From owner-freebsd-security Sun Oct 10 00:32:05 1999
From: "N. N.M"
To: freebsd-security@FreeBSD.ORG
Subject: Port 31789 scanning and ...
Date: Sun, 10 Oct 1999 00:31:20 PDT
Message-ID: <19991010073125.93991.qmail@hotmail.com>

Hi everybody,

1) I have IPFW and by studying its daily logs I found out that somebody
scans port 31789 of all the servers and even clients in my network.
What can potentially be found on this port?

2) There was another log entry in the log files which makes no sense to
me. It is as follows:

Oct 9 23:21:43 firewall /kernel: ipfw: 147 Deny TCP Y.Y.Y.Y X.X.X.X in via ed1 Fragment = 147

This log entry was repeated; some of them had a different value of
Fragment. Can anybody explain that?
Thanks in advance,
Nazila

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Oct 10 01:18:43 1999
From: Darren Reed
To: jread@semiotek.com (Justin Wells)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: chroot jail in pre 4.0
Date: Sun, 10 Oct 1999 18:19:59 +1000 (EST)
Message-Id: <199910100819.SAA17649@cheops.anu.edu.au>
In-Reply-To: <19991008170540.A1618@fever.semiotek.com> from "Justin Wells" at Oct 8, 99 05:05:40 pm

First, if you have "nodev" as a mount option, you may find things such as
/dev/null are a problem.

Given your concerns about security problems with this C program, and the
reluctance of people to do anything about it, perhaps what you need is for
it to be stored in the chroot'd area, as a writeable image so people can
corrupt that :)

Another option is to have two partitions in your chroot'd area: one is
mounted read-only and another is mounted read-write.

The mount option of "nochroot" should be enforced by simply running as
non-root.
Darren

From owner-freebsd-security Sun Oct 10 08:15:12 1999
From: Fernando Schapachnik
Reply-To: Fernando Schapachnik
To: jread@semiotek.com (Justin Wells)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: chroot jail in pre 4.0
Date: Sun, 10 Oct 1999 12:13:25 -0300 (GMT)
Message-Id: <199910101513.MAA20954@ns1.via-net-works.net.ar>
In-Reply-To: <19991008170540.A1618@fever.semiotek.com> from Justin Wells at "Oct 8, 99 05:05:40 pm"

Keep in mind that you still can do:

sh prg.sh

or

perl prg.pl

on a noexec partition.

Regards.

In a previous message, Justin Wells wrote:
>
> I have several daemons running chrooted on my box, and I am wondering just
> how safe I can make things under 3.3/3.2. I will definitely be using jail()
> once that's available to me, but currently it's not..
[...]

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4th and 5th floor.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

From owner-freebsd-security Sun Oct 10 08:25:59 1999
From: "Dell bingham"
To: "'Theo Purmer (Tepucom)'"
Cc: "'Jim Flowers'", , "'freebsd-security@freebsd.org'"
Subject: RE: skip basic procedure
Date: Sun, 10 Oct 1999 10:22:33 -0500
Message-ID: <00e501bf1333$46fbf340$f2d9decc@m45432.navo.navy.mil>
In-Reply-To: <37FAD4C7.15678404@arsin.com>

Me 2............

Dell Bingham
Computer Engineer
1002 Balch Blvd.
Stennis Space Center, MS 39522
> *COML: (228)688-5952 DSN: 485-5952 FAX 4168
> *binghamd@navo.navy.mil
>
-----Original Message-----
From: Chandra Ravi [mailto:cravi@arsin.com]
Sent: Tuesday, October 05, 1999 23:49
To: Theo Purmer (Tepucom)
Cc: 'Jim Flowers'; skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
Subject: Re: skip basic procedure

Hi Guys!

Get me out of your mailing list.

Thanks,

Theo Purmer (Tepucom) wrote:
> Thanks Jim for the help.
>
> I've got a skip session running between
> two machines and the rfc1918 network
> is connected. What I found to be the problem
> is that skip leaves the rfc1918 sender address
> in the packet even if it goes through the
> tunnel. The routers and firewalls in between don't
> allow an rfc1918 sender or receiver address so
> the packets don't arrive at the other end.
>
> In the archives John Capo has the same problem;
> he sent me some data to change the source with
> so that doesn't happen anymore. I'm working on
> that now.
>
> Do you have any idea as to who maintains the skip
> website? Maybe it's a good idea to publish this on
> the website when I've got it running.
>
> thanks again
>
> theo purmer
> ----------
> From: Jim Flowers[SMTP:jflowers@ezo.net]
> Sent: Monday, 4 October 1999 16:38
> To: Theo Purmer (Tepucom)
> CC: skip-info@skip-vpn.org; 'freebsd-security@freebsd.org'
> Subject: Re: skip basic procedure
>
> Skip doesn't do routing. You have to use something else. Mostly I use
> static routes. Generally, the inside interface (rfc 1918) will create a
> route to the internal network.
>
> However, it sounds like you don't really have a SKIP connection. Can you
> verify in skipd.log? Use tcpdump to verify skip (proto 57) packets on the
> incoming interface and equivalent cleartext packets on the internal
> interface. Assumes you have a multi-homed skiphost.
>
> What I have found to work best is:
>
> 1. With skip turned off, verify that the two skiphosts can communicate with
> each other.
> 2. Setup skip on each of the skiphosts by running skiplocal export on the
> opposite end skiphost and then executing it as a shell script.
> 3. Set default in cleartext (`skiphost -a default`) and turn it on at each
> end (`skiphost -o on`).
> 4. Debug this configuration. Is the time correct on each skiphost? Are the
> keys valid? A good idea is to telnet to a third machine and from
> there to the far end so that the session will continue even if skip
> doesn't work.
> Use skiplog to see if there are errors.
> 5. Once you get 4. working, add the RFC1918 networks using the far end
> skiphost as the tunnel entrance.
> 6. Use tcpdump on the external and internal interfaces of each skiphost to
> debug.
>
> It is also instructive to run the skiptool if you have xwindows. When you
> enable the skip interface it offers suggestions on addresses that should be
> allowed in cleartext.
>
> Have DNS set up and working properly so that skiphost can find all the
> reverse lookups or you will wait for what seems like forever.
>
> Search the freebsd-security list for skip, I posted stuff like this lots of
> times.
>
> ----- Original Message -----
> From: Theo Purmer (Tepucom)
> To:
> Sent: Saturday, October 02, 1999 8:45 AM
> Subject: skip
>
>
> > Hi Jim
> >
> > hope you don't mind me sending you some email
> > about skip. In some archive I found your name on
> > a message where you said you had good experiences
> > with skip on freebsd
> >
> > I'm having some trouble getting a vpn with skip running
> > and I was wondering if you could give me a hint on
> > the skip config file.
> >
> > I'm trying to route 2 rfc 1918 networks over two skip
> > machines via the internet; data does arrive but
> > isn't routed to the second (rfc1918) nic in the machine
> >
> > some help would be greatly appreciated
> >
> > thanks
> >
> > theo purmer
> > theo@tepucom.nl
> >

From owner-freebsd-security Sun Oct 10 13:38:01 1999
From: Nate Williams
Reply-To: nate@mt.sri.com (Nate Williams)
To: "N. N.M"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port 31789 scanning and ...
Date: Sun, 10 Oct 1999 14:37:51 -0600
Message-Id: <199910102037.OAA11369@mt.sri.com>
In-Reply-To: <19991010073125.93991.qmail@hotmail.com>

> 1) I have IPFW and by studying its daily logs I found out that somebody
> scans the port 31789 of all the servers and even clients in my network. What
> can be potentially found on this port?

If it's a UDP packet, it's probably someone running traceroute.

> 2) There was another log entry in the log files which makes no sense for me.
> It is as follows:
>
> Oct 9 23:21:43 firewall /kernel: ipfw: 147 Deny TCP Y.Y.Y.Y X.X.X.X in via
> ed1 Fragment = 147

This happens with buggy stacks, and is common. I see it often from my
Win95 boxes....

Nate

From owner-freebsd-security Sun Oct 10 14:23:44 1999
From: "Nicole H."
To: freebsd-security@FreeBSD.ORG
Subject: scanning of port 12345
Date: Sun, 10 Oct 1999 14:23:41 -0700 (PDT)
In-Reply-To: <199910102037.OAA11369@mt.sri.com>

Why on earth would someone be scanning port 12345? Is this a new backdoor
port?

Oct 10 02:25:26 krell portsentry[14796]: attackalert: Connect from host: 195.235.210.171/195.235.210.171 to TCP port: 12345

Nicole

nicole@unixgirl.com                    |\ __ /|   (`\
http://www.unixgirl.com/               | o_o  |__  ) )
webmistress@dangermouse.org           //      \\
http://www.dangermouse.org/
---------------------------(((---(((-----------------------------------------
-- Powered by Coca-Cola and FreeBSD --
-- Strong enough for a man - But made for a Woman --
-- Microsoft: What bug would you like today?
--
-------------------------------------------------------------------------------
-- As a computing professional, I believe it would be unethical for me to
advise, recommend, or support the use (save possibly for personal amusement)
of any product that is or depends on any Microsoft product.

Remember: Echelon is listening!
FBI CIA NSA IRS ATF BATF DOD WACO RUBY RIDGE OKC OKLAHOMA CITY MILITIA GUN
HANDGUN MILGOV ASSAULT RIFLE TERRORISM BOMB DRUG HORIUCHI KORESH DAVIDIAN
KAHL POSSE COMITATUS RANDY WEAVER VICKIE WEAVER SPECIAL FORCES LINDA THOMPSON
SPECIAL OPERATIONS GROUP SOG SOF DELTA FORCE CONSTITUTION BILL OF RIGHTS
WHITEWATER POM PARK ON METER ARKANSIDE IRAN CONTRAS OLIVER NORTH VINCE FOSTER
PROMIS KILL MOSSAD NASA MI5 ONI CID AK47 M16 C4 MALCOLM X REVOLUTION CHEROKEE
HILLARY BILL CLINTON GORE GEORGE BUSH WACKENHUT TERRORIST TASK FORCE 160
SPECIAL OPS 12TH GROUP 5TH GROUP SF

From owner-freebsd-security Sun Oct 10 15:40:08 1999
From: Brooks Davis
To: "Nicole H."
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345
Date: Sun, 10 Oct 1999 15:39:37 -0700 (PDT)

On Sun, 10 Oct 1999, Nicole H. wrote:

> Why on earth would someone be scanning port 12345? Is this a new backdoor
> port?
>
> Oct 10 02:25:26 krell portsentry[14796]: attackalert: Connect from host:
> 195.235.210.171/195.235.210.171 to TCP port: 12345

That's the default port for NetBus, a Back Orifice-like tool (the only real
difference is that it's shareware instead of free).

--Brooks

From owner-freebsd-security Sun Oct 10 17:06:53 1999
From: James Wyatt
To: Brooks Davis
Cc: "Nicole H.", freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345
Date: Sun, 10 Oct 1999 19:03:36 -0500 (CDT)

Shareware hacking tool, what a concept if you think about it... (Yeah, can
be used for good too, but most...)

If you get into someone's machine with it, you have to send the password
to the authors? A copy of the user's Quicken files? You sign their name to
the crack? My mind is reeling, but that ain't hard nowadays... Jy@

On Sun, 10 Oct 1999, Brooks Davis wrote:
> On Sun, 10 Oct 1999, Nicole H. wrote:
> > Why on earth would someone be scanning port 12345? Is this a new backdoor
> > port?
> >
> > Oct 10 02:25:26 krell portsentry[14796]: attackalert: Connect from host:
> > 195.235.210.171/195.235.210.171 to TCP port: 12345
>
> That's the default port for NetBus, a Back Orifice-like tool (the only real
> difference is that it's shareware instead of free).

From owner-freebsd-security Sun Oct 10 17:50:31 1999
From: Will Andrews
To: Justin Wells
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: chroot jail in pre 4.0
Date: Sun, 10 Oct 1999 20:48:44 -0400
Message-ID: <19991010204844.A9523@shadow.blackdawn.com>
In-Reply-To: <19991008170540.A1618@fever.semiotek.com>

On Fri, Oct 08, 1999 at 05:05:40PM -0400, Justin Wells wrote:
>
> I have several daemons running chrooted on my box, and I am wondering just
> how safe I can make things under 3.3/3.2. I will definitely be using jail()
> once that's available to me, but currently it's not..

Actually.. Jacques Vidrine is in the process of (has finished?) backporting
jail(2,8) to -STABLE.
This is currently being discussed on freebsd-stable@FreeBSD.ORG. So far,
however, I'm pretty certain that the developers will choose not to commit
due to a small chance that the commit may break binaries (KLDs) built by
third-party vendors (if any). Jacques questions whether there are any or
not.. please see the freebsd-stable@FreeBSD.ORG mailing list archives.

--Will
(newbie mutt user, gotta add .procmailrc now ;)

--
Will Andrews
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- ?O
M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ G++>+++
e->++++ h! r-->+++ y?

From owner-freebsd-security Sun Oct 10 18:11:00 1999
From: Brooks Davis
To: James Wyatt
Cc: Brooks Davis, "Nicole H.", freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345
Date: Sun, 10 Oct 1999 18:10:40 -0700 (PDT)

On Sun, 10 Oct 1999, James Wyatt wrote:

> Shareware hacking tool, what a concept if you think about it... (Yeah, can
> be used for good too, but most...)
>
> If you get into someone's machine with it, you have to send the password
> to the authors? A copy of the user's Quicken files? You sign their name to
> the crack? My mind is reeling, but that ain't hard nowadays... Jy@

Neither NetBus nor Back Orifice provide any mechanisms for attacking a
machine. NetBus is sold just like any other remote monitoring and admin
tool, including several that cost thousands of dollars. CDC (the authors
of BO) have a webpage pointing out that there is almost no difference
between their product and the Microsoft System Management Server. It's
at http://www.cultdeadcow.com/news/pr19990719.html. Basically the
fundamental difference is that BO2K is free and SMS is really expensive.

--- Brooks

From owner-freebsd-security Sun Oct 10 19:26:50 1999
From: Brett Glass
To: Brooks Davis, James Wyatt
Cc: Brooks Davis, "Nicole H.", freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345
Date: Sun, 10 Oct 1999 20:26:27 -0600
Message-Id: <4.2.0.58.19991010202528.042c0b70@localhost>

At 06:10 PM 10/10/99 -0700, Brooks Davis wrote:

>Neither NetBus nor Back Orifice provide any mechanisms for attacking a
>machine.

Not so. A remote sniffer is a great way to get passwords.
> NetBus is sold just like any other remote monitoring and admin
>tool, including several that cost thousands of dollars. CDC (the authors
>of BO) have a webpage pointing out that there is almost no difference
>between their product and the Microsoft System Management Server.

And you believe them?

--Brett

From owner-freebsd-security Sun Oct 10 19:41:53 1999
From: Chris Williams
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345
Date: Sun, 10 Oct 1999 22:43:17 -0400
Message-ID: <38014EC5.C2541B08@geekspace.com>
References: <4.2.0.58.19991010202528.042c0b70@localhost>

> >Neither NetBus nor Back Orifice provide any mechanisms for attacking a
> >machine.
> Not so. A remote sniffer is a great way to get passwords.

Note: SMS includes a remote sniffer utility.

> > NetBus is sold just like any other remote monitoring and admin
> >tool, including several that cost thousands of dollars. CDC (the authors
> >of BO) have a webpage pointing out that there is almost no difference
> >between their product and the Microsoft System Management Server.
> And you believe them?

It's not a matter of belief, it's a matter of fact.
Having used SMS, it does in fact have most of the same capabilities as BO.
It's also easier to install on a large number of machines without users'
knowledge, and harder to remove. The only argument I can think of that you
could make for SMS as a fundamentally more 'legit' remote admin tool is that
it uses the domain security model for authentication. But, since SMS remote
tools can be run against a machine using the local admin credentials, which
is to say, without a valid domain login, even that point is pretty weak.

How in the world did we end up on this in freebsd-security, anyhow?

From owner-freebsd-security Sun Oct 10 20:06:50 1999
From: James Wyatt
To: Brooks Davis
Cc: "Nicole H.", freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345
Date: Sun, 10 Oct 1999 21:59:48 -0500 (CDT)

By themselves, yes. Step one is to send it in a Trojan or install it during
an open cmd/shell session after an overflow attack. I *know* what the tool
is and think it is a *cool* tool. I also love vnc and BO for remote admin
tools. As I parenthesized (new word?), it is usable both ways. The main
differences are in intent and whether the machine owner knows it's used...
Some more differences between SMS and BO2K are reliability and disk space
consumed... I like these as admin tools too, but small, efficient, quiet
tools get added to crack scripts first. - Jy@

On Sun, 10 Oct 1999, Brooks Davis wrote:
> On Sun, 10 Oct 1999, James Wyatt wrote:
> > Shareware hacking tool, what a concept if you think about it... (Yeah, can
> > be used for good too, but most...)
> >
> > If you get into someone's machine with it, you have to send the password
> > to the authors? A copy of the user's Quicken files? You sign their name to
> > the crack? My mind is reeling, but that ain't hard nowadays... Jy@
>
> Neither NetBus nor Back Orifice provide any mechanisms for attacking a
> machine. NetBus is sold just like any other remote monitoring and admin
> tool, including several that cost thousands of dollars. CDC (the authors
> of BO) have a webpage pointing out that there is almost no difference
> between their product and the Microsoft System Management Server. It's
> at http://www.cultdeadcow.com/news/pr19990719.html. Basically the
> fundamental difference is that BO2K is free and SMS is really expensive.

From owner-freebsd-security Sun Oct 10 20:33:45 1999
From: Nicholas Brawn
To: Brett Glass
Cc: Brooks Davis, James Wyatt, "Nicole H.",
    freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345
Date: Mon, 11 Oct 1999 13:33:28 +1000 (EST)
In-Reply-To: <4.2.0.58.19991010202528.042c0b70@localhost>

On Sun, 10 Oct 1999, Brett Glass wrote:

> At 06:10 PM 10/10/99 -0700, Brooks Davis wrote:
>
> >Neither NetBus nor Back Orifice provide any mechanisms for attacking a
> >machine.
>
> Not so. A remote sniffer is a great way to get passwords.
>
> > NetBus is sold just like any other remote monitoring and admin
> >tool, including several that cost thousands of dollars. CDC (the authors
> >of BO) have a webpage pointing out that there is almost no difference
> >between their product and the Microsoft System Management Server.
>
> And you believe them?

The more powerful the remote administration tool, the more potential for
abuse. Remote administration tools can be used by legitimate and
illegitimate parties for various tasks. It's almost like (imho) flaming the
authors of tcpdump for making such a powerful sniffer.
My $0.02

Nick

--
Email: ncb@zip.com.au (or) nicholas.brawn@hushmail.com
Key fingerprint = 71C5 2EA8 903B 0BC4 8EEE 9122 7349 EADC 49C1 424E

From owner-freebsd-security Mon Oct 11 01:10:20 1999
From: Sebastian Soenksen
Reply-To: soenksen@planlos.hanse.de
To: freebsd-security@freebsd.org
Subject: PAM and LDAP again
Date: Mon, 11 Oct 1999 10:11:05 +0200
Message-ID: <19991011101105.A381@planlos.crew-kg.net>

Hi

Has anybody compiled the LDAP module (available on www.padl.com) for PAM
successfully under FreeBSD? It compiled well here, but my syslog says:

Oct 11 10:06:36 planlos login: unable to resolve symbol: pam_sm_authenticate
Oct 11 10:06:36 planlos login: unable to resolve symbol: pam_sm_setcred
Oct 11 10:06:37 planlos login: auth_pam: Module is unknown

Anybody got some idea?
:)

Bye
--
Sebastian Soenksen ; http://www.planlos.hanse.de/ ; pgpkey available

From owner-freebsd-security Mon Oct 11 02:51:18 1999
From: bK
To: "N. N.M"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port 31789 scanning and ...
Date: Mon, 11 Oct 1999 09:52:31 +0000
Message-ID: <3801B35F.4451ED2F@bellsouth.net>
References: <19991010073125.93991.qmail@hotmail.com> <199910102037.OAA11369@mt.sri.com>

By default a traceroute uses 33435 as the first packet.

    "udp", IPPROTO_UDP, sizeof(struct udphdr), 32768 + 666, udp_prep, udp_check

It is initialized at 33434 but is incremented by one before being sent to
make 33435. Of course someone could use the -p option with traceroute to
alter the destination port.

OTOH, straight from:
http://www.robertgraham.com/pubs/firewall-seen.html

31789 Hack-a-tack
UDP traffic on this port is currently being seen due to the "Hack-a-tack"
RAT (Remote Access Trojan).

Looks like some kiddies might be loose. As always keep your virus software
updated; it might not hurt to look at the data in the UDP packets and
research this trojan more.
Bert Nate Williams wrote: > > 1) I have IPFW and by studying its daily logs I found out that somebody > > scans the port 31789 of all the servers and even clients in my network. What > > can be potentially found on this port? > > If it's a UDP packet, it's probably someone running traceroute. > > > 2) There was another log entry in the log files which makes no sense for me. > > That is as the follow: > > > > Oct 9 23:21:43 firewall /kernel: ipfw: 147 Deny TCP Y.Y.Y.Y X.X.X.X in via > > ed1 Fragment = 147 > > This happens with buggy stacks, and is common. I see it often from my > Win95 boxes.... > > Nate > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Oct 11 3:29:27 1999 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (law2-f70.hotmail.com [216.32.181.70]) by hub.freebsd.org (Postfix) with SMTP id 972B014D76 for ; Mon, 11 Oct 1999 03:29:24 -0700 (PDT) (envelope-from redhat_list@hotmail.com) Received: (qmail 59806 invoked by uid 0); 11 Oct 1999 10:29:24 -0000 Message-ID: <19991011102924.59805.qmail@hotmail.com> Received: from 203.41.163.240 by www.hotmail.com with HTTP; Mon, 11 Oct 1999 03:29:23 PDT X-Originating-IP: [203.41.163.240] From: "Greg W" To: freebsd-security@FreeBSD.ORG Subject: RE: skip basic procedure Date: Mon, 11 Oct 1999 10:29:23 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Well yes, why would anyone want to be on a list that clearly cant read ? did anyone see this in any post ======= >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message ======= >From: "Dell bingham" >Subject: RE: skip basic procedure >Date: Sun, 10 Oct 1999 10:22:33 -0500 > >Me 2............ 
>
>Dell Bingham
>Computer Engineer
>1002 Balch Blvd.
>Stennis Space Center, MS 39522
>
> *COML: (228)688-5952 DSN: 485-5952 FAX 4168
>
> *binghamd@navo.navy.mil
>
>
>
>-----Original Message-----
>From: Chandra Ravi [mailto:cravi@arsin.com]
>Sent: Tuesday, October 05, 1999 23:49
>To: Theo Purmer (Tepucom)
>Cc: 'Jim Flowers'; skip-info@skip-vpn.org;
>'freebsd-security@freebsd.org'
>Subject: Re: skip basic procedure
>
>
>Hi Guys!
>
>Get me out of your mailing list.
>
>Thanks,
>
>Theo Purmer (Tepucom) wrote:
>

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-freebsd-security Mon Oct 11 4:57:19 1999
To: "Greg W"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: skip basic procedure
References: <19991011102924.59805.qmail@hotmail.com>
From: Dag-Erling Smorgrav
Date: 11 Oct 1999 13:57:12 +0200
In-Reply-To: "Greg W"'s message of "Mon, 11 Oct 1999 10:29:23 GMT"

"Greg W" writes:
> Well yes, why would anyone want to be on a list that clearly can't read?

The thread was cross-posted to at least one other list.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon Oct 11 5:17:30 1999
From: Jacques Vidrine
To: Will Andrews
Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Reply-To: freebsd-stable@FreeBSD.ORG
In-reply-to: <19991010204844.A9523@shadow.blackdawn.com>
References: <19991008170540.A1618@fever.semiotek.com> <19991010204844.A9523@shadow.blackdawn.com>
Subject: Re: chroot jail in pre 4.0
Date: Mon, 11 Oct 1999 07:17:21 -0500
Message-Id: <19991011121721.5D58C1D8D@bone.nectar.com>

[Crossposting to -stable and -security, but Reply-To: set to -stable.]

On 10 October 1999 at 20:48, Will Andrews wrote:
> On Fri, Oct 08, 1999 at 05:05:40PM -0400, Justin Wells wrote:
> Actually.. Jacques Vidrine is in the process of (has
> finished?) backporting jail(2,8) to -STABLE.
Patches for -STABLE can be found at http://www.nectar.com/freebsd/jail.html.

> This is currently being
> discussed on freebsd-stable@FreeBSD.ORG. So far, however, I'm pretty
> certain that the developers will choose not to commit due to a small
> chance that the commit may break binaries (KLD's) built by third-party
> vendors (if any). Jacques questions whether there are any or not.. please
> see freebsd-stable@FreeBSD.ORG mailing list archives.

So far, the community on -STABLE has identified one third-party KLD (from
4Front), but it does not use suser and therefore wouldn't be broken.

For the sake of discussion, I've also made a set of patches that retain
binary compatibility. It demonstrates the cost of binary compatibility
well. One would have to traverse the process list on every call to suser.
(You need to access the proc structure to implement the jail functionality,
but suser only gets the ucred structure).

At the moment, I'm of the opinion that binary compatibility with 3rd party
KLDs is unimportant, given the number of KLDs that use suser that I know of
(zero). Time will tell if there are more.

Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org

From owner-freebsd-security Mon Oct 11 8:16: 9 1999
From: "Crist J. Clark"
Message-Id: <199910111519.LAA31237@cc942873-a.ewndsr1.nj.home.com>
Subject: Identifying an Unresolvable IP
To: freebsd-security@freebsd.org
Date: Mon, 11 Oct 1999 11:19:15 -0400 (EDT)
Reply-To: cjclark@home.com

Connections from two different, but close (consecutive class C nets),
IP addresses showed up in some of my daily security logs. The
addresses do not reverse-lookup, but I would still like to know who
owns the addresses (my guess it is a valid user's 3rd party ISP, but I
want to be sure).

What tools or references are easily accessible for determining who
owns a block of IPs? I have not been able to figure out how to coax the
info from DNS or whois. A web search, somewhat to my surprise, did not
immediately pop up a site that will tell you this info when you slip in
an IP address.

Thanks for any help.
--
Crist J. Clark cjclark@home.com

From owner-freebsd-security Mon Oct 11 8:39:51 1999
Date: Mon, 11 Oct 1999 11:39:44 -0400
From: Keith Stevenson
To: freebsd-security@freebsd.org
Cc: cjclark@home.com
Subject: Re: Identifying an Unresolvable IP
Message-ID: <19991011113944.A18725@osaka.louisville.edu>
References: <199910111519.LAA31237@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <199910111519.LAA31237@cc942873-a.ewndsr1.nj.home.com>

On Mon, Oct 11, 1999 at 11:19:15AM -0400, Crist J. Clark wrote:
>
> What tools or references are easily accessible for determining who
> owns a block of IPs? I have not been able to figure out how to coax the
> info from DNS or whois. A web search, somewhat to my surprise, did not
> immediately pop up a site that will tell you this info when you slip in
> an IP address.

whois -a

Check out the whois(1) man page.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

From owner-freebsd-security Mon Oct 11 8:40: 6 1999
Message-ID: <003301bf13fe$fe84cc00$5b014b0a@asf.fr>
From: "Michael Hallgren"
To: ,
References: <199910111519.LAA31237@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: Identifying an Unresolvable IP
Date: Mon, 11 Oct 1999 17:40:46 +0200

Hi,

> Connections from two different, but close (consecutive class C nets),
> IP addresses showed up in some of my daily security logs. The
> addresses do not reverse-lookup, but I would still like to know who
> owns the addresses (my guess it is a valid user's 3rd party ISP, but I
> want to be sure).
>
> What tools or references are easily accessible for determining who
> owns a block of IPs?
> I have not been able to figure out how to coax the
> info from DNS or whois.
A whois lookup (RIPE and friends) should give the owner of the block in
question.

For example, say that you're trying to track down 195.90.34.69. A whois -h
whois.ripe.net gives you

inetnum: 195.90.34.0 - 195.90.34.255
netname: GRAPHNET-PARIS
descr: Graphnet Inc. Paris node
country: FR
admin-c: GIS-ORG
tech-c: XH15-RIPE
tech-c: GIS-ORG
rev-srv: ns.fr.graphnet.net
rev-srv: ns.globalis.net
status: ASSIGNED PA
mnt-by: GNET-MNT
changed: mh@graphnet.com 19990201
changed: geno@graphnet.com 19990721
source: RIPE

So, you know that Graphnet's responsible for that IP address. (Now, maybe
Graphnet's been allocating some IP space including 195.90.34.69 to some
customer? That's no big deal for you, since you may contact Graphnet for
details...)

> A web search, somewhat to my surprise, did not
> immediately pop up a site that will tell you this info when you slip in
> an IP address.
>

Go http://www.ripe.net/ , for example

Cheers

Michael

> Thanks for any help.
> --
> Crist J. Clark cjclark@home.com
>

From owner-freebsd-security Mon Oct 11 8:43:25 1999
Message-ID: <004d01bf13ff$756c8e20$5b014b0a@asf.fr>
From: "Michael Hallgren"
To: "Michael Hallgren" , ,
Subject: Re: Identifying an Unresolvable IP
Date: Mon, 11 Oct 1999 17:44:08 +0200

Or, from the shell,

# whois -a

which gives you a cross search over the databases.

mh

> Hi,
>
> > Connections from two different, but close (consecutive class C nets),
> > IP addresses showed up in some of my daily security logs. The
> > addresses do not reverse-lookup, but I would still like to know who
> > owns the addresses (my guess it is a valid user's 3rd party ISP, but I
> > want to be sure).
> >
> > What tools or references are easily accessible for determining who
> > owns a block of IPs?
> > I have not been able to figure out how to coax the
> > info from DNS or whois.
>
> A whois lookup (RIPE and friends) should give the owner of the block in
> question.
>
> For example, say that you're trying to track down 195.90.34.69. A whois -h
> whois.ripe.net gives you
>
> inetnum: 195.90.34.0 - 195.90.34.255
> netname: GRAPHNET-PARIS
> descr: Graphnet Inc. Paris node
> country: FR
> admin-c: GIS-ORG
> tech-c: XH15-RIPE
> tech-c: GIS-ORG
> rev-srv: ns.fr.graphnet.net
> rev-srv: ns.globalis.net
> status: ASSIGNED PA
> mnt-by: GNET-MNT
> changed: mh@graphnet.com 19990201
> changed: geno@graphnet.com 19990721
> source: RIPE
>
>
> So, you know that Graphnet's responsible for that IP address. (Now, maybe
> Graphnet's been allocating some IP space including 195.90.34.69 to some
> customer? That's no big deal for you, since you may contact Graphnet for
> details...)
>
> > A web search, somewhat to my surprise, did not
> > immediately pop up a site that will tell you this info when you slip in
> > an IP address.
> >
>
> Go http://www.ripe.net/ , for example
>
> Cheers
>
> Michael
>
> > Thanks for any help.
> > --
> > Crist J. Clark cjclark@home.com
> >
>

From owner-freebsd-security Mon Oct 11 8:54: 2 1999
Date: Mon, 11 Oct 1999 08:52:43 -0700 (PDT)
From: Jeff Gray
To: cjclark@home.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Identifying an Unresolvable IP
In-Reply-To: <199910111519.LAA31237@cc942873-a.ewndsr1.nj.home.com>
Message-ID:

Did you try

dig -x IP_address

Jeff

On Mon, 11 Oct 1999, Crist J. Clark wrote:

> Connections from two different, but close (consecutive class C nets),
> IP addresses showed up in some of my daily security logs. The
> addresses do not reverse-lookup, but I would still like to know who
> owns the addresses (my guess it is a valid user's 3rd party ISP, but I
> want to be sure).
>
> What tools or references are easily accessible for determining who
> owns a block of IPs? I have not been able to figure out how to coax the
> info from DNS or whois. A web search, somewhat to my surprise, did not
> immediately pop up a site that will tell you this info when you slip in
> an IP address.
>
> Thanks for any help.
> --
> Crist J. Clark cjclark@home.com
>

From owner-freebsd-security Mon Oct 11 20:53:14 1999
Message-ID: <19991012035516.7083.rocketmail@web109.yahoomail.com>
Date: Mon, 11 Oct 1999 20:55:16 -0700 (PDT)
From: tom brown
Subject: Is it just me or is the ssh port broken for Release 3.3?
To: security@freebsd.org

So as I have done many times before I go to the ports collection and try to
make ssh.

As always it takes an eternity to download from finland.

Then it fails to find rsaref20, and backtracks to get it... and I wait and
wait until make times out.

I have two points really.

1. Why is such an important package as rsaref20 broken? (Is it to allow the
NSA to trojan it?)

2. Now the US government have dropped the export control laws, can we have
these components either on the CD-ROM or the main website?

Tom Brown

=====

__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com

From owner-freebsd-security Mon Oct 11 21: 9: 2 1999
Date: Mon, 11 Oct 1999 21:09:00 -0700 (PDT)
From: Kris Kennaway
To: tom brown
Cc: security@freebsd.org
Subject: Re: Is it just me or is the ssh port broken for Release 3.3?
In-Reply-To: <19991012035516.7083.rocketmail@web109.yahoomail.com>
Message-ID:

On Mon, 11 Oct 1999, tom brown wrote:

> I have two points really.
>
> 1. Why is such an important package as rsaref20
> broken? (Is it to allow the NSA to trojan it?)

Yes :-)

> 2. Now the US government have dropped the export
> control laws, can we have these components either on
> the CD-ROM or the main website?

They have not been dropped. As far as it affects FreeBSD, things are the
same as they always have been.

Kris

----
XOR for AES -- join the campaign!

From owner-freebsd-security Mon Oct 11 22: 5: 8 1999
Message-Id: <4.2.0.58.19991011230120.042c4cd0@localhost>
Date: Mon, 11 Oct 1999 23:04:57 -0600
To: tom brown , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Is it just me or is the ssh port broken for Release 3.3?
In-Reply-To: <19991012035516.7083.rocketmail@web109.yahoomail.com>

At 08:55 PM 10/11/99 -0700, tom brown wrote:

>2. Now the US government have dropped the export
>control laws, can we have these components either on
>the CD-ROM or the main website?

They were never "laws" -- they were regulations imposed by the Commerce
Department. And they haven't been "dropped" -- though it is CLAIMED that
they may be loosened.

Worse still for FreeBSD and kin, the Commerce Department says it plans to
loosen the regulations only for closed source products. See:

http://www.nytimes.com/library/tech/99/10/biztech/articles/11code.html

This is a MUST READ for anyone who cares about crypto.

--Brett

From owner-freebsd-security Mon Oct 11 22: 9: 6 1999
Date: Mon, 11 Oct 1999 22:09:03 -0700 (PDT)
From: Jeff Gray
To: tom brown
Cc: security@FreeBSD.ORG
Subject: Re: Is it just me or is the ssh port broken for Release 3.3?
In-Reply-To: <19991012035516.7083.rocketmail@web109.yahoomail.com>
Message-ID:

Hmmm.....

I am running 3.3 Release and just happened to install, today, ssh from the
ports. Did nothing unusual, just

make
make install

Tested it out by connecting to two other servers and it appears to be
working correctly.

Jeff

On Mon, 11 Oct 1999, tom brown wrote:

> So as I have done many times before I go to the ports
> collection and try to make ssh.
>
>
>
> =====
>
> __________________________________________________
> Do You Yahoo!?
> Bid and sell for free at http://auctions.yahoo.com
>

From owner-freebsd-security Mon Oct 11 22:34: 8 1999
To: tom brown
Cc: security@FreeBSD.ORG
Subject: Re: Is it just me or is the ssh port broken for Release 3.3?
In-Reply-To: Message from tom brown of "Mon, 11 Oct 1999 20:55:16 PDT." <19991012035516.7083.rocketmail@web109.yahoomail.com>
Date: Mon, 11 Oct 1999 22:34:04 -0700
Message-ID: <64292.939706444@pinhead.parag.codegen.com>
From: Parag Patel

One could always engage in a bit of civil disobedience and comment out the
line that says "USA_RESIDENT=yes" in /etc/make.conf...

--
Parag Patel

From owner-freebsd-security Mon Oct 11 23:10:15 1999
To: tom brown
Cc: security@FreeBSD.ORG
Subject: Re: Is it just me or is the ssh port broken for Release 3.3?
In-reply-to: Your message of "Mon, 11 Oct 1999 20:55:16 PDT." <19991012035516.7083.rocketmail@web109.yahoomail.com>
Date: Mon, 11 Oct 1999 23:10:42 -0700
Message-ID: <2588.939708642@localhost>
From: "Jordan K. Hubbard"

> So as I have done many times before I go to the ports
> collection and try to make ssh.
>
> As always it takes an eternity to download from
> finland.

It always works for me, so it's probably premature to start suspecting the
involvement of black helicopters and such here.

> 1. Why is such an important package as rsaref20
> broken? (Is it to allow the NSA to trojan it?)

It's not broken.

> 2. Now the US government have dropped the export
> control laws, can we have these components either on
> the CD-ROM or the main website?

1. The US government has done no such thing. Go read the press on this
again and you'll find that you still need to *apply* for export privileges,
something we've done but will only affect FreeBSD in any case and not
rsaref.

2. rsaref isn't restricted due to export controls, it's restricted due to
PATENT issues with RSA. Until RSA's patent expires, Clinton's
administration can relax export controls all they want and it won't affect
rsaref one bit.

People need to do a bit more homework in informing themselves before
reaching for conspiracy theories.

- Jordan

From owner-freebsd-security Tue Oct 12 2:59:23 1999
Date: Tue, 12 Oct 1999 19:56:20 +1000 (EST)
From: Bruce Campbell
To: freebsd-security@FreeBSD.ORG
Cc: cjclark@home.com
Subject: Re: Identifying an Unresolvable IP
In-Reply-To: <19991011113944.A18725@osaka.louisville.edu>
Message-ID:

On Mon, 11 Oct 1999, Keith Stevenson wrote:

> On Mon, Oct 11, 1999 at 11:19:15AM -0400, Crist J. Clark wrote:
> >
> > What tools or references are easily accessible for determining who
> > owns a block of IPs? I have not been able to figure out how to coax the
>
> whois -a
> Check out the whois(1) man page.

See also, http://www.apnic.net/db/RIRs.html .

This lists which Regional Internet Registry is nominally authoritative for
which IP addresses.

If you are bored (and the IP address is in the APNIC ranges), try doing a
whois against whois.apnic.net for the appropriate in-addr.arpa .

--==--
Bruce.
BC666-AP

From owner-freebsd-security Tue Oct 12 4:11:53 1999
Date: Tue, 12 Oct 1999 07:11:39 -0400 (EDT)
From: Matt Behrens
To: Parag Patel
Cc: tom brown , security@FreeBSD.ORG
Subject: Re: Is it just me or is the ssh port broken for Release 3.3?
In-Reply-To: <64292.939706444@pinhead.parag.codegen.com>
Message-ID:

On Mon, 11 Oct 1999, Parag Patel wrote:

: One could always engage in a bit of civil disobedience and comment out
: the line that says "USA_RESIDENT=yes" in /etc/make.conf...

Along those lines, are packages like ssh and openssl faster when _not_
linked with rsaref? It seems to me they might be, because they're actively
maintained and generally developed with Linux, so they might have some x86
optimizations. I honestly haven't looked into it though :-)

Matt Behrens
Owner/Administrator, zigg.com
Chief Engineer, Nameless IRC Network

From owner-freebsd-security Tue Oct 12 5:44:29 1999
From: Greg Lewis
Message-Id: <199910121244.WAA55449@ares.maths.adelaide.edu.au>
Subject: Re: Is it just me or is the ssh port broken for Release 3.3?
In-Reply-To: <19991012035516.7083.rocketmail@web109.yahoomail.com> from tom brown at "Oct 11, 1999 08:55:16 pm"
To: freebsd-security@freebsd.org
Date: Tue, 12 Oct 1999 22:14:18 +0930 (CST)

I find it installs ok for me.

On a slightly off the track note, do the FreeBSD folks have any plans to
similarly incorporate the ssh release that OpenBSD folks have recently
merged into their base install? I'm not sure of the exact details, but I
believe they have an earlier version of ssh (1.2.12?) which was under a BSD
like license that they are putting into the OpenBSD base install
(presumably with some bugfixing and possibly with the removal of some of
the encryption algorithms to make it more export/import friendly).

--
Greg Lewis glewis@trc.adelaide.edu.au
Computing Officer +61 8 8303 5083
Teletraffic Research Centre

From owner-freebsd-security Tue Oct 12 6:39: 3 1999
From: David G Andersen
Message-Id: <199910121338.HAA05231@faith.cs.utah.edu>
Subject: Re: Identifying an Unresolvable IP
To: bc@thehub.com.au (Bruce Campbell)
Date: Tue, 12 Oct 1999 07:38:38 -0600 (MDT)
Cc: freebsd-security@FreeBSD.ORG, cjclark@home.com
In-Reply-To: from "Bruce Campbell" at Oct 12, 99 07:56:20 pm

Or just use geektools:

whois -h www.geektools.com

They'll automatically recurse to the proper registry for you. It's pretty
convenient when you're a lazy bum like myself. :)

-Dave

Lo and behold, Bruce Campbell once said:
>
> See also, http://www.apnic.net/db/RIRs.html .
>
> This lists which Regional Internet Registry is nominally authoritative for
> which IP addresses.
>
> If you are bored (and the IP address is in the APNIC ranges), try doing a
> whois against whois.apnic.net for the appropriate in-addr.arpa .

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Tue Oct 12 7:17: 0 1999
Message-ID: <3803441B.83DBFD83@thuntek.net>
Date: Tue, 12 Oct 1999 08:22:19 -0600
From: Donald Wilde
Reply-To: dwilde1@thuntek.net
Organization: Wilde Media
To: freebsd-security@freebsd.org
Subject: MD5 systems interacting with DES systems

Hi, folks -

After reading the ML archives, I only get a few hints as to the answer to
my question, so I'll shout it out for the world to hear.

I am building an international network which will have machines here and
abroad, and I want to create secure socket connections between the
systems. I saw a hint that some routines (rlogin, etc.)
will not work unless DES is installed both ways. Are there low level (transport level) routines which we can use with MD5 systems, or is my best answer to do the encrypt/decrypt at the user level? I don't mind making all systems MD5. I'm not subscribesd, please reply directly. -- Donald Wilde "Linking Minds and Micros" ================= S i l v e r L y n x =================== PMB 117, 1380 Rio Rancho Blvd SE v: 505-771-0709 f: 771-1356 Rio Rancho, New Mexico 87124 web: http://www.Wilde-Media.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 12 9:37:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by hub.freebsd.org (Postfix) with ESMTP id 5763315A59 for ; Tue, 12 Oct 1999 09:36:27 -0700 (PDT) (envelope-from fgleiser@cactus.fi.uba.ar) Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.9.2/8.9.2) with ESMTP id NAA08191 for ; Tue, 12 Oct 1999 13:43:38 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar) Date: Tue, 12 Oct 1999 13:43:38 -0300 (ART) From: Fernando Gleiser To: freebsd-security@freebsd.org Subject: ipfilter and securelevels Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org While configuring a FreeBSD Box as a firewall with IPFilter, I've noticed that you can still change the filter rules even if securelevel > 1. I have merged the changes made by the OpenBSD people to prevent this into ip_fil.c, and I will fill a PR with the patch unless there is a reason to leave ipfilter as it is now. 
Here's the patch:

----------------8< cut here ----------------------------------------
*** ip_fil.c.orig	Sun Oct 10 21:31:12 1999
--- ip_fil.c	Sun Oct 10 21:43:32 1999
***************
*** 364,367 ****
--- 364,396 ----
  #endif
+ # if defined(__OpenBSD__) || defined (__FreeBSD__)
+ 	if (securelevel > 1) {
+ 		switch (cmd) {
+ # ifndef IPFILTER_LKM
+ 		case SIOCFRENB:
+ # endif
+ 		case SIOCSETFF:
+ 		case SIOCADAFR:
+ 		case SIOCADIFR:
+ 		case SIOCINAFR:
+ 		case SIOCINIFR:
+ 		case SIOCRMAFR:
+ 		case SIOCRMIFR:
+ 		case SIOCZRLST:
+ 		case SIOCSWAPA:
+ 		case SIOCFRZST:
+ 		case SIOCIPFFL:
+ # ifdef IPFILTER_LOG
+ 		case SIOCIPFFB:
+ # endif
+ 		case SIOCADNAT:
+ 		case SIOCRMNAT:
+ 		case SIOCFLNAT:
+ 		case SIOCCNATL:
+ 			return EPERM;
+ 		}
+ 	}
+ # endif
  	SPL_NET(s);
----------------8< cut here ----------------------------------------

			Fer

From owner-freebsd-security Tue Oct 12 11:19:49 1999
Date: Sun, 10 Oct 1999 19:49:06 -0500 (CDT)
From: "Craig H. Rowland"
To: "Nicole H."
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345

Older versions of NetBus (A Windows trojan horse/remote control program)
are on this port...

-- Craig

On Sun, 10 Oct 1999, Nicole H. wrote:

>
> Why on earth would someone be scanning port 12345? Is this a new backdoor
> port?
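Review bot: on the ip_fil.c patch above, the `# ifndef IPFILTER_LKM` wrapped around `case SIOCFRENB:` leaves a hole when ipfilter is built as a loadable module: every rule-, list-, NAT- and log-changing ioctl is refused with EPERM at securelevel > 1, yet the ioctl that turns the filter on or off is still allowed, which undoes the protection the rest of the switch provides. Either the reason for that exemption belongs in the PR text, or `case SIOCFRENB:` should sit inside the protected set unconditionally. A second point for the PR: the threshold `securelevel > 1` is the OpenBSD value, while FreeBSD's own ipfw(8) rules are only locked at securelevel 3 (see init(8)); a FreeBSD reviewer will want the two packet filters to lock at the same level, or a stated reason why not.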
>
> Oct 10 02:25:26 krell portsentry[14796]: attackalert: Connect from host:
> 195.235.210.171/195.235.210.171 to TCP port: 12345
>
>
>  Nicole

From owner-freebsd-security Tue Oct 12 11:30:52 1999
Date: Tue, 12 Oct 1999 11:30:46 -0700 (PDT)
From: "Nicole H."
To: "Craig H. Rowland"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345

On 11-Oct-99 Craig H. Rowland wrote:
> Older versions of NetBus (A Windows trojan horse/remote control
> program) are on this port...
>
> -- Craig

 So far I have logged 6 more attempts at this port! Six! This hack must
be getting fairly popular with the script kiddies.

 Nicole

>
>
>
> On Sun, 10 Oct 1999, Nicole H. wrote:
>
>>
>> Why on earth would someone be scanning port 12345? Is this a new backdoor
>> port?
>>
>> Oct 10 02:25:26 krell portsentry[14796]: attackalert: Connect from host:
>> 195.235.210.171/195.235.210.171 to TCP port: 12345
>>
>>
>>  Nicole

 nicole@unixgirl.com          |\ __ /|   (`\    http://www.unixgirl.com/
 webmistress@dangermouse.org  | o_o  |__  ) )   http://www.dangermouse.org/
                             //  \\
 ---------------------------(((---(((-----------------------------------------
 --  Powered by Coca-Cola and FreeBSD   --
 --  Strong enough for a man - But made for a Woman --
 --  Microsoft: What bug would you like today? --
 -------------------------------------------------------------------------------
 -- As a computing professional, I believe it would be unethical for me to
 advise, recommend, or support the use (save possibly for personal
 amusement) of any product that is or depends on any Microsoft product.

 Remember: Echelon is listening!
 FBI CIA NSA IRS ATF BATF DOD WACO RUBY RIDGE OKC OKLAHOMA CITY MILITIA GUN
 HANDGUN MILGOV ASSAULT RIFLE TERRORISM BOMB DRUG HORIUCHI KORESH DAVIDIAN
 KAHL POSSE COMITATUS RANDY WEAVER VICKIE WEAVER SPECIAL FORCES LINDA
 THOMPSON SPECIAL OPERATIONS GROUP SOG SOF DELTA FORCE CONSTITUTION BILL OF
 RIGHTS WHITEWATER POM PARK ON METER ARKANSIDE IRAN CONTRAS OLIVER NORTH VINCE
 FOSTER PROMIS KILL MOSSAD NASA MI5 ONI CID AK47 M16 C4 MALCOLM X REVOLUTION
 CHEROKEE HILLARY BILL CLINTON GORE GEORGE BUSH WACKENHUT TERRORIST TASK FORCE
 160 SPECIAL OPS 12TH GROUP 5TH GROUP SF

From owner-freebsd-security Tue Oct 12 12:50:02 1999
Date: Tue, 12 Oct 1999 14:44:05 -0500 (CDT)
From: James Wyatt
To: "Nicole H."
Cc: "Craig H. Rowland", freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345

On Tue, 12 Oct 1999, Nicole H. wrote:
> On 11-Oct-99 Craig H. Rowland wrote:
> > Older versions of NetBus (A Windows trojan horse/remote control
> > program) are on this port...
>
>  So far I have logged 6 more attempts at this port! Six! This hack must
> be getting fairly popular with the script kiddies.

No, *you* are... 8{)

Love your .sig!

 - jy@

From owner-freebsd-security Tue Oct 12 13:00:58 1999
Date: Tue, 12 Oct 1999 13:00:56 -0700 (PDT)
From: Kris Kennaway
To: Donald Wilde
Cc: freebsd-security@freebsd.org
Subject: Re: MD5 systems interacting with DES systems
In-Reply-To: <3803441B.83DBFD83@thuntek.net>

On Tue, 12 Oct 1999, Donald Wilde wrote:

> I saw a hint that some routines (rlogin, etc.) will not work unless DES
> is installed both ways. Are there low level (transport level) routines
> which we can use with MD5 systems, or is my best answer to do the
> encrypt/decrypt at the user level?

I don't think this is correct. rlogin and friends do no encryption or
password authentication themselves, and aren't linked against libcrypt at
all. So there should be no difference whether or not you have DES
installed. However...

> I don't mind making all systems MD5.

...this is the way to go, unless you specifically need DES passwords (e.g.
sharing passwords with commercial unices). DES is just too insecure
these days.

As for encrypted transport, which it sounds like you were talking about,
you want either ssh (if the license restrictions are applicable to you -
or you could port the "last truly free" version which the openbsd guys
have been cleaning up in their tree), or you could go for IPSec (either
in the kernel - see www.kame.net), or userspace (the pipsecd port in
net/).

Kris

----
XOR for AES -- join the campaign!
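An added example, not part of Kris's message or of any FreeBSD tool: before "making all systems MD5" an admin wants to know which accounts still carry DES-format hashes, since a DES hash cannot be converted to MD5 and those passwords have to be reset once MD5 crypt is the default everywhere. The script below classifies the password field of master.passwd(5) entries by format; the sample file and its hash strings are constructed for the example.

```python
import re
from collections import Counter

# master.passwd(5) has ten colon-separated fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")

# Traditional DES crypt(3) output: exactly 13 characters from the
# 64-symbol alphabet [./0-9A-Za-z], the first two being the salt.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Name the password format found in the second master.passwd field."""
    if field == "":
        return "empty"          # no password at all
    if field.startswith("*"):
        return "locked"         # '*' can never equal a crypt() result
    if field.startswith("$1$"):
        return "md5"            # FreeBSD MD5 crypt: $1$salt$hash
    if field.startswith("$"):
        return "other-modular"  # some other $id$... scheme
    if DES_RE.match(field):
        return "des"
    return "unknown"


def parse_master_passwd(text):
    """Parse master.passwd text into a list of dicts, one per account.

    Blank lines and '#' comments are skipped; a line with the wrong
    number of fields raises ValueError rather than being guessed at.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(FIELDS), len(parts)))
        entry = dict(zip(FIELDS, parts))
        entry["format"] = classify_hash(entry["password"])
        entries.append(entry)
    return entries


def audit(text):
    """Report what must happen before every host can be switched to MD5.

    Returns per-format counts plus the accounts needing attention: DES
    hashes (to be reset, since a DES hash cannot be turned into an MD5
    one without the password), empty passwords, and anything the
    classifier could not place.
    """
    entries = parse_master_passwd(text)
    counts = Counter(e["format"] for e in entries)
    return {
        "counts": dict(counts),
        "needs_rehash": sorted(e["name"] for e in entries if e["format"] == "des"),
        "no_password": sorted(e["name"] for e in entries if e["format"] == "empty"),
        "unknown": sorted(e["name"] for e in entries if e["format"] == "unknown"),
    }


# Constructed sample file; the hash strings have the right shape but are
# made up, not real crypt() output.
SAMPLE = """\
# master.passwd (constructed for this example)
alice:$1$abcdefgh$ZxYwVuTsRqPoNmLkJiHgF/:1001:1001::0:0:Alice:/home/alice:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
bob:abJnggxhB/yWI:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$12345678$abcdefghijklmnopqrstuv:1003:1003::0:0:Carol:/home/carol:/bin/sh
guest::1004:1004::0:0:Guest account:/home/guest:/bin/sh
legacy:xyJK3lq0Qa9/.:1005:1005::0:0:Old box account:/home/legacy:/bin/sh
"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("formats in use:", report["counts"])
    print("DES hashes to reset:", ", ".join(report["needs_rehash"]))
    print("accounts with no password:", ", ".join(report["no_password"]))
```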
From owner-freebsd-security Tue Oct 12 13:06:53 1999
Date: Tue, 12 Oct 1999 13:06:50 -0700 (PDT)
From: Kris Kennaway
To: Greg Lewis
Cc: freebsd-security@freebsd.org
Subject: FreeSSH (was: Re: Is it just me or is the ssh port broken for Release 3.3?)
In-Reply-To: <199910121244.WAA55449@ares.maths.adelaide.edu.au>

On Tue, 12 Oct 1999, Greg Lewis wrote:

> On a slightly off the track note, do the FreeBSD folks have any plans to
> similarly incorporate the ssh release that OpenBSD folks have recently
> merged into their base install? I'm not sure of the exact details, but I
> believe they have an earlier version of ssh (1.2.12?) which was under a
> BSD like license that they are putting into the OpenBSD base install
> (presumably with some bugfixing and possibly with the removal of some of
> the encryption algorithms to make it more export/import friendly).

I've been keeping an eye on it - once it stabilizes a bit I might have a
go porting it - it shouldn't be too hard. It would probably be as a port,
though, unless we get broad consensus it should go into the src tree
(*cough* *cough*, unlikely :).

Kris

----
XOR for AES -- join the campaign!

From owner-freebsd-security Tue Oct 12 13:09:10 1999
Date: Tue, 12 Oct 1999 22:10:00 +0200
From: "Michael Hallgren"
To: "Kris Kennaway", "Donald Wilde"
Subject: Re: MD5 systems interacting with DES systems
Message-ID: <015101bf14ed$c4b27e60$5b014b0a@asf.fr>

> On Tue, 12 Oct 1999, Donald Wilde wrote:
>
> > I saw a hint that some routines (rlogin, etc.) will not work unless DES
> > is installed both ways. Are there low level (transport level) routines
> > which we can use with MD5 systems, or is my best answer to do the
> > encrypt/decrypt at the user level?
>
> I don't think this is correct. rlogin and friends do no encryption or
> password authentication themselves, and aren't linked against libcrypt at
> all. So there should be no difference whether or not you have DES
> installed.

Berkeley r* authenticates over source address, if I'm not seriously
mistaken...

> However...
>
> > I don't mind making all systems MD5.
>
> ...this is the way to go, unless you specifically need DES passwords (e.g.
> sharing passwords with commercial unices). DES is just too insecure
> these days.

Well,... yes... ...
;)

>
> As for encrypted transport, which it sounds like you were talking about,
> you want either ssh (if the license restrictions are applicable to you -
> or you could port the "last truly free" version which the openbsd guys
> have been cleaning up in their tree),

Yes, nice. SSH's a VERY good replacement for r* (and a host of other needs).

> or you could go for IPSec (either
> in the kernel - see www.kame.net), or userspace (the pipsecd port in
> net/).

Anyone been trying out FreeS/WAN ?

Cheers

mh

>
> Kris
>
> ----
> XOR for AES -- join the campaign!

From owner-freebsd-security Tue Oct 12 13:52:28 1999
Date: Tue, 12 Oct 1999 14:58:31 -0600
From: Donald Wilde
Reply-To: dwilde1@thuntek.net
To: Kris Kennaway
Cc: freebsd-security@freebsd.org
Subject: Re: MD5 systems interacting with DES systems
Message-ID: <3803A0F7.DABF362F@thuntek.net>

Kris Kennaway wrote:
> As for encrypted transport, which it sounds like you were talking about,
> you want either ssh (if the license restrictions are applicable to you -
> or you could port the "last truly free" version which the openbsd guys
> have been cleaning up in their tree), or you could go for IPSec (either
> in the kernel - see www.kame.net), or userspace (the pipsecd port in
> net/).
>

Thanks for the tips, Kris! From what little I know of IPsec, that would
be the ideal answer, especially as the systems and their connections
multiply. However, for now, knowing that there's an ssh with no
restrictions is a !!!

Thanks!

--
Donald Wilde                  "Linking Minds and Micros"
================= S i l v e r L y n x ===================
PMB 117, 1380 Rio Rancho Blvd SE    v: 505-771-0709 f: 771-1356
Rio Rancho, New Mexico 87124        web: http://www.Wilde-Media.com

From owner-freebsd-security Tue Oct 12 14:00:24 1999
Date: Tue, 12 Oct 1999 14:00:21 -0700 (PDT)
From: Kris Kennaway
To: Michael Hallgren
Cc: Donald Wilde, freebsd-security@freebsd.org
Subject: Re: MD5 systems interacting with DES systems
In-Reply-To: <015101bf14ed$c4b27e60$5b014b0a@asf.fr>

On Tue, 12 Oct 1999, Michael Hallgren wrote:

> > I don't think this is correct. rlogin and friends do no encryption or
> > password authentication themselves, and aren't linked against libcrypt at
> > all. So there should be no difference whether or not you have DES
> > installed.
>
> Berkeley r* authenticates over source address, if I'm not seriously
> mistaken...
Note I said password authentication ;-) > > As for encrypted transport, which it sounds like you were talking about, > > you want either ssh (if the license restrictions are applicable to you - > > or you could port the "last truly free" version which the openbsd guys > > have been cleaning up in their tree), > > Yes, nice. SSH's a VERY good replacement for r* 'and a host of other needs). The license terms can be a bitch, though :-( > Anyone been trying out FreeS/WAN ? Not sure why you'd bother - KAME is the future for FreeBSD. Kris ---- XOR for AES -- join the campaign! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 12 14: 2:22 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 497DE14C32; Tue, 12 Oct 1999 14:02:21 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 375DA1CD44F; Tue, 12 Oct 1999 14:02:21 -0700 (PDT) (envelope-from kris@hub.freebsd.org) Date: Tue, 12 Oct 1999 14:02:21 -0700 (PDT) From: Kris Kennaway To: Donald Wilde Cc: freebsd-security@freebsd.org Subject: Re: MD5 systems interacting with DES systems In-Reply-To: <3803A0F7.DABF362F@thuntek.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 12 Oct 1999, Donald Wilde wrote: > Thanks for the tips, Kris! From what little I know of IPsec, that would > be the ideal anmswer, especially as the systems and their connections > multiply. However, for now, knowing that there's an ssh with no > restrictions is a !!! I should caution that I haven't read exactly what license is on this version, but it's at least free enough that the OpenBSD guys can bring it into their source tree and hack it to pieces :-) Kris ---- XOR for AES -- join the campaign! 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 12 14: 5:32 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.free.fr (smtp1.free.fr [212.27.32.5]) by hub.freebsd.org (Postfix) with ESMTP id DD98B14DE9; Tue, 12 Oct 1999 14:05:26 -0700 (PDT) (envelope-from m.hallgren@free.fr) Received: from roam (paris11-nas4-48-252.dial.proxad.net [212.27.48.252]) by smtp1.free.fr (8.9.3/8.9.3/Debian/GNU) with SMTP id XAA32493; Tue, 12 Oct 1999 23:05:24 +0200 Message-ID: <002601bf14f5$9e2178c0$5b014b0a@asf.fr> From: "Michael Hallgren" To: "Kris Kennaway" Cc: "Donald Wilde" , References: Subject: Re: MD5 systems interacting with DES systems Date: Tue, 12 Oct 1999 23:06:12 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Tue, 12 Oct 1999, Michael Hallgren wrote: > > > > I don't think this is correct. rlogin and friends do no encryption or > > > password authentication themselves, and aren't linked against libcrypt at > > > all. So there should be no difference whether or not you have DES > > > installed. > > > > Berkeley r* authenticates over source address, if I'm not seriously > > mistaken... > > Note I said password authentication ;-) Ok. Sorry, read quickly. However, passwords in cleartext over the bcast media... > > > > As for encrypted transport, which it sounds like you were talking about, > > > you want either ssh (if the license restrictions are applicable to you - > > > or you could port the "last truly free" version which the openbsd guys > > > have been cleaning up in their tree), > > > > Yes, nice. SSH's a VERY good replacement for r* 'and a host of other needs). 
> > The license terms can be a bitch, though :-( Yeah... ... > > > Anyone been trying out FreeS/WAN ? > > Not sure why you'd bother - KAME is the future for FreeBSD. Well, *BSD and the different bundles running over Linux are all my friends... :) mh > > Kris > > ---- > XOR for AES -- join the campaign! > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 12 19:58:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from ares.maths.adelaide.edu.au (ares.maths.adelaide.edu.au [129.127.246.5]) by hub.freebsd.org (Postfix) with ESMTP id 7636114C95 for ; Tue, 12 Oct 1999 19:58:06 -0700 (PDT) (envelope-from glewis@ares.maths.adelaide.edu.au) Received: (from glewis@localhost) by ares.maths.adelaide.edu.au (8.9.3/8.9.3) id MAA62519 for freebsd-security@freebsd.org; Wed, 13 Oct 1999 12:28:05 +0930 (CST) (envelope-from glewis) From: Greg Lewis Message-Id: <199910130258.MAA62519@ares.maths.adelaide.edu.au> Subject: Re: FreeSSH In-Reply-To: from Kris Kennaway at "Oct 12, 1999 01:06:50 pm" To: freebsd-security@freebsd.org Date: Wed, 13 Oct 1999 12:28:04 +0930 (CST) X-Mailer: ELM [version 2.4ME+ PL56 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I've been keeping an eye on it - once it stabilizes a bit I might have a > go porting it - it shouldn't be too hard. It would probably be as a port, > though, unless we get broad consensus it should go into the src tree > (*cough* *cough*, unlikely :). > > Kris Thats good to hear Kris! I'm curious on why you believe it would be hard to get a broad consensus though. Remote login capability is something that is clearly desired (cf. telnet and rlogin being enabled in the standard install). 
If there is an appropriately licensed much more secure version of this functionality available then it would seem a good idea to have it in the base install too (although probably starting as being off by default except if you twiddle an rc.conf knob). Obviously with that argument there would be some other things go in, so thats not enough by itself if you want to avoid bloat. However, I'm guessing that a lot of sysadmins install ssh as their first act on a new install. Maybe when this reaches _most_ sysadmins it would be a candidate for the base system? Do folks have any thoughts on whether most people do/should install ssh? In the interests of minimising bloat we could balance its inclusion by deleting something like, say, uucp. (:-) for the uucps users) -- Greg Lewis glewis@trc.adelaide.edu.au Computing Officer +61 8 8303 5083 Teletraffic Research Centre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 12 20: 2:25 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (Postfix) with ESMTP id 0BBA614C95 for ; Tue, 12 Oct 1999 20:02:23 -0700 (PDT) (envelope-from tim@futuresouth.com) Received: (from tim@localhost) by shell.futuresouth.com (8.9.3/8.9.3) id WAA15156 for freebsd-security@FreeBSD.ORG; Tue, 12 Oct 1999 22:02:17 -0500 (CDT) Date: Tue, 12 Oct 1999 22:02:17 -0500 From: Tim Tsai To: freebsd-security@FreeBSD.ORG Subject: Re: FreeSSH Message-ID: <19991012220217.A14906@futuresouth.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre3i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Do folks have any thoughts on whether most people do/should install ssh? ssh is certainly one of the first things we install on all our machines. 
I'd be happy with a stable port though - it seems that everytime I try to install ssh from the ports collection something goes wrong. Haven't tried in awhile though. Tim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 12 20:39:50 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 3F23414C4E; Tue, 12 Oct 1999 20:39:49 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 300421CD486; Tue, 12 Oct 1999 20:39:49 -0700 (PDT) (envelope-from kris@hub.freebsd.org) Date: Tue, 12 Oct 1999 20:39:49 -0700 (PDT) From: Kris Kennaway To: Greg Lewis Cc: freebsd-security@freebsd.org Subject: Re: FreeSSH In-Reply-To: <199910130258.MAA62519@ares.maths.adelaide.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 13 Oct 1999, Greg Lewis wrote: > Thats good to hear Kris! I'm curious on why you believe it would be hard > to get a broad consensus though. Remote login capability is something Well, these things which are "obviously good to have in the base system" have a tendency not be seen that way by everyone :-) This may be different - but there's no point in debating the issue now since it's not commit- or port-ready. 
Kris

From owner-freebsd-security Wed Oct 13 3:17:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pogo.caustic.org (pogo.caustic.org [216.69.69.123]) by hub.freebsd.org (Postfix) with ESMTP id AA8B614E47 for ; Wed, 13 Oct 1999 03:17:20 -0700 (PDT) (envelope-from jan@caustic.org)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.9.3/ignatz) with ESMTP id DAA95821; Wed, 13 Oct 1999 03:17:43 -0700 (PDT)
Date: Wed, 13 Oct 1999 03:17:43 -0700 (PDT)
From: "f.johan.beisser"
To: Greg Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
In-Reply-To: <199910130258.MAA62519@ares.maths.adelaide.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Oct 1999, Greg Lewis wrote:

> Do folks have any thoughts on whether most people do/should install ssh?

just about everyone i know does use ssh. i encourage it, VERY heavily, and have started the road at my work to using it almost exclusively in place of telnet, rlogin, etc. we don't use SSH2 tho, even though the tools would be handy to have (sftp, as an example).

for us, it's the first thing that gets installed. doesn't matter what platform it is, there is an SSH client on the machine.

> In the interests of minimising bloat we could balance its inclusion by
> deleting something like, say, uucp.
> (:-) for the uucps users)

actually, i don't think this is a good idea. there are still a few (very few.. i hope) networks and LANs that use UUCP for mail transfer and such. in keeping FreeBSD as portable and usable by as many users as possible, it would.. well, screw them over.
-- jan

From owner-freebsd-security Wed Oct 13 4:52:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bg.sics.se (bg.sics.se [193.10.66.124]) by hub.freebsd.org (Postfix) with ESMTP id 364BA14BEA for ; Wed, 13 Oct 1999 04:52:00 -0700 (PDT) (envelope-from bg@bg.sics.se)
Received: (from bg@localhost) by bg.sics.se (8.9.3/8.9.3) id NAA16885; Wed, 13 Oct 1999 13:52:39 +0200 (CEST) (envelope-from bg)
To: Tim Tsai
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
References: <19991012220217.A14906@futuresouth.com>
From: Bjoern Groenvall
Date: 13 Oct 1999 13:52:38 +0200
In-Reply-To: Tim Tsai's message of Tue, 12 Oct 1999 22:02:17 -0500
Message-ID:
Lines: 25
X-Mailer: Red Gnus v0.52/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Tim Tsai writes:

> > Do folks have any thoughts on whether most people do/should install ssh?
>
> ssh is certainly one of the first things we install on all our machines.
>
> I'd be happy with a stable port though - it seems that every time I try
> to install ssh from the ports collection something goes wrong. Haven't
> tried in a while though.

If you are willing to run configure and make, why don't you just fetch ftp://ftp.pdc.kth.se/pub/krypto/ossh/ossh-1.2.17.tar.gz? OSSH has no restrictions on use (if you're not in the US) and builds straight out of the box on FreeBSD machines.

Cheers, Björn

--
 _ _                                              ,_______________.
Bjorn Gronvall (Björn Grönvall)                  /_______________/|
Swedish Institute of Computer Science            |               ||
PO Box 1263, S-164 29 Kista, Sweden              | Schroedingers ||
Email: bg@sics.se, Phone +46 -8 633 15 25        |      Cat      |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30 `---------------'

From owner-freebsd-security Wed Oct 13 5:16: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 6724114CBB for ; Wed, 13 Oct 1999 05:15:55 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.8.5/8.8.4) id JAA03565; Wed, 13 Oct 1999 09:14:31 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <199910131214.JAA03565@ns1.via-net-works.net.ar>
Subject: Re: FreeSSH
In-Reply-To: <199910130258.MAA62519@ares.maths.adelaide.edu.au> from Greg Lewis at "Oct 13, 99 12:28:04 pm"
To: glewis@trc.adelaide.edu.au (Greg Lewis)
Date: Wed, 13 Oct 1999 09:14:31 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Greg Lewis wrote:
> Do folks have any thoughts on whether most people do/should install ssh?

Of course they should! My only concern about distributing the stock system with built-in ssh is not getting the most current version. As far as I can recall ssh 1.2.27 replaces sprintf with snprintf, and previous versions fix bugs. That alone may be a good reason for not keeping a separate development tree of ssh within the project.
Maybe the best solution would be to have sysinstall ask for it at the end of the installation procedure, just like it does with Apache or NFS. And then, of course, install the *real* package.

> In the interests of minimising bloat we could balance its inclusion by
> deleting something like, say, uucp.
> (:-) for the uucps users)

I'm a proud UUCP user, but I wouldn't mind having to install it as a package, if the final result will be the same (modulo a couple of sed -e "s@usr@usr/local@g" maybe).

Regards.

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4º y 5º piso.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

From owner-freebsd-security Wed Oct 13 5:49: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from barracuda.aquarium.rtci.com (barracuda.aquarium.rtci.com [208.11.247.5]) by hub.freebsd.org (Postfix) with ESMTP id 262FD14D0A; Wed, 13 Oct 1999 05:48:55 -0700 (PDT) (envelope-from tstromberg@rtci.com)
Received: from rtci.com (saoshyant@asho.zarathushtra.org [208.11.244.6]) by barracuda.aquarium.rtci.com (8.9.3/8.9.3) with ESMTP id IAA19390; Wed, 13 Oct 1999 08:50:00 -0400 (EDT)
Message-ID: <38047FB1.D7B282AD@rtci.com>
Date: Wed, 13 Oct 1999 08:48:49 -0400
From: Thomas Stromberg
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-CURRENT i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-current@freebsd.org, freebsd-security@freebsd.org, peter@freebsd.org
Subject: ipfilter no longer in -CURRENT, whats the direction? (off to ipfw?)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/ipnat/Attic/Makefile
------------------------------------------------------------------------
1.2 Sun Oct 10 15:08:35 1999 UTC by peter
CVS Tags: HEAD
Diffs to 1.1
FILE REMOVED

Nuke the old antique copy of ipfilter from the tree. This is old enough
to be dangerous. It will better serve us as a port building a KLD,
ala SKIP.
------------------------------------------------------------------------

Although a heads up in -CURRENT or -security about this would have been nice, ye old ipfilter is gone. I definitely cannot disagree with the fact that it is an antique copy, and it's a shame that no one seems to be taking care of it in the tree. At least in the past, ipfilter was for many a much better option than ipfw. Has ipfw improved to the point where it functions better as a company firewall than ipfilter? (Okay, so the group & user firewalling is neat, but not really applicable for a corporate border firewall)

ipfilter's website: http://coombs.anu.edu.au/~avalon/ip-filter.html

For why I feel ipfilter is better than ipfw (this post was written back in December '98, ipfw may have changed greatly since):

http://www.freebsd.org/cgi/getmsg.cgi?fetch=117538+122112+/usr/local/www/db/text/1998/freebsd-current/19981227.freebsd-current
(the big 'wanton atticizing discussion')

A summary of it being:

- Multiplatform. Runs on IRIX, Solaris, Linux. Comes shipped with FreeBSD, OpenBSD, and NetBSD. Keeps us in sync with the other BSDs.
- Better logging than ipfw (has ipfw improved? That's why I switched to ipfilter in the first place)

It's a shame that no one seems to want to maintain ipfilter in our tree. As far as a 'port building kld', I think this may not be the 'smartest' way, seeing as anyone who is running a serious firewall would disable klds immediately anyhow.
So my question is, what's the direction we're taking here?

--
=======================================================================
Thomas Stromberg, Assistant IS Manager / Systems Guru
smtp://tstromberg@rtci.com          Research Triangle Commerce, Inc.
pots://919.380.9771 x3210
=======================================================================

From owner-freebsd-security Wed Oct 13 6: 1:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id 4E9C914BF1; Wed, 13 Oct 1999 06:01:05 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id XAA05892; Wed, 13 Oct 1999 23:02:54 +1000 (EST)
From: Darren Reed
Message-Id: <199910131302.XAA05892@cheops.anu.edu.au>
Subject: Re: ipfilter no longer in -CURRENT, whats the direction? (off to ipfw?)
To: tstromberg@rtci.com (Thomas Stromberg)
Date: Wed, 13 Oct 1999 23:02:53 +1000 (EST)
Cc: freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, peter@FreeBSD.ORG
In-Reply-To: <38047FB1.D7B282AD@rtci.com> from "Thomas Stromberg" at Oct 13, 99 08:48:49 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, if someone had answered my question (to cvs-committers) about getting an account fixed up on freefall(?) so I could use cvs again, it might not have been forgotten about for quite so long. Maybe I sent the question to the "wrong place", but I received no answer to even indicate that! hmpf!

On a conspiratorial note, I think there are numerous ipfw advocates within freebsd who hate that ipfilter is better >;-)

Both NetBSD and OpenBSD ship with it, and if you're serious about security, maybe you should be using OpenBSD anyway, rather than FreeBSD.
Darren

In some mail from Thomas Stromberg, sie said:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/ipnat/Attic/Makefile
> ------------------------------------------------------------------------
> 1.2 Sun Oct 10 15:08:35 1999 UTC by peter
> CVS Tags: HEAD
> Diffs to 1.1
> FILE REMOVED
>
> Nuke the old antique copy of ipfilter from the tree. This is old enough
> to be dangerous. It will better serve us as a port building a KLD,
> ala SKIP.
> ------------------------------------------------------------------------
>
> Although a heads up in -CURRENT or -security about this would have been
> nice, ye old ipfilter is gone. I definitely cannot disagree with the
> fact that it is an antique copy, and it's a shame that no one seems to
> be taking care of it in the tree. At least in the past, ipfilter was for
> many a much better option than ipfw. Has ipfw improved to the point
> where it functions better as a company firewall than ipfilter? (Okay, so
> the group & user firewalling is neat, but not really applicable for a
> corporate border firewall)
>
> ipfilter's website: http://coombs.anu.edu.au/~avalon/ip-filter.html
>
> For why I feel ipfilter is better than ipfw (this post was written back
> in December '98, ipfw may have changed greatly since):
>
> http://www.freebsd.org/cgi/getmsg.cgi?fetch=117538+122112+/usr/local/www/db/text/1998/freebsd-current/19981227.freebsd-current
> (the big 'wanton atticizing discussion')
>
> A summary of it being:
>
> - Multiplatform. Runs on IRIX, Solaris, Linux. Comes shipped with
> FreeBSD, OpenBSD, and NetBSD. Keeps us in sync with the other BSDs.
> - Better logging than ipfw (has ipfw improved? That's why I switched to
> ipfilter in the first place)
>
> It's a shame that no one seems to want to maintain ipfilter in our tree.
> As far as a 'port building kld', I think this may not be the 'smartest'
> way, seeing as anyone who is running a serious firewall would disable
> klds immediately anyhow.
>
> So my question is, what's the direction we're taking here?
>
> --
> =======================================================================
> Thomas Stromberg, Assistant IS Manager / Systems Guru
> smtp://tstromberg@rtci.com          Research Triangle Commerce, Inc.
> pots://919.380.9771 x3210
> =======================================================================
>

From owner-freebsd-security Wed Oct 13 7:21:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ares.maths.adelaide.edu.au (ares.maths.adelaide.edu.au [129.127.246.5]) by hub.freebsd.org (Postfix) with ESMTP id 17C2214F62 for ; Wed, 13 Oct 1999 07:21:18 -0700 (PDT) (envelope-from glewis@ares.maths.adelaide.edu.au)
Received: (from glewis@localhost) by ares.maths.adelaide.edu.au (8.9.3/8.9.3) id XAA70912; Wed, 13 Oct 1999 23:50:56 +0930 (CST) (envelope-from glewis)
From: Greg Lewis
Message-Id: <199910131420.XAA70912@ares.maths.adelaide.edu.au>
Subject: Re: FreeSSH
In-Reply-To: <199910131214.JAA03565@ns1.via-net-works.net.ar> from Fernando Schapachnik at "Oct 13, 1999 09:14:31 am"
To: Fernando Schapachnik
Date: Wed, 13 Oct 1999 23:50:56 +0930 (CST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL56 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > In the interests of minimising bloat we could balance its inclusion by
> > deleting something like, say, uucp.
> > (:-) for the uucps users)
>
> I'm a proud UUCP user, but I wouldn't mind having to install it as a
> package, if the final result will be the same (modulo a couple of sed
> -e "s@usr@usr/local@g" maybe).
I didn't mean to give any offense to uucp users -- this was a joke :)

--
Greg Lewis                    glewis@trc.adelaide.edu.au
Computing Officer             +61 8 8303 5083
Teletraffic Research Centre

From owner-freebsd-security Wed Oct 13 7:28:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 2BCCF14D9D for ; Wed, 13 Oct 1999 07:28:49 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA11701; Wed, 13 Oct 1999 10:28:41 -0400 (EDT) (envelope-from wollman)
Date: Wed, 13 Oct 1999 10:28:41 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199910131428.KAA11701@khavrinen.lcs.mit.edu>
To: Greg Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
In-Reply-To: <199910130258.MAA62519@ares.maths.adelaide.edu.au>
References: <199910130258.MAA62519@ares.maths.adelaide.edu.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> If there is an appropriately licensed much more secure
> version of this functionality available then it would seem a good idea
> to have it in the base install too

Between the US Commerce Department and the US Patent and Trademark Office, it would be very difficult to arrive at an ``appropriately licensed much more secure version''.

> However, I'm guessing that a lot of
> sysadmins install ssh as their first act on a new install. Maybe when
> this reaches _most_ sysadmins it would be a candidate for the base
> system?

Most sysadmins install either bash or tcsh as their first act on a new install.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Oct 13 7:29:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id C764315246 for ; Wed, 13 Oct 1999 07:29:15 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.8.5/8.8.4) id LAA10858; Wed, 13 Oct 1999 11:30:28 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <199910131430.LAA10858@ns1.via-net-works.net.ar>
Subject: Re: FreeSSH
In-Reply-To: <199910131420.XAA70912@ares.maths.adelaide.edu.au> from Greg Lewis at "Oct 13, 99 11:50:56 pm"
To: glewis@trc.adelaide.edu.au (Greg Lewis)
Date: Wed, 13 Oct 1999 11:30:28 -0300 (GMT)
Cc: fpscha@via-net-works.net.ar, freebsd-security@freebsd.org
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Greg Lewis wrote:
> > > In the interests of minimising bloat we could balance its inclusion by
> > > deleting something like, say, uucp.
> > > (:-) for the uucps users)
> >
> > I'm a proud UUCP user, but I wouldn't mind having to install it as a
> > package, if the final result will be the same (modulo a couple of sed
> > -e "s@usr@usr/local@g" maybe).
>
> I didn't mean to give any offense to uucp users -- this was a joke :)

Of course :) But I mean it.
If UUCP could be turned into a package, with no real difference but having to install it apart, I think no UUCP user would consider it a real loss.

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4º y 5º piso.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

From owner-freebsd-security Wed Oct 13 7:37: 1 1999
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 15044153BE for ; Wed, 13 Oct 1999 07:36:44 -0700 (PDT) (envelope-from danderse@faith.cs.utah.edu)
Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id IAA02185 for freebsd-security@freebsd.org; Wed, 13 Oct 1999 08:36:43 -0600 (MDT)
From: David G Andersen
Message-Id: <199910131436.IAA02185@faith.cs.utah.edu>
Subject: Re: FreeSSH
To: freebsd-security@freebsd.org
Date: Wed, 13 Oct 1999 08:36:43 -0600 (MDT)
In-Reply-To: <199910131428.KAA11701@khavrinen.lcs.mit.edu> from "Garrett Wollman" at Oct 13, 99 10:28:41 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lo and behold, Garrett Wollman once said:
>
> > However, I'm guessing that a lot of
> > sysadmins install ssh as their first act on a new install. Maybe when
> > this reaches _most_ sysadmins it would be a candidate for the base
> > system?
>
> Most sysadmins install either bash or tcsh as their first act on a new
> install.

With SSH as a close second, but by asking this question on -security, the queryant was pretty much assured of this answer. The answers are probably much more diverse among the general population of users.
Someone brought up the idea of removing 'uucp' from the collection, and this got me thinking a bit. If I set up a system that I wish to be secure (and which I'm not going to be actively maintaining), I typically go through and delete components I don't need - YP, UUCP, cu, tip, the lp subsystem, etc. (In addition to the standard "remove the setuid bit from everything that's not going to be needed" trick).

It strikes me that having the base system be slightly more decomposed could be advantageous. It would be great to be able to do something like:

    pkg_delete lp
    pkg_delete yp

Has anyone done/tried this in the past, and if so, what was the reaction? Or what do people think? I realize this sounds a bit like the "everything is an rpm or dpkg" methodology from Linux, but as long as the 'base' packages are handled automatically, then it shouldn't impose the same inconvenience.

-Dave

--
work: dga@lcs.mit.edu                          me: dga@pobox.com
MIT Laboratory for Computer Science           http://www.angio.net/

From owner-freebsd-security Wed Oct 13 8: 2:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 5E08214C49 for ; Wed, 13 Oct 1999 08:02:52 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA11891; Wed, 13 Oct 1999 11:02:46 -0400 (EDT) (envelope-from wollman)
Date: Wed, 13 Oct 1999 11:02:46 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199910131502.LAA11891@khavrinen.lcs.mit.edu>
To: David G Andersen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
In-Reply-To: <199910131436.IAA02185@faith.cs.utah.edu>
References: <199910131428.KAA11701@khavrinen.lcs.mit.edu> <199910131436.IAA02185@faith.cs.utah.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> With SSH as a close second, but by asking this question on -security,
> the queryant was pretty much assured of this answer. The answers are
> probably much more diverse among the general population of users.

Well, we use Kerberos here, so SSH has only limited utility and I don't normally install it. Now that we're upgrading to Kerberos 5, ssh becomes a bit more useful.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Oct 13 8:12:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jacuzzi.local.mindstep.com (modemcable156.106-200-24.mtl.mc.videotron.net [24.200.106.156]) by hub.freebsd.org (Postfix) with SMTP id C386815187 for ; Wed, 13 Oct 1999 08:11:53 -0700 (PDT) (envelope-from patrick@mindstep.com)
Received: (qmail 3193 invoked from network); 13 Oct 1999 15:11:43 -0000
Received: from unknown (HELO patrak) (192.168.10.25) by jacuzzi.local.mindstep.com with SMTP; 13 Oct 1999 15:11:43 -0000
Message-ID: <00a801bf158d$421afc20$190aa8c0@local.mindstep.com>
From: "Patrick Bihan-Faou"
To: "David G Andersen"
Cc: , ,
References: <199910131428.KAA11701@khavrinen.lcs.mit.edu> <199910131436.IAA02185@faith.cs.utah.edu>
Subject: Re: FreeSSH
Date: Wed, 13 Oct 1999 11:11:43 -0400
Organization: MindStep Corporation
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All,

> It strikes me that having the base system be slightly more decomposed
> could be advantageous. It would be great to be able to do something like:
>
> pkg_delete lp
> pkg_delete yp
>
> Has anyone done/tried this in the past, and if so, what was the
> reaction? Or what do people think? I realize this sounds a bit like the
> "everything is an rpm or dpkg" methodology from Linux, but as long as the
> 'base' packages are handled automatically, then it shouldn't impose the
> same inconvenience.

I think that it would be the next best thing since the package/ports system (as well as a logical step forward). I would love to see most of the things that are installed with a "make world" also be registered in the package database. This would make things like upgrading bind, removing sendmail etc. a lot easier.

However I think that this discussion goes beyond the scope of the "security" mailing list. I copied it to the "current" and "stable" lists as well. I guess the discussion should be held in "current"...

Patrick.

--
MindStep Corporation
www.mindstep.com

From owner-freebsd-security Wed Oct 13 8:13:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 0F1C615428 for ; Wed, 13 Oct 1999 08:13:37 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id LAA22106; Wed, 13 Oct 1999 11:13:12 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Wed, 13 Oct 1999 11:13:12 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: David G Andersen
Cc: freebsd-security@freebsd.org
Subject: Re: FreeSSH
In-Reply-To: <199910131436.IAA02185@faith.cs.utah.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Oct 1999, David G Andersen wrote:

> Someone brought up the idea of removing 'uucp' from the collection, and
> this got me thinking a bit. If I set up a system that I wish to be
> secure (and which I'm not going to be actively maintaining), I typically
> go through and delete components I don't need - YP, UUCP, cu, tip,
> the lp subsystem, etc. (In addition to the standard "remove the setuid
> bit from everything that's not going to be needed" trick).
>
> It strikes me that having the base system be slightly more decomposed
> could be advantageous. It would be great to be able to do something like:
>
> pkg_delete lp
> pkg_delete yp
>
> Has anyone done/tried this in the past, and if so, what was the
> reaction? Or what do people think? I realize this sounds a bit like the
> "everything is an rpm or dpkg" methodology from Linux, but as long as the
> 'base' packages are handled automatically, then it shouldn't impose the
> same inconvenience.

I think this would be a great idea--on Monday, I decided to experiment with a friend of mine who had not previously installed FreeBSD. I sat him down at an e-machine I just bought, and said "install unix". The results were very interesting--I'll be submitting a set of PRs for some of the things (for example, on reboot following install, it says to remove floppies--but not the cdrom he booted off of, so it booted straight back onto the cdrom after the reboot).

But the reason I raise this is that one of the confusions was the difference between "distributions" and "packages". Distributions don't remember what is installed, so the checkboxes don't appear on rerunning /stand/sysinstall, and distributions also don't do dependencies. Also, it doesn't look like packages can depend on distributions in an automated manner (netscape on compat22, for example).
Moving to using packaging for more of the base system would be nice from this perspective, and from the perspective of a security todo list -- as you suggest, "remove uucp" is a lot easier to do if you can say "pkg_delete uucp" :-). It would also allow us to perhaps deal better with binary rereleases of code to patch security holes, as the rpm folk seem to do--upgrade your uucp by a minor version number, not upgrade your whole system or recompile from source with the emailed patch. This might make upgrading over security problems more accessible.

Of course, it doesn't help with syncing source and binary installs, which raises the expected "now the source tree should reflect the packages"... Certainly packaging X11 makes immediate sense--turning the rest of the system into packages might require significant source restructuring? Or at least, some easy tagging in the source files to say "uucp-3.2" vs "uucp-3.2.1" so it's possible to tell what official package versions match which source versions. Or, if you're really nuts, do it at file-level granularity, and have cvs versions reflect package versions...
Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Wed Oct 13 8:30:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id AAE6215240 for ; Wed, 13 Oct 1999 08:30:47 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA12034; Wed, 13 Oct 1999 11:30:45 -0400 (EDT) (envelope-from wollman)
Date: Wed, 13 Oct 1999 11:30:45 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199910131530.LAA12034@khavrinen.lcs.mit.edu>
To: Robert Watson
Cc: David G Andersen , freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
In-Reply-To:
References: <199910131436.IAA02185@faith.cs.utah.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> do--upgrade your uucp by a minor version number, not upgrade your whole
> system or recompile from source with the emailed patch.
[...]
> tagging in the source files to say "uucp-3.2" vs "uucp-3.2.1" so it's
> possible to tell what official package versions match which source
> versions.

This makes a lot of people very uncomfortable. We have tried very hard to avoid user-visible internal versioning -- either you have ``the version that came with FreeBSD X.X'' or you don't. What you suggest is not without merit, but it also opens up a can of worms many of us would rather see remain closed.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Oct 13 8:51:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id F3C5F14BE7 for ; Wed, 13 Oct 1999 08:51:34 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id D8BD11C4D; Wed, 13 Oct 1999 10:54:30 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by jade.chc-chimes.com (Postfix) with ESMTP id C98A0381A; Wed, 13 Oct 1999 10:54:30 -0400 (EDT)
Date: Wed, 13 Oct 1999 10:54:30 -0400 (EDT)
From: Bill Fumerola
To: Greg Lewis
Cc: freebsd-security@freebsd.org
Subject: Re: FreeSSH
In-Reply-To: <199910130258.MAA62519@ares.maths.adelaide.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Oct 1999, Greg Lewis wrote:

> Do folks have any thoughts on whether most people do/should install ssh?

The smart ones do.

I'm all for ssh in the base tree, but Theo's interpretation of the license isn't enough for me to think that it's okay. I haven't looked at the license either.
--
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Wed Oct 13 8:54:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from primary.rci.net (mail.rci.net [209.251.132.252]) by hub.freebsd.org (Postfix) with ESMTP id 09ADC15300 for ; Wed, 13 Oct 1999 08:54:31 -0700 (PDT) (envelope-from jar@mail.integratus.com)
Received: from integratus.com (162.p1.dialup.gru.net [198.190.223.162]) by primary.rci.net (8.9.3/8.9.3) with ESMTP id LAA75991; Wed, 13 Oct 1999 11:53:51 -0400 (EDT) (envelope-from jar@mail.integratus.com)
Message-ID: <3804AB20.2C7A97C9@integratus.com>
Date: Wed, 13 Oct 1999 11:54:08 -0400
From: Jack Rusher
Organization: Integratus, Inc.
X-Mailer: Mozilla 4.61 [en] (X11; I; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Garrett Wollman
Cc: Robert Watson , David G Andersen , freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
References: <199910131436.IAA02185@faith.cs.utah.edu> <199910131530.LAA12034@khavrinen.lcs.mit.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Garrett Wollman wrote:
>
> This makes a lot of people very uncomfortable. We have tried very
> hard to avoid user-visible internal versioning -- either you have
> ``the version that came with FreeBSD X.X'' or you don't. What you
> suggest is not without merit, but it also opens up a can of worms many
> of us would rather see remain closed.

Should this thread be moved to FreeBSD-current, or FreeBSD-hackers? In either case, I think there is a potential for some really good ideas to come out of this discussion, so let's move it and keep talking about it.
First, let me say that the install process for FreeBSD is sweeter than the install process for any commercial OS I have ever used; kudos to the people who built what we have now. Now, here are some thoughts (on this, and on a parallel subject):

Administration would probably be greatly simplified by a "Chinese menu" approach to system configuration. It would be very useful to a lot of admins (especially the less senior ones) to be able to specify what they want with a series of check boxes which add things to a super minimal base install. It would also make removing things a hell of a lot easier for the security (and resource) conscious among us. There are certainly some non-trivial issues involved with setting up a build policy that would facilitate use of cvsup to remain in sync with the most modern version of the OS, but I think it is worth looking at.

Also, I really like the Solaris model of having an /etc/system file that instructs a very minimal kernel on how to load the modules that are required to run the hardware and services that are configured for that machine. I would like to see FreeBSD move towards a modular architecture that allows new hardware to be installed without recompiling the kernel. I know a lot of work has been done in this direction (just look at the way vinum works), but it would be interesting to see how far we could push this mode of system organization.

It seems to me that both the modular kernel and package oriented software install methods could be merged into a nice little dependency tree that allows very fine grained control over system configuration.

Comments?

--
Jack Rusher, Chief Engineer | mailto:jar@integratus.com
Integratus, Inc.
| http://www.integratus.com

From owner-freebsd-security Wed Oct 13 9:12:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 37F1A152BA; Wed, 13 Oct 1999 09:12:22 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 2022C1C4D; Wed, 13 Oct 1999 11:15:22 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by jade.chc-chimes.com (Postfix) with ESMTP id 1C8CF381A; Wed, 13 Oct 1999 11:15:22 -0400 (EDT)
Date: Wed, 13 Oct 1999 11:15:22 -0400 (EDT)
From: Bill Fumerola
To: Thomas Stromberg
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org, peter@freebsd.org
Subject: Re: ipfilter no longer in -CURRENT, whats the direction? (off to ipfw?)
In-Reply-To: <38047FB1.D7B282AD@rtci.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Oct 1999, Thomas Stromberg wrote:

> So my question is, what's the direction we're taking here?

The author was given commit privileges to maintain this in the tree; obviously this was not done. Peter encouraged a KLD port, and I hope someone steps up and makes one. Others have alluded to upgrading it, but I never see those imports. It's a shame, but I'm glad that Peter cleared the bitrot.
--
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Wed Oct 13 9:22:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id C143C1516E for ; Wed, 13 Oct 1999 09:22:53 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 7FE401C52; Wed, 13 Oct 1999 11:25:53 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by jade.chc-chimes.com (Postfix) with ESMTP id 7B766381A; Wed, 13 Oct 1999 11:25:53 -0400 (EDT)
Date: Wed, 13 Oct 1999 11:25:53 -0400 (EDT)
From: Bill Fumerola
To: David G Andersen
Cc: freebsd-security@freebsd.org
Subject: Re: FreeSSH
In-Reply-To: <199910131436.IAA02185@faith.cs.utah.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Oct 1999, David G Andersen wrote:

> It strikes me that having the base system be slightly more decomposed
> could be advantageous. It would be great to be able to do something like:
>
> pkg_delete lp
> pkg_delete yp

The new vaporware sysinstall / packaging stuff would do something like this.
--
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Wed Oct 13 9:32:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sivka.rdy.com (sivka.rdy.com [205.149.170.6]) by hub.freebsd.org (Postfix) with ESMTP id CB1D7151E3; Wed, 13 Oct 1999 09:31:07 -0700 (PDT) (envelope-from dima@sivka.rdy.com)
Received: (from dima@localhost) by sivka.rdy.com (8.9.3/8.9.3) id JAA59143; Wed, 13 Oct 1999 09:29:19 -0700 (PDT) (envelope-from dima)
Message-Id: <199910131629.JAA59143@sivka.rdy.com>
Subject: Re: ipfilter no longer in -CURRENT, whats the direction? (off to ipfw?)
In-Reply-To: <199910131302.XAA05892@cheops.anu.edu.au> from Darren Reed at "Oct 13, 1999 11:02:53 pm"
To: Darren Reed
Date: Wed, 13 Oct 1999 09:29:19 -0700 (PDT)
Cc: Thomas Stromberg , freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, peter@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@rdy.com
From: dima@rdy.com (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Darren Reed writes:
> Well, if someone had answered my question (to cvs-committers)
> about getting an account fixed up on freefall(?) so I could use
> cvs again, it might not have been forgotten about for quite so
> long. Maybe I sent the question to the "wrong place", but I
> received no answer to even indicate that! hmpf!

Well, Mark Murray sent a heads-up note quite a while ago about freebsd.org being converted to use krb5. Send him email and I'm sure he'll help you to fix things.
> On a conspiratorial note, I think there are numerous ipfw advocates
> within freebsd who hate that ipfilter is better >;-) Both NetBSD and
> OpenBSD ship with it, and if you're serious about security, maybe
> you should be using OpenBSD anyway, rather than FreeBSD.

Let's not start a flame war here. You posted it to a FreeBSD mailing list. I think it's fairly easy to imagine people's reaction.

>
> Darren
>

-- dima

From owner-freebsd-security Wed Oct 13 9:37:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from relay.veriguard.com (relay.securify.com [207.5.63.61]) by hub.freebsd.org (Postfix) with ESMTP id C94601527E for ; Wed, 13 Oct 1999 09:37:20 -0700 (PDT) (envelope-from tomb@cgf.net)
Received: by relay.veriguard.com; id JAA19504; Wed, 13 Oct 1999 09:35:07 -0700 (PDT)
Received: from unknown(10.5.63.100) by relay.veriguard.com via smap (4.1) id xma019483; Wed, 13 Oct 99 09:34:49 -0700
Message-ID: <3804B4A8.F16F3D07@cgf.net>
Date: Wed, 13 Oct 1999 09:34:48 -0700
From: tomb
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Subject: Re:FreeSSH
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm biased as I spend most of my configuration time removing the unwanted stuff from the vanilla install. I'd like to see a button that says "Don't start/install any services, I'll set them up myself!". But that's getting back to the "SecureBSD" argument. And before anyone says anything about OpenBSD, FreeBSD is so close to being secure enough I'm not about to switch...

--
Tom Brown --------- Webmaster http://www.justmust.com/
Windows have, for 400 years, been providing the devious with easy access to your possessions. At the end of the 20th century this is truer than ever.
From owner-freebsd-security Wed Oct 13 10:35:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from peach.ocn.ne.jp (peach.ocn.ne.jp [210.145.254.87]) by hub.freebsd.org (Postfix) with ESMTP id 0BDE8153D3; Wed, 13 Oct 1999 10:35:18 -0700 (PDT) (envelope-from dcs@newsguy.com)
Received: from newsguy.com (p21-dn01kiryunisiki.gunma.ocn.ne.jp [210.132.6.150]) by peach.ocn.ne.jp (8.9.1a/OCN) with ESMTP id CAA07517; Thu, 14 Oct 1999 02:35:00 +0900 (JST)
Message-ID: <3804BF83.A3E8D3@newsguy.com>
Date: Thu, 14 Oct 1999 02:21:07 +0900
From: "Daniel C. Sobral"
X-Mailer: Mozilla 4.7 [en] (Win98; I)
X-Accept-Language: en,pt-BR,ja
MIME-Version: 1.0
To: Thomas Stromberg
Cc: freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, peter@FreeBSD.ORG
Subject: Re: ipfilter no longer in -CURRENT, whats the direction? (off to ipfw?)
References: <38047FB1.D7B282AD@rtci.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thomas Stromberg wrote:
>
> It's a shame that no one seems to want to maintain ipfilter in our tree.
> As far as a 'port building kld', I think this may not be the 'smartest'
> way, seeing as anyone who is running a serious firewall would disable
> kld's immediately anyhow.

Your concerns notwithstanding, a kld is viable. A kld can be loaded by, well, the loader.

--
Daniel C. Sobral (8-DCS)
dcs@newsguy.com
dcs@freebsd.org

"I always feel generous when I'm in the inner circle of a conspiracy to subvert the world order and, with a small group of allies, just defeated an alien invasion. Maybe I should value myself a little more?"
From owner-freebsd-security Wed Oct 13 11:19:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id BB65A152D3 for ; Wed, 13 Oct 1999 11:19:30 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1281 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Wed, 13 Oct 1999 13:14:02 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Wed, 13 Oct 1999 13:14:01 -0500 (CDT)
From: James Wyatt
To: Greg Lewis
Cc: freebsd-security@freebsd.org
Subject: Re: FreeSSH
In-Reply-To: <199910130258.MAA62519@ares.maths.adelaide.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Oct 1999, Greg Lewis wrote:
> In the interests of minimising bloat we could balance its inclusion by
> deleting something like, say, uucp.
> (:-) for the uucps users)

As another heavy UUCP user on several machines here (and owner of CD sets for 2.26/2.28/3.2/3.3/etc...) I wouldn't mind a well-done package if it still used /etc/uucp and added the UUCP user. I also would not mind it being another optional binset on the install.

I have been saving a fair amount of room on my hosts by removing the yp executables we *never* want and the 3MB+ of Japanese manpages we can't read. I'm sure there are more examples of 'things that could be default unchecked boxes in the install' things.
- Jy@

From owner-freebsd-security Wed Oct 13 13:11: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sparc.sweb.com (ip-150-253.gw.total-web.net [209.186.150.253]) by hub.freebsd.org (Postfix) with ESMTP id 5E0DA1519C; Wed, 13 Oct 1999 13:10:52 -0700 (PDT) (envelope-from zaph0d@sparc.sweb.com)
Received: from localhost by sparc.sweb.com (8.9.3/8.9.3) with SMTP id QAA12539; Wed, 13 Oct 1999 16:05:54 -0400 (EDT)
Date: Wed, 13 Oct 1999 16:05:53 -0400 (EDT)
From:
To: Thomas Stromberg
Cc: freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, peter@FreeBSD.ORG
Subject: Re: ipfilter no longer in -CURRENT, whats the direction? (off to ipfw?)
In-Reply-To: <38047FB1.D7B282AD@rtci.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I also must agree that for many tasks IP Filter proves superior to IPFW and NATD for many things which I do. It seems much more straightforward, more configurable, and also in many respects more stable and reliable. It would not bother me in the least if they simply yanked ipfw and natd from the src tree, and included ipf/ipnat by default (not in contrib). If no one else desires to do so, I'd be happy to maintain whatever communication or porting is necessary to keep it current and included in the standard FreeBSD distribution.

On Wed, 13 Oct 1999, Thomas Stromberg wrote:

> http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/ipnat/Attic/Makefile
> ------------------------------------------------------------------------
> 1.2 Sun Oct 10 15:08:35 1999 UTC by peter
> CVS Tags: HEAD
> Diffs to 1.1
> FILE REMOVED
>
> Nuke the old antique copy of ipfilter from the tree. This is old enough
> to be dangerous. It will better serve us as a port building a KLD,
> ala SKIP.
> ------------------------------------------------------------------------
>
> Although a heads up in -CURRENT or -security about this would have been
> nice, ye old ipfilter is gone. I definitely cannot disagree with the
> fact that it is an antique copy, and it's a shame that no one seems to
> be taking care of it in the tree. At least in the past, ipfilter was for
> many a much better option than ipfw. Has ipfw improved to the point
> where it functions better as a company firewall than ipfilter? (Okay, so
> the group & user firewalling is neat, but not really applicable for a
> corporate border firewall)
>
> ipfilter's website: http://coombs.anu.edu.au/~avalon/ip-filter.html
>
> For why I feel ipfilter is better than ipfw (this post was written back
> in December '98, ipfw may have changed greatly since):
>
> http://www.freebsd.org/cgi/getmsg.cgi?fetch=117538+122112+/usr/local/www/db/text/1998/freebsd-current/19981227.freebsd-current
> (the big 'wanton atticizing discussion')
>
> A summary of it being:
>
> - Multiplatform. Runs on IRIX, Solaris, Linux. Comes shipped with
> FreeBSD, OpenBSD, and NetBSD. Keeps us in sync with the other BSD's.
> - Better logging than ipfw (has ipfw improved? That's why I switched to
> ipfilter in the first place)
>
> It's a shame that no one seems to want to maintain ipfilter in our tree.
> As far as a 'port building kld', I think this may not be the 'smartest'
> way, seeing as anyone who is running a serious firewall would disable
> kld's immediately anyhow.
>
> So my question is, what's the direction we're taking here?
>
> --
> =======================================================================
> Thomas Stromberg, Assistant IS Manager / Systems Guru
> smtp://tstromberg@rtci.com Research Triangle Commerce, Inc.
> pots://919.380.9771 x3210
> =======================================================================

From owner-freebsd-security Wed Oct 13 15:17:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id DF74514C9A for ; Wed, 13 Oct 1999 15:17:33 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id RAA27018; Wed, 13 Oct 1999 17:14:01 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Wed, 13 Oct 1999 17:14:01 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: James Wyatt
Cc: Greg Lewis , freebsd-security@freebsd.org
Subject: Re: FreeSSH
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Oct 1999, James Wyatt wrote:

> On Wed, 13 Oct 1999, Greg Lewis wrote:
> > In the interests of minimising bloat we could balance its inclusion by
> > deleting something like, say, uucp.
> > (:-) for the uucps users)
>
> As another heavy UUCP user on several machines here (and owner of CD sets
> for 2.26/2.28/3.2/3.3/etc...) I wouldn't mind a well-done package if it
> still used /etc/uucp and added the UUCP user. I also would not mind it
> being another optional binset on the install.

This actually raises another issue that is relevant to the packages/ports/etc system--the addition of new users for services. Some services (uucp, bind, postgres, www, etc..) require new services be added to the system.
Some consistency in the allocation of uid's, and a formal policy for which uid's should be used might be nice :-). Maybe one exists and I have missed it... But adding users is clearly relevant to a system security policy. Removing users is also relevant--right now many ports that require user modification don't get packages, perhaps for this reason. But if more of the world uses packages, it would be nice to know if, say, pkg_add will overwrite a current user, or end up with a uid that already owns some files, and that pkg_delete would or would not remove the user in a consistent and complete way. Right now we encourage the use of uid's over 1000 for new users, but documenting this would be a good idea: "local users SHOULD be given a unique uid >= 1000 -- values less than 1000 are reserved for built-in accounts, and for add-on packages" or the like. For the purposes of NFS, it seems desirable that when a package is installed, it use the same uid consistently?

I'm not sure the correct course of action is clear in my mind, but whatever it is, it is certainly security-relevant.
Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Wed Oct 13 15:26:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mug.adhesivemedia.com (mug.adhesivemedia.com [207.202.159.73]) by hub.freebsd.org (Postfix) with ESMTP id BD13915494 for ; Wed, 13 Oct 1999 15:26:37 -0700 (PDT) (envelope-from philip@adhesivemedia.com)
Received: from localhost (philip@localhost) by mug.adhesivemedia.com (8.9.3/8.9.3) with ESMTP id PAA28017 for ; Wed, 13 Oct 1999 15:27:48 -0700 (PDT) (envelope-from philip@adhesivemedia.com)
Date: Wed, 13 Oct 1999 15:27:48 -0700 (PDT)
From: Philip Hallstrom
To: freebsd-security@freebsd.org
Subject: pipsecd example?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all -

I'm a newbie when it comes to tunneling and I was hoping someone could help me with an example. From what I can tell pipsecd is the way to go. (I borrowed this picture from one of the posts here since it's so nice :)

My setup:

             [---------]                                    [---------]
             [ FreeBSD ]                                    [ FreeBSD ]
  LAN A    --[    1    ]-- 1.1.1.1 -> INTERNET <- 2.2.2.2 --[    2    ]--    LAN B
  10.0.0.x   [   3.2   ]                                    [   3.2   ]   10.2.0.x
             [---------]                                    [---------]

I've looked through the pipsecd.conf and it baffles me. For example -- where do the values for the various keys come from?

Also, a general question. If I'm on client 10.2.0.5 and telnet to 10.0.0.5, will it say that I am from 10.2.0.5 or from 2.2.2.2?

Thanks!
From owner-freebsd-security Wed Oct 13 15:36:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id A0CB515481 for ; Wed, 13 Oct 1999 15:36:25 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (ind.alcatel.com 2.3 [OUT])) id PAA03031; Wed, 13 Oct 1999 15:36:14 -0700 (PDT)
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id PAA11326; Wed, 13 Oct 1999 15:36:14 -0700
Received: from softweyr.com (dyn0.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA14859; Wed, 13 Oct 99 15:35:51 PDT
Message-Id: <3805095B.FA25BBA5@softweyr.com>
Date: Wed, 13 Oct 1999 16:36:11 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: Garrett Wollman
Cc: Greg Lewis , freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
References: <199910130258.MAA62519@ares.maths.adelaide.edu.au> <199910131428.KAA11701@khavrinen.lcs.mit.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Garrett Wollman wrote:
>
> < said:
>
> > If there is an appropriately licensed much more secure
> > version of this functionality available then it would seem a good idea
> > to have it in the base install too
>
> Between the US Commerce Department and the US Patent and Trademark
> Office, it would be very difficult to arrive at an ``appropriately
> licensed much more secure version''.

It is important to keep in mind that we would be EXPORTING the discs and the source code. This is still a tough act to pull off; the "easing of restrictions" didn't ease this restriction.
> > However, I'm guessing that a lot of
> > sysadmins install ssh as their first act on a new install. Maybe when
> > this reaches _most_ sysadmins it would be a candidate for the base
> > system?
>
> Most sysadmins install either bash or tcsh as their first act on a new
> install.

Followed by less, emacs, and xv. ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/

From owner-freebsd-security Wed Oct 13 15:56:32 1999
Delivered-To: freebsd-security@freebsd.org
Received: from primary.rci.net (mail.rci.net [209.251.132.252]) by hub.freebsd.org (Postfix) with ESMTP id 00F7414F5E for ; Wed, 13 Oct 1999 15:56:11 -0700 (PDT) (envelope-from jar@mail.integratus.com)
Received: from integratus.com (162.p1.dialup.gru.net [198.190.223.162]) by primary.rci.net (8.9.3/8.9.3) with ESMTP id SAA78345; Wed, 13 Oct 1999 18:55:33 -0400 (EDT) (envelope-from jar@mail.integratus.com)
Message-ID: <38050DF7.768902E7@integratus.com>
Date: Wed, 13 Oct 1999 18:55:51 -0400
From: Jack Rusher
Organization: Integratus, Inc.
X-Mailer: Mozilla 4.61 [en] (X11; I; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Robert Watson
Cc: James Wyatt , Greg Lewis , freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert Watson wrote:
>
> "local users SHOULD be given a unique uid >= 1000 -- values less than 1000
> are reserved for built-in accounts, and for add-on packages" or the like.
> For the purposes of NFS, it seems desirable that when a package is
> installed, it use the same uid consistently?
>
> I'm not sure the correct course of action is clear in my mind, but
> whatever it is, it is certainly security-relevant.
It seems to me that an /etc/services style mapping of services to UIDs would be an excellent idea. This sort of standardization would make the world work a little more smoothly.

--
Jack Rusher, Chief Engineer | mailto:jar@integratus.com
Integratus, Inc. | http://www.integratus.com

From owner-freebsd-security Wed Oct 13 16:28:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id C9CCB14EC3; Wed, 13 Oct 1999 16:27:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id BB0401CD584; Wed, 13 Oct 1999 16:27:59 -0700 (PDT) (envelope-from kris@hub.freebsd.org)
Date: Wed, 13 Oct 1999 16:27:59 -0700 (PDT)
From: Kris Kennaway
To: Wes Peters
Cc: Garrett Wollman , Greg Lewis , freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
In-Reply-To: <3805095B.FA25BBA5@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Oct 1999, Wes Peters wrote:

> > Between the US Commerce Department and the US Patent and Trademark
> > Office, it would be very difficult to arrive at an ``appropriately
> > licensed much more secure version''.
>
> It is important to keep in mind that we would be EXPORTING the discs
> and the source code. This is still a tough act to pull off; the
> "easing of restrictions" didn't ease this restriction.

Well, it'd probably go in the src/crypto collection, so it's not really an issue there.

Kris

----
XOR for AES -- join the campaign!
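[Editor's added example, not a message from the thread and not FreeBSD's pkg_add/pkg_delete code.] Robert Watson's message above asks what pkg_add should do when a service account already exists under a different uid, or the registered uid already owns files, and Jack Rusher's reply proposes an /etc/services-style mapping from service names to fixed uids. The Python below models both as a pre-install check: a registry file (its name, /etc/uids, and its two-column format are assumptions), the collision checks an installer would run before creating the account, and a scan for files whose owner uid no longer exists after pkg_delete. The passwd lines, registry and file-ownership table are constructed for the example.

```python
"""Added example, not code from the thread or from FreeBSD's pkg tools.
Models Robert Watson's questions (what should pkg_add do when the service
account exists under another uid, or its uid already owns files?) and Jack
Rusher's /etc/services-style registry of service names to fixed uids.
The registry file /etc/uids and its format are assumptions; all data below
is constructed for the example.
"""
from typing import Dict, List

LOCAL_UID_MIN = 1000  # the thread's policy: local users get uid >= 1000


def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> uid from passwd(5) or master.passwd(5) text.
    Both layouts keep the name and uid in fields 0 and 2."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = int(f[2])
    return users


def parse_registry(text: str) -> Dict[str, int]:
    """Hypothetical /etc/uids: one '<service> <uid>' per line, '#' comments."""
    registry: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, uid = line.split()
            registry[name] = int(uid)
    return registry


def check_service_account(name: str, users: Dict[str, int],
                          registry: Dict[str, int]) -> List[str]:
    """Problems an installer should refuse on before creating `name`.
    Empty list: the account exists with the registered uid, or can be
    created with it without colliding with anyone."""
    if name not in registry:
        return [f"{name}: no registered uid; refusing to pick one ad hoc"]
    want = registry[name]
    problems: List[str] = []
    if want >= LOCAL_UID_MIN:
        problems.append(f"{name}: registered uid {want} is in the local-user range")
    by_uid = {uid: user for user, uid in users.items()}
    if name in users and users[name] != want:
        # Added by hand earlier under another uid: files on disk and NFS
        # exports carry that uid, so never silently overwrite the entry.
        problems.append(f"{name}: exists with uid {users[name]}, registry says {want}")
    elif name not in users and want in by_uid:
        problems.append(f"{name}: uid {want} already belongs to {by_uid[want]}")
    return problems


def orphaned_owners(file_owners: Dict[str, int],
                    users: Dict[str, int]) -> Dict[int, List[str]]:
    """Files whose owner uid has no passwd entry, e.g. after pkg_delete
    removed the user but not all its files. `file_owners` maps path -> uid;
    on a real host it would come from os.lstat() over the package's list."""
    known = set(users.values())
    orphans: Dict[int, List[str]] = {}
    for path, uid in sorted(file_owners.items()):
        if uid not in known:
            orphans.setdefault(uid, []).append(path)
    return orphans


# Constructed sample data: postgres was added by hand with a local-range uid,
# the registry disagrees, and 'named' is registered on a uid games already has.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
postgres:*:1001:1001:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
jar:*:1002:1002:Jack Rusher:/home/jar:/bin/tcsh
"""
SAMPLE_REGISTRY = """\
# service   uid      (hypothetical /etc/uids)
bind        53
uucp        66
postgres    70
www         80
squid       100
named       7        # constructed collision with 'games'
"""
USERS = parse_passwd(SAMPLE_PASSWD)
REGISTRY = parse_registry(SAMPLE_REGISTRY)
# path -> owner uid, as if gathered after 'pkg_delete squid' dropped uid 100
FILE_OWNERS = {
    "/usr/local/pgsql/data": 1001,
    "/var/spool/uucppublic": 66,
    "/usr/local/etc/squid.conf": 100,
}

if __name__ == "__main__":
    for svc in ("www", "squid", "postgres", "named", "cvsup"):
        print(svc, check_service_account(svc, USERS, REGISTRY) or "ok")
    print("orphaned:", orphaned_owners(FILE_OWNERS, USERS))
```

Run stand-alone it reports www and squid as safe to add, refuses postgres (exists under uid 1001 while the registry says 70) and named (uid 7 already belongs to games), refuses cvsup for lack of a registered uid, and lists /usr/local/etc/squid.conf as owned by the orphaned uid 100. The design point is the one Robert raises: the installer never overwrites or reuses a uid it did not get from the registry, because whatever already owns files under that uid would silently inherit the new service's privileges, locally and over NFS.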
From owner-freebsd-security Wed Oct 13 17:36:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jacuzzi.local.mindstep.com (modemcable156.106-200-24.mtl.mc.videotron.net [24.200.106.156]) by hub.freebsd.org (Postfix) with SMTP id E4DCA14D6D for ; Wed, 13 Oct 1999 17:36:50 -0700 (PDT) (envelope-from patrick@mindstep.com)
Received: (qmail 3640 invoked from network); 14 Oct 1999 00:36:49 -0000
Received: from unknown (HELO patrak) (192.168.10.25) by jacuzzi.local.mindstep.com with SMTP; 14 Oct 1999 00:36:49 -0000
Message-ID: <029001bf15dc$33f44c60$190aa8c0@local.mindstep.com>
From: "Patrick Bihan-Faou"
To: "Philip Hallstrom" ,
References:
Subject: Re: pipsecd example?
Date: Wed, 13 Oct 1999 20:36:49 -0400
Organization: MindStep Corporation
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

> My setup:
>
>              [---------]                                    [---------]
>              [ FreeBSD ]                                    [ FreeBSD ]
>   LAN A    --[    1    ]-- 1.1.1.1 -> INTERNET <- 2.2.2.2 --[    2    ]--    LAN B
>   10.0.0.x   [   3.2   ]                                    [   3.2   ]   10.2.0.x
>              [---------]                                    [---------]
>
>
> I've looked through the pipsecd.conf and it baffles me. For example --
> where do the values for the various keys come from?

Your imagination... As long as one end's remote key(s) is the other end's local key(s). There is a mistake in the sample configuration file. I will correct it sometime...

> Also, a general question. If I'm on client 10.2.0.5 and telnet to
> 10.0.0.5, will it say that I am from 10.2.0.5 or from 2.2.2.2?

Well it depends... If you are not running nat on the "tunX" interface (which should be the standard case), then you will be coming from 10.2.0.5.
The "tunX" interface looks and behaves (almost) exactly as if you had a NIC card connected to a network with only 2 hosts (the local one and the remote one). The only difference is that instead of having a hardware connection (an ethernet wire), it has a software one (pipsecd). BTW, this also means that it needs an IP address on the network you chose as the "tunnel" network.

Patrick.

From owner-freebsd-security Wed Oct 13 17:59:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from tok.qiv.com (tok.qiv.com [205.238.142.68]) by hub.freebsd.org (Postfix) with ESMTP id 0B9FE152C8 for ; Wed, 13 Oct 1999 17:59:31 -0700 (PDT) (envelope-from jdn@acp.qiv.com)
Received: (from uucp@localhost) by tok.qiv.com (MailHost/Current) with UUCP id TAA06673; Wed, 13 Oct 1999 19:59:05 -0500 (CDT)
Received: from localhost (jdn@localhost) by acp.qiv.com (8.9.3/8.9.2) with ESMTP id TAA01272; Wed, 13 Oct 1999 19:37:39 -0500 (CDT) (envelope-from jdn@acp.qiv.com)
Date: Wed, 13 Oct 1999 19:37:39 -0500 (CDT)
From: Jay Nelson
To: "f.johan.beisser"
Cc: Greg Lewis , freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> In the interests of minimising bloat we could balance its inclusion by
>> deleting something like, say, uucp.
>> (:-) for the uucps users)
>
>actually, i don't think this is a good idea. there are still a few (very
>few.. i hope) networks and LAN's that use UUCP for mail transfer and such.
>in keeping FreeBSD as portable and usable by as many users as possible, it
>would.. well, screw them over.
I'll second that opinion, though I have to admit, ssh is the second thing I install;)

-- Jay

From owner-freebsd-security Wed Oct 13 18:41:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cyberax.ru (ns.cyberax.ru [195.210.143.1]) by hub.freebsd.org (Postfix) with ESMTP id 1D058153C4 for ; Wed, 13 Oct 1999 18:40:14 -0700 (PDT) (envelope-from kostya@cyberax.ru)
Received: from cyberax.ru (c2-xp142.cyberax.ru [195.210.143.142]) by cyberax.ru (8.8.8/8.8.8) with ESMTP id FAA26149 for ; Thu, 14 Oct 1999 05:42:00 +0400
Message-ID: <3805348A.39EDE4C2@cyberax.ru>
Date: Thu, 14 Oct 1999 05:40:26 +0400
From: "Konstantin I. Shtabalyuk-"
X-Mailer: Mozilla 4.61 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: ru, en, pl
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
References: <199910131420.XAA70912@ares.maths.adelaide.edu.au>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greg Lewis wrote:
>
> > > In the interests of minimising bloat we could balance its inclusion by
> > > deleting something like, say, uucp.
> > > (:-) for the uucps users)
>

It would be nice if you could delete something like yp* or uucp*, but this can't be done as a package; it must lie in another plane, OS capability or compatibility, but please don't do it as a package! It would look better if we had the possibility of doing something like an option at buildworld time.

> > I'm a proud UUCP user, but I wouldn't mind having to install it as a
> > package, if the final result will be the same (modulo a couple of sed
> > -e "s@usr@usr/local@g" maybe).
>

I know many places where UUCP is in use :( This is not a joke, this is reality.
> I didn't mean to give any offense to uucp users -- this was a joke :) > > -- > Greg Lewis glewis@trc.adelaide.edu.au > Computing Officer +61 8 8303 5083 > Teletraffic Research Centre > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message Konstantin I. Shtabalyuk System Administrator at Cyberax Network. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 13 18:57:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 249221536D for ; Wed, 13 Oct 1999 18:57:41 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id UAA14841; Wed, 13 Oct 1999 20:57:26 -0500 (CDT) (envelope-from jeff-ml@mountin.net) Received: from dial-238.tnt1.rac.cyberlynk.net(209.224.182.238) by peak.mountin.net via smap (V1.3) id sma014837; Wed Oct 13 20:57:06 1999 Message-Id: <3.0.3.32.19991013205157.015e6910@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 13 Oct 1999 20:51:57 -0500 To: Robert Watson From: "Jeffrey J. Mountin" Subject: Re: FreeSSH Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 05:14 PM 10/13/99 -0400, Robert Watson wrote: >This actually raises another issue that is relevant to the >packages/ports/etc system--the addition of new users for services. Some >services (uucp, bind, postgres, www, etc..) require new services be added >to the system. Some consistency in the allocation of uid's, and a formal >policy for which uid's should be used might be nice :-). Maybe one exists >and I have missed it... 
But adding users is clearly relevant to a system >security policy. Removing users is also relevant--right now many ports >that require user modification don't get packages, perhaps for this >reason. But if more of the world uses packages, it would be nice to know >if, say, pkg_add will overwrite a current user, or end up with a uid that >already owns some files, and that pkg_delete would or would not remove the >user in a consistent and complete way. Right now we encourage the use of >uid's over 1000 for new users, but documenting this would be a good idea >"local users SHOULD be given a unique uid >= 1000 -- values less than 1000 >are reserved for built-in accounts, and for add-on packages" or the like. >For the purposes of NFS, it seems desirable that when a package is >installed, it use the same uid consistently? > >I'm not sure the correct course of action is clear in my mind, but >whatever it is, it is certainly security-relevant. Many of the "users" are nologin for shell and sometimes nonexistant for their home. What risk would there be with both? In most cases there would be no files owned by them. More importantly the package installer would not have to deal with trying to add a UID that might have been added manually. Adds a certain level of complexity to a distribution packaging system. I'm all for such a system to make things more flexible and easier for new/inexperienced users, but don't need it personally. Think that most of such work should be done before sysinstall is improved. Sure jkh will agree. ;0 First thing would be too add knobs for buildworld, which has been requested several times. Then registration via the package system. At the same time doing a buildworld should then do some checking with the listings in /var/db/pkg or var/db/pkg/system, interactively most likely - something like "you installed this" and the option to add or delete others before continuing. Once that works out then sysinstall is revamped. 
Additions could then be done at build time or via sysinstall and should be honored either way.

Allowing for a minimalist approach should also help security. Most servers don't need UUCP, NIS, lp, but there are many others like sendmail, DHCP, etc. Even the libraries could be broken down, but finer granularity adds complexity and the greater chance of dependency problems. Maybe this should be started with the most commonly unused features that have few dependencies, one bite at a time and not as some huge project.

If we go the other route via sysinstall, building from source would clobber manually installed packages or add unwanted ones. Not to mention that the changes would affect many more users and not those that already customize things. We all should know what that means.

my .02

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
'86 Yamaha MaxiumX (not FBSD powered)

From owner-freebsd-security Wed Oct 13 22:36:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.enteract.com (mail.enteract.com [207.229.143.33]) by hub.freebsd.org (Postfix) with ESMTP id DDB8014F5A for ; Wed, 13 Oct 1999 22:36:34 -0700 (PDT) (envelope-from dscheidt@enteract.com)
Received: from shell-1.enteract.com (dscheidt@shell-1.enteract.com [207.229.143.40]) by mail.enteract.com (8.9.3/8.9.3) with SMTP id AAA38848; Thu, 14 Oct 1999 00:36:23 -0500 (CDT) (envelope-from dscheidt@enteract.com)
Date: Thu, 14 Oct 1999 00:36:23 -0500 (CDT)
From: David Scheidt
To: Jay Nelson
Cc: "f.johan.beisser", Greg Lewis, freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Oct 1999, Jay Nelson wrote:
>
> >> In the interests of minimising bloat we could balance its inclusion by
> >> deleting something like, say, uucp.
> >> (:-) for the uucps users)
> >
> >actually, i don't think this is a good idea. there are still a few (very
> >few.. i hope) networks and LAN's that use UUCP for mail transfer and such.

Why are you hoping for very few users of UUCP? It works quite well, and is very low maintenance. People who have intermittent connectivity have good reason to still use it. I use it in a couple instances over FTP, because it has spooling and logging facilities built in.

From owner-freebsd-security Wed Oct 13 23:19:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 5AF9D154CA for ; Wed, 13 Oct 1999 23:19:31 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1557 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 14 Oct 1999 01:12:18 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Thu, 14 Oct 1999 01:12:17 -0500 (CDT)
From: James Wyatt
To: David Scheidt
Cc: Jay Nelson, "f.johan.beisser", Greg Lewis, freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 14 Oct 1999, David Scheidt wrote:
> Subject: Re: FreeSSH
> On Wed, 13 Oct 1999, Jay Nelson wrote:
> >
> > >> In the interests of minimising bloat we could balance its inclusion by
> > >> deleting something like, say, uucp.
> > >> (:-) for the uucps users)
> > >
> > >actually, i don't think this is a good idea. there are still a few (very
> > >few.. i hope) networks and LAN's that use UUCP for mail transfer and such.
>
> Why are you hoping for very few users of UUCP? It works quite well, and is
> very low maintenance. People who have intermittent connectivity have good
> reason to still use it. I use it in a couple instances over FTP, because it
> has spooling and logging facilities built in.

And controlled execution of remote commands, but this ain't the UUCP list - Jy@

From owner-freebsd-security Wed Oct 13 23:43: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jason.argos.org (a1-3a123.neo.rr.com [24.93.180.123]) by hub.freebsd.org (Postfix) with ESMTP id 925001519C for ; Wed, 13 Oct 1999 23:42:57 -0700 (PDT) (envelope-from mike@argos.org)
Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id CAA20001; Thu, 14 Oct 1999 02:42:42 -0400
Date: Thu, 14 Oct 1999 02:42:42 -0400 (EDT)
From: Mike Nowlin
To: James Wyatt
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > >actually, i don't think this is a good idea. there are still a few (very
> > > >few.. i hope) networks and LAN's that use UUCP for mail transfer and such.
> >
> > Why are you hoping for very few users of UUCP? It works quite well, and is
> > very low maintenance. People who have intermittent connectivity have good
> > reason to still use it. I use it in a couple instances over FTP, because it
> > has spooling and logging facilities built in.

(This really should move to -net or something...)

If we're going to entertain the idea of making UUCP a port, we should entertain the idea of replacing it with something equally suited to moving files over a modem, and FTP+PPP doesn't qualify -- too many points of failure. I hate to admit it, but C-Kermit comes to mind.
You need to have SOMETHING in there that lets you do two key things - move files, and talk directly to a serial port. Minicom works, but it relies on also having zmodem, etc. installed as well.

As the maintainer of 200+ FreeBSD/Linux/Coherent (yuk!) systems spread across northern Ohio in the harshest environments I've ever seen (nursing homes -- they make steel mills look clean :) ), having these gut-level utilities as part of a base install is really handy when some patient pours his calcium-and-sugar-rich dietary supplement into the power supply fan... Not to mention that Coherent doesn't do TCP/IP (but they DID finally get X working before they went under... :) )

mike

From owner-freebsd-security Thu Oct 14 2: 5:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id EF40D14BFC for ; Thu, 14 Oct 1999 02:05:51 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id CAA03026; Thu, 14 Oct 1999 02:04:52 -0700 (PDT)
Message-ID: <19991014020452.A2240@best.com>
Date: Thu, 14 Oct 1999 02:04:52 -0700
From: "Jan B. Koum"
To: Ollivier Robert, FreeBSD Security ML
Subject: Re: anti-spoofing
References: <10882.991003@cityline.ru> <19991004001028.A1795@keltia.freenix.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <19991004001028.A1795@keltia.freenix.fr>; from Ollivier Robert on Mon, Oct 04, 1999 at 12:10:28AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[sorry about getting here a few days late -- way WAY behind on my email]

I think people should be blocking the following in addition to rfc1918:

!see http://www.ietf.org/internet-drafts/draft-manning-dsua-01.txt
deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
! example.{com|net}, DHCP default and Multicast
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 0.15.255.255 any log

Above is from my cisco router. I'd say the first two lines are probably more important than the last three.

-- Yan

On Mon, Oct 04, 1999 at 12:10:28AM +0200, Ollivier Robert wrote:
> According to Dmitriy Bokiy:
> > Where can I find _the complete_ list of addresses to be blocked?
>
> RFC-1918.
>
> It includes the following networks:
>
> 10.0.0.0/8 (in old pre-CIDR world, an A-class network)
> 172.16.0.0/12 (in old pre-CIDR world, 16 B-class networks)
> 192.168.0.0/16 (in old pre-CIDR world, 256 C-class networks).
>
> Don't forget to refuse your own prefixes on your incoming interface... That
> is, if you have a.b.c.d/n, you need to refuse this prefix on the incoming
> interface of your router.
> --
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999

From owner-freebsd-security Thu Oct 14 2:22:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id 3B83914C19 for ; Thu, 14 Oct 1999 02:22:37 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id TAA27074; Thu, 14 Oct 1999 19:24:20 +1000 (EST)
From: Darren Reed
Message-Id: <199910140924.TAA27074@cheops.anu.edu.au>
Subject: Re: anti-spoofing
To: jkb@best.com (Jan B. Koum)
Date: Thu, 14 Oct 1999 19:24:19 +1000 (EST)
Cc: roberto@keltia.freenix.fr, freebsd-security@FreeBSD.ORG
In-Reply-To: <19991014020452.A2240@best.com> from "Jan B. Koum" at Oct 14, 99 02:04:52 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Jan B. Koum, sie said:
[...]
> deny ip 224.0.0.0 0.15.255.255 any log

That's a bad range to block - well, maybe not if you have no intention of using multicast.

Darren

From owner-freebsd-security Thu Oct 14 2:26:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from enst.enst.fr (enst.enst.fr [137.194.2.16]) by hub.freebsd.org (Postfix) with ESMTP id DC5A614BFC for ; Thu, 14 Oct 1999 02:26:13 -0700 (PDT) (envelope-from beyssac@enst.fr)
Received: from bofh.enst.fr (bofh-2.enst.fr [137.194.2.37]) by enst.enst.fr (8.9.1a/8.9.1) with ESMTP id LAA07585; Thu, 14 Oct 1999 11:25:57 +0200 (MET DST)
Received: by bofh.enst.fr (Postfix, from userid 12426) id 658BAD226; Thu, 14 Oct 1999 11:25:57 +0200 (CEST)
Message-ID: <19991014112557.B37800@enst.fr>
Date: Thu, 14 Oct 1999 11:25:57 +0200
From: Pierre Beyssac
To: Patrick Bihan-Faou, Philip Hallstrom, freebsd-security@FreeBSD.ORG
Subject: Re: pipsecd example?
References: <029001bf15dc$33f44c60$190aa8c0@local.mindstep.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <029001bf15dc$33f44c60$190aa8c0@local.mindstep.com>; from Patrick Bihan-Faou on Wed, Oct 13, 1999 at 08:36:49PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Oct 13, 1999 at 08:36:49PM -0400, Patrick Bihan-Faou wrote:
> Your imagination... As long as one end's remote key(s) is the other end's
> local key(s). There is a mistake in the sample configuration file. I will
> correct it sometime...

You're quite right, I realized that a few weeks ago:

diff -r1.2 -r1.3
42c42
< sa ipesp spi=1001 enc=blowfish_cbc ekey=d00db00fd00d00d00db00fd00dc00e dest=5.6.7.8
---
> sa ipesp spi=1001 enc=blowfish_cbc ekey=d00db00fd00d00d00db00fd00dc00e

Sorry about the confusion. I really have to write that manpage...

> ethernet wire), it has a software one (pipsecd). BTW, this also means that
> it needs an IP address on the network you chose as the "tunnel" network.

Right.
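Review bot: the `ekey=d00db00fd00d00d00db00fd00dc00e` value on the `sa ipesp` line survives the change as a literal sample key; since the reply notes that users copy the sample configuration while the manpage is still unwritten, the line should carry an obvious placeholder or a comment saying the key must be generated per site, so the corrected sample is not deployed with a published key. A one-line comment in the sample stating why `dest=5.6.7.8` no longer belongs on the `sa` line would also close the documentation gap the reply acknowledges.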
It's a good idea to use an RFC 1918 network number if you don't want to change your subnetting or your addressing plan.

--
Pierre Beyssac pb@enst.fr

From owner-freebsd-security Thu Oct 14 2:39: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 0E67B153C2 for ; Thu, 14 Oct 1999 02:38:47 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 67023 invoked by uid 1001); 14 Oct 1999 09:38:46 +0000 (GMT)
To: avalon@coombs.anu.edu.au
Cc: jkb@best.com, roberto@keltia.freenix.fr, freebsd-security@FreeBSD.ORG
Subject: Re: anti-spoofing
From: sthaug@nethelp.no
In-Reply-To: Your message of "Thu, 14 Oct 1999 19:24:19 +1000 (EST)"
References: <199910140924.TAA27074@cheops.anu.edu.au>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Thu, 14 Oct 1999 11:38:46 +0200
Message-ID: <67021.939893926@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > deny ip 224.0.0.0 0.15.255.255 any log
>
> That's a bad range to block - well, maybe not if you have no intention of using multicast.

No, it's a good range to block. Always. Because you never want to have multicast addresses as *source* address.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Thu Oct 14 2:47: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from enst.enst.fr (enst.enst.fr [137.194.2.16]) by hub.freebsd.org (Postfix) with ESMTP id 53B8314D75 for ; Thu, 14 Oct 1999 02:47:01 -0700 (PDT) (envelope-from beyssac@enst.fr)
Received: from bofh.enst.fr (bofh-2.enst.fr [137.194.2.37]) by enst.enst.fr (8.9.1a/8.9.1) with ESMTP id LAA08931; Thu, 14 Oct 1999 11:46:49 +0200 (MET DST)
Received: by bofh.enst.fr (Postfix, from userid 12426) id C5BCCD226; Thu, 14 Oct 1999 11:46:48 +0200 (CEST)
Message-ID: <19991014114648.A38195@enst.fr>
Date: Thu, 14 Oct 1999 11:46:48 +0200
From: Pierre Beyssac
To: sthaug@nethelp.no, avalon@coombs.anu.edu.au
Cc: jkb@best.com, roberto@keltia.freenix.fr, freebsd-security@FreeBSD.ORG
Subject: Re: anti-spoofing
References: <199910140924.TAA27074@cheops.anu.edu.au> <67021.939893926@verdi.nethelp.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <67021.939893926@verdi.nethelp.no>; from sthaug@nethelp.no on Thu, Oct 14, 1999 at 11:38:46AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Oct 14, 1999 at 11:38:46AM +0200, sthaug@nethelp.no wrote:
> No, it's a good range to block. Always. Because you never want to have
> multicast addresses as *source* address.

Furthermore, multicast is generally tunneled as IP in IP since most providers don't provide it natively; so in many cases you shouldn't see it as a destination address on a leased line either.

--
Pierre Beyssac pb@enst.fr

From owner-freebsd-security Thu Oct 14 7:23:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 4D7C814C32 for ; Thu, 14 Oct 1999 07:23:11 -0700 (PDT) (envelope-from danderse@faith.cs.utah.edu)
Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id IAA09665; Thu, 14 Oct 1999 08:19:18 -0600 (MDT)
From: David G Andersen
Message-Id: <199910141419.IAA09665@faith.cs.utah.edu>
Subject: Re: FreeSSH
To: mike@argos.org (Mike Nowlin)
Date: Thu, 14 Oct 1999 08:19:18 -0600 (MDT)
Cc: jwyatt@rwsystems.net, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Mike Nowlin" at Oct 14, 99 02:42:42 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lo and behold, Mike Nowlin once said:
>
> If we're going to entertain the idea of making UUCP a port, we should
> entertain the idea of replacing it with something equally suited to moving
> files over a modem, and FTP+PPP doesn't qualify -- too many points of
> failure. I hate to admit it, but C-Kermit comes to mind. You need to
> have SOMETHING in there that lets you do two key things - move files, and
> talk directly to a serial port. Minicom works, but it relies on also
> having zmodem, etc. installed as well.

Note that I wasn't suggesting not making it a part of the base install - I kind of like the base install, even if it contains things I don't use. (I actually do use UUCP on one of my machines for backup email). What I *was* suggesting was a way for interested people to make slightly more fine-grained decisions about what "parts" of the base install they wanted to install.
So someone going for a minimal setup would be saved the pain of later going and manually removing files and such (and then needing to do the same each time they upgrade).

-Dave

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Thu Oct 14 10: 0:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from dt050n71.san.rr.com (dt050n71.san.rr.com [204.210.31.113]) by hub.freebsd.org (Postfix) with ESMTP id 80A2115032 for ; Thu, 14 Oct 1999 10:00:26 -0700 (PDT) (envelope-from Doug@gorean.org)
Received: from gateway.gorean.org (gateway.gorean.org [10.0.0.1]) by dt050n71.san.rr.com (8.9.3/8.8.8) with ESMTP id KAA08763; Thu, 14 Oct 1999 10:00:16 -0700 (PDT) (envelope-from Doug@gorean.org)
Date: Thu, 14 Oct 1999 10:00:16 -0700 (PDT)
From: Doug
X-Sender: doug@dt050n71.san.rr.com
To: "Nicole H."
Cc: "Craig H. Rowland", freebsd-security@FreeBSD.ORG
Subject: Re: scanning of port 12345
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 12 Oct 1999, Nicole H. wrote:
>
> On 11-Oct-99 Craig H. Rowland wrote:
> > Older versions of NetBus (A Windows trojan horse/remote control
> > program) are on this port...
> >
> > -- Craig
>
> So far I have logged 6 more attempts at this port! Six! This hack must
> be getting fairly popular with the script kiddies.

It's actually been popular for a long time. Just one more reason not to use windows (at least not without a mondo firewall protecting it :).

Doug (who also loves your .sig)

--
"Stop it, I'm gettin' misty."
- Mel Gibson as Porter, "Payback"

From owner-freebsd-security Thu Oct 14 10:33:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id CC98E150D3 for ; Thu, 14 Oct 1999 10:33:22 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id TAA12941 for freebsd-security@FreeBSD.ORG; Thu, 14 Oct 1999 19:33:18 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (Postfix, from userid 101) id 8CFF9878D; Thu, 14 Oct 1999 19:11:48 +0200 (CEST)
Date: Thu, 14 Oct 1999 19:11:48 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
Message-ID: <19991014191148.A70611@keltia.freenix.fr>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <19991012220217.A14906@futuresouth.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.0pre2i
X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Bjoern Groenvall:
> If you are willing to run configure and make why don't you just fetch
> ftp://ftp.pdc.kth.se/pub/krypto/ossh/ossh-1.2.17.tar.gz? OSSH has no
> restrictions on use (if you're not in the US) and builds straight out

The main problem is that this code base is *OLD* (1995) and a lot of things have been fixed (not only buffer overflows but protocol problems) since this version.

I see backporting all the modifications from 1.2.27 as a non trivial task and maybe not worth the big effort when you can install the latest with the port...

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999

From owner-freebsd-security Thu Oct 14 11:13: 1 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jacuzzi.local.mindstep.com (modemcable156.106-200-24.mtl.mc.videotron.net [24.200.106.156]) by hub.freebsd.org (Postfix) with SMTP id 83C4C14F8B for ; Thu, 14 Oct 1999 11:12:57 -0700 (PDT) (envelope-from patrick@mindstep.com)
Received: (qmail 6397 invoked from network); 14 Oct 1999 18:12:57 -0000
Received: from unknown (HELO patrak) (192.168.10.25) by jacuzzi.local.mindstep.com with SMTP; 14 Oct 1999 18:12:57 -0000
Message-ID: <012201bf166f$bdf38fa0$190aa8c0@local.mindstep.com>
From: "Patrick Bihan-Faou"
To: "Ollivier Robert",
References: <19991012220217.A14906@futuresouth.com> <19991014191148.A70611@keltia.freenix.fr>
Subject: Re: FreeSSH
Date: Thu, 14 Oct 1999 14:12:57 -0400
Organization: MindStep Corporation
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

From: Ollivier Robert :
> According to Bjoern Groenvall:
> > If you are willing to run configure and make why don't you just fetch
> > ftp://ftp.pdc.kth.se/pub/krypto/ossh/ossh-1.2.17.tar.gz? OSSH has no
> > restrictions on use (if you're not in the US) and builds straight out
>
> The main problem is that this code base is *OLD* (1995) and a lot of things
> have been fixed (not only buffer overflows but protocol problems) since this
> version.
>
> I see backporting all the modifications from 1.2.27 as a non trivial task and
> maybe not worth the big effort when you can install the latest with the
> port...
Except maybe for the license. If I remember correctly you can't use the newer versions of ssh for free if you use it for commercial reasons. Patrick. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 14 12:54:29 1999 Delivered-To: freebsd-security@freebsd.org Received: from mug.adhesivemedia.com (mug.adhesivemedia.com [207.202.159.73]) by hub.freebsd.org (Postfix) with ESMTP id 4D61515121 for ; Thu, 14 Oct 1999 12:54:24 -0700 (PDT) (envelope-from philip@adhesivemedia.com) Received: from localhost (philip@localhost) by mug.adhesivemedia.com (8.9.3/8.9.3) with ESMTP id MAA31281; Thu, 14 Oct 1999 12:55:35 -0700 (PDT) (envelope-from philip@adhesivemedia.com) Date: Thu, 14 Oct 1999 12:55:35 -0700 (PDT) From: Philip Hallstrom To: Patrick Bihan-Faou Cc: freebsd-security@FreeBSD.ORG Subject: Re: pipsecd example? In-Reply-To: <029001bf15dc$33f44c60$190aa8c0@local.mindstep.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Yahoo! I got it working. This is really cool. I've got one final question -- how can I verify that it is indeed encrypting the connection? I looked at tcpdump, but I'm not the best network packet analyzer in the world :) Thanks for everyone's help! If I get a few moments I'm going to put together a step by step and post it somewhere for others... On Wed, 13 Oct 1999, Patrick Bihan-Faou wrote: > Hi, > > > My setup: > > > > [---------] [---------] > > [ FreeBSD ] [ FreeBSD ] > > LAN A --[ 1 ]-- 1.1.1.1 -> INTERNET <- 2.2.2.2 --[ 2 ]-- LAN > B > > 10.0.0.x [ 3.2 ] [ 3.2 ] > 10.2.0.x > > [---------] [---------] > > > > > > I've looked through the pipsecd.conf and it baffles me. For example -- > > where do the values for the various keys come from? > > Your imagination... As long as one end's remote key(s) is the other end's > local key(s). 
> There is a mistake in the sample configuration file. I will
> correct it sometime...
>
> > Also, a general question. If I'm on client 10.2.0.5 and telnet to
> > 10.0.0.5, will it say that I am from 10.2.0.5 or from 2.2.2.2?
>
> Well it depends... If you are not running nat on the "tunX" interface (which
> should be the standard case), then you will be coming from 10.2.0.5.
>
> The "tunX" interface looks and behaves (almost) exactly as if you had a NIC
> card connected to a network with only 2 hosts (the local one and the remote
> one). The only difference is that instead of having a hardware connection (an
> ethernet wire), it has a software one (pipsecd). BTW, this also means that
> it needs an IP address on the network you chose as the "tunnel" network.
>
> Patrick.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Oct 14 13:20:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 04E2E14D40; Thu, 14 Oct 1999 13:20:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id EAC341CD47F; Thu, 14 Oct 1999 13:20:05 -0700 (PDT) (envelope-from kris@hub.freebsd.org)
Date: Thu, 14 Oct 1999 13:20:05 -0700 (PDT)
From: Kris Kennaway
To: Ollivier Robert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
In-Reply-To: <19991014191148.A70611@keltia.freenix.fr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 14 Oct 1999, Ollivier Robert wrote:
> According to Bjoern Groenvall:
> > If you are willing to run configure and make why don't you just fetch
> > ftp://ftp.pdc.kth.se/pub/krypto/ossh/ossh-1.2.17.tar.gz? OSSH has no
> > restrictions on use (if you're not in the US) and builds straight out
>
> The main problem is that this code base is *OLD* (1995) and a lot of things
> have been fixed (not only buffer overflows but protocol problems) since this
> version.
>
> I see backporting all the modifications from 1.2.27 as a non trivial task and
> maybe not worth the big effort when you can install the latest with the
> port...

This is the version the OpenBSD guys have taken, I do believe. Hard work isn't hard at all when someone else is doing it :-)

Kris

----
XOR for AES -- join the campaign!

From owner-freebsd-security Thu Oct 14 21:18:08 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sentry.granch.ru (sentry.granch.ru [212.20.5.135]) by hub.freebsd.org (Postfix) with ESMTP id CB99014BDE for ; Thu, 14 Oct 1999 21:18:03 -0700 (PDT) (envelope-from shelton@sentry.granch.ru)
Received: (from shelton@localhost) by sentry.granch.ru (8.9.3/8.9.3) id LAA00525 for freebsd-security@freebsd.org; Fri, 15 Oct 1999 11:18:02 +0700 (NOVST)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Fri, 15 Oct 1999 11:18:02 +0700 (NOVST)
Organization: Granch Ltd.
From: "Rashid N. Achilov"
To: freebsd-security@freebsd.org
Subject: kern.securelevel and X
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Why can't I start X with kern.securelevel more than -1?

When I attempt to start X with kern.securelevel 1 or 2, startx crashes with
"KBENBIO (or like that): Operation not permitted"

---
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Cert. ID: 28514, Granch Ltd. lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Thu Oct 14 21:39:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jason.argos.org (a1-3a123.neo.rr.com [24.93.180.123]) by hub.freebsd.org (Postfix) with ESMTP id 230FD14D29 for ; Thu, 14 Oct 1999 21:39:56 -0700 (PDT) (envelope-from mike@argos.org)
Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id AAA05394; Fri, 15 Oct 1999 00:39:37 -0400
Date: Fri, 15 Oct 1999 00:39:36 -0400 (EDT)
From: Mike Nowlin
To: "Rashid N. Achilov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kern.securelevel and X
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Why can't I start X with kern.securelevel more than -1?
>
> When I attempt to start X with kern.securelevel 1 or 2, startx crashes with
> "KBENBIO (or like that): Operation not permitted"

It's been a while since I read something about this, but let's see how good my memory is -- corrections welcomed.... :)

When running with a >0 securelevel, X can't access the video memory due to security restrictions (probably something about letting a non-kernel process access any kind of I/O or memory port directly), so the X server can't talk to the video card -- boom.

Am I right?
mike

From owner-freebsd-security Fri Oct 15 02:55:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bg.sics.se (bg.sics.se [193.10.66.124]) by hub.freebsd.org (Postfix) with ESMTP id 33AE414CF9 for ; Fri, 15 Oct 1999 02:55:21 -0700 (PDT) (envelope-from bg@bg.sics.se)
Received: (from bg@localhost) by bg.sics.se (8.9.3/8.9.3) id LAA18684; Fri, 15 Oct 1999 11:55:49 +0200 (CEST) (envelope-from bg)
To: Ollivier Robert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
References: <19991012220217.A14906@futuresouth.com> <19991014191148.A70611@keltia.freenix.fr>
From: Bjoern Groenvall
Date: 15 Oct 1999 11:55:49 +0200
In-Reply-To: Ollivier Robert's message of Thu, 14 Oct 1999 19:11:48 +0200
Message-ID:
Lines: 16
X-Mailer: Red Gnus v0.52/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ollivier Robert writes:
> According to Bjoern Groenvall:
> > If you are willing to run configure and make why don't you just fetch
> > ftp://ftp.pdc.kth.se/pub/krypto/ossh/ossh-1.2.17.tar.gz? OSSH has no
> > restrictions on use (if you're not in the US) and builds straight out
>
> The main problem is that this code base is *OLD* (1995) and a lot of things
> have been fixed (not only buffer overflows but protocol problems) since this
> version.

The code base might be old but the fixes are new. Is there any particular protocol problem that you think is not fixed in OSSH? Did you ``diff'' against ssh-1.2.12?

/Björn

From owner-freebsd-security Fri Oct 15 09:46:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id CFE65150A1 for ; Fri, 15 Oct 1999 09:46:28 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id SAA12909 for freebsd-security@FreeBSD.ORG; Fri, 15 Oct 1999 18:46:27 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (Postfix, from userid 101) id 56A16878D; Fri, 15 Oct 1999 12:28:24 +0200 (CEST)
Date: Fri, 15 Oct 1999 12:28:24 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
Message-ID: <19991015122824.A78014@keltia.freenix.fr>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <19991012220217.A14906@futuresouth.com> <19991014191148.A70611@keltia.freenix.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.0pre2i
In-Reply-To:
X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Bjoern Groenvall:
> particular protocol problem that you think is not fixed in OSSH?
> Did you ``diff'' against ssh-1.2.12?

No, I haven't diff-ed anything. If you tell me that OSSH is at the same level of features/fixes as 1.2.27, I'd be very happy.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999

From owner-freebsd-security Fri Oct 15 09:54:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mercure.IRO.UMontreal.CA (mercure.IRO.UMontreal.CA [132.204.24.67]) by hub.freebsd.org (Postfix) with ESMTP id 48B9414D95 for ; Fri, 15 Oct 1999 09:54:08 -0700 (PDT) (envelope-from beaupran@IRO.UMontreal.CA)
Received: from blm30.IRO.UMontreal.CA (IDENT:root@blm30.IRO.UMontreal.CA [132.204.21.76]) by mercure.IRO.UMontreal.CA (8.9.1/8.9.3) with ESMTP id MAA07124; Fri, 15 Oct 1999 12:53:41 -0400
Received: (from beaupran@localhost) by blm30.IRO.UMontreal.CA (8.9.1/8.9.1) id MAA03439; Fri, 15 Oct 1999 12:53:40 -0400
Full-Name: Antoine Beaupre
X-Authentication-Warning: blm30.IRO.UMontreal.CA: beaupran set sender to beaupran@blm30.IRO.UMontreal.CA using -f
From: Antoine Beaupre
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14343.23571.679909.243732@blm30.IRO.UMontreal.CA>
Date: Fri, 15 Oct 1999 12:53:39 -0400 (EDT)
To: Mike Nowlin
Cc: "Rashid N. Achilov" , freebsd-security@FreeBSD.ORG
Subject: Re: kern.securelevel and X
References:
X-Mailer: VM 6.75 under Emacs 20.3.1
Reply-To: Spidey
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The reference is man init:

"
     The kernel runs with four different levels of security. Any superuser
     process can raise the security level, but only init can lower it. The
     security levels are:

     -1    Permanently insecure mode - always run the system in level 0 mode.
           This is the default initial value.

     0     Insecure mode - immutable and append-only flags may be turned off.
           All devices may be read or written subject to their permissions.

     1     Secure mode - the system immutable and system append-only flags may
           not be turned off; disks for mounted filesystems, /dev/mem, and
           /dev/kmem may not be opened for writing.

     2     Highly secure mode - same as secure mode, plus disks may not be
           opened for writing (except by mount(2)) whether mounted or not.
           This level precludes tampering with filesystems by unmounting them,
           but also inhibits running newfs(8) while the system is multi-user.

     3     Network secure mode - same as highly secure mode, plus IP packet
           filter rules (see ipfw(8) and ipfirewall(4)) can not be changed and
           dummynet configuration can not be adjusted.
"

(by the web manpages, 3.1-release)

So that's exactly it. X cannot write to mem or kmem. I thought this was in securelevel 2, though.

I guess there is no way to run X in secure level > 0, right?

---
Big Brother told Mike Nowlin to write, at 00:39 of October 15:
>
> > Why can't I start X with kern.securelevel more than -1?
> >
> > When I attempt to start X with kern.securelevel 1 or 2, startx crashes with
> > "KBENBIO (or like that): Operation not permitted"
>
> It's been a while since I read something about this, but let's see how
> good my memory is -- corrections welcomed.... :)
>
> When running with a >0 securelevel, X can't access the video memory due to
> security restrictions (probably something about letting a non-kernel
> process access any kind of I/O or memory port directly), so the X server
> can't talk to the video card -- boom.
>
> Am I right?
>
> mike

--
If the image gives the illusion of knowing,
it is because the adage claims that, to believe,
all that matters is to see.
                                    Lofofora

From owner-freebsd-security Fri Oct 15 10:07:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 349BC15236 for ; Fri, 15 Oct 1999 10:07:16 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id NAA31953; Fri, 15 Oct 1999 13:07:12 -0400 (EDT) (envelope-from wollman)
Date: Fri, 15 Oct 1999 13:07:12 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199910151707.NAA31953@khavrinen.lcs.mit.edu>
To: security@freebsd.org
Subject: PAM module for Kerberos 5?
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Has anyone gone to the effort yet of making a PAM module for Kerberos 5? How about passwd(1)? That's one of the last things I need before I can move our KDC over to Kerberos 5....

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                 - Susan Aglukark and Chad Irschick

From owner-freebsd-security Fri Oct 15 13:35:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from tusk.mountain-inter.net (tusk.mountain-inter.net [204.244.200.1]) by hub.freebsd.org (Postfix) with ESMTP id CA5AD14BC8 for ; Fri, 15 Oct 1999 13:35:37 -0700 (PDT) (envelope-from sreid@sea-to-sky.net)
Received: from grok.localnet (dialup10.mountain-inter.net [204.244.200.19]) by tusk.mountain-inter.net (8.9.3/8.9.3) with ESMTP id NAA12975; Fri, 15 Oct 1999 13:34:02 -0700
Received: by grok.localnet (Postfix, from userid 1000) id 5AD41212E07; Fri, 15 Oct 1999 13:33:36 -0700 (PDT)
Date: Fri, 15 Oct 1999 13:33:36 -0700
From: Steve Reid
To: Antoine Beaupre
Cc: Mike Nowlin , "Rashid N. Achilov" , freebsd-security@FreeBSD.ORG
Subject: Re: kern.securelevel and X
Message-ID: <19991015133335.A410@grok.localnet>
References: <14343.23571.679909.243732@blm30.IRO.UMontreal.CA>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <14343.23571.679909.243732@blm30.IRO.UMontreal.CA>; from Antoine Beaupre on Fri, Oct 15, 1999 at 12:53:39PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Oct 15, 1999 at 12:53:39PM -0400, Antoine Beaupre wrote:
> I guess there is no way to run X in secure level > 0, right?

OpenBSD and NetBSD can do it, through the aperture driver.

But I don't think FreeBSD has that capability. I haven't seen any mention of a FreeBSD aperture driver, not even in vaporware form. Maybe people just don't realize such a thing is possible?
From owner-freebsd-security Fri Oct 15 13:56:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id AA93815169; Fri, 15 Oct 1999 13:56:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 9BDEB1CD474; Fri, 15 Oct 1999 13:56:15 -0700 (PDT) (envelope-from kris@hub.freebsd.org)
Date: Fri, 15 Oct 1999 13:56:15 -0700 (PDT)
From: Kris Kennaway
To: Garrett Wollman
Cc: security@freebsd.org
Subject: Re: PAM module for Kerberos 5?
In-Reply-To: <199910151707.NAA31953@khavrinen.lcs.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 15 Oct 1999, Garrett Wollman wrote:
> Has anyone gone to the effort yet of making a PAM module for Kerberos
> 5? How about passwd(1)?
> That's one of the last things I need before I can move our KDC
> over to Kerberos 5....

See http://www.us.kernel.org/pub/linux/libs/pam/modules.html which references http://www-personal.engin.umich.edu/~itoi/pam_krb5/pam_krb5-1.0-1.tar.gz

I also found a reference to ftp://ftp.dementia.org/pub/pam/pam_krb5-1.1.3.tar.gz

Don't know if these compile (or work!) under FreeBSD, but they should be portable easily enough since we use the Linux-PAM code.

Kris

----
XOR for AES -- join the campaign!

From owner-freebsd-security Fri Oct 15 14:36:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from main.nwserv.com (main.nwserv.com [216.168.91.66]) by hub.freebsd.org (Postfix) with ESMTP id 4FE2214DDA for ; Fri, 15 Oct 1999 14:36:54 -0700 (PDT) (envelope-from asaddi@philosophysw.com)
Received: from localhost (asaddi@localhost) by main.nwserv.com (8.9.3/8.9.2) with ESMTP id OAA59938; Fri, 15 Oct 1999 14:34:57 -0700 (PDT) (envelope-from asaddi@philosophysw.com)
Date: Fri, 15 Oct 1999 14:34:57 -0700 (PDT)
From: Allan Saddi
X-Sender: asaddi@main.nwserv.com
To: Steve Reid
Cc: Antoine Beaupre , Mike Nowlin , "Rashid N. Achilov" , freebsd-security@FreeBSD.ORG
Subject: Re: kern.securelevel and X
In-Reply-To: <19991015133335.A410@grok.localnet>
Message-ID:
Organization: Philosophy SoftWorks
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 15 Oct 1999, Steve Reid wrote:
> But I don't think FreeBSD has that capability. I haven't seen any
> mention of a FreeBSD aperture driver, not even in vaporware form.
> Maybe people just don't realize such a thing is possible?

I used to run X with high securelevels back in 2.2.x. I simply started X/xdm before upping the securelevel. This seemed to work fine. I haven't verified that it still works w/ 3.x, however.

--
Allan Saddi                          "The Earth is the cradle of mankind,
asaddi@philosophysw.com               but we cannot live in the cradle
http://www.philosophysw.com/asaddi/   forever." - K.E. Tsiolkovsky

From owner-freebsd-security Sat Oct 16 01:50:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jason.argos.org (a1-3a123.neo.rr.com [24.93.180.123]) by hub.freebsd.org (Postfix) with ESMTP id 522B814A1D for ; Sat, 16 Oct 1999 01:50:42 -0700 (PDT) (envelope-from mike@argos.org)
Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id EAA25287; Sat, 16 Oct 1999 04:50:18 -0400
Date: Sat, 16 Oct 1999 04:50:18 -0400 (EDT)
From: Mike Nowlin
To: Steve Reid
Cc: "Rashid N. Achilov" , freebsd-security@FreeBSD.ORG
Subject: Re: kern.securelevel and X
In-Reply-To: <19991015133335.A410@grok.localnet>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> But I don't think FreeBSD has that capability. I haven't seen any
> mention of a FreeBSD aperture driver, not even in vaporware form.
> Maybe people just don't realize such a thing is possible?

...not really sure I should bring this up, but.......

My belief is that if you feel the necessity to run a machine (especially a production box) under a higher secure level, you should not be using that box for "general user uses", including X. With the prices of fast ethernet and motherboards these days, there's no reason why you can't make a workstation for general use that doesn't really mind getting trashed if somebody breaks in -- restore a backup tape, and you're ready to go. Diskless workstations (slaved off the high-security machine) come to mind...
--mike

From owner-freebsd-security Sat Oct 16 02:48:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fever.semiotek.com (H253.C225.tor.velocet.net [216.126.82.253]) by hub.freebsd.org (Postfix) with ESMTP id EB6FD1543D for ; Sat, 16 Oct 1999 02:48:21 -0700 (PDT) (envelope-from jread@fever.semiotek.com)
Received: (from jread@localhost) by fever.semiotek.com (8.9.3/8.9.3) id FAA48562; Sat, 16 Oct 1999 05:47:52 -0400 (EDT) (envelope-from jread)
Date: Sat, 16 Oct 1999 05:47:52 -0400
From: Justin Wells
To: Mike Nowlin
Cc: Steve Reid , "Rashid N. Achilov" , freebsd-security@FreeBSD.ORG
Subject: Re: kern.securelevel and X
Message-ID: <19991016054752.A48505@fever.semiotek.com>
References: <19991015133335.A410@grok.localnet>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Oct 16, 1999 at 04:50:18AM -0400, Mike Nowlin wrote:
>
> > But I don't think FreeBSD has that capability. I haven't seen any
> > mention of a FreeBSD aperture driver, not even in vaporware form.
> > Maybe people just don't realize such a thing is possible?
>
> ...not really sure I should bring this up, but.......
>
> My belief is that if you feel the necessity to run a machine (especially a
> production box) under a higher secure level, you should not be using that
> box for "general user uses", including X. With the prices of fast
> ethernet and motherboards these days, there's no reason why you can't make
> a workstation for general use that doesn't really mind getting trashed if
> somebody breaks in -- restore a backup tape, and you're ready to go.
> Diskless workstations (slaved off the high-security machine) come to
> mind...

I don't agree with this at all.

Workstations are important targets for attackers, since if you can breach a workstation, you can probably infiltrate any server that the user of the workstation connects to. You can sniff passwords, capture TTY's, hijack SSH sessions, find paths through firewalls... never assume that you would know if an attacker broke in.

You might say that the workstations could all sit behind a firewall so that nobody could access it, but many people find it convenient to have their workstations accessible to the outside world.

While you might be able to get away with less, I think there is a clear use case for a "network secure" workstation.

Justin

From owner-freebsd-security Sat Oct 16 06:54:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from enst.enst.fr (enst.enst.fr [137.194.2.16]) by hub.freebsd.org (Postfix) with ESMTP id 0E77C14C9D for ; Sat, 16 Oct 1999 06:54:56 -0700 (PDT) (envelope-from beyssac@enst.fr)
Received: from bofh.enst.fr (bofh-2.enst.fr [137.194.2.37]) by enst.enst.fr (8.9.1a/8.9.1) with ESMTP id PAA01390; Sat, 16 Oct 1999 15:54:49 +0200 (MET DST)
Received: by bofh.enst.fr (Postfix, from userid 12426) id 488CED246; Sat, 16 Oct 1999 15:54:49 +0200 (CEST)
Message-ID: <19991016155449.A86922@enst.fr>
Date: Sat, 16 Oct 1999 15:54:49 +0200
From: Pierre Beyssac
To: Philip Hallstrom , Patrick Bihan-Faou
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: pipsecd example?
References: <029001bf15dc$33f44c60$190aa8c0@local.mindstep.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Philip Hallstrom on Thu, Oct 14, 1999 at 12:55:35PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Oct 14, 1999 at 12:55:35PM -0700, Philip Hallstrom wrote:
> how can I verify that it is indeed encrypting the connection? I looked at
> tcpdump, but I'm not the best network packet analyzer in the world :)

tcpdump -w /tmp/dumpfile -s 1500 -i ed0

(replace ed0 with your outgoing ethernet interface name). Try a few telnets, some http. Then stop tcpdump and do a strings /tmp/dumpfile.

--
Pierre Beyssac pb@enst.fr

From owner-freebsd-security Sat Oct 16 07:08:03 1999
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 8C8DA14D06 for ; Sat, 16 Oct 1999 07:07:58 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA25510; Sat, 16 Oct 1999 07:07:57 -0700
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda25507; Sat Oct 16 07:07:21 1999
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA46169; Sat, 16 Oct 1999 07:05:04 -0700 (PDT)
Message-Id: <199910161405.HAA46169@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdB46158; Sat Oct 16 07:04:13 1999
X-Mailer: exmh version 2.1.0 09/18/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.3-RELEASE
X-Sender: cy
To: Mike Nowlin
Cc: James Wyatt , freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
In-reply-to: Your message of "Thu, 14 Oct 1999 02:42:42 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 16 Oct 1999 07:04:12 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Mike Nowlin writes:
> >
> > > > > actually, i don't think this is a good idea. there are still a few (very
> > > > > few.. i hope) networks and LAN's that use UUCP for mail transfer and such.
> > >
> > > Why are you hoping for very few users of UUCP? It works quite well, and is
> > > very low maintenance. People who have intermittent connectivity have good
> > > reason to still use it. I use it in a couple instances over FTP, because it
> > > has spooling and logging facilities built in.
>
> (This really should move to -net or something...)
>
> If we're going to entertain the idea of making UUCP a port, we should
> entertain the idea of replacing it with something equally suited to moving
> files over a modem, and FTP+PPP doesn't qualify -- too many points of
> failure. I hate to admit it, but C-Kermit comes to mind. You need to
> have SOMETHING in there that lets you do two key things - move files, and
> talk directly to a serial port. Minicom works, but it relies on also
> having zmodem, etc. installed as well.

UUCP is sort of a standard. Virtually every commercial version of UNIX has it. By removing it we remove one more communication or compatibility option. Our UUCP is based on Taylor (GNU) UUCP, arguably the best UUCP around.

> As the maintainer of 200+ FreeBSD/Linux/Coherent (yuk!) systems spread
> across northern Ohio in the harshest environments I've ever seen, (nursing
> homes -- they make steel mills look clean :) ), having these gut-level
> utilities as part of a base install is really handy when some patient
> pours his calcium-and-sugar-rich dietary supplement into the power supply
> fan... Not to mention that Coherent doesn't do TCP/IP (but they DID
> finally get X working before they went under...:) )

I didn't think anyone used Coherent any more. My copy is collecting dust along with OS/2, NT 3.5, and PC-DOS 1.1. MWC did publish a good manual.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
                "e**(i*pi)+1=0"

From owner-freebsd-security Sat Oct 16 08:49:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id A69E614CA3 for ; Sat, 16 Oct 1999 08:49:21 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA25694; Sat, 16 Oct 1999 08:49:19 -0700
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda25692; Sat Oct 16 08:49:10 1999
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id IAA67111; Sat, 16 Oct 1999 08:49:06 -0700 (PDT)
Message-Id: <199910161549.IAA67111@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdh67106; Sat Oct 16 08:48:06 1999
X-Mailer: exmh version 2.1.0 09/18/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.3-RELEASE
X-Sender: cy
To: James Wyatt
Cc: Greg Lewis , freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
In-reply-to: Your message of "Wed, 13 Oct 1999 13:14:01 CDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 16 Oct 1999 08:48:05 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , James Wyatt writes:
> On Wed, 13 Oct 1999, Greg Lewis wrote:
> > In the interests of minimising bloat we could balance its inclusion by
> > deleting something like, say, uucp.
> > (:-) for the uucps users)
>
> As another heavy UUCP user on several machines here (and owner of CD sets
> for 2.26/2.28/3.2/3.3/etc...) I wouldn't mind a well-done package if it
> still used /etc/uucp and added the UUCP user. I also would not mind it
> being another optional binset on the install.
>
> I have been saving a fair amount of room on my hosts by removing the yp
> executables we *never* want and the 3MB+ of Japanese manpages we can't
> read. I'm sure there are more examples of 'things that could be default
> unchecked boxes in the install' things. - Jy@

Then again, I use YP (behind a firewall of course) with "*" in the password field and KRB5 for authentication.

I think that everybody has their favorite package they wish to remove. In our shop, including the team I manage, everyone uses RedHat desktops, except for me of course. Most people I work with don't use the C compiler so they don't install it from the RedHat distribution. The point is that there are probably a bunch of FreeBSD users who don't use the C compiler either and from their point of view, as ludicrous as it sounds, it too should be removed. Each of us has a different requirement and expectation from FreeBSD. The current FreeBSD maintenance strategy, notwithstanding my previous ramblings in previous notes this morning, is a good one.

I think that the bloat caused by UUCP, YP, NFS, and Sendmail is small. For example on my server here at home, FreeBSD uses only 200 MB, the source tree takes up another 230 MB, the FreeBSD CVS tree (w/o ports) uses 600 MB, X and X packages take up 210 MB, /compat/linux uses 40 MB, /usr/local uses 275 MB, and Star Office uses 140 MB. My 486/33 which has FreeBSD & W95 installed uses,

Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
/dev/wd0s1a     199115   142352    40834    78%    /
/dev/wd0s2      168612   126796    41816    75%    /dos

The 486/33 is small because it relies on my server for X and packages when FreeBSD is running, and MS-Office via Samba when W95 is running.
In short I don't think that a 200 MB O/S is bloatware. Some of the additional applications installed are bloatware -- e.g. how can an office application, Star Office, be almost as large as an operating system?

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
                "e**(i*pi)+1=0"

From owner-freebsd-security Sat Oct 16 13:13:08 1999
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 2BC41154A6 for ; Sat, 16 Oct 1999 13:13:03 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id QAA39421; Sat, 16 Oct 1999 16:12:50 -0400 (EDT) (envelope-from wollman)
Date: Sat, 16 Oct 1999 16:12:50 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199910162012.QAA39421@khavrinen.lcs.mit.edu>
To: Cy Schubert - ITSD Open Systems Group
Cc: James Wyatt , Greg Lewis , freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
In-Reply-To: <199910161549.IAA67111@cwsys.cwsent.com>
References: <199910161549.IAA67111@cwsys.cwsent.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:
> The point is that there are probably a bunch of FreeBSD users who
> don't use the C compiler either and from their point of view, as
> ludicrous as it sounds, it too should be removed.

The right thing to point out to them is that it would cost more in people's valuable time to do this and the disk space does (at $0.02/MB and dropping rapidly).

There's a much better argument for segmenting out parts of the system which are intended to be ``field-replaceable units''.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                 - Susan Aglukark and Chad Irschick

From owner-freebsd-security Sat Oct 16 14:06:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.welearn.com.au (phoenix.welearn.com.au [139.130.44.81]) by hub.freebsd.org (Postfix) with ESMTP id 78A1F155E3 for ; Sat, 16 Oct 1999 14:06:18 -0700 (PDT) (envelope-from sue@phoenix.welearn.com.au)
Received: (from sue@localhost) by phoenix.welearn.com.au (8.9.3/8.9.3) id HAA20550 for freebsd-security@freebsd.org; Sun, 17 Oct 1999 07:06:14 +1000 (EST) (envelope-from sue)
Date: Sun, 17 Oct 1999 07:06:12 +1000
From: Sue Blake
To: freebsd-security@freebsd.org
Subject: allowing telnet from locked terminal
Message-ID: <19991017070610.E12725@welearn.com.au>
Mail-Followup-To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I use a machine in a fairly secure area. When I'm away, if someone rushes in to respond to a crisis they will want to use my machine to telnet (and maybe ping) to another. That's fine, but I don't want it to be easy for them to see/touch my other work which they're not interested in anyway. The people are trustworthy but will be unfamiliar with the machine and could press random buttons when working in panic mode. Periods away include coffee breaks, overnight, and weekends.

Is there some quick way to remove convenient access to all but one virtual console whenever I leave the room?
How safe and practical would it be to set up a user who is only allowed to execute telnet and ping, or better whose shell is a script offering a dialog(1) menu, and leave that user always logged in? -- Regards, -*Sue*- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 16 14:15:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from isr4033.urh.uiuc.edu (isr4033.urh.uiuc.edu [130.126.208.49]) by hub.freebsd.org (Postfix) with SMTP id 5C51514BE6 for ; Sat, 16 Oct 1999 14:15:03 -0700 (PDT) (envelope-from ftobin@uiuc.edu) Received: (qmail 17411 invoked by uid 1000); 16 Oct 1999 21:15:01 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Oct 1999 21:15:01 -0000 Date: Sat, 16 Oct 1999 16:14:45 -0500 (CDT) From: Frank Tobin X-Sender: ftobin@isr4033.urh.uiuc.edu To: FreeBSD-security Mailing List Subject: Re: FreeSSH In-Reply-To: <199910161549.IAA67111@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cy Schubert - ITSD Open Systems Group, at 08:48 on Sat, 16 Oct 1999, wrote: > I think that everybody has their favorite package they wish to remove. > In our shop, including the team I manage, everyone uses RedHat desktops, > except for me of course. Most people I work with don't use the C > compiler so they don't install it from the RedHat distribution. The > point is that there are probably a bunch of FreeBSD users who don't use > the C compiler either and from their point of view, as ludicrous as it > sounds, it too should be removed. I agree that the size of the distribution is pretty much not a problem; rather, that there are so many setuid/setgid binaries that get installed when 'everything' is installed. 
The process of going through the system and weeding out the ones one doesn't need is generally a cumbersome, needless task; the current process is similar to the idea that 'everything is allowed except that which is denied'. It's often better to follow the minimalist policy, 'everything is denied except that which is allowed', which, in this context, means installing as little as possible, and then adding on to that.

--
Frank Tobin
"To learn what is good and what is to be valued, those truths which cannot be shaken or changed."  Myst: The Book of Atrus
http://www.neverending.org/~ftobin/
OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3


From owner-freebsd-security Sat Oct 16 17:29:16 1999
From: Matt Behrens
To: Garrett Wollman
Cc: Cy Schubert - ITSD Open Systems Group, James Wyatt, Greg Lewis, freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
Date: Sat, 16 Oct 1999 20:28:43 -0400 (EDT)
In-Reply-To: <199910162012.QAA39421@khavrinen.lcs.mit.edu>

On Sat, 16 Oct 1999, Garrett Wollman wrote:

: The right thing to point out to them is that
: it would cost more in
: people's valuable time to do this than the disk space does (at $0.02/MB
: and dropping rapidly).
:
: There's a much better argument for segmenting out parts of the system
: which are intended to be ``field-replaceable units''.

I don't think it's necessarily out of the concern of disk space. I for one would rather just not have things on my system that I don't use or possibly even understand (such as UUCP). It's part of the minimalist philosophy -- the less there is, the less can go wrong.

That said, it may not be worth anyone's time still on the team, but perhaps through our discussion someone with appropriate knowledge might become interested enough to try to implement it themselves. I don't think by the sheer virtue of discussion we are demanding it be done :-)

Matt Behrens
Owner/Administrator, zigg.com
Chief Engineer, Nameless IRC Network


From owner-freebsd-security Sat Oct 16 17:31:05 1999
From: Jay Nelson
To: Cy Schubert - ITSD Open Systems Group
Cc: James Wyatt, Greg Lewis, freebsd-security@FreeBSD.ORG
Subject: Re: FreeSSH
Date: Sat, 16 Oct 1999 19:19:47 -0500 (CDT)
In-Reply-To: <199910161549.IAA67111@cwsys.cwsent.com>

On Sat, 16 Oct 1999, Cy Schubert - ITSD
Open Systems Group wrote:

[snip]
>... I think that
>the bloat caused by UUCP, YP, NFS, and Sendmail is small. For example

I heartily agree. The nice thing about a "standard" system is that there are features you can count on. Many are not used on the typical installation, yet I rarely remove them unless there is a compelling reason -- things change over time.

Hell -- if we're going to get rid of "bloat", let's get rid of grep and sed, since very few newbies understand regular expressions -- or the man pages -- few read them and they take up a _huge_ amount of space;)

(Only my 2 bits)

-- Jay


From owner-freebsd-security Sat Oct 16 21:30:32 1999
From: Wes Peters
Organization: Softweyr LLC
To: Sue Blake
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allowing telnet from locked terminal
Date: Sat, 16 Oct 1999 20:58:59 -0600
Message-ID: <38093B73.31647DB3@softweyr.com>
References: <19991017070610.E12725@welearn.com.au>

Sue Blake wrote:
>
> I use a machine in a fairly secure area. When I'm away, if someone
> rushes in to respond to a crisis they will want to use my machine to
> telnet (and maybe ping) to another.
>
> That's fine, but I don't want it to be easy for them to see/touch my
> other work which they're not interested in anyway. The people are
> trustworthy but will be unfamiliar with the machine and could press
> random buttons when working in panic mode. Periods away include coffee
> breaks, overnight, and weekends.

First, you need a "watchdog" program that can lock(1) the terminal if it is idle for more than a few minutes, so passers-by won't be able to interact with your forgotten login session. I didn't find one in my 2-minute search of my 3.1-R system, but that doesn't mean one doesn't exist. There was one for Missed'em V floating about the net in the late 80's, called "untamo". Happy hunting.

> Is there some quick way to remove convenient access to all but one
> virtual console whenever I leave the room?
>
> How safe and practical would it be to set up a user who is only
> allowed to execute telnet and ping, or better whose shell is a script
> offering a dialog(1) menu, and leave that user always logged in?

You could perhaps just have init launch the dialog on ttyv0 and not provide a login account to casual users. Tell your users to hit Alt-F1 if they don't see what they expect when they walk up to the system.

A compiled, suid, chroot program would be an ideal candidate for the program to be run by init; it could simply start the dialog(1) script. Let me know if you need such a program; I'll be happy to throw it together for you.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                     Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/


From owner-freebsd-security Sat Oct 16 21:33:16 1999
From: tom brown
To: freebsd-security@freebsd.org
Subject: General securiy of vanilla install WAS [FreeSSH]
Date: Sat, 16 Oct 1999 21:30:46 -0700 (PDT)
Message-ID: <19991017043046.5909.rocketmail@web115.yahoomail.com>

I think we've lost the direction here somewhere. This started as a conversation about 'security' options.

I think that FreeBSD is great as a distribution, and it's really important that it's flexible enough to suit us all, including UUCP is clearly a must.

But something should be done to allow the less experienced users to roll out a box that can sit unprotected on the net. Personal experience has demonstrated that many insecure installs are out there running in production environments. People often seem to have the impression that unix is secure, but they don't understand what they need to do to make it that way.

If /stand/sysinstall had a checkbox in the install that said "don't run services" that would go a long way to stopping vanilla installs being "cracked" thereby giving the project a bad name. Simple IP filtering would also be a bonus.

Commercially speaking people will start to pay more attention to security in the near future. If the project were to exploit this need it could grab a bigger chunk of the pizza.
It's a mean world out there, and FreeBSD is a good contender as security goes, but not straight out of the box! I know of two apache servers running FreeBSD that receive a hostile packet every 5 seconds. Base-install+apache+IPFW. It took the engineer 45 minutes to build them, and 2 years to learn how..

Tom


From owner-freebsd-security Sat Oct 16 22:12:07 1999
From: Alex Charalabidis
To: tom brown
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: General securiy of vanilla install WAS [FreeSSH]
Date: Sun, 17 Oct 1999 00:11:51 -0500 (CDT)
In-Reply-To: <19991017043046.5909.rocketmail@web115.yahoomail.com>

On Sat, 16 Oct 1999, tom brown wrote:

> I think we've lost the direction here somewhere.
> This started as a conversation about
> 'security' options.
>
> But something should be done to allow the less
> experienced users to roll out a box that can sit
> unprotected on the net. Personal experience has
> demonstrated that many insecure installs are out there
> running in production environments. People often seem
> to have the impression that unix is secure, but they
> don't understand what they need to do to make it that
> way.
>

This ought to be addressed in future releases.
I don't remember off-hand which services are enabled by default on a stock installation but I do remember always having to shut down a few on every new machine I install FreeBSD on (which means most machines that hit my desk).

Somewhere in this thread, someone mentioned installing tcsh/bash and ssh as the first tasks on a new box. Wrong. The first thing we do is vi inetd.conf and shut down unneeded services. Those who don't know enough to do so are SOL. Sure, they need to learn but letting them learn by having their machines cracked is counterproductive.

Granted, it is by far not as bad as it is with certain eponymous Linux distributions that come so service-happy it's scary, but there are concerns about new FreeBSD installations too. New users don't need the services (and shouldn't be running them), experienced users would rather enable what they need themselves.

> If /stand/sysinstall had a checkbox in the install
> that said "don't run services" that would go a long way to
> stopping vanilla installs being "cracked" thereby giving
> the project a bad name. Simple IP filtering would also
> be a bonus.
>

Sounds very reasonable. Though maybe "run services" should be off by default.

-ac

--
Alex Charalabidis
WebNet Memphis
(901) 432-6000


From owner-freebsd-security Sat Oct 16 22:28:25 1999
From: Justin Wells
To: Antoine Beaupre
Cc: Mike Nowlin, "Rashid N. Achilov", freebsd-security@FreeBSD.ORG
Subject: Re: kern.securelevel and X
Date: Sun, 17 Oct 1999 01:27:50 -0400
Message-ID: <19991017012750.A812@fever.semiotek.com>
In-Reply-To: <14343.23571.679909.243732@blm30.IRO.UMontreal.CA>

On Fri, Oct 15, 1999 at 12:53:39PM -0400, Antoine Beaupre wrote:

> I guess there is no way to run X in secure level > 0, right?

I'm now running X on my workstation at securelevel 3. I uncommented this in my /etc/ttys (I used to run startx manually):

    ttyv0   "/usr/X11R6/bin/xdm -nodaemon"  xterm   on secure

and added this as the last thing in my rc.local:

    #secure operation
    if [ -f /etc/secure-level ]; then
        ( sleep 10 && sysctl -w kern.securelevel=`cat /etc/secure-level` ) &
    fi

The purpose of the 10 second sleep is to give xdm time to initialize the display and get itself running.

It works. You can exit your X session and log in as someone else and xdm is happy--it already has the access it needs I guess.

However there's a downside: I have a bunch of chrooted daemons that get initialized before this. I feel they should be initialized AFTER the securelevel is set, since I view them as untrusted. However, then I would have to run xdm well before the system gets to multi user mode.... sigh.

Ideally I should set my firewall rules right after the disks get mounted, and then impose the securelevel at that point--letting all of the userland initialization, daemons, etc., happen under the securelevel restriction--leaving open the smallest possible window for an attacker.

The problem with securelevel, in my mind, is that an attacker who got root would simply write stuff into the /etc/rc scripts and then force the machine to reboot. It would be very difficult to set the schg flag on every possible file that gets run as root during bootup.
Does anyone have any clever solutions?

Justin
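Justin's worry above is that a root attacker edits the rc scripts and reboots, and that locking every boot-time file with schg is hard to get complete. The sh script below is an editor-added example, not code from the thread or from Justin: it lists the boot-time files (an assumed list for a 3.x-era system) that still lack the schg flag so they can be locked with chflags before kern.securelevel is raised, since at securelevel 1 or higher the flag can no longer be cleared and those files cannot be rewritten.

```shell
#!/bin/sh
# Added example, not code from the thread: report boot-time files that are
# still writable by root, i.e. that lack the schg (system immutable) flag.
# Once kern.securelevel is 1 or higher, schg cannot be cleared, so files
# locked with chflags schg before the level is raised cannot be rewritten by
# a root attacker hoping to edit the rc scripts and reboot into them.
# The file list is an assumption for a 3.x-era system; extend it with
# whatever else your /etc/rc runs (firewall scripts, chroot setup, ...).
BOOT_FILES="/etc/rc /etc/rc.conf /etc/rc.local /etc/rc.network \
/etc/rc.firewall /etc/ttys /sbin/init /sbin/sysctl /bin/sh"

# Read `ls -lo` output on stdin (FreeBSD columns: mode links owner group
# flags size month day time name) and print the path of every entry whose
# flags field does not include schg. Returns 1 if any such file was found.
missing_schg() {
    awk '
        $5 !~ /(^|,)schg(,|$)/ { print $NF; found = 1 }
        END { if (found) exit 1; exit 0 }
    '
}

# Live audit; only meaningful on FreeBSD, where ls -lo prints the flags.
audit_boot_files() {
    ls -lo $BOOT_FILES 2>/dev/null | missing_schg
}

# Lock everything in BOOT_FILES. Operational cost: at securelevel >= 1 the
# files can only be edited again after dropping to single-user mode, because
# only init(8) can lower the level, when the system goes single-user.
lock_boot_files() {
    chflags schg $BOOT_FILES
}

# Constructed sample listing in the format ls -lo prints on FreeBSD, so the
# parser can be exercised on any system. Only /etc/rc.local is unlocked.
SAMPLE_LISTING='-r--r--r--  1 root  wheel  schg 5632 Oct 16  1999 /etc/rc
-rw-r--r--  1 root  wheel  - 1102 Oct 16  1999 /etc/rc.local
-rw-r--r--  1 root  wheel  schg,sunlnk 2210 Oct 16  1999 /etc/ttys'

if [ "$(uname -s)" = FreeBSD ]; then
    audit_boot_files || echo "files above lack schg; see lock_boot_files" >&2
else
    printf '%s\n' "$SAMPLE_LISTING" | missing_schg   # prints /etc/rc.local
fi
```

The audit does not close the window Justin describes between mount and the securelevel sysctl; it only makes sure that what runs in that window is itself immutable afterwards.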