (envelope-from cjc)
From: "Crist J.
Clark"
Message-Id: <199910080115.VAA19639@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: Syslog over serial
In-Reply-To: <4.1.19991005185332.009763d0@mail.thegrid.net> from The Mad Scientist at "Oct 5, 1999 06:54:25 pm"
To: madscientist@thegrid.net (The Mad Scientist)
Date: Thu, 7 Oct 1999 21:15:20 -0400 (EDT)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The Mad Scientist wrote,

> I figured all the normal rules of tcp/ip applied to a ptp connection over
> parallel. This means that I've created a connection across my inner
> firewall. I suppose one solution would be to run ipfw on the logging host
> and allow only udp-port-514-traffic in. Of course, I might as well be
> using ethernet. ^_^ Parallel lines add some protection from snooping
> though.

How does a peer-to-peer parallel connection offer more protection from snooping than a peer-to-peer crossover cable?

--
Crist J. Clark
cjclark@home.com

From owner-freebsd-security Thu Oct 7 18:33:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from server.baldwin.cx (jobaldwi.campus.vt.edu [198.82.67.146]) by hub.freebsd.org (Postfix) with ESMTP id D3B0C151E2 for ; Thu, 7 Oct 1999 18:33:41 -0700 (PDT) (envelope-from jobaldwi@vt.edu)
Received: from john.baldwin.cx (john [10.0.0.2]) by server.baldwin.cx (8.9.3/8.9.3) with ESMTP id VAA68421; Thu, 7 Oct 1999 21:33:01 -0400 (EDT) (envelope-from jobaldwi@vt.edu)
Message-Id: <199910080133.VAA68421@server.baldwin.cx>
X-Mailer: XFMail 1.3.1 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
Date: Thu, 07 Oct 1999 21:33:00 -0400 (EDT)
From: John Baldwin
To: David Simsik
Subject: RE: Programming Contest
Cc: "security@freebsd.org"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 07-Oct-99 David Simsik wrote:

> Hello all
>
> to my knowledge they are using an older version of FreeBSD running on
> Gateway P5-200s. The Network will be set up within the lab and the
> structure of the Ethernet cannot be changed. Also I do not have access
> to their gateway or their servers.

They are running 3.2-stable about two weeks prior to 3.3-release.

> My original plan was to set up one of the servers (P75) as a gateway/site
> server. This server would authenticate the users on the client machines and
> then would control the packets going outbound. The problem is that while
> using this gateway by defining it in the Client machines and a firewall on
> the gateway I can control what machines the clients can send packets to but
> cannot control the inbound packets.

Can you change the default configuration of the workstations or not?
If you can, then I would install a base client that included ipfw setup to block inbound connections and only allow outbound connections to your gateway host. I would then tunnel your connections through ssh so that you can authenticate the receiving machine and encrypt the traffic.

> With this said I have two questions. :
> 1. If the Gateway on the client machines is my machine is there any way for
> the clients to get around the gateway and if there is then is there a way I
> can stop that? (send packets in a way so they don't go through the gateway
> server)

If the users are trying to hop from machine to machine within the lab (which is all in the same subnet) then those connections would not go through your gateway. You would need something akin to ipfw to stop this I believe.

> 2. what daemons would you recommend I shut off so that the contestants
> cannot get in contact with each other. (telnetd, ftpd,...)

inetd, sendmail, etc. I would only run ssh to tunnel the connections to your gateway and nothing else.

> Any recommendations for solutions are welcome.

Be really nice to the lab manager. :)

> Thank you
> David Simsik
> Regional Systems Team Leader
> tech@midatl.cs.vt.edu

---
John Baldwin -- http://www.cslab.vt.edu/~jobaldwi/
PGP Key: http://www.cslab.vt.edu/~jobaldwi/pgpkey.asc
"Power Users Use the Power to Serve!"
- http://www.FreeBSD.org/
Virginia Tech CS Undergraduate Lab Student Administrator

From owner-freebsd-security Fri Oct 8 7:25:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 5C2D214DD9 for ; Fri, 8 Oct 1999 07:25:26 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id IAA03491; Fri, 8 Oct 1999 08:25:21 -0600 (MDT)
Message-Id: <4.2.0.58.19991008082156.04464450@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Fri, 08 Oct 1999 08:24:39 -0600
To: Adam
From: Brett Glass
Subject: Re: Random malfunction or hack?
Cc: security@FreeBSD.ORG
In-Reply-To:
References: <4.2.0.58.19991007104520.043fbbb0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:00 PM 10/7/99 -0400, Adam wrote:

>What version of FreeBSD?
>Do you think you might have run low or out of swap just before these
>messages started appearing?

Nope; the machine is very lightly loaded memory-wise. It mostly works as a terminal server. However, that particular subnet is seeing lots of skript kiddie attacks lately, so I wondered at first if an attempted exploit -- possibly one that didn't let the hacker in but messed up a crucial process or two -- was to blame. Eivind's theory is the most plausible I've seen so far.
--Brett

From owner-freebsd-security Fri Oct 8 8:38:19 1999
Date: Fri, 8 Oct 1999 11:38:14 -0400 (EDT)
From: scanner@jurai.net
To: freebsd-security@freebsd.org
Subject: Anyone ever seen onlin banking software for fbsd?

This is probably a long shot at best, but has anyone ever seen an online
banking solution for FreeBSD. Server side. A local bank client is
debating going online and they like the FreeBSD boxes we have installed
for them so they would like to use FreeBSD for serving their clients.

I personally have never seen any banking software for BSD. But I thought
I would reach out and see if anyone has. Anyone have an idea what it
would cost to develop one?

Chris

--
"You both seem to be ignoring the fact that the networking market is
driven by so-called 'IT professionals' these days, most of whom can't
tell the difference between an ARP and a carp." --Wes Peters
===================================|
Open Systems FreeBSD Consulting.   | FreeBSD 3.3 is available now!
ICQ # 20016186                     |
-----------------------------------|
1402 N. Washington, Wellington, KS 68134
FreeBSD: The power to serve!
                                   | E-Mail: scanner@jurai.net
http://www.freebsd.org             | Consulting, Network Engineering, Security
===================================| http://open-systems.net

From owner-freebsd-security Fri Oct 8 9:04:53 1999
Date: Fri, 8 Oct 1999 17:04:43 +0100
From: Josef Karthauser
To: scanner@jurai.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Anyone ever seen onlin banking software for fbsd?
Message-ID: <19991008170443.P70248@florence.pavilion.net>
Organisation: Pavilion Internet plc, 24 The Old Steine, Brighton, BN1 1EL, England

On Fri, Oct 08, 1999 at 11:38:14AM -0400, scanner@jurai.net wrote:
>
> This is probably a long shot at best, but has anyone ever seen an online
> banking solution for FreeBSD. Server side. A local bank client is debating
> going online and they like the FreeBSD boxes we have installed for them so
> they would like to use FreeBSD for serving their clients.
> I personally have never seen any banking software for BSD. But I thought I
> would reach out and see if anyone has. Anyone have an idea what it would
> cost to develop one?

What kind of banking software are you talking about?
There are vendors out there who do APACS29 and 30 protocols for
authorisation and clearing under FreeBSD (or any unix).

Joe
--
Josef Karthauser          FreeBSD: How many times have you booted today?
Technical Manager         Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.    [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Fri Oct 8 10:23:45 1999
Date: Fri, 8 Oct 1999 13:23:37 -0400 (EDT)
From: scanner@jurai.net
To: Josef Karthauser
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Anyone ever seen onlin banking software for fbsd?
In-Reply-To: <19991008170443.P70248@florence.pavilion.net>

On Fri, 8 Oct 1999, Josef Karthauser wrote:

> What kind of banking software are you talking about? There are vendors
> out there who do APACS29 and 30 protocols for authorisation and clearing
> under FreeBSD (or any unix).

Sorry, I should have been more clear. I was trying to find a complete
non-NT solution that does your typical on-line bank functions. The bank's
customer browses the bank's secure web site, enters their account
information, checks their account balance, pays bills online, does wire
transfers, etc.

What Wells Fargo and intrustbank.com are doing. But they all appear to
be running NT.
Chris

--
"You both seem to be ignoring the fact that the networking market is
driven by so-called 'IT professionals' these days, most of whom can't
tell the difference between an ARP and a carp." --Wes Peters
===================================|
Open Systems FreeBSD Consulting.   | FreeBSD 3.3 is available now!
ICQ # 20016186                     | 1402 N. Washington, Wellington, KS 68134
FreeBSD: The power to serve!       | E-Mail: scanner@jurai.net
http://www.freebsd.org             | Consulting, Network Engineering, Security
===================================| http://open-systems.net

From owner-freebsd-security Fri Oct 8 11:27:24 1999
Date: Fri, 8 Oct 1999 19:27:16 +0100
From: Josef Karthauser
To: scanner@jurai.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Anyone ever seen onlin banking software for fbsd?
Message-ID: <19991008192716.R70248@florence.pavilion.net>
References: <19991008170443.P70248@florence.pavilion.net>
Organisation: Pavilion Internet plc, 24 The Old Steine, Brighton, BN1 1EL, England

On Fri, Oct 08, 1999 at 01:23:37PM -0400, scanner@jurai.net wrote:
>
> What Wells Fargo and intrustbank.com are doing. But they all appear to be
> running NT.
I would imagine that they are developing their own software.

Joe
--
Josef Karthauser          FreeBSD: How many times have you booted today?
Technical Manager         Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.    [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Fri Oct 8 12:06:41 1999
Date: Fri, 8 Oct 1999 15:12:11 -0400 (EDT)
Reply-To: kellman@killhup.cx
To: Josef Karthauser
Cc: scanner@jurai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Anyone ever seen onlin banking software for fbsd?
In-Reply-To: <19991008192716.R70248@florence.pavilion.net>

I have worked for a few financial institutions and all the software is
written in-house. If you have some good programmers around it's probably
your safest route. Our customers are a little paranoid about using
software they haven't coded from the ground up themselves.

-Kell

On Fri, 8 Oct 1999, Josef Karthauser wrote:

> On Fri, Oct 08, 1999 at 01:23:37PM -0400, scanner@jurai.net wrote:
> >
> > What Wells Fargo and intrustbank.com are doing. But they all appear to be
> > running NT.
>
> I would imagine that they are developing their own software.
> Joe
> --
> Josef Karthauser          FreeBSD: How many times have you booted today?
> Technical Manager         Viagra for your server (http://www.uk.freebsd.org)
> Pavilion Internet plc.    [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Fri Oct 8 12:50:50 1999
Date: Fri, 8 Oct 1999 14:50:43 -0500 (CDT)
From: John Sconiers
To: scanner@jurai.net
Cc: Josef Karthauser, freebsd-security@FreeBSD.ORG
Subject: Re: Anyone ever seen onlin banking software for fbsd?

> Sorry, I should have been more clear. I was trying to find a complete
> non-NT solution that does your typical on-line bank functions. The bank's
> customer browses the bank's secure web site, enters their account
> information, checks their account balance, pays bills online, does wire
> transfers, etc.
> What Wells Fargo and intrustbank.com are doing. But they all appear to be
> running NT.

From what I've seen most of that stuff is home grown using third party
applications to do the processing. However there could be some
commercial package available.
JRS

From owner-freebsd-security Fri Oct 8 13:14:07 1999
Date: Fri, 08 Oct 1999 15:08:11 +0000
From: William McVey
To: Lauri Laupmaa
Cc: "'security@freebsd.org'"
Subject: Re: guest user
Message-Id: <199910082013.PAA15012@s07.sa.fedex.com>

Lauri Laupmaa wrote:
>Hi
>how can I restrict user from changing his/her password ?

Easiest way is to simply disable the 'passwd' command from the guest
user. Assuming you can't disable the passwd command for everyone on the
box, you could put the 'guest' user into a group all of their own (eg
group 'guest'), and set the modes of the passwd command to be mode 4705
owned by root and grouped to group 'guest.' This way regular users can
change their password (via the world execute bits) but the users of the
guest group can't.
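As an added example that is not part of the original post, the C program below models the permission check behind the mode 4705 suggestion: the kernel applies exactly one class of bits (owner, then group, then other), so members of group 'guest' get the empty group bits while everyone else falls through to the world execute bit. The uids, the gid 1001 for 'guest' and the user names are constructed sample values, not anything from the list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Model of a file's ownership and mode, as shown by ls -l. */
struct file_perm {
    uid_t  owner;
    gid_t  group;
    mode_t mode;          /* full mode, e.g. 04705 */
};

/* Model of a caller's credentials: uid plus primary and supplementary gids. */
struct cred {
    uid_t        uid;
    const gid_t *groups;
    size_t       ngroups;
};

static bool in_group(const struct cred *c, gid_t g)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Exactly one class applies, tried in the order owner, group, other.  A
 * member of the file's group gets the group bits and never falls through
 * to the (possibly wider) 'other' bits; that asymmetry is the whole trick. */
static mode_t applicable_bits(const struct file_perm *f, const struct cred *c)
{
    if (c->uid == f->owner)
        return (f->mode & S_IRWXU) >> 6;
    if (in_group(c, f->group))
        return (f->mode & S_IRWXG) >> 3;
    return f->mode & S_IRWXO;
}

/* May this caller execute the file?  Root bypasses the class check but
 * still needs at least one execute bit set somewhere. */
bool may_exec(const struct file_perm *f, const struct cred *c)
{
    if (c->uid == 0)
        return (f->mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    return (applicable_bits(f, c) & S_IXOTH) != 0;   /* bit 0 = execute */
}

/* Constructed sample: passwd set to mode 4705 root:guest as the post
 * suggests; gid 1001 for group 'guest' is an assumed value. */
#define GID_GUEST ((gid_t)1001)
static const struct file_perm passwd_4705 = { 0, GID_GUEST, 04705 };

/* Convenience: a caller whose only group is 'gid'. */
bool may_exec_passwd(uid_t uid, gid_t gid)
{
    struct cred c = { uid, &gid, 1 };
    return may_exec(&passwd_4705, &c);
}

int main(void)
{
    /* Constructed users: root, an ordinary user, the guest account, and a
     * user who merely carries 'guest' as a supplementary group. */
    const gid_t bobs_groups[] = { 1002, GID_GUEST };
    struct cred bob = { 1002, bobs_groups, 2 };

    printf("root  (uid 0):               %s\n", may_exec_passwd(0, 0)        ? "may run passwd" : "denied");
    printf("alice (uid 1000, gid 1000):  %s\n", may_exec_passwd(1000, 1000)  ? "may run passwd" : "denied");
    printf("guest (uid 1001, gid 1001):  %s\n", may_exec_passwd(1001, 1001)  ? "may run passwd" : "denied");
    printf("bob   (uid 1002, +gid 1001): %s\n", may_exec(&passwd_4705, &bob) ? "may run passwd" : "denied");
    return 0;
}
```

Note that the restriction also catches anyone who merely has 'guest' as a supplementary group, so keep that group's membership to the guest account alone.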
-- William

From owner-freebsd-security Fri Oct 8 14:04:53 1999
Date: Fri, 8 Oct 1999 17:05:40 -0400
From: Justin Wells
To: freebsd-security@freebsd.org
Subject: chroot jail in pre 4.0
Message-ID: <19991008170540.A1618@fever.semiotek.com>

I have several daemons running chrooted on my box, and I am wondering
just how safe I can make things under 3.3/3.2. I will definitely be
using jail() once that's available to me, but currently it's not..

What I would like to do is come up with something as secure-as-possible
using a combination of chflags, mount options, chroot, and exec.
Something like this:

-- mount /secure with nodev, nosuid, and noexec
-- schg,sunlnk any libraries/binaries/config files in /secure/someroot,
   and sappnd,sunlnk the logfiles.
-- set security level high enough to enforce schg, sunlnk, and sappnd
-- accept a network connection (possibly with inetd, or some variant)
-- chroot to /secure/someroot
-- suid to a non-root user
-- exec some daemon or run some process

Yes, that's really paranoid, but I have to run some really bogus C code
that I just don't trust, and I don't have the resources to audit it.
No I'm not going to mention where it is and what it is :-)

You may have noticed my problem though: if the partition is mounted
noexec, then I cannot perform an exec AFTER the chroot. But that means
the daemon has to start running outside the chroot, AS ROOT, and then
call chroot() on its own. I don't want my bogus C code monster running
as root outside its chrooted jail, at all.

I also think having the partition mounted as "noexec" buys me some
significant benefits--attackers cannot find ways to upload program code
and exec it, because nobody can exec anything.

There are actually two programs: one that needs to be run out of inetd,
and another program that is a long-running server. Neither would survive
five minutes of even the most incompetent security audit, in my opinion.
But I have to run them...

What I need is some way to combine a chroot and an exec in one
simultaneous operation, so that the target partition can be noexec, so
that the target of the exec doesn't have to be inside the chrooted area.

Is there any way around this? What else should I do? Will jail be of any
help later?
Justin

From owner-freebsd-security Fri Oct 8 14:11:46 1999
Date: Fri, 8 Oct 1999 17:12:37 -0400
From: Justin Wells
To: freebsd-security@freebsd.org
Subject: more on chroot: "nochroot" filesystems
Message-ID: <19991008171237.B1618@fever.semiotek.com>

One more thing, a suggestion this time...

I lurked through the previous discussion of chroot and it's been sitting
in my mind ever since, fermenting. Here's a possible solution that
wouldn't do too much damage to the standard chroot behavior:

Add an option, similar to nodev and noexec, to the UFS filesystem called
"nochroot". You are only allowed to chroot if the root of the filesystem
you are currently in allows chroot.

Thus the first chroot (with / as its root) would succeed because / allows
chroot, but its target would be inside a filesystem with the nochroot
flag. Further chroots would be disallowed.

This solution has zero effect by default, since by default chroot is
allowed. Only people who ask for this behavior by specifying the mount
option would have the restriction imposed on them.

This defeats the "cd ../../../../../.. ; chroot ." trick, and many others.
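As an added example that is not part of the original post, here is a small user-space model in C of the proposed nochroot mount option: a chroot is allowed only if the filesystem holding the caller's current root lacks the flag, which is what lets the first chroot into /secure succeed and refuses a second chroot attempted from inside, whatever directory it targets. The mount table, the MNT_NOCHROOT flag name and the paths are constructed assumptions, not FreeBSD code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MNT_NOCHROOT 0x1   /* hypothetical flag, in the spirit of nodev/noexec */

struct mount {
    const char *path;      /* mount point; "/" or a path with no trailing slash */
    unsigned    flags;
};

/* Constructed mount table: / is ordinary, /secure carries the proposed
 * nochroot flag (alongside the nodev,nosuid,noexec from the earlier post). */
static const struct mount mounts[] = {
    { "/",       0 },
    { "/secure", MNT_NOCHROOT },
};

/* True if 'path' lies on the filesystem mounted at 'mnt'.  The match is
 * on whole path components, so "/securefoo" is NOT under "/secure". */
static bool path_under(const char *path, const char *mnt)
{
    size_t n = strlen(mnt);
    if (strcmp(mnt, "/") == 0)
        return path[0] == '/';
    return strncmp(path, mnt, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Find the mount holding 'path': the longest mount point that covers it. */
static const struct mount *mount_for(const char *path)
{
    const struct mount *best = NULL;
    size_t bestlen = 0;
    for (size_t i = 0; i < sizeof mounts / sizeof mounts[0]; i++) {
        size_t n = strlen(mounts[i].path);
        if (path_under(path, mounts[i].path) && n >= bestlen) {
            best = &mounts[i];
            bestlen = n;
        }
    }
    return best;
}

/* The proposed rule: a process whose root directory is 'cur_root' may
 * chroot(2) iff the filesystem holding that root lacks MNT_NOCHROOT.
 * The target is only required to be a known absolute path; its own flag
 * does not matter, which is exactly what admits the first hop in. */
bool chroot_allowed(const char *cur_root, const char *target)
{
    const struct mount *from = mount_for(cur_root);
    const struct mount *to   = mount_for(target);
    if (from == NULL || to == NULL)
        return false;
    return (from->flags & MNT_NOCHROOT) == 0;
}

int main(void)
{
    /* Hop 1: from the real root into the restricted filesystem. */
    printf("/ -> /secure/someroot : %s\n",
           chroot_allowed("/", "/secure/someroot") ? "allowed" : "denied");
    /* Hop 2: the "cd ../../..; chroot ." escape.  The caller's root is now
     * /secure/someroot, which lives on a nochroot filesystem, so it is
     * refused regardless of where the cwd ended up. */
    printf("/secure/someroot -> /  : %s\n",
           chroot_allowed("/secure/someroot", "/") ? "allowed" : "denied");
    return 0;
}
```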
Justin

From owner-freebsd-security Fri Oct 8 14:16:33 1999
Date: Fri, 08 Oct 1999 23:15:38 +0200
From: Poul-Henning Kamp
To: Justin Wells
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: more on chroot: "nochroot" filesystems
In-reply-to: Your message of "Fri, 08 Oct 1999 17:12:37 EDT." <19991008171237.B1618@fever.semiotek.com>
Message-ID: <5268.939417338@critter.freebsd.dk>

In message <19991008171237.B1618@fever.semiotek.com>, Justin Wells writes:

>This defeats the "cd ../../../../../.. ; chroot ." trick, and many others.

I've tried hard to plug all escapes from chroot/jail in -current. You may
want to consider a back port of some of those changes.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
From owner-freebsd-security Fri Oct 8 15:28:04 1999
Date: Fri, 08 Oct 1999 17:28:01 -0500
From: Jacques Vidrine
To: Justin Wells
Cc: freebsd-security@freebsd.org
Subject: was Re: chroot jail in pre 4.0
In-reply-to: <19991008170540.A1618@fever.semiotek.com>
References: <19991008170540.A1618@fever.semiotek.com>
Message-Id: <19991008222801.8BD4B1D72@bone.nectar.com>

On 8 October 1999 at 17:05, Justin Wells wrote:
> I have several daemons running chrooted on my box, and I am wondering just
> how safe I can make things under 3.3/3.2. I will definitely be using jail()
> once that's available to me, but currently it's not..
[snip]

If you want to test, see http://www.freebsd.org/freebsd/jail.html. There
you will find patches for 3.3-STABLE circa October 5. I hope to commit
them this month after further testing.
You still need to do all that other stuff I snip'd. jail is just another
tool to help.

Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org

From owner-freebsd-security Fri Oct 8 15:53:15 1999
Date: Fri, 08 Oct 1999 17:53:11 -0500
From: Jacques Vidrine
To: Justin Wells, freebsd-security@freebsd.org
Subject: Re: was Re: chroot jail in pre 4.0
In-reply-to: <19991008222801.8BD4B1D72@bone.nectar.com>
References: <19991008170540.A1618@fever.semiotek.com> <19991008222801.8BD4B1D72@bone.nectar.com>
Message-Id: <19991008225311.829401D72@bone.nectar.com>

On 8 October 1999 at 17:28, Jacques Vidrine wrote:
> On 8 October 1999 at 17:05, Justin Wells wrote:
> > I have several daemons running chrooted on my box, and I am wondering just
> > how safe I can make things under 3.3/3.2. I will definitely be using jail()
> > once that's available to me, but currently it's not..
> [snip]
>
> If you want to test, see http://www.freebsd.org/freebsd/jail.html.
> There you will find patches for 3.3-STABLE circa October 5. I hope
> to commit them this month after further testing.
>
> You still need to do all that other stuff I snip'd. jail is just
> another tool to help.

Oops, I meant: http://www.nectar.com/freebsd/jail.html

FreeBSD on the mind, ya know :-)

Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org

From owner-freebsd-security Fri Oct 8 16:08:13 1999
Date: Fri, 8 Oct 1999 17:08:11 -0600 (MDT)
From: Colin Eric Johnson
To: freebsd-security@FreeBSD.ORG
Subject: Re: Anyone ever seen onlin banking software for fbsd?

On Fri, 8 Oct 1999, John Sconiers wrote:

> > Sorry, I should have been more clear. I was trying to find a complete
> > non-NT solution that does your typical on-line bank functions. The bank's
> > customer browses the bank's secure web site, enters their account
> > information, checks their account balance, pays bills online, does wire
> > transfers, etc.
> > What Wells Fargo and intrustbank.com are doing. But they all appear to be
> > running NT.
>
> From what I've seen most of that stuff is home grown using third party
> applications to do the processing. However there could be some commercial
> package available.

It sounds like there might be a nice cottage industry here. If someone
was to come up with some kind of FreeBSD based turnkey banking system it
could be a nice bit of work. It would certainly be a nice solution for a
lot of the Credit Unions out there.

Colin E. Johnson | colinj@unm.edu | http://www.unm.edu/~colinj/
A Macintosh, a Newton, and a NeXT