From: Irfan Dwi P
Date: Mon, 28 May 2001 08:56:14 +0700 (JAVT)
Subject: whats wrong with httpd service ?

I have had these messages since upgrading my server to 4.3-STABLE from 4.2-STABLE:

    May 28 05:45:36 students /kernel: pid 27413 (httpd), uid 1124: exited on signal 8

Any suggestion what's going on with httpd? Or maybe the system?

thanks
~irfan dp~

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From: faSty
Date: Sun, 27 May 2001 19:06:50 -0700
To: Irfan Dwi P
Cc: freebsd-security@freebsd.org
Subject: Re: whats wrong with httpd service ?
Message-ID: <20010527190650.A70249@i-sphere.com>

I would recompile Apache with the latest version; I had that same problem in the past. All I did was recompile the new Apache, but it won't overwrite httpd.conf :)

-trev

On Mon, May 28, 2001 at 08:56:14AM +0700, Irfan Dwi P wrote:
> i have had this messages since i upgrading my server into 4.3-STABLE from
> 4.2 STABLE
>
> May 28 05:45:36 students /kernel: pid 27413 (httpd), uid 1124: exited on
> signal 8
>
> any suggestion what's going on with the httpd ? or the system may be ?
>
> thanks
>
> ~irfan dp~


From: Robert Watson
Date: Sun, 27 May 2001 22:59:03 -0400 (EDT)
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: Apple and FreeBSD Security Collaboration
In-Reply-To: <4.2.2.20010523201612.01aa97e0@192.168.0.12>

Yes, we regularly exchange e-mail relating to vulnerabilities, and I've submitted a number of security patches to correct vulnerabilities both prior to and following their release. We hope to continue to build a stronger relationship with Apple in the future.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Wed, 23 May 2001, Mike Tancsa wrote:

> I hate to be so cynical and not accept it at face value, but is it true ?
> Do they really work closely with the security officer(s) ?
>
> ---Mike
>
> At 04:34 PM 5/23/2001 -0700, R.P. Aditya wrote:
> >Add another feather to the cap of FreeBSD:
> >
> >From
> >
> > http://www.apple.com/support/security/security.html
> >
> >Collaboration with other security groups
> >...
> >Apple also works very closely with the FreeBSD Security team to analyze and
> >release patches for security vulnerabilities.
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Network Administration, mike@sentex.net
> Sentex Communications www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike


From: patl@Phoenix.Volant.ORG
Date: Mon, 28 May 2001 00:55:45 -0700 (PDT)
To: freebsd-security@freebsd.org
Subject: ipfw: reset -vs- unreach port

There are a few 'nuisance' TCP services that are normally blocked by firewalls (e.g., auth [113] and netbios-ns [137]). In the interest of reducing the delays which would be imposed by simply dropping those packets, is it better to use 'reset' (send an RST), 'unreach port' (send a Port Unreachable ICMP message), or 'unreach filter-prohib' (send a Filter Prohibition ICMP message)? Or is there another, even better option?

Thanks,
-Pat


From: "Philip J. Koenig"
Organization: The Electric Kahuna Organization
Date: Mon, 28 May 2001 02:41:00 -0700
To: security@FreeBSD.ORG
Subject: Mysterious console message
Message-ID: <3B11BABC.10640.3819C8@localhost>

Saw this on my console and in syslog today (FreeBSD 4.3-RC):

    login: May 27 18:13:23 hostname /kernel: arp: unknown hardware address format (0x0800)

Any clues on this? The only thing I can think of is that I made some minor changes to the hardware firewall earlier that day, but these were firmware/minor config changes, no hardware changes.

TIA,
Phil

--
Philip J. Koenig                                   pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millennium


From: Sheldon Hearn
Date: Mon, 28 May 2001 12:03:48 +0200
To: patl@phoenix.volant.org
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw: reset -vs- unreach port
Message-ID: <51156.991044228@axl.fw.uunet.co.za>

On Mon, 28 May 2001 00:55:45 MST, patl@Phoenix.Volant.ORG wrote:

> There are a few 'nuisance' TCP services that are normally blocked by
> firewalls (e.g., auth [113] and netbios-ns [137]) In the interest
> of reducing the delays which would be imposed by simply dropping
> those packets, is it better to use 'reset' (send an RST), 'unreach
> port' (send a Port Unreachable ICMP message), or 'unreach filter-prohib'
> (send a Filter Prohibition ICMP message) ?

Yes.

Ciao,
Sheldon.
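The delay Pat asks about above is decided by what the client actually gets back for a blocked port. The following is an added example (not code from the thread or from ipfw) that builds the rule line in the thread's own syntax, states what a client should observe for each action, and measures what it does observe on a host whose rules you administer. It assumes the usual BSD/Linux errno mapping: an RST or an ICMP port-unreachable surfaces as ECONNREFUSED, an ICMP filter-prohibited (type 3, code 13) as EHOSTUNREACH.

```python
"""Verify what a TCP client sees when it hits a firewalled port, and how
long it waits for the answer.

Added example for the 'reset' vs 'unreach port' vs 'unreach filter-prohib'
question; not code from the original thread or from ipfw.  Assumes the
client OS maps RST / ICMP port-unreachable to ECONNREFUSED and ICMP
filter-prohibited to EHOSTUNREACH (usual BSD and Linux behaviour).
"""
import errno
import socket
import time
from dataclasses import dataclass

# What a client should observe for each ipfw action on a TCP port.  The rule
# syntax mirrors the thread ("add reset tcp from any to any"); the verdict
# labels are this example's own.
EXPECTED = {
    "deny": "dropped",                      # no reply: client waits out its timeout
    "reset": "refused",                     # TCP RST: immediate "Connection refused"
    "unreach port": "refused",              # ICMP port unreachable: also ECONNREFUSED
    "unreach filter-prohib": "prohibited",  # ICMP admin prohibited: EHOSTUNREACH
}


def ipfw_rule(number, action, port):
    """Build an ipfw(8) rule line in the syntax used in the thread."""
    if action not in EXPECTED:
        raise ValueError(f"unknown ipfw action {action!r}")
    return f"add {number} {action} tcp from any to any {port}"


@dataclass
class ProbeResult:
    host: str
    port: int
    verdict: str    # "open", "refused", "prohibited" or "dropped"
    elapsed: float  # seconds until the client got an answer, or gave up


def classify(host, port, timeout=5.0):
    """Attempt one TCP connect and report what the client observed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        verdict = "open"
    except socket.timeout:
        verdict = "dropped"          # nothing came back: the 'deny' case
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            verdict = "refused"      # RST or ICMP port unreachable
        elif exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "prohibited"   # ICMP filter-prohib / host unreachable
        else:
            raise
    finally:
        sock.close()
    return ProbeResult(host, port, verdict, time.monotonic() - start)


def check_rule(host, port, action, timeout=5.0):
    """Return (matches_expectation, result) for a rule you believe is active.

    A mismatch is the symptom of rules that are loaded but not taking effect:
    the verdict comes back 'dropped' after the full timeout instead of an
    immediate 'refused'.
    """
    result = classify(host, port, timeout)
    return result.verdict == EXPECTED[action], result


def closed_local_port():
    """Pick a loopback port with no listener (bind to 0, read it back, close).

    Used for a constructed local run: a closed port on 127.0.0.1 answers with
    an RST, so it behaves exactly like a port covered by a 'reset' rule.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample run against loopback; point host/port at your own
    # firewalled box to verify the nuisance ports answer without delay.
    for port, action in ((113, "reset"), (137, "unreach port")):
        print(ipfw_rule(900 + port, action, port))
        ok, res = check_rule("127.0.0.1", port, action, timeout=3.0)
        print(f"  port {port}: {res.verdict} after {res.elapsed:.2f}s "
              f"({'as expected' if ok else 'NOT as expected'})")
```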
From: Peter Pentchev
Date: Mon, 28 May 2001 13:11:36 +0300
To: patl@phoenix.volant.org
Cc: Sheldon Hearn, freebsd-security@freebsd.org
Subject: Re: ipfw: reset -vs- unreach port
Message-ID: <20010528131136.A588@ringworld.oblivion.bg>
In-Reply-To: <51156.991044228@axl.fw.uunet.co.za>

On Mon, May 28, 2001 at 12:03:48PM +0200, Sheldon Hearn wrote:
>
> On Mon, 28 May 2001 00:55:45 MST, patl@Phoenix.Volant.ORG wrote:
>
> > There are a few 'nuisance' TCP services that are normally blocked by
> > firewalls (e.g., auth [113] and netbios-ns [137]) In the interest
> > of reducing the delays which would be imposed by simply dropping
> > those packets, is it better to use 'reset' (send an RST), 'unreach
> > port' (send a Port Unreachable ICMP message), or 'unreach filter-prohib'
> > (send a Filter Prohibition ICMP message) ?
>
> Yes.

Uh.. I think the original poster already considered using one of these three better than just dropping the packet on the floor, and his question was more like which of the three was better :)

IMHO, a simple RST would be best - a classic, old-fashioned 'connection refused, no one here' reply, almost no indication that it is actually a firewall blocking the attempt, no fear of overly-paranoid firewalls dropping stray ICMP packets (and causing the same delay due to no response). Yes, I know that no one should block *these* types of ICMP, but the sad fact is, some ISPs do.

G'luck,
Peter

--
This sentence every third, but it still comprehensible.


From: Cy Schubert - ITSD Open Systems Group
Date: Mon, 28 May 2001 05:33:10 -0700
To: Peter Pentchev
Cc: patl@phoenix.volant.org, Sheldon Hearn, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw: reset -vs- unreach port
Message-Id: <200105281233.f4SCXJE11964@cwsys.cwsent.com>
In-reply-to: <20010528131136.A588@ringworld.oblivion.bg>

In message <20010528131136.A588@ringworld.oblivion.bg>, Peter Pentchev writes:
> On Mon, May 28, 2001 at 12:03:48PM +0200, Sheldon Hearn wrote:
> >
> > On Mon, 28 May 2001 00:55:45 MST, patl@Phoenix.Volant.ORG wrote:
> >
> > > There are a few 'nuisance' TCP services that are normally blocked by
> > > firewalls (e.g., auth [113] and netbios-ns [137]) In the interest
> > > of reducing the delays which would be imposed by simply dropping
> > > those packets, is it better to use 'reset' (send an RST), 'unreach
> > > port' (send a Port Unreachable ICMP message), or 'unreach filter-prohib'
> > > (send a Filter Prohibition ICMP message) ?
> >
> > Yes.
>
> Uh.. I think the original poster already considered using one of these
> three better than just dropping the packet on the floor, and his question
> was more like which of the three was better :)
>
> IMHO, a simple RST would be best - a classic, old-fashioned 'connection
> refused, no one here' reply, almost no indication that it is actually
> a firewall blocking the attempt, no fear of overly-paranoid firewalls
> dropping stray ICMP packets (and causing the same delay due to no response).
> Yes, I know that no one should block *these* types of ICMP, but the sad
> fact is, some ISP's do.

Actually, there is an indication that there is a firewall by sending a simple RST. If in fact the firewall is dropping all other packets and just sending RST for blocked packets destined for port 113, we must conclude that there is a firewall blocking access. If the firewall sends an RST to all connection attempts, replies with port-unreachable to any UDP packets, and replies to all pings, it will appear that a host is connected but not running any services. Anything other than a black hole response to everything would make it easy to deduce that a firewall is in the path. Of course just dropping every blocked packet will seem to indicate that there is no host or firewall in the path, but you cannot be selective about this.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC


From: Peter Pentchev
Date: Mon, 28 May 2001 15:40:40 +0300
To: Cy Schubert - ITSD Open Systems Group
Cc: patl@phoenix.volant.org, Sheldon Hearn, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw: reset -vs- unreach port
Message-ID: <20010528154040.J588@ringworld.oblivion.bg>
In-Reply-To: <200105281233.f4SCXJE11964@cwsys.cwsent.com>

On Mon, May 28, 2001 at 05:33:10AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> In message <20010528131136.A588@ringworld.oblivion.bg>, Peter Pentchev
> writes:
> > IMHO, a simple RST would be best - a classic, old-fashioned 'connection
> > refused, no one here' reply, almost no indication that it is actually
> > a firewall blocking the attempt, no fear of overly-paranoid firewalls
> > dropping stray ICMP packets (and causing the same delay due to no response).
> > Yes, I know that no one should block *these* types of ICMP, but the sad
> > fact is, some ISP's do.
>
> Actually, there is indication that there is a firewall by sending a
> simple RST. If in fact the firewall is dropping all other packets and
> just sending RST for blocked packets destined for port 113, we must
> conclude that there is a firewall blocking access. If the firewall
> sends a RST to all connection attempts, replies with port-unreachable
> to any UDP packets, and replies to all pings, it will appear that a
> host is connected but not running any services. Anything other than a
> black hole response to everything would make it easy to deduce that a
> firewall is in the path. Of course just dropping every blocked packet
> will seem to indicate that there is no host or firewall in the path,
> but you cannot be selective about this.

I was talking about a case when there are no dropped connection attempts, and every 'denied' connection attempt is 'denied' by sending an RST.

G'luck,
Peter

--
This sentence was in the past tense.


From: Cy Schubert - ITSD Open Systems Group
Date: Mon, 28 May 2001 06:10:40 -0700
To: Peter Pentchev
Cc: patl@phoenix.volant.org, Sheldon Hearn, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw: reset -vs- unreach port
Message-Id: <200105281311.f4SDBKD12215@cwsys.cwsent.com>
In-reply-to: <20010528154040.J588@ringworld.oblivion.bg>

In message <20010528154040.J588@ringworld.oblivion.bg>, Peter Pentchev writes:
> On Mon, May 28, 2001 at 05:33:10AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > Actually, there is indication that there is a firewall by sending a
> > simple RST. If in fact the firewall is dropping all other packets and
> > just sending RST for blocked packets destined for port 113, we must
> > conclude that there is a firewall blocking access. If the firewall
> > sends a RST to all connection attempts, replies with port-unreachable
> > to any UDP packets, and replies to all pings, it will appear that a
> > host is connected but not running any services. Anything other than a
> > black hole response to everything would make it easy to deduce that a
> > firewall is in the path. Of course just dropping every blocked packet
> > will seem to indicate that there is no host or firewall in the path,
> > but you cannot be selective about this.
>
> I was talking about a case when there are no dropped connection attempts,
> and every 'denied' connection attempt is 'denied' by sending a RST.

Just reading through SecurityPortal, there is a pointer to a timely article discussing the reject vs. deny controversy. I'm not implying that we have a controversy here, just a timely article. Take a look at http://securityportal.com/closet/closet20010523.html.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC


From: "Retal"
Date: Mon, 28 May 2001 19:03:53 +0200
Subject: filter-prohib/reset <-- not working
Message-ID: <002c01c0e798$2cd55e80$b88f39d5@a>

I'm trying everything. I added rules like:

    add reset tcp from any to any

or

    add unreach filter-prohib tcp from any to any

It is still taking like 30 seconds till I get Connection refused... What could be the problem? (The rules are in their place.)

Best regards,
Liran Dahan (lirandb@netvision.net.il)
From: "Retal"
Date: Mon, 28 May 2001 19:15:15 +0200
Subject: Re: filter-prohib/reset <-- not working
Message-ID: <006501c0e799$c37967e0$b88f39d5@a>
References: <002c01c0e798$2cd55e80$b88f39d5@a>

Oh, and I forgot one more thing. When I'm denying ICMP packets, should I use unreach filter-prohib or unreach host? Is there any difference? I mean, when I'm getting a hard ICMP flood (ping -f -s), will any of them help keep my machine from going down? Because, like I've seen, my firewall isn't helping so much against ICMP attacks, even when I'm doing this:

    ipfw add 900 allow icmp from 213.57.143.1 (MY IP)
    ipfw add 901 unreach host/unreach filter-prohib icmp from any to any

Best regards, and thanks,
Liran Dahan (lirandb@netvision.net.il)

----- Original Message -----
From: Retal
To: freebsd-security@FreeBSD.ORG
Sent: Monday, May 28, 2001 7:03 PM
Subject: filter-prohib/reset <-- not working

  Im trying everything, i added rules like : add reset tcp from any to any, or add unreach filter-prohib tcp from any to any
  it is still taking like 30 seconds till i get Connection refused...
  What could be the problem ?
  (The rules are in their place)

  Best regards,
  Liran Dahan (lirandb@netvision.net.il)
From owner-freebsd-security Mon May 28 10:07:30 2001
From: Daniel Hagan
To: pjklist@ekahuna.com
Cc: security@FreeBSD.ORG
Date: Mon, 28 May 2001 13:11:11 -0400
Subject: Re: Mysterious console message

See the thread started on Wed, 23 May 2001 with subject "service attacks".
Specifically the message w/ id 3B0C3BE0.F263E036@globalstar.com from Chris Clark.

Daniel

"Philip J. Koenig" wrote:
>
> Saw this on my console and in syslog today (FreeBSD 4.3-RC):
>
> login: May 27 18:13:23 hostname /kernel: arp: unknown hardware address format (0x0800)
>
> Any clues on this? Only thing I can think of is that I made some
> minor changes to the hardware firewall earlier that day, but these
> were firmware/minor config changes, no hardware changes.
>
> TIA,
>
> Phil
>
> --
> Philip J. Koenig pjklist@ekahuna.com
> Electric Kahuna Systems -- Computers & Communications for the New Millenium

--
Consultant, Collective Technologies http://www.collectivetech.com/
Use PGP for confidential e-mail. http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1 3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1

From owner-freebsd-security Mon May 28 16:00:34 2001
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Mon, 28 May 2001 16:00:20 -0700 (PDT)
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:38.samba [REVISED]
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:36                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          samba ports contain locally exploitable /tmp races [REVISED]
Category:       ports
Module:         samba
Announced:      2001-04-23
Revised:        2001-05-28
Credits:        Marcus Meissner
Affects:        Ports collection prior to the correction date.
Corrected:      2001-04-18 (samba-devel), 2001-05-09 (samba)
Vendor status:  Updated version released
FreeBSD only:   No

0.   Revision History

2001-04-23  v1.0  Initial release
2001-05-28  v1.1  Note that Samba 2.0.8 is also vulnerable to the problem.

I.   Background

Samba is an implementation of the Server Message Block (SMB) protocol.

II.  Problem Description

The samba ports, versions prior to samba-2.0.9 and samba-devel-2.2.0, contain /tmp races that may allow local users to cause arbitrary files and devices to be overwritten. Due to easily predictable printer queue cache file names, local users may create symbolic links to any file or device, causing it to be corrupted when a remote user accesses a printer. In addition, the file will be left with world-writable permission, allowing any user to enter their own data.

The samba ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 5000 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases. The ports collection that shipped with FreeBSD 4.3 is not vulnerable since this problem was corrected prior to the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Unprivileged local users may cause arbitrary files or devices to be corrupted and gain increased privileges on the local system.

If you have not chosen to install the samba ports/packages, then your system is not vulnerable to this problem. Samba servers that do not have any printers configured are not vulnerable.

IV.  Workaround

Deinstall the samba port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the samba port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/samba-2.0.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/samba-2.0.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/samba-devel-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/samba-devel-2.2.0.tgz

NOTE: it may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) Download a new port skeleton for the samba port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
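An added illustration, not Samba's code and not part of the advisory: the predictable-name cache write the advisory describes beside a hardened version, in C. The <dir>/<printer>.cache naming, the function names and the scratch directory under /tmp are assumptions; the scenario helper plants the symlink inside its own private directory so the demonstration only ever touches its own files.

```c
#define _GNU_SOURCE 1          /* mkdtemp and O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical cache file name <dir>/<printer>.cache.  Samba's real names
 * are not given in the advisory; what matters is that they are predictable. */
static void cache_path(char *out, size_t len, const char *dir, const char *printer)
{
    snprintf(out, len, "%s/%s.cache", dir, printer);
}

static int write_all(int fd, const char *data)
{
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Vulnerable pattern from the advisory: predictable name in a shared
 * directory, O_TRUNC, symlinks followed, file created world-writable.
 * A symlink planted under that name makes open() truncate and overwrite
 * whatever the link points at, as the Samba process's user. */
int cache_write_vulnerable(const char *dir, const char *printer, const char *data)
{
    char path[PATH_MAX];
    cache_path(path, sizeof path, dir, printer);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    return fd < 0 ? -1 : write_all(fd, data);
}

/* Hardened: O_CREAT|O_EXCL fails on anything already present (POSIX says
 * that includes a symlink), O_NOFOLLOW is a second check, and mode 0600
 * never leaves the file world-writable.  dir should also be a private
 * 0700 spool directory rather than /tmp. */
int cache_write_hardened(const char *dir, const char *printer, const char *data)
{
    char path[PATH_MAX];
    cache_path(path, sizeof path, dir, printer);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -1 : write_all(fd, data);   /* EEXIST/ELOOP: planted */
}

/* Replays the advisory's scenario inside a private scratch directory: a
 * victim file, a symlink planted under the predictable cache name, then
 * both writers.  Bitmask result: 1 = vulnerable writer clobbered the
 * victim through the link, 2 = hardened writer refused the link,
 * 4 = hardened writer creates a 0600 file once the link is gone.
 * 7 is the expected value. */
int run_scenario(void)
{
    char dir[] = "/tmp/sa0138-demo-XXXXXX";     /* constructed scratch dir */
    char victim[PATH_MAX], planted[PATH_MAX];
    struct stat st;
    int result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    cache_path(planted, sizeof planted, dir, "lp");

    FILE *f = fopen(victim, "w");
    if (f == NULL)
        return -1;
    fputs("original contents\n", f);            /* 18 bytes */
    fclose(f);
    if (symlink(victim, planted) != 0)
        return -1;

    /* A successful clobber leaves the 18-byte victim at 11 bytes. */
    if (cache_write_vulnerable(dir, "lp", "queue data\n") == 0 &&
        stat(victim, &st) == 0 && st.st_size == 11)
        result |= 1;

    errno = 0;
    if (cache_write_hardened(dir, "lp", "queue data\n") == -1 &&
        (errno == EEXIST || errno == ELOOP))
        result |= 2;

    unlink(planted);
    if (cache_write_hardened(dir, "lp", "queue data\n") == 0 &&
        lstat(planted, &st) == 0 && S_ISREG(st.st_mode) &&
        (st.st_mode & 0777) == 0600)
        result |= 4;

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return result;
}
```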
From owner-freebsd-security Mon May 28 16:02:07 2001
From: "Retal"
Date: Tue, 29 May 2001 02:02:03 +0200
Subject: Kernel message

I got this message while I was changing icmpbandlim from 200 to 30:

May 29 01:42:14 freebsd /kernel: Limiting closed port RST response from 78 to 30 packets per second

I got this message like 10000 times..
What does that mean..

Liran Dahan (lirandb@netvision.net.il)
(retal@retal.co.il)

From owner-freebsd-security Mon May 28 16:22:14 2001
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Mon, 28 May 2001 16:21:58 -0700 (PDT)
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:23.icecast [REVISED]
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:23                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          icecast port contains remote vulnerability [REVISED]
Category:       ports
Module:         icecast
Announced:      2001-03-12
Revised:        2001-05-28
Credits:        |CyRaX|
Affects:        Ports collection prior to the correction date.
Corrected:      2001-04-20
Vendor status:  Updated version released
FreeBSD only:   NO

0.   Revision History

2001-03-12  v1.0  Initial release
2001-05-28  v1.1  Note vulnerabilities in versions prior to 1.3.10

I.   Background

icecast is a server for streaming MP3 audio.

II.  Problem Description

The icecast software, versions prior to 1.3.10, contains multiple format string vulnerabilities, which allow a remote attacker to execute arbitrary code as the user running icecast, usually the root user. There are a number of other potential abuses of format strings which may or may not pose security risks, but have not currently been audited.

The icecast port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 5200 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.3 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Arbitrary remote users can execute arbitrary code on the local system as the user running icecast, usually the root user.

If you have not chosen to install the icecast port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the icecast port/package, if you have installed it.

V.   Solution

Consider running the icecast software as a non-privileged user to minimize the impact of further security vulnerabilities in this software.

To upgrade icecast, choose one of the following options:

1) Upgrade your entire ports collection and rebuild the icecast port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/icecast-1.3.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/icecast-1.3.10.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) Download a new port skeleton for the icecast port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Mon May 28 16:38:26 2001
From: Peter Pentchev
To: Retal
Cc: freebsd-security@freebsd.org
Date: Tue, 29 May 2001 02:37:22 +0300
Subject: Re: Kernel message
On Tue, May 29, 2001 at 02:02:03AM +0200, Retal wrote:
> I got this message while i was changing icmpbandlim from 200 to 30:
> May 29 01:42:14 freebsd /kernel: Limiting closed port RST response from 78 to 30
> packets per second
>
> i got this message like 10000 times..
> What is that means..

Somebody was portscanning you - running a simple program that connects
to every port from 1 to, say, 32768, on your machine, to see which ports
are 'open' - what services (daemons, servers) you are running on your
machine. The kernel had to send a lot of 'connection refused' ('closed'
port, not open) messages, and it had a max value of 30 of those per second.
It is informing you that in one given second, it was supposed to send out
78 of those, but it only sent 30.

So.. somebody was portscanning you. If you are running any programs
that have known security issues, you had better stop them. Look at
the output of sockstat -4 to see which ports you have open (if your
FreeBSD is 4.3 or later, you can use sockstat -4l to see listening
sockets only), then look at the FreeBSD website to find a list of
security advisories to see if any of the programs you are running
are vulnerable in the versions on your machine.

G'luck,
Peter

--
I am the meaning of this sentence.
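An added example, not part of the thread: a small C parser and aggregator for the rate-limit message Peter explains above, run over constructed syslog lines shaped like the one Retal quoted, so an admin can see how many "connection refused" replies were actually suppressed and over which seconds before going on to check sockstat and the advisories. It also accepts the kernel's other messages of the same "Limiting ... response from N to M packets per second" shape (the icmp unreach limiter is used as a second kind); that generalisation is an assumption about the message format, not something stated in the thread.

```c
#include <stdio.h>
#include <string.h>

/* One "Limiting ... response from N to M packets per second" line. */
struct bandlim_event {
    char month[4];
    int  day;
    char clock[9];     /* HH:MM:SS */
    char kind[32];     /* e.g. "closed port RST", "icmp unreach" */
    int  wanted;       /* replies the kernel wanted to send that second */
    int  limit;        /* replies it actually allowed (the sysctl value) */
};

/* Aggregate for one message kind. */
struct bandlim_summary {
    int  events;       /* matching log lines */
    int  seconds;      /* distinct limited seconds (input in time order) */
    int  suppressed;   /* sum of wanted - limit: replies never sent */
    int  peak_wanted;  /* busiest second */
    char first[9], last[9];
};

/* Returns 1 and fills ev when line is a bandlim message, else 0.  Lines
 * that merely contain "Limiting" without the full shape are rejected. */
int parse_bandlim(const char *line, struct bandlim_event *ev)
{
    const char *tag = "/kernel: Limiting ";
    const char *p = strstr(line, tag), *q;
    if (p == NULL)
        return 0;
    p += strlen(tag);
    q = strstr(p, " response from ");
    if (q == NULL || (size_t)(q - p) >= sizeof ev->kind)
        return 0;
    memcpy(ev->kind, p, (size_t)(q - p));
    ev->kind[q - p] = '\0';
    if (sscanf(q, " response from %d to %d packets per second",
               &ev->wanted, &ev->limit) != 2)
        return 0;
    if (sscanf(line, "%3s %d %8s", ev->month, &ev->day, ev->clock) != 3)
        return 0;
    return ev->wanted >= ev->limit;
}

/* Folds every line of one kind into sum; returns the number of events. */
int summarize_bandlim(const char *const *lines, size_t n, const char *kind,
                      struct bandlim_summary *sum)
{
    struct bandlim_event ev;
    memset(sum, 0, sizeof *sum);
    for (size_t i = 0; i < n; i++) {
        if (!parse_bandlim(lines[i], &ev) || strcmp(ev.kind, kind) != 0)
            continue;
        if (sum->events == 0)
            strcpy(sum->first, ev.clock);
        if (strcmp(sum->last, ev.clock) != 0)
            sum->seconds++;
        strcpy(sum->last, ev.clock);
        sum->events++;
        sum->suppressed += ev.wanted - ev.limit;
        if (ev.wanted > sum->peak_wanted)
            sum->peak_wanted = ev.wanted;
    }
    return sum->events;
}

/* Constructed sample, modelled on the line quoted in the thread. */
const char *const sample_log[] = {
    "May 29 01:42:14 freebsd /kernel: Limiting closed port RST response from 78 to 30 packets per second",
    "May 29 01:42:15 freebsd /kernel: Limiting closed port RST response from 120 to 30 packets per second",
    "May 29 01:42:15 freebsd sshd[412]: Accepted publickey for liran from 10.0.0.5 port 51022 ssh2",
    "May 29 01:42:16 freebsd /kernel: Limiting closed port RST response from 41 to 30 packets per second",
    "May 29 01:43:02 freebsd /kernel: Limiting icmp unreach response from 55 to 30 packets per second",
    "May 29 01:43:02 freebsd /kernel: Limiting closed port RST response from garbage",
};
const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

/* Wrapper over the sample, returning the aggregate by value. */
struct bandlim_summary summarize_sample(const char *kind)
{
    struct bandlim_summary s;
    summarize_bandlim(sample_log, sample_log_len, kind, &s);
    return s;
}

int main(void)
{
    const char *kinds[] = { "closed port RST", "icmp unreach" };
    for (size_t k = 0; k < 2; k++) {
        struct bandlim_summary s = summarize_sample(kinds[k]);
        printf("%-16s events=%d seconds=%d suppressed=%d peak=%d/s %s..%s\n",
               kinds[k], s.events, s.seconds, s.suppressed, s.peak_wanted,
               s.first, s.last);
    }
    return 0;
}
```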
From owner-freebsd-security Mon May 28 16:47:06 2001
From: "Michael Tang Helmeste"
Date: Mon, 28 May 2001 19:46:18 -0400
Subject: RE: Kernel message
In-Reply-To: <20010529023722.C30478@ringworld.oblivion.bg>

If you get this a lot and it annoys you, I'd recommend something like
portsentry (I used to get portscanned a lot and I installed this).
You can get it here: www.psionic.com/abacus
It can block them via tcpwrappers, or even add a route for them using
'route' to make it so that they can't contact you anymore (by specifying the
route to their IP as through a dummy IP on your network). It also logs it in
syslog, and you can use the log reporting tool on the same page above, to
monitor for those types of things
I found it very useful. :)
From owner-freebsd-security Mon May 28 17:32:20 2001
From: Lee Smallbone
To: "Michael Tang Helmeste"
Date: Mon, 28 May 2001 13:36:04 +0100
Subject: Re[2]: Kernel message

Tuesday, 29 May 2001, you wrote:

MTH> If you get this a lot and it annoys you, I'd recommend something like
MTH> portsentry (I used to get portscanned a lot and I installed this).
MTH> You can get it here: www.psionic.com/abacus
MTH> It can block them via tcpwrappers, or even add a route for them using
MTH> 'route' to make it so that they can't contact you anymore (by specifying the
MTH> route to their IP as through a dummy IP on your network). It also logs it in
MTH> syslog, and you can use the log reporting tool on the same page above, to
MTH> monitor for those types of things
MTH> I found it very useful. :)

Be careful with programs that block on receipt of probes. It is extremely
easy to spoof IPs that your system might need to live (ISP's DNS servers,
for example.)

--Lee.
From owner-freebsd-security Mon May 28 23:10:45 2001
From: Craig Cowen
To: Daniel Hagan
Cc: pjklist@ekahuna.com, security@FreeBSD.ORG
Date: Mon, 28 May 2001 23:14:57 -0700
Subject: Re: Mysterious console message

I had the same problem at the same time I was having trouble with my AT&T
service. It went away when I finally got the AT&T problem corrected.

Daniel Hagan wrote:
> See the thread started on Wed, 23 May 2001 with subject "service
> attacks". Specifically the message w/ id
> 3B0C3BE0.F263E036@globalstar.com from Chris Clark.
>
> Daniel
>
> "Philip J. Koenig" wrote:
> >
> > Saw this on my console and in syslog today (FreeBSD 4.3-RC):
> >
> > login: May 27 18:13:23 hostname /kernel: arp: unknown hardware address format (0x0800)
> >
> > Any clues on this? Only thing I can think of is that I made some
> > minor changes to the hardware firewall earlier that day, but these
> > were firmware/minor config changes, no hardware changes.
> >
> > TIA,
> >
> > Phil

From owner-freebsd-security Tue May 29 01:45:32 2001
From: "Chojin"
Date: Tue, 29 May 2001 10:46:01 +0200
Subject: Re: Kernel message
Could you give me a good portsentry configuration and a good KILLROUTE line (I use ipf) to block port scanning and other)?

Thanks

----- Original Message -----
From: "Michael Tang Helmeste"
Sent: Tuesday, May 29, 2001 1:46 AM
Subject: RE: Kernel message

> If you get this a lot and it annoys you, I'd recommend something like
> portsentry (I used to get portscanned a lot and I installed this).
> You can get it here: www.psionic.com/abacus
> It can block them via tcpwrappers, or even add a route for them using
> 'route' to make it so that they can't contact you anymore (by specifying the
> route to their IP as through a dummy IP on your network). It also logs it in
> syslog, and you can use the log reporting tool on the same page above, to
> monitor for those types of things
> I found it very useful. :)

From owner-freebsd-security Tue May 29 04:24:02 2001
From: "Timothy S. Bowers"
To: freebsd-security@freebsd.org
Date: Tue, 29 May 2001 13:24:57 +0200
Subject: file system

Hi,

Since I installed Fbsd4.3 I'm getting this:

warning: /var/run/dev.db: Too many open files in system

Is there a new kernel option or anything else I have to set to accommodate this?

Thanks,

Timothy Bowers

From owner-freebsd-security Tue May 29 05:14:51 2001
From: "Timothy S. Bowers"
To: Axel Scheepers
Cc: freebsd-security@freebsd.org
Date: Tue, 29 May 2001 14:08:52 +0200
Subject: Re: maxfiles in kernel
In-Reply-To: <20010529135421.A4025@surf.iae.nl>

Hi Axel,

Mine was 1064 and I've changed it to 4096. I've also changed kern.maxfilesperproc to 4096.
I hope this holds :)

What do you think I should put in the kernel for maxusers?

Regards,

Timothy Bowers

At 01:54 PM 5/29/01, you wrote:
>Hi there,
>You can use sysctl -w kernel.maxfiles= to set it manually or
>change the maxusers value in your kernel config.
>Greetz, >Axel > >-- >Met vriendelijke groet, >VIA NET.WORKS Nederland > >Axel Scheepers >Operations >phone +31 40 239 33 93 >fax +31 40 239 33 11 >e-mail eindhoven.beheer@vianetworks.nl >http://www.vianetworks.nl/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 6:13:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 3C1FB37B422 for ; Tue, 29 May 2001 06:13:47 -0700 (PDT) (envelope-from rjh@mohawk.net) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.3/8.11.3) with ESMTP id f4TDHMi43888; Tue, 29 May 2001 09:17:22 -0400 (EDT) Date: Tue, 29 May 2001 09:17:22 -0400 (EDT) From: Ralph Huntington To: "Timothy S. Bowers" Cc: Axel Scheepers , freebsd-security@FreeBSD.ORG Subject: Re: maxfiles in kernel In-Reply-To: <5.0.2.1.2.20010529140721.00a2ac90@nol.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In the kernel config maxusers 512 gives 16424 maxfiles 256 gives half that and 128 half again On Tue, 29 May 2001, Timothy S. Bowers wrote: > Hi Axel, > > Mine was 1064 and I've changed it to 4096. I've also changed kern.maxfilesperproc to 4096. > I hope this holds :) > > What do you think I should put in the kernel for maxusers ? > > Regards, > > Timothy Bowers > > > At 01:54 PM 5/29/01, you wrote: > >Hi there, > >You can use sysctl -w kernel.maxfiles= to set it manually or > >change the maxusers value in your kernel config. 
> >Greetz, > >Axel > > > >-- > >Kind regards, > >VIA NET.WORKS Nederland > > > >Axel Scheepers > >Operations > >phone +31 40 239 33 93 > >fax +31 40 239 33 11 > >e-mail eindhoven.beheer@vianetworks.nl > >http://www.vianetworks.nl/ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 11:22:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from saturn.sit.edu.my (saturn.sit.edu.my [202.184.64.24]) by hub.freebsd.org (Postfix) with ESMTP id 67B0237B424; Tue, 29 May 2001 11:22:43 -0700 (PDT) (envelope-from Lim.Seng.Chor@sit.edu.my) Received: from LION (pmail.sit.edu.my [202.184.64.6]) by saturn.sit.edu.my (8.11.4/8.11.3) with ESMTP id f4TISfW11877; Wed, 30 May 2001 02:28:42 +0800 Received: from LION/SpoolDir by LION (Mercury 1.47); 30 May 01 02:25:43 +0800 Received: from SpoolDir by LION (Mercury 1.47); 30 May 01 02:25:34 +0800 From: "Lim Seng Chor" Organization: Sepang Institute of Technology To: freebsd-security@freebsd.org Date: Wed, 30 May 2001 02:25:28 +0800 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: freebsd rootkit Cc: freebsd-question@freebsd.org Message-ID: <3B145A16.26692.847EDF@localhost> X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, any idea where I can find a FreeBSD rootkit? Thanks.
: ) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 11:26:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail1.javanet.com (mail1.javanet.com [205.219.162.10]) by hub.freebsd.org (Postfix) with ESMTP id A0B6E37B42C; Tue, 29 May 2001 11:26:45 -0700 (PDT) (envelope-from kaworu@sektor7.ath.cx) Received: from wintermute.sekt7.org (146-115-66-7.c3-0.lex-ubr1.sbo-lex.ma.cable.rcn.com [146.115.66.7]) by mail1.javanet.com (8.9.3/8.9.2) with ESMTP id OAA22280; Tue, 29 May 2001 14:27:03 -0400 (EDT) Date: Tue, 29 May 2001 14:30:27 -0400 (EDT) From: Evan S X-Sender: kaworu@wintermute.sekt7 To: Lim Seng Chor Cc: freebsd-security@freebsd.org, freebsd-question@freebsd.org Subject: Re: freebsd rootkit In-Reply-To: <3B145A16.26692.847EDF@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I h4v3 4 f433b5d r00tk17 m4ng 3y3 4m 700 1337!!!! ;-p ------------------------------------------ Evan Sarmiento | GPG id: 9D0BDB6C ems@open-root.org | http://sekt7.org/~ems/ ------------------------------------------ On Wed, 30 May 2001, Lim Seng Chor wrote: > hi, > any idea where can i find freebsd rootkit? > thanks. 
: ) > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 11:30:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from saturn.sit.edu.my (saturn.sit.edu.my [202.184.64.24]) by hub.freebsd.org (Postfix) with ESMTP id 4646337B422 for ; Tue, 29 May 2001 11:30:56 -0700 (PDT) (envelope-from Lim.Seng.Chor@sit.edu.my) Received: from LION (pmail.sit.edu.my [202.184.64.6]) by saturn.sit.edu.my (8.11.4/8.11.3) with ESMTP id f4TIamW11921; Wed, 30 May 2001 02:36:51 +0800 Received: from LION/SpoolDir by LION (Mercury 1.47); 30 May 01 02:33:56 +0800 Received: from SpoolDir by LION (Mercury 1.47); 30 May 01 02:33:48 +0800 From: "Lim Seng Chor" Organization: Sepang Institute of Technology To: freebsd-security@freebsd.org Date: Wed, 30 May 2001 02:33:41 +0800 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: freebsd rootkit Cc: Christian Kuhtz , ferdl@atommuell.oeh.uni-linz.ac.at, kaworu@sektor7.ath.cx Message-ID: <3B145C04.31331.8C0610@localhost> In-reply-to: <20010529142422.U24763@ns1.arch.bellsouth.net> References: <3B145A16.26692.847EDF@localhost>; from Lim Seng Chor on Wed, May 30, 2001 at 02:25:28AM +0800 X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sorry, you all misunderstood me... :( I am the system admin of my site here, and I suspect my user is compromising my system files. I would like to check what files are available in a rootkit, and see whether my users are using that or not. It is just for security audit purposes.... Stop xxxxxxx me please....
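An added example, not from any message in this thread: the kind of tripwire-style integrity baseline that the replies below (tripwire/AIDE/mtree, a boot CD with known-good tools) recommend, written as two POSIX sh functions over find(1), cksum(1), awk and sort. The baseline location, the directory being checked and the usage in the comments are my assumptions, not anything the thread states. cksum's CRC is not a cryptographic hash, so on FreeBSD the real job belongs to mtree with a digest keyword (the mtree invocations in the comments are likewise my assumptions), and the baseline has to be taken from, and kept on, media the suspected intruder cannot write.

```shell
#!/bin/sh
# Added example, not code from this thread: a minimal tripwire-style
# file-integrity baseline and check in POSIX sh (find, cksum, awk, sort).
#
# Assumptions (mine, not the thread's): cksum(1) prints "CRC size path",
# and paths contain no newlines or runs of spaces. cksum's CRC is NOT a
# cryptographic hash; on FreeBSD the proper tool is mtree, e.g.
#   mtree -c -K sha256digest -p /usr/bin > /mnt/cdrom/usr_bin.mtree
#   mtree -f /mnt/cdrom/usr_bin.mtree -p /usr/bin
# and the baseline must live on read-only media, because an intruder with
# root can rewrite both the binaries and a baseline kept on the same disk.

# integrity_baseline DIR
# Print "CRC size path" for every regular file under DIR, sorted by path,
# so the result can be stored and compared later.
integrity_baseline() {
    find "$1" -type f -exec cksum {} + | sort -k 3
}

# integrity_check BASELINE DIR
# Compare DIR against BASELINE. Prints one line per difference
# ("ADDED path", "MODIFIED path", "REMOVED path"), returns 1 if any
# difference was found and 0 if the tree still matches the baseline.
integrity_check() {
    _base=$1
    _dir=$2
    _report=$(integrity_baseline "$_dir" | awk -v base="$_base" '
        BEGIN {
            # Load the baseline into old[path] = "CRC size".
            while ((getline line < base) > 0) {
                n = split(line, f, " ")
                p = f[3]
                for (i = 4; i <= n; i++) p = p " " f[i]
                old[p] = f[1] " " f[2]
            }
            close(base)
        }
        {
            # Current tree: rebuild the path from fields 3..NF and compare
            # its "CRC size" signature with the recorded one.
            p = $3
            for (i = 4; i <= NF; i++) p = p " " $i
            sig = $1 " " $2
            seen[p] = 1
            if (!(p in old)) print "ADDED " p; else if (old[p] != sig) print "MODIFIED " p
        }
        END {
            # Anything recorded in the baseline but not seen now is gone.
            for (p in old) if (!(p in seen)) print "REMOVED " p
        }' | sort)
    if [ -n "$_report" ]; then
        printf '%s\n' "$_report"
        return 1
    fi
    return 0
}
```

Take the baseline right after installation, from clean media, and keep it off the host: a baseline taken after the compromise only proves that the current state is self-consistent. Running the check from a booted CD, as Alex's reply further down suggests, also sidesteps a rootkit that has replaced find, cksum or the shell on the compromised disk.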
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 11:41: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from globalrelay.com (h216-18-71-77.gtcust.grouptelecom.net [216.18.71.77]) by hub.freebsd.org (Postfix) with ESMTP id B7F9237B422 for ; Tue, 29 May 2001 11:41:02 -0700 (PDT) (envelope-from lists@globalrelay.net) Received: from [10.2.0.6] (HELO hpvl4002) by globalrelay.com (CommuniGate Pro SMTP 3.4b7) with SMTP id 483308; Tue, 29 May 2001 11:41:02 -0700 Message-ID: <01a601c0e86e$bfd137a0$0600020a@frontend> From: "Eric Parusel" To: "Lim Seng Chor" , References: <3B145A16.26692.847EDF@localhost>; from Lim Seng Chor on Wed, May 30, 2001 at 02:25:28AM +0800 <3B145C04.31331.8C0610@localhost> Subject: Re: freebsd rootkit Date: Tue, 29 May 2001 11:39:30 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > sorry, you all misunderstood me... : ( > > i am the system admin of my site here, and i am suspecting my > user is compromising my system files. i would like to check on > what the files availble in rootkit, and see whether my users are > using that or not. > it is just for security audit purpose.... > > stop xxxxxxx me please.... > I realize that hindsight is 20/20, but properly set up tripwire or a tripwire-like software package (AIDE, mtree?) would have worked wonders in this situation.... 
Oh, and: http://www.google.com/search?q=freebsd+rootkit Eric Parusel To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 11:41:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from saturn.sit.edu.my (saturn.sit.edu.my [202.184.64.24]) by hub.freebsd.org (Postfix) with ESMTP id 855E637B43C for ; Tue, 29 May 2001 11:41:19 -0700 (PDT) (envelope-from Lim.Seng.Chor@sit.edu.my) Received: from LION (pmail.sit.edu.my [202.184.64.6]) by saturn.sit.edu.my (8.11.4/8.11.3) with ESMTP id f4TIlHW11951 for ; Wed, 30 May 2001 02:47:18 +0800 Received: from LION/SpoolDir by LION (Mercury 1.47); 30 May 01 02:44:20 +0800 Received: from SpoolDir by LION (Mercury 1.47); 30 May 01 02:44:11 +0800 From: "Lim Seng Chor" Organization: Sepang Institute of Technology To: freebsd-security@freebsd.org Date: Wed, 30 May 2001 02:44:08 +0800 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: chkrootkit Message-ID: <3B145E77.14158.9596E9@localhost> X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i found this: http://www.chkrootkit.org/ well, i think this could be helpful : ) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 11:45: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id AD7DC37B424 for ; Tue, 29 May 2001 11:45:00 -0700 (PDT) (envelope-from chris@jeah.net) Received: from localhost (chris@localhost) by awww.jeah.net (8.11.3/8.11.3) with ESMTP id f4TIfN398121; Tue, 29 May 2001 13:41:23 -0500 (CDT) (envelope-from chris@jeah.net) Date: Tue, 29 May 2001 
13:41:21 -0500 (CDT) From: Chris Byrnes To: Lim Seng Chor Cc: , Christian Kuhtz , , Subject: Re: freebsd rootkit In-Reply-To: <3B145C04.31331.8C0610@localhost> Message-ID: <20010529134040.R98104-100000@awww.jeah.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org That's not a wise request on a list like this. Backup, format and reinstall. Chris Byrnes (chris@JEAH.net) JEAH Communications, LLC (www.JEAH.net) Call toll-free! 1-866-AWW-JEAH On Wed, 30 May 2001, Lim Seng Chor wrote: > sorry, you all misunderstood me... : ( > > i am the system admin of my site here, and i am suspecting my > user is compromising my system files. i would like to check on > what the files availble in rootkit, and see whether my users are > using that or not. > it is just for security audit purpose.... > > stop xxxxxxx me please.... 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 11:47: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from magnetar.blackhatnetworks.com (magnetar.blackhatnetworks.com [65.166.202.3]) by hub.freebsd.org (Postfix) with ESMTP id 097ED37B424 for ; Tue, 29 May 2001 11:46:57 -0700 (PDT) (envelope-from alex@nixfreak.org) Received: from localhost (alex@localhost.blackhatnetworks.com [127.0.0.1]) by magnetar.blackhatnetworks.com (8.x/8.x) with ESMTP id f4TIklt60813 for ; Tue, 29 May 2001 14:46:47 -0400 (EDT) Date: Tue, 29 May 2001 14:46:47 -0400 (EDT) From: Alex X-X-Sender: To: Subject: Re: freebsd rootkit Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Lim, Please reference the following URL for a very preliminary checking utility: http://www.chkrootkit.org/ Also, consider creating a CD with a clean kernel, shell, and various system checking utilities such as systat, netstat, fstat, lsof, etc. Boot from the CD and test the integrity of the system.
Also, please consider installing a HIDS or NIDS after recovery: http://www.cerias.purdue.edu/coast/intrusion-detection/welcome.html Best wishes, Alex To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 13:43: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from alpha.netvision.net.il (alpha.netvision.net.il [194.90.1.13]) by hub.freebsd.org (Postfix) with ESMTP id 5E3E637B422 for ; Tue, 29 May 2001 13:43:02 -0700 (PDT) (envelope-from lirandb@netvision.net.il) Received: from a ([213.57.143.184]) by alpha.netvision.net.il (8.9.3/8.8.6) with SMTP id XAA30887 for ; Tue, 29 May 2001 23:43:01 +0300 (IDT) Message-ID: <010f01c0e888$5ab3c120$b88f39d5@a> From: "Liran Dahan" To: Subject: Syn+Fin (Setup) And TCP RST Date: Tue, 29 May 2001 23:43:09 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_010C_01C0E899.1E135E40" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I've added those 2 options in my kernel a long time ago: options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN options TCP_RESTRICT_RST #restrict emission of TCP RST Could this be the reason why, even when I add a rule in my firewall to send RST packets, it takes me 30 seconds till I get a "Connection refused" timeout when I telnet to my box on random closed ports? And about TCP_DROP_SYNFIN: could this be one of the reasons the 'setup' command isn't working in my ipfw?
If my speculations are true... what are those kernel options used for? Thanks, Liran Dahan (lirandb@netvision.net.il)
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 13:54: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from hecky.it.northwestern.edu (hecky.acns.nwu.edu [129.105.16.51]) by hub.freebsd.org (Postfix) with ESMTP id 76E3237B422; Tue, 29 May 2001 13:54:05 -0700 (PDT) (envelope-from stuyman@confusion.net) Received: (from mailnull@localhost) by hecky.it.northwestern.edu (8.8.7/8.8.7) id PAA29147; Tue, 29 May 2001 15:54:04 -0500 (CDT) Received: from confusion.net (dhcp089069.res-hall.nwu.edu [199.74.89.69]) by hecky.acns.nwu.edu via smap (V2.0) id xma028850; Tue, 29 May 01 15:53:42 -0500 Message-ID: <3B140C54.74518AF6@confusion.net> Date: Tue, 29 May 2001 15:53:40 -0500 From: Laurence Berland X-Mailer: Mozilla 4.75 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Evan S Cc: Lim Seng Chor , freebsd-security@FreeBSD.ORG, freebsd-question@FreeBSD.ORG Subject: Re: freebsd rootkit References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org m4ng? Evan S wrote: > > I h4v3 4 f433b5d r00tk17 m4ng 3y3 4m 700 1337!!!! > > ;-p > > ------------------------------------------ > Evan Sarmiento | GPG id: 9D0BDB6C > ems@open-root.org | http://sekt7.org/~ems/ > ------------------------------------------ > > On Wed, 30 May 2001, Lim Seng Chor wrote: > > > hi, > > any idea where can i find freebsd rootkit? > > thanks.
: ) > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Laurence Berland Northwestern '04 stuyman@confusion.net http://www.isp.northwestern.edu/~laurence "The world has turned and left me here" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 13:55:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-66.dsl.lsan03.pacbell.net [63.207.60.66]) by hub.freebsd.org (Postfix) with ESMTP id C7BDD37B422 for ; Tue, 29 May 2001 13:55:33 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 7353C671A4; Tue, 29 May 2001 13:55:33 -0700 (PDT) Date: Tue, 29 May 2001 13:55:33 -0700 From: Kris Kennaway To: Liran Dahan Cc: freebsd-security@freebsd.org Subject: Re: Syn+Fin (Setup) And TCP RST Message-ID: <20010529135533.B99627@xor.obsecurity.org> References: <010f01c0e888$5ab3c120$b88f39d5@a> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="bCsyhTFzCvuiizWE" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <010f01c0e888$5ab3c120$b88f39d5@a>; from lirandb@netvision.net.il on Tue, May 29, 2001 at 11:43:09PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, May 29, 2001 at 11:43:09PM +0200, Liran Dahan wrote: > I've added those 2 options in my kernel long time ago: > options TCP_DROP_SYNFIN #drop TCP packets with
SYN+FIN > options TCP_RESTRICT_RST #restrict emission of TCP RST > Is this could be the reason why even when i add in my firewall to > send RST packets, it takes me 30 seconds till i get timeout of > Connection refused when i telneting my box on randomly closed > ports.. ? Could be. > And about TCP_DROP_SYNFIN .. is this could be one of the reasons > 'setup' command 'aint working on my ipfw? I'm less sure about this one. > If my speculations are true... Why those kernel options are used for? People who want that behaviour. See the comments in LINT about both options. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 13:56:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id 6337A37B422 for ; Tue, 29 May 2001 13:56:14 -0700 (PDT) (envelope-from veldy@veldy.net) Received: from cascade (cascade.veldy.net [192.168.1.1]) by veldy.net (Postfix) with SMTP id E1F0CBAAB; Tue, 29 May 2001 15:56:07 -0500 (CDT) Message-ID: <007501c0e881$c86a78a0$0101a8c0@cascade> From: "Thomas T.
Veldhouse" To: "Liran Dahan" , References: <010f01c0e888$5ab3c120$b88f39d5@a> Subject: Re: Syn+Fin (Setup) And TCP RST Date: Tue, 29 May 2001 15:56:07 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1255" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org NO. I have those options in my kernel and I have no such trouble connecting via telnet. Tom Veldhouse veldy@veldy.net PS HTML is a bit inappropriate for a public mailing list. ----- Original Message ----- From: Liran Dahan To: freebsd-security@freebsd.org Sent: Tuesday, May 29, 2001 4:43 PM Subject: Syn+Fin (Setup) And TCP RST I've added those 2 options in my kernel long time ago: options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN options TCP_RESTRICT_RST #restrict emission of TCP RST Is this could be the reason why even when i add in my firewall to send RST packets, it takes me 30 seconds till i get timeout of Connection refused when i telneting my box on randomly closed ports.. ? And about TCP_DROP_SYNFIN .. is this could be one of the reasons 'setup' command 'aint working on my ipfw? If my speculations are true... Why those kernel options are used for? 
Thanks, Liran Dahan (lirandb@netvision.net.il) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 13:59: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from i-sphere.com (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id D914F37B423 for ; Tue, 29 May 2001 13:59:02 -0700 (PDT) (envelope-from fasty@i-sphere.com) Received: (from fasty@localhost) by i-sphere.com (8.11.3/8.11.3) id f4TL2BP12260; Tue, 29 May 2001 14:02:11 -0700 (PDT) (envelope-from fasty) Date: Tue, 29 May 2001 14:02:10 -0700 From: faSty To: Liran Dahan , freebsd-security@FreeBSD.ORG Subject: Re: Syn+Fin (Setup) And TCP RST Message-ID: <20010529140207.A12246@i-sphere.com> References: <010f01c0e888$5ab3c120$b88f39d5@a> <007501c0e881$c86a78a0$0101a8c0@cascade> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <007501c0e881$c86a78a0$0101a8c0@cascade>; from veldy@veldy.net on Tue, May 29, 2001 at 03:56:07PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I have TCP_DROP_SYNFIN and RST enabled on my server. I have no problem connection via telnet or any service. -trev On Tue, May 29, 2001 at 03:56:07PM -0500, Thomas T. Veldhouse wrote: > NO. I have those options in my kernel and I have no such trouble connecting > via telnet. > > Tom Veldhouse > veldy@veldy.net > > PS HTML is a bit inappropriate for a public mailing list. 
> > ----- Original Message ----- > From: Liran Dahan > To: freebsd-security@freebsd.org > Sent: Tuesday, May 29, 2001 4:43 PM > Subject: Syn+Fin (Setup) And TCP RST > > > I've added those 2 options in my kernel long time ago: > options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN > options TCP_RESTRICT_RST #restrict emission of TCP RST > > > Is this could be the reason why even when i add in my firewall to send RST > packets, it takes me 30 seconds till i get timeout of Connection refused > when i telneting my box on randomly closed ports.. ? > > And about TCP_DROP_SYNFIN .. is this could be one of the reasons 'setup' > command 'aint working on my ipfw? > > If my speculations are true... Why those kernel options are used for? > > Thanks, > > Liran Dahan (lirandb@netvision.net.il) > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 14: 0:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from alpha.netvision.net.il (alpha.netvision.net.il [194.90.1.13]) by hub.freebsd.org (Postfix) with ESMTP id 4664F37B423 for ; Tue, 29 May 2001 14:00:23 -0700 (PDT) (envelope-from lirandb@netvision.net.il) Received: from a ([213.57.143.184]) by alpha.netvision.net.il (8.9.3/8.8.6) with SMTP id AAA31413 for ; Wed, 30 May 2001 00:00:21 +0300 (IDT) Message-ID: <00c501c0e88a$c6dd59e0$b88f39d5@a> From: "Liran Dahan" To: References: <010f01c0e888$5ab3c120$b88f39d5@a> <007501c0e881$c86a78a0$0101a8c0@cascade> Subject: Re: Syn+Fin (Setup) And TCP RST Date: Wed, 30 May 2001 00:00:30 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1255" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I have no problem connecting via telnet either.. What I meant is that when I telnet, for example, to IP 192.115.25.1 (let's say it's my FreeBSD box with a firewall and a rule to reset TCP requests), it takes at least 30 seconds till I get the message "connection refused".. and I want it to take 1 sec.. so that people won't even know I have a firewall installed... and I'm pretty sure this RST option is causing some problems. Thanks, Liran Dahan (lirandb@netvision.net.il) ----- Original Message ----- From: "Thomas T. Veldhouse" To: "Liran Dahan" ; Sent: Tuesday, May 29, 2001 10:56 PM Subject: Re: Syn+Fin (Setup) And TCP RST > NO. I have those options in my kernel and I have no such trouble connecting > via telnet. > > Tom Veldhouse > veldy@veldy.net > > PS HTML is a bit inappropriate for a public mailing list. > > ----- Original Message ----- > From: Liran Dahan > To: freebsd-security@freebsd.org > Sent: Tuesday, May 29, 2001 4:43 PM > Subject: Syn+Fin (Setup) And TCP RST > > > I've added those 2 options in my kernel long time ago: > options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN > options TCP_RESTRICT_RST #restrict emission of TCP RST > > > Is this could be the reason why even when i add in my firewall to send RST > packets, it takes me 30 seconds till i get timeout of Connection refused > when i telneting my box on randomly closed ports.. ? > > And about TCP_DROP_SYNFIN .. is this could be one of the reasons 'setup' > command 'aint working on my ipfw? > > If my speculations are true... Why those kernel options are used for?
> > Thanks, > > Liran Dahan (lirandb@netvision.net.il) > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 14: 4:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from i-sphere.com (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 0889637B422 for ; Tue, 29 May 2001 14:04:18 -0700 (PDT) (envelope-from fasty@i-sphere.com) Received: (from fasty@localhost) by i-sphere.com (8.11.3/8.11.3) id f4TL7UR12344; Tue, 29 May 2001 14:07:30 -0700 (PDT) (envelope-from fasty) Date: Tue, 29 May 2001 14:07:30 -0700 From: faSty To: Liran Dahan Cc: freebsd-security@freebsd.org Subject: Re: Syn+Fin (Setup) And TCP RST Message-ID: <20010529140730.C12246@i-sphere.com> References: <010f01c0e888$5ab3c120$b88f39d5@a> <007501c0e881$c86a78a0$0101a8c0@cascade> <00c501c0e88a$c6dd59e0$b88f39d5@a> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <00c501c0e88a$c6dd59e0$b88f39d5@a>; from lirandb@netvision.net.il on Wed, May 30, 2001 at 12:00:30AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Make sure your box is able to resolve 192.115.25.1. If it doesn't resolve, it takes forever to let you enter the box via telnet. It happened to me once or twice. Add that address in /etc/hosts: 192.115.25.1 hostname, or localhost, whatever you like. -trev On Wed, May 30, 2001 at 12:00:30AM +0200, Liran Dahan wrote: > I have no problem to connect via telnet either.. > What i ment is that when im telnet for example: > to ip 192.115.25.1 (lets say its my freebsd with firewall and rule to reset > tcp requests) , it takes atleast 30 seconds till i get the message > connection refused..and i want it to take 1 sec..
That people even wont know > i have firewall installed... > and im pretty sure this RST option is doing some probs. > > Thanks, > > Liran Dahan (lirandb@netvision.net.il) > > ----- Original Message ----- > From: "Thomas T. Veldhouse" > To: "Liran Dahan" ; > Sent: Tuesday, May 29, 2001 10:56 PM > Subject: Re: Syn+Fin (Setup) And TCP RST > > > > NO. I have those options in my kernel and I have no such trouble > connecting > > via telnet. > > > > Tom Veldhouse > > veldy@veldy.net > > > > PS HTML is a bit inappropriate for a public mailing list. > > > > ----- Original Message ----- > > From: Liran Dahan > > To: freebsd-security@freebsd.org > > Sent: Tuesday, May 29, 2001 4:43 PM > > Subject: Syn+Fin (Setup) And TCP RST > > > > > > I've added those 2 options in my kernel long time ago: > > options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN > > options TCP_RESTRICT_RST #restrict emission of TCP RST > > > > > > Is this could be the reason why even when i add in my firewall to send RST > > packets, it takes me 30 seconds till i get timeout of Connection refused > > when i telneting my box on randomly closed ports.. ? > > > > And about TCP_DROP_SYNFIN .. is this could be one of the reasons 'setup' > > command 'aint working on my ipfw? > > > > If my speculations are true... Why those kernel options are used for? 
> > > > Thanks, > > > > Liran Dahan (lirandb@netvision.net.il) > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 14: 7:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from dialup.ptt.ru (dialup.ptt.ru [195.34.0.100]) by hub.freebsd.org (Postfix) with SMTP id 7D2F337B422 for ; Tue, 29 May 2001 14:07:45 -0700 (PDT) (envelope-from void@void.ru) Received: (qmail 58195 invoked from network); 29 May 2001 21:15:12 -0000 Received: from dialup-28016.dialup.ptt.ru (195.34.28.16) by dialup.ptt.ru with SMTP; 29 May 2001 21:15:12 -0000 Date: Wed, 30 May 2001 01:03:53 +0400 From: duke X-Mailer: The Bat! (v1.47 Halloween Edition) UNREG / CD5BF9353B3B7091 X-Priority: 3 (Normal) Message-ID: <229383122.20010530010353@void.ru> To: "Liran Dahan" Subject: Re[2]: Syn+Fin (Setup) And TCP RST In-reply-To: <00c501c0e88a$c6dd59e0$b88f39d5@a> References: <010f01c0e888$5ab3c120$b88f39d5@a> <007501c0e881$c86a78a0$0101a8c0@cascade> <00c501c0e88a$c6dd59e0$b88f39d5@a> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ipfw(8) has an adjustable ICMP message type which is sent to the remote address when the filter blocks a connection. Try setting it to various values and then connecting to the filtered ports to better study its meaning.
/duke To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 14:10:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from alpha.netvision.net.il (alpha.netvision.net.il [194.90.1.13]) by hub.freebsd.org (Postfix) with ESMTP id 3B8A237B422 for ; Tue, 29 May 2001 14:10:53 -0700 (PDT) (envelope-from lirandb@netvision.net.il) Received: from a ([213.57.143.184]) by alpha.netvision.net.il (8.9.3/8.8.6) with SMTP id AAA31039 for ; Wed, 30 May 2001 00:10:51 +0300 (IDT) Message-ID: <012601c0e88c$3e6efb20$b88f39d5@a> From: "Liran Dahan" To: References: <010f01c0e888$5ab3c120$b88f39d5@a> <200105291052100670.246E525C@smtp> Subject: Re: Syn+Fin (Setup) And TCP RST Date: Wed, 30 May 2001 00:11:00 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yes, you're right, I noticed it just now: I've changed the variable net.inet.tcp.restrict_rst to 1 and saw it took me ages till I got Connection timeout.. so what can be the problem.. why is my firewall not sending TCP RST when I'm doing ipfw add reset tcp from any to any ? -Liran Dahan- (lirandb@netvision.net.il) ----- Original Message ----- From: "Arthur W. Neilson III" To: "Liran Dahan" Sent: Tuesday, May 29, 2001 10:52 PM Subject: Re: Syn+Fin (Setup) And TCP RST > adding these options to your kernel config merely compiles in > the code to support these features. In order to actually turn them > on you have to set the variables in rc.conf to "YES" or turn them > on via sysctl(1) ...
> > # For the following two options, you need to have > # TCP_DROP_SYNFIN and TCP_RESTRICT_RST > # set in your kernel. Please refer to LINT for details. > tcp_drop_synfin="NO" # Set to YES to drop TCP w/SYN+FIN > # NOTE: this violates the TCP specification > tcp_restrict_rst="NO" # Set to YES to restrict emission of RST > > On 5/29/01 at 11:43 PM Liran Dahan wrote: > > > >I've added those 2 options in my kernel long time ago: > >options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN > >options TCP_RESTRICT_RST #restrict emission of TCP RST > > -- > __ > / ) _/_ It is a capital mistake to theorise before one has data. > /--/ __ / Insensibly one begins to twist facts to suit theories, > / (_/ (_<__ Instead of theories to suit facts. > -- Sherlock Holmes, "A Scandal in Bohemia" > Arthur W. Neilson III, WH7N - FISTS #7448 > Bank of Hawaii Tech Support > http://www.pilikia.net > art@pilikia.net, aneilson@boh.com, wh7n@arrl.net > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 14:39:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from allmaui.com (server25.aitcom.net [208.234.0.10]) by hub.freebsd.org (Postfix) with ESMTP id 7673937B424; Tue, 29 May 2001 14:39:34 -0700 (PDT) (envelope-from craig@allmaui.com) Received: from allmaui.com (pwnat-2-o.placeware.com [209.1.15.34]) by allmaui.com (8.8.8/8.8.5) with ESMTP id RAA11050; Tue, 29 May 2001 17:38:43 -0400 Message-ID: <3B1417F6.E39C3F53@allmaui.com> Date: Tue, 29 May 2001 14:43:18 -0700 From: Craig Cowen X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Laurence Berland Cc: Evan S , Lim Seng Chor , freebsd-security@FreeBSD.ORG, freebsd-question@FreeBSD.ORG Subject: Re: freebsd rootkit References: <3B140C54.74518AF6@confusion.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: 
bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org What ever happened to english? Laurence Berland wrote: > m4ng? > > Evan S wrote: > > > > I h4v3 4 f433b5d r00tk17 m4ng 3y3 4m 700 1337!!!! > > > > ;-p > > > > ------------------------------------------ > > Evan Sarmiento | GPG id: 9D0BDB6C > > ems@open-root.org | http://sekt7.org/~ems/ > > ------------------------------------------ > > > > On Wed, 30 May 2001, Lim Seng Chor wrote: > > > > > hi, > > > any idea where can i find freebsd rootkit? > > > thanks. : ) > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > Laurence Berland > Northwestern '04 > stuyman@confusion.net > http://www.isp.northwestern.edu/~laurence > > "The world has turned and left me here" > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 15:11:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id BCD3337B422 for ; Tue, 29 May 2001 15:11:25 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GE4AYB00.RTU; Tue, 29 May 2001 15:10:59 -0700 Message-ID: <3B141E8A.5AC7E84E@globalstar.com> Date: Tue, 29 May 2001 15:11:22 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Liran Dahan Cc: 
freebsd-security@FreeBSD.ORG Subject: Re: Syn+Fin (Setup) And TCP RST References: <010f01c0e888$5ab3c120$b88f39d5@a> <200105291052100670.246E525C@smtp> <012601c0e88c$3e6efb20$b88f39d5@a> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Liran Dahan wrote: > > Yes, you right, i noticed it just now, i've changed the variable > net.inet.tcp.restrict_rst to 1 and saw it took me ages till i got Connection > timeout.. so what can be the problem.. why my firewall is not sending TCP > RST when im doing ipfw add reset tcp from any to any ? The output of, # ipfw show # tcpdump -nv 'host ' # ipfw show Yes, two 'ipfw show's to see if we can see the packets being counted in another rule. Perhaps add some logging. We want to be _sure_ that the connection attempts are actually triggering the rule with the 'reset' action before jumping to conclusions about no RSTs. I would be surprised if TCP_RESTRICT_RST is interfering with this. IIRC, the code for "spoofing" these RSTs in the firewall lives in other parts of the kernel from that generating "real" RSTs (where TCP_RESTRICT_RST would have its effects). -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. 
If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 29 15:28:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from alpha.netvision.net.il (alpha.netvision.net.il [194.90.1.13]) by hub.freebsd.org (Postfix) with ESMTP id C7C6337B422 for ; Tue, 29 May 2001 15:28:25 -0700 (PDT) (envelope-from lirandb@netvision.net.il) Received: from a ([213.57.143.184]) by alpha.netvision.net.il (8.9.3/8.8.6) with SMTP id BAA00149 for ; Wed, 30 May 2001 01:28:20 +0300 (IDT) Message-ID: <000801c0e897$11f2bb80$b88f39d5@a> From: "Liran Dahan" To: References: <010f01c0e888$5ab3c120$b88f39d5@a> <200105291052100670.246E525C@smtp> <012601c0e88c$3e6efb20$b88f39d5@a> <3B141E8A.5AC7E84E@globalstar.com> Subject: Re: Syn+Fin (Setup) And TCP RST Date: Wed, 30 May 2001 01:28:30 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I checked the rules order, its ok...But something strange.. I've added rule like: ipfw add 1 reset tcp from any to any 100-200 , and i have daemon running on port 110, i telneted it and i got connection refused after 2 secs..(even when i have TCP_RESTRICT_RST Enabled - Via sysctl and Kernel), But when i telneted the other ports (that arent running daemons - Closed ports), it took about 30 seconds till i got connection refused - or it was connection timeout (i did it from windows telnet). 
Though if I add a rule like "ipfw add ip from any to any", I'll get "connection refused" after 2 secs (as if TCP_RESTRICT_RST is disabled).

And about TCP_RESTRICT_RST, you're right, it has nothing to do with it.

-Liran Dahan- (lirandb@netvision.net.il)

----- Original Message -----
From: "Crist Clark"
To: "Liran Dahan"
Sent: Wednesday, May 30, 2001 12:11 AM
Subject: Re: Syn+Fin (Setup) And TCP RST

> Liran Dahan wrote:
> >
> > Yes, you right, i noticed it just now, i've changed the variable
> > net.inet.tcp.restrict_rst to 1 and saw it took me ages till i got Connection
> > timeout.. so what can be the problem.. why my firewall is not sending TCP
> > RST when im doing ipfw add reset tcp from any to any ?
>
> The output of,
>
> # ipfw show
> # tcpdump -nv 'host '
>
> # ipfw show
>
> Yes, two 'ipfw show's to see if we can see the packets being counted in
> another rule. Perhaps add some logging. We want to be _sure_ that the
> connection attempts are actually triggering the rule with the 'reset'
> action before jumping to conclusions about no RSTs.
>
> I would be surprised if TCP_RESTRICT_RST is interfering with this. IIRC,
> the code for "spoofing" these RSTs in the firewall lives in other parts
> of the kernel from that generating "real" RSTs (where TCP_RESTRICT_RST
> would have its effects).
> --
> Crist J. Clark                                Network Security Engineer
> crist.clark@globalstar.com                    Globalstar, L.P.
> (408) 933-4387                                FAX: (408) 933-4926

From owner-freebsd-security Tue May 29 15:34:39 2001
Date: Tue, 29 May 2001 15:34:29 -0700 (PDT)
From: Bigby Findrake
To: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd rootkit
In-Reply-To: <20010529134040.R98104-100000@awww.jeah.net>

On Tue, 29 May 2001, Chris Byrnes wrote:

> That's not a wise request on a list like this. Backup, format and
> reinstall.

Why not? Surely you're not suggesting that a rootkit is a bad thing, or that no one here would help him find one - wouldn't that be rather silly of us? If we knew where one was, wouldn't it make the most sense to make sure that anyone could get their hands on it? Isn't that (among other ways) how open software advances? I can't count the number of times I've seen security people make the argument that everyone should own lockpicks.

If I misunderstood you, Chris, what did you mean?

>
> Chris Byrnes (chris@JEAH.net)
> JEAH Communications, LLC (www.JEAH.net)
> Call toll-free! 1-866-AWW-JEAH
>
> On Wed, 30 May 2001, Lim Seng Chor wrote:
>
> > sorry, you all misunderstood me... : (
> >
> > i am the system admin of my site here, and i am suspecting my
> > user is compromising my system files. i would like to check on
> > what the files availble in rootkit, and see whether my users are
> > using that or not.
> > it is just for security audit purpose....
> >
> > stop xxxxxxx me please....

From owner-freebsd-security Tue May 29 16: 1:44 2001
Date: Tue, 29 May 2001 17:57:49 -0500 (CDT)
From: Chris Byrnes
To: Bigby Findrake
Subject: Re: freebsd rootkit
Message-ID: <20010529175634.U3809-100000@awww.jeah.net>

> Why not? Surely you're not suggesting that a rootkit is a bad thing, or
> that no one here would help him find one - wouldn't that be rather silly
> of us? If we knew where one was, wouldn't it make the most sense to make
> sure that anyone could get there hands on it? Isn't that (among other
> ways) how open software advances? I can't count the number of times I've
> seen security people make the argument that everyone should own lockpicks.
>
> If I misunderstood, you, Chris, what did you mean?

I'm not sure who you are, but it's funny how you post this on the public mailing list, and send me another e-mail in private that isn't so, for lack of a better word, clean.

I'm sorry if I don't advocate the distribution of attack tools. I'll make sure I change my mentality -- just for you.

Chris Byrnes (chris@JEAH.net)
JEAH Communications, LLC (www.JEAH.net)
Call toll-free! 1-866-AWW-JEAH

From owner-freebsd-security Tue May 29 16:32:52 2001
Message-ID: <3B14318C.766332D4@confusion.net>
Date: Tue, 29 May 2001 18:32:29 -0500
From: Laurence Berland
To: Craig Cowen
Cc: Evan S, Lim Seng Chor, freebsd-security@FreeBSD.ORG, freebsd-question@FreeBSD.ORG
Subject: Re: freebsd rootkit
References: <3B140C54.74518AF6@confusion.net> <3B1417F6.E39C3F53@allmaui.com>

I wish I knew. I also wish I knew what m4ng was meant to mean..
Craig Cowen wrote:
>
> What ever happened to english?
>
> Laurence Berland wrote:
> >
> > m4ng?
> >
> > Evan S wrote:
> > >
> > > I h4v3 4 f433b5d r00tk17 m4ng 3y3 4m 700 1337!!!!
> > >
> > > ;-p
> > >
> > > ------------------------------------------
> > > Evan Sarmiento | GPG id: 9D0BDB6C
> > > ems@open-root.org | http://sekt7.org/~ems/
> > > ------------------------------------------
> > >
> > > On Wed, 30 May 2001, Lim Seng Chor wrote:
> > >
> > > > hi,
> > > > any idea where can i find freebsd rootkit?
> > > > thanks. : )
> >
> > --
> > Laurence Berland
> > Northwestern '04
> > stuyman@confusion.net
> > http://www.isp.northwestern.edu/~laurence
> >
> > "The world has turned and left me here"

--
Laurence Berland
Northwestern '04
stuyman@confusion.net
http://www.isp.northwestern.edu/~laurence

"The world has turned and left me here"

From owner-freebsd-security Tue May 29 16:56: 9 2001
Date: Tue, 29 May 2001 19:55:25 -0400
From: Christian Kuhtz
To: Bigby Findrake
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd rootkit
Message-ID: <20010529195525.D24763@ns1.arch.bellsouth.net>
References: <20010529134040.R98104-100000@awww.jeah.net>

On Tue, May 29, 2001 at 03:34:29PM -0700, Bigby Findrake wrote:
> On Tue, 29 May 2001, Chris Byrnes wrote:
>
> > That's not a wise request on a list like this. Backup, format and
> > reinstall.
>
> Why not? Surely you're not suggesting that a rootkit is a bad thing, or
> that no one here would help him find one - wouldn't that be rather silly
> of us?

What would be silly is for one of us to say "here's a rootkit" and then for him to go thinking that if he cleans those files up, or that only those are affected, he's safe. Fact is, rootkits come in many flavors. To think that they're all the same, or to deduce from one specific rootkit anything which in turn is deemed to be definitively applicable to every other rootkit, is a very naive and dangerous proposition.

The best way to clean the mess up is to analyze the situation and take the safe route (which may include removing the network connection etc; and there are some rootkits which go into self-destruct mode when you do so). If you think for one second that you've been compromised, IMHO, it's best to err on the side of safety...

My point is that the fundamental approach is not only wrong, but dangerous for other reasons than simply 'distribution of rootkits'.

There are probably other points to be made here, but these are the ones that come to mind first and kill the whole idea as far as I'm concerned.

> If we knew where one was, wouldn't it make the most sense to make
> sure that anyone could get there hands on it?

As I stated to you in private email, a rootkit is typically used as a fairly seriously offensive weapon in information warfare. Because we have a few maniacs in our society doesn't mean we arm everybody with automagic rifles, mortars and the like.

But, that's beside the point when you consider the flawed fundamentals of the original poster's approach. Instead, it would've been more helpful if he had inquired as to what rootkits typically do and what sort of things to look for. In fact, if you can't figure out on your own if you have a rootkit, what in the world makes you think you can figure out exhaustively what it does when someone hands it to you??

> Isn't that (among other
> ways) how open software advances?

Give me a break. ;) This has *NOTHING* to do with open software. Rootkits are not limited to open software and there's absolutely no definitive link between them. Because they happen to occur in the same place on occasion doesn't mean they're related.

> I can't count the number of times I've
> seen security people make the argument that everyone should own lockpicks.

Well, and there are probably at least as many people arguing the opposite.

PS: I'm not defending either side in this thread, just adding my own $.03.

Cheers,

--
Christian Kuhtz -wk, -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."

From owner-freebsd-security Tue May 29 18:11:39 2001
Date: Tue, 29 May 2001 16:31:33 -0500
From: Ryan
Subject: Re: Syn+Fin (Setup) And TCP RST
To: freebsd-security@freebsd.org
Message-id: <002001c0e886$c440b2d0$45d8db40@mhx800>
References: <010f01c0e888$5ab3c120$b88f39d5@a>

Once again.. use ssh2, it's a lot safer!
----- Original Message -----
From: Liran Dahan
To: freebsd-security@freebsd.org
Sent: Tuesday, May 29, 2001 4:43 PM
Subject: Syn+Fin (Setup) And TCP RST

I've added those 2 options in my kernel long time ago:
options TCP_DROP_SYNFIN   #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST  #restrict emission of TCP RST

Is this could be the reason why even when i add in my firewall to send RST packets, it takes me 30 seconds till i get timeout of Connection refused when i telneting my box on randomly closed ports.. ?

And about TCP_DROP_SYNFIN .. is this could be one of the reasons 'setup' command 'aint working on my ipfw?

If my speculations are true... Why those kernel options are used for?

Thanks,

Liran Dahan (lirandb@netvision.net.il)
From owner-freebsd-security Tue May 29 18:25: 0 2001
From: Dag-Erling Smorgrav
Date: 30 May 2001 03:24:47 +0200
To: "Liran Dahan"
Subject: Re: Syn+Fin (Setup) And TCP RST
References: <010f01c0e888$5ab3c120$b88f39d5@a>
In-Reply-To: <010f01c0e888$5ab3c120$b88f39d5@a>

"Liran Dahan" writes:
> I've added those 2 options in my kernel long time ago:
> options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
> options TCP_RESTRICT_RST #restrict emission of TCP RST

They do nothing unless you also frob the accompanying sysctl variables.

> If my speculations are true... Why those kernel options are used for?
RTFM (rc.conf(5) in this case)

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue May 29 18:36:24 2001
From: Dag-Erling Smorgrav
Date: 30 May 2001 03:36:16 +0200
To: "Crist Clark"
Cc: Liran Dahan, freebsd-security@FreeBSD.ORG
Subject: Re: Syn+Fin (Setup) And TCP RST
References: <010f01c0e888$5ab3c120$b88f39d5@a> <200105291052100670.246E525C@smtp> <012601c0e88c$3e6efb20$b88f39d5@a> <3B141E8A.5AC7E84E@globalstar.com>
In-Reply-To: <3B141E8A.5AC7E84E@globalstar.com>

"Crist Clark" writes:
> I would be surprised if TCP_RESTRICT_RST is interfering with this. IIRC,
> the code for "spoofing" these RSTs in the firewall lives in other parts
> of the kernel from that generating "real" RSTs (where TCP_RESTRICT_RST
> would have its effects).

I wrote the code, and I can guarantee you that TCP_RESTRICT_RST will not affect RSTs sent by the firewall.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed May 30 1:46: 3 2001
Date: Wed, 30 May 2001 01:45:56 -0700 (PDT)
From: Tony Fleisher
To: Arjan.deVet@adv.iae.nl
Cc: green@freebsd.org, freebsd-security@freebsd.org
Subject: Re: bin/25263 and conf/5062 : /etc/login.access does not work with IP addr

Arjan.deVet@adv.iae.nl wrote:
>
> green@FreeBSD.org wrote:
>
> >This is a huge policy change and really would need to be discussed
> >on (possibly) -security a lot before it could be made. The problem
> >is that, as you know, login.access acts much like a firewall list.
> >That also means that if the host is passed down the list it can take
> >a totally different route (really, stop at a completely different
> >time) than if you pass the IP address. This would need to be solved
> >generally.
>
> Yep, I agree and my patch is indeed wrong. What we need I think is a
>
> login_access(user, from_tty, from_domain, from_ip)
>
> to implement the things the login_access(5) manual page promises. The
> current 'from' argument can only contain either the FQDN or the
> IP-address of the remote system, and that's not enough.
>
> Arjan

I came across PR 25263 as I was looking into PR 5062, which is closely related (the real issue here is that login.access(5) was not really implemented to meet the definition in the manpage), as this is more an issue of login.access than an openssh issue.

I agree that login_access() needs to be passed both an IP address and a hostname (the alternative is to rewrite the definition of what this functionality is supposed to provide; it does not appear that it has ever actually provided the functionality described in the manpage) in order to perform the checks that it claims to perform.

The fix for telnetd(8) to implement login.access according to the manpage is more difficult in that it spawns login(1), which only takes one parameter (via the -h switch) for "hostname" to check against. (It passes a hostname unless it cannot find one, in which case it passes the IP address. Whichever gets passed to login is what is used to match against entries in /etc/login.access.)

It seems that the lack of conformity to the manpage description should be documented in a BUGS section of login.access(5).

Regards,
Tony.
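The mismatch Arjan and Tony describe, as an added example that is not FreeBSD's own login_access.c: a Python model of login.access(5) origin matching, with today's single-'from' call beside the proposed login_access(user, from_tty, from_domain, from_ip). The rule file, the client address 192.0.2.10 and its hostname box.partner.example are constructed; group and netgroup lookups are left out.

```python
"""Model of /etc/login.access origin matching (added example, not FreeBSD's
login_access.c).  Shows why a rule naming an address prefix never fires when
login(1) hands login_access() a resolved hostname, and how the four-argument
login_access(user, from_tty, from_domain, from_ip) proposed in the thread
closes that gap.  The rule file and client data below are constructed."""

# Constructed /etc/login.access (same syntax as login.access(5)).
LOGIN_ACCESS = """\
# permission : users : origins
-:ALL EXCEPT root:192.0.2.
-:ALL:.hostile.example
+:root:LOCAL
-:root:ALL
"""


def string_match(tok, item):
    """'ALL' matches anything, otherwise a case-insensitive exact match.
    (Group-name and netgroup lookups of the real user_match are not modelled.)"""
    return tok.upper() == "ALL" or tok.lower() == item.lower()


def from_match(tok, origin):
    """One origin token as login_access.c reads it: '.dom' is a hostname
    suffix, '1.2.3.' an address prefix, LOCAL anything without a dot (a tty
    or an unqualified hostname), anything else an exact or ALL match."""
    if tok.startswith("@"):             # netgroups: not modelled here
        return False
    if string_match(tok, origin):
        return True
    if tok.startswith("."):
        return len(origin) > len(tok) and origin.lower().endswith(tok.lower())
    if tok.upper() == "LOCAL":
        return "." not in origin
    if tok.endswith("."):
        return origin.startswith(tok)
    return False


def list_match(tokens, item, match_fn):
    """'a b EXCEPT c d' matches item if a or b matches and neither c nor d does."""
    upper = [t.upper() for t in tokens]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    head, tail = tokens[:cut], tokens[cut + 1:]
    if not any(match_fn(t, item) for t in head):
        return False
    return not list_match(tail, item, match_fn)   # an empty tail never matches


def parse_rules(text):
    """Return [(permission, user_tokens, origin_tokens)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            continue                    # login_access.c logs a syntax error and skips
        rules.append((fields[0], fields[1].replace(",", " ").split(),
                      fields[2].replace(",", " ").split()))
    return rules


def login_access_current(user, origin, rules):
    """Today's interface: one 'from' string, which login(1) fills with the
    resolved hostname when it has one and with the address only otherwise."""
    for perm, users, froms in rules:
        if list_match(froms, origin, from_match) and list_match(users, user, string_match):
            return perm == "+"
    return True                         # no rule matched: permit


def login_access_proposed(user, from_tty, from_domain, from_ip, rules):
    """Proposed interface: an origin token matches a remote login if it matches
    either the hostname or the address.  A login with no remote host is matched
    against its tty only (an assumption of this model, so that LOCAL cannot
    match a remote session merely because its tty name has no dot)."""
    origins = [o for o in (from_domain, from_ip) if o] or [from_tty]

    def origin_match(tok, _unused):
        return any(from_match(tok, o) for o in origins)

    for perm, users, froms in rules:
        if list_match(froms, None, origin_match) and list_match(users, user, string_match):
            return perm == "+"
    return True


def demo():
    """Constructed client 192.0.2.10 whose reverse DNS is box.partner.example."""
    rules = parse_rules(LOGIN_ACCESS)
    ip, host = "192.0.2.10", "box.partner.example"
    return {
        "current, login -h passes the address": login_access_current("alice", ip, rules),
        "current, login -h passes the hostname": login_access_current("alice", host, rules),
        "proposed, hostname and address": login_access_proposed("alice", "ttyp0", host, ip, rules),
        "proposed, root on the console": login_access_proposed("root", "ttyv0", None, None, rules),
    }


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case:40s} -> {'permit' if permitted else 'deny'}")
```

The second case is the bug in the PRs: the same client is denied when login(1) passes its address and permitted when it passes the resolved hostname, because the address-prefix rule never sees the address.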
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 30 1:55:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from Terry.Dorm8.NCTU.edu.tw (Terry.Dorm8.NCTU.edu.tw [140.113.93.99]) by hub.freebsd.org (Postfix) with ESMTP id 8413E37B422 for ; Wed, 30 May 2001 01:55:36 -0700 (PDT) (envelope-from ijliao@Terry.Dorm8.NCTU.edu.tw) Received: (from ijliao@localhost) by Terry.Dorm8.NCTU.edu.tw (8.11.3/8.11.2) id f4U8sIY64522; Wed, 30 May 2001 16:54:18 +0800 (CST) (envelope-from ijliao) Date: Wed, 30 May 2001 16:54:17 +0800 From: Ying-Chieh Liao To: Lim Seng Chor Cc: freebsd-security@FreeBSD.ORG Subject: Re: chkrootkit Message-ID: <20010530165417.A61719@terry.dragon2.net> References: <3B145E77.14158.9596E9@localhost> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="VS++wcV0S1rZb1Fb" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: =?big5:gb2312:us-ascii:iso-8859-1:utf-8:x-unknown?Q?=3C3B145E77=2E14158?= =?big5:gb2312:us-ascii:iso-8859-1:utf-8:x-unknown?Q?=2E9596E9=40localhos?= =?big5:gb2312:us-ascii:iso-8859-1:utf-8:x-unknown?Q?t=3E=3B_from_Lim=2ES?= =?big5:gb2312:us-ascii:iso-8859-1:utf-8:x-unknown?Q?eng=2EChor=40sit=2Ee?= =?big5:gb2312:us-ascii:iso-8859-1:utf-8:x-unknown?Q?du=2Emy_on_=A4T=2C__?= =?big5:gb2312:us-ascii:iso-8859-1:utf-8:x-unknown?Q?5_30=2C_2001_at_02:4?= =?big5:gb2312:us-ascii:iso-8859-1:utf-8:x-unknown?Q?4:08=A4W=A4=C8_+0800?= X-Operating-System: FreeBSD 5.0-CURRENT i386 X-PGP-Key-Location: http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x11C02382 X-PGP-Key-Fingerprint: 4E98 55CC 2866 7A90 EFD7 9DA5 ACC6 0165 11C0 2382 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --VS++wcV0S1rZb1Fb Content-Type: text/plain; 
On Wed, 5 30, 2001 at 02:44:08 +0800, Lim Seng Chor wrote:
> i found this: http://www.chkrootkit.org/
> well, i think this could be helpful

already in ports/security/chkrootkit :)

-- 
The sooner you start to code, the longer the program will take.
--- Roy Carlson

From owner-freebsd-security Wed May 30 4:22:03 2001
Date: Wed, 30 May 2001 13:52:52 +0300
From: Giorgos Keramidas
To: Liran Dahan
Cc: freebsd-security@freebsd.org
Subject: Re: Syn+Fin (Setup) And TCP RST
Message-ID: <20010530135251.A10210@hades.hell.gr>
References: <010f01c0e888$5ab3c120$b88f39d5@a> <200105291052100670.246E525C@smtp> <012601c0e88c$3e6efb20$b88f39d5@a> <3B141E8A.5AC7E84E@globalstar.com> <000801c0e897$11f2bb80$b88f39d5@a>
In-Reply-To: <000801c0e897$11f2bb80$b88f39d5@a>

On Wed, May 30, 2001 at 01:28:30AM +0200, Liran Dahan wrote:
> I checked the rules order, it's ok... But something strange..
> I've added rule like: ipfw add 1 reset tcp from any to any 100-200 , and i
> have daemon running on port 110, i telneted it and i got connection refused
> after 2 secs.. (even when i have TCP_RESTRICT_RST Enabled - Via sysctl and
> Kernel), But when i telneted the other ports (that aren't running daemons -
> Closed ports), it took about 30 seconds till i got connection refused - or
> it was connection timeout (i did it from windows telnet).

Why do I have the strange feeling that you have PARANOID enabled in your
hosts.allow for telnet connections and some DNS server times out on you?
--giorgos

From owner-freebsd-security Wed May 30 5:48:58 2001
Date: Wed, 30 May 2001 15:49:02 +0200
From: "Liran Dahan"
Subject: Re: Syn+Fin (Setup) And TCP RST
Message-ID: <000b01c0e90f$49604100$b88f39d5@a>
References: <010f01c0e888$5ab3c120$b88f39d5@a> <200105291052100670.246E525C@smtp> <012601c0e88c$3e6efb20$b88f39d5@a> <3B141E8A.5AC7E84E@globalstar.com> <000801c0e897$11f2bb80$b88f39d5@a> <20010530135251.A10210@hades.hell.gr>

About paranoid hosts.allow, you're right :)
But my DNS Server never timed out on me :P (I run my own DNS Server)

----- Original Message -----
From: "Giorgos Keramidas"
To: "Liran Dahan"
Sent: Wednesday, May 30, 2001 12:52 PM
Subject: Re: Syn+Fin (Setup) And TCP RST

> On Wed, May 30, 2001 at 01:28:30AM +0200, Liran Dahan wrote:
> > I checked the rules order, it's ok... But something strange..
> > I've added rule like: ipfw add 1 reset tcp from any to any 100-200 , and i
> > have daemon running on port 110, i telneted it and i got connection refused
> > after 2 secs.. (even when i have TCP_RESTRICT_RST Enabled - Via sysctl and
> > Kernel), But when i telneted the other ports (that aren't running daemons -
> > Closed ports), it took about 30 seconds till i got connection refused - or
> > it was connection timeout (i did it from windows telnet).
>
> Why do I have the strange feeling that you have PARANOID enabled in your
> hosts.allow for telnet connections and some DNS server times out on you?
>
> --giorgos

From owner-freebsd-security Wed May 30 6:44:52 2001
Date: Wed, 30 May 2001 09:36:11 -0400
From: Andrew Barros
To: Bigby Findrake
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd rootkit
Message-ID: <20010530093611.C27126@tjhsst.edu>
References: <20010529134040.R98104-100000@awww.jeah.net>

Someone should add it in ports. It would be rooting and then cleaning up
really easy. :-)

-ajb

On Tue, May 29, 2001 at 03:34:29PM -0700, Bigby Findrake wrote:
->On Tue, 29 May 2001, Chris Byrnes wrote:
->
->> That's not a wise request on a list like this. Backup, format and
->> reinstall.
->
->Why not? Surely you're not suggesting that a rootkit is a bad thing, or
->that no one here would help him find one - wouldn't that be rather silly
->of us? If we knew where one was, wouldn't it make the most sense to make
->sure that anyone could get their hands on it? Isn't that (among other
->ways) how open software advances? I can't count the number of times I've
->seen security people make the argument that everyone should own lockpicks.
->
->If I misunderstood you, Chris, what did you mean?
->
->> Chris Byrnes (chris@JEAH.net)
->> JEAH Communications, LLC (www.JEAH.net)
->> Call toll-free! 1-866-AWW-JEAH
->>
->> On Wed, 30 May 2001, Lim Seng Chor wrote:
->>
->> > sorry, you all misunderstood me... : (
->> >
->> > i am the system admin of my site here, and i am suspecting my
->> > user is compromising my system files. i would like to check on
->> > what the files available in rootkit, and see whether my users are
->> > using that or not.
->> > it is just for security audit purpose....
->> >
->> > stop xxxxxxx me please....
---end quoted text---

-- 
Andrew Barros
PGP Key Fingerprint: D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

From owner-freebsd-security Wed May 30 7:10:33 2001
Date: Wed, 30 May 2001 15:10:23 +0100 (BST)
From: rich@rdrose.org
To: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd rootkit
In-Reply-To: <20010530093611.C27126@tjhsst.edu>

On Wed, 30 May 2001, Andrew Barros wrote:
> Someone should add it in ports.

Now, to me, that seems like a *really* bad idea.
Imagine the situation: Some not so nice person keeps an eye on the ports
tree for software with vulnerabilities that are not yet fixed, or indeed
uses FreeBSD and keeps an up to date ports tree. They will see the words
"rootkit".

Can you imagine that? The look on their face. They'll re-read it. They'll
stop and think for a moment. They'll re-read it again. Then, this thought
will fly through their mind: "If I ever break into a FreeBSD machine, I've
got a free rootkit. I don't even need to bother covering my tracks
cleverly anymore".

I would suggest *not* putting the rootkit in the ports tree, if only to
save those who have only just installed FreeBSD and are just learning the
Unix world.

rik

From owner-freebsd-security Wed May 30 7:17:04 2001
Date: Wed, 30 May 2001 10:16:56 -0400
From: Andrew Barros
To: rich@rdrose.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd rootkit
Message-ID: <20010530101656.D27126@tjhsst.edu>
References: <20010530093611.C27126@tjhsst.edu>

My apologies to the humor impaired, it was intended to be funny.

-ajb

On Wed, May 30, 2001 at 03:10:23PM +0100, rich@rdrose.org wrote:
->On Wed, 30 May 2001, Andrew Barros wrote:
->> Someone should add it in ports.
->
->Now, to me, that seems like a *really* bad idea. Imagine the situation:
->Some not so nice person keeps an eye on the ports tree for software with
->vulnerabilities that are not yet fixed, or indeed uses FreeBSD and keeps an
->up to date ports tree. They will see the words "rootkit".
->
->Can you imagine that? The look on their face. They'll re-read it. They'll
->stop and think for a moment. They'll re-read it again. Then, this thought
->will fly through their mind: "If I ever break into a FreeBSD machine, I've
->got a free rootkit. I don't even need to bother covering my tracks
->cleverly anymore".
->
->I would suggest *not* putting the rootkit in the ports tree, if only to
->save those who have only just installed FreeBSD and are just learning the
->Unix world.
->
->rik

---end quoted text---

-- 
Andrew Barros
PGP Key Fingerprint: D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

From owner-freebsd-security Wed May 30 7:17:21 2001
Date: Wed, 30 May 2001 15:17:17 +0100 (BST)
From: rich@rdrose.org
To: freebsd-security@freebsd.org
Subject: Re: freebsd rootkit
In-Reply-To: <3B150017.890B2B70@centtech.com>

On Wed, 30 May 2001, Eric Anderson wrote:
> I think it was supposed to be a joke.

D'oh.
I have too much e-mail this morning to have read it, rather than scanned
it :/

Sorry :)

rik

From owner-freebsd-security Wed May 30 7:19:12 2001
Date: Wed, 30 May 2001 07:18:09 -0700
From: "Dan Graaff"
Subject: RE: freebsd rootkit

rik,

Humor or not, the idea is to not be compromised to begin with.. I think if
it were added to the ports tree it would NOT increase the chances of you
being rooted, because if you WERE being attacked by someone whose intent
is to root you.. you'd be rooted anyway! That's the whole problem with the
gun laws.. those who want guns will get them legally or illegally... the
ports collection is a convenience, not something hackers rely on, or even
use...
-Dan Graaff / Digital
The DE-Network

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of rich@rdrose.org
Sent: Wednesday, May 30, 2001 7:10 AM
To: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd rootkit

On Wed, 30 May 2001, Andrew Barros wrote:
> Someone should add it in ports.

Now, to me, that seems like a *really* bad idea. Imagine the situation:
Some not so nice person keeps an eye on the ports tree for software with
vulnerabilities that are not yet fixed, or indeed uses FreeBSD and keeps an
up to date ports tree. They will see the words "rootkit".

Can you imagine that? The look on their face. They'll re-read it. They'll
stop and think for a moment. They'll re-read it again. Then, this thought
will fly through their mind: "If I ever break into a FreeBSD machine, I've
got a free rootkit. I don't even need to bother covering my tracks
cleverly anymore".

I would suggest *not* putting the rootkit in the ports tree, if only to
save those who have only just installed FreeBSD and are just learning the
Unix world.
rik

From owner-freebsd-security Wed May 30 7:28:27 2001
Date: Wed, 30 May 2001 16:26:37 +0200
From: "Timothy S. Bowers"
To: freebsd-security@freebsd.org
Subject: just SMTP
Message-Id: <5.0.2.1.2.20010530162407.01d57510@nol.co.za>

Hi,

I'm getting this all the time: Too many concurrent SMTP connections;
please try again later.
Any kernel setting I can change or exim mail setting to allow more SMTP
connections ?
Regards,
Timothy

From owner-freebsd-security Wed May 30 7:31:07 2001
Date: Wed, 30 May 2001 07:30:03 -0700
From: "Dan Graaff"
Subject: RE: just SMTP
In-Reply-To: <5.0.2.1.2.20010530162407.01d57510@nol.co.za>

What does that have to do with security? :-)

see http://www.sendmail.org if you are using the stock freebsd install

-Dan Graaff / Digital
The DE-Network

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Timothy S. Bowers
Sent: Wednesday, May 30, 2001 7:27 AM
To: freebsd-security@freebsd.org
Subject: just SMTP

Hi,

I'm getting this all the time: Too many concurrent SMTP connections;
please try again later.
Any kernel setting I can change or exim mail setting to allow more SMTP
connections ?
Regards,
Timothy

From owner-freebsd-security Wed May 30 7:40:18 2001
Date: Wed, 30 May 2001 10:40:13 -0400
From: "alexus"
To: "Timothy S. Bowers"
Subject: Re: just SMTP
Message-ID: <00cd01c0e916$6f6bc520$01000001@book>
References: <5.0.2.1.2.20010530162407.01d57510@nol.co.za>

if you'd show us whole message that'd be better from syslog

i'm guessing that's either inetd if u run smtp through inetd or ...

----- Original Message -----
From: "Timothy S. Bowers"
Sent: Wednesday, May 30, 2001 10:26 AM
Subject: just SMTP

> Hi,
>
> I'm getting this all the time: Too many concurrent SMTP connections;
> please try again later.
> Any kernel setting I can change or exim mail setting to allow more SMTP
> connections ?
>
> Regards,
> Timothy

From owner-freebsd-security Wed May 30 7:47:56 2001
Date: Wed, 30 May 2001 17:46:34 +0300
From: Peter Pentchev
To: alexus
Cc: freebsd-security@freebsd.org, "Timothy S. Bowers"
Subject: Re: just SMTP
Message-ID: <20010530174634.E74837@ringworld.oblivion.bg>
References: <5.0.2.1.2.20010530162407.01d57510@nol.co.za> <00cd01c0e916$6f6bc520$01000001@book>
In-Reply-To: <00cd01c0e916$6f6bc520$01000001@book>

On Wed, May 30, 2001 at 10:40:13AM -0400, alexus wrote:
> if you'd show us whole message that'd be better from syslog
>
> i'm guessing that's either inetd if u run smtp through inetd or ...

Shouldn't be inetd; inetd has no 'try again later' message, neither
is it smart enough to know that the service running on port 25 is
named SMTP, capitalized. (Note: I'm *not* saying it should be made
"smart enough" :)

This is most likely an exim error (the original post does mention
using exim). It should be covered in the exim documentation.
G'luck,
Peter

-- 
What would this sentence be like if pi were 3?

> ----- Original Message -----
> From: "Timothy S. Bowers"
> Sent: Wednesday, May 30, 2001 10:26 AM
> Subject: just SMTP
>
>
> > Hi,
> >
> > I'm getting this all the time: Too many concurrent SMTP connections;
> please try again later.
> > Any kernel setting I can change or exim mail setting to allow more SMTP
> connections ?

From owner-freebsd-security Wed May 30 7:48:19 2001
Date: Wed, 30 May 2001 03:36:43 +0100
From: Jamie Heckford
Reply-To: heckfordj@psi-domain.co.uk
To: Dan Graaff
Cc: freebsd-security@freebsd.org
Subject: Re: just SMTP
Message-ID: <20010530033643.A40649@storm.psi-domain.co.uk>
References: <5.0.2.1.2.20010530162407.01d57510@nol.co.za>

Could be a DoS attack ;)

J

On Wed, May 30, 2001 at 07:30:03AM -0700, Dan Graaff wrote:
> What does that have to do with security?
> :-)
>
> see http://www.sendmail.org if you are using the stock freebsd install
>
> -Dan Graaff / Digital
> The DE-Network
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Timothy S.
> Bowers
> Sent: Wednesday, May 30, 2001 7:27 AM
> To: freebsd-security@freebsd.org
> Subject: just SMTP
>
>
> Hi,
>
> I'm getting this all the time: Too many concurrent SMTP connections;
> please try again later.
> Any kernel setting I can change or exim mail setting to allow more SMTP
> connections ?
>
> Regards,
> Timothy

From owner-freebsd-security Wed May 30 7:52:41 2001
Date: Wed, 30 May 2001 10:52:35 -0400
From: "alexus"
To: "Peter Pentchev"
Cc: freebsd-security@freebsd.org, "Timothy S. Bowers"
Subject: Re: just SMTP
Message-ID: <011a01c0e918$2a115600$01000001@book>
References: <5.0.2.1.2.20010530162407.01d57510@nol.co.za> <00cd01c0e916$6f6bc520$01000001@book> <20010530174634.E74837@ringworld.oblivion.bg>

i'd suggest you to sign up on sendmail list

----- Original Message -----
From: "Peter Pentchev"
To: "alexus"
Cc: "Timothy S. Bowers"
Sent: Wednesday, May 30, 2001 10:46 AM
Subject: Re: just SMTP

> On Wed, May 30, 2001 at 10:40:13AM -0400, alexus wrote:
> > if you'd show us whole message that'd be better from syslog
> >
> > i'm guessing that's either inetd if u run smtp through inetd or ...
>
> Shouldn't be inetd; inetd has no 'try again later' message, neither
> is it smart enough to know that the service running on port 25 is
> named SMTP, capitalized. (Note: I'm *not* saying it should be made
> "smart enough" :)
>
> This is most likely an exim error (the original post does mention
> using exim). It should be covered in the exim documentation.
>
> G'luck,
> Peter
>
> --
> What would this sentence be like if pi were 3?
>
> > ----- Original Message -----
> > From: "Timothy S. Bowers"
> > Sent: Wednesday, May 30, 2001 10:26 AM
> > Subject: just SMTP
> >
> >
> > > Hi,
> > >
> > > I'm getting this all the time: Too many concurrent SMTP connections;
> > please try again later.
> > > Any kernel setting I can change or exim mail setting to allow more SMTP
> > connections ?

From owner-freebsd-security Wed May 30 10:18:13 2001
Date: Wed, 30 May 2001 09:13:43 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: rich@rdrose.org
Cc: freebsd-security@freebsd.org
Subject: Re: freebsd rootkit
Message-ID: <3B150017.890B2B70@centtech.com>

I think it was supposed to be a joke.

rich@rdrose.org wrote:
>
> On Wed, 30 May 2001, Andrew Barros wrote:
> > Someone should add it in ports.
>
> Now, to me, that seems like a *really* bad idea. Imagine the situation:
> Some not so nice person keeps an eye on the ports tree for software with
> vulnerabilities that are not yet fixed, or indeed uses FreeBSD and keeps an
> up to date ports tree.
They will see the words "rootkit". > > Can you imagine that? The look on their face. They'll re-read it. They'll > stop and think for a moment. They'll re-read it again. Then, this thought > will fly through their mind: "If I ever break into a FreeBSD machine, I've > got a free rootkit. I don't even need to bother covering my tracks > cleverly anymore". > > I would suggest *not* putting the rootkit in the ports tree, if only to > save those who have only just installed FreeBSD and are just learning the > Unix world. > > rik > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------------------- Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792 The idea is to die young as late as possible. ------------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 30 10:24:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from mgw1.MEIway.com (mgw1.meiway.com [212.73.210.75]) by hub.freebsd.org (Postfix) with ESMTP id 7B27137B422 for ; Wed, 30 May 2001 10:24:17 -0700 (PDT) (envelope-from LConrad@Go2France.com) Received: from mail.Go2France.com (ms1.meiway.com [212.73.210.73]) by mgw1.MEIway.com (Postfix Relay Hub) with ESMTP id 663B816B16 for ; Wed, 30 May 2001 19:41:53 +0200 (CEST) Received: from IBM-HIRXKN66F0W.Go2France.com [195.115.185.184] by mail.Go2France.com with ESMTP (SMTPD32-6.06) id AE1832BE008E; Wed, 30 May 2001 19:30:00 +0200 Message-Id: <5.1.0.14.0.20010530192341.02333e58@mail.Go2France.com> X-Sender: LConrad@Go2France.com@mail.Go2France.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 30 May 2001 19:24:55 +0200 To: freebsd-security@freebsd.org From: Len Conrad Subject: Re: just SMTP In-Reply-To: 
>I'm getting this all the time: Too many concurrent SMTP connections;
>please try again later.
>Any kernel setting I can change or exim mail setting to allow more SMTP
>connections ?

I run into this with IMGate hubs. Go to www.postfix.org and see the FAQ
for tuning FreeBSD.

Len
http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

From: rich@rdrose.org
Date: Wed, 30 May 2001 19:21:23 +0100 (BST)
To: Dan Graaff
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: freebsd rootkit

Indeed. If you're rooted, you're already screwed. I was thinking of not
making it any easier to cover up... Not that it's a challenge to get stuff
onto a system once you're root, but still...
rik

From: "alexus"
Date: Wed, 30 May 2001 15:31:47 -0400
Subject: Re: 4.3 Security: local DoS via clean-tmps

ok then i'm calm :)

----- Original Message -----
From: "Rob Simmons"
To: "alexus"
Cc: "Nick Cleaton" ;
Sent: Friday, May 25, 2001 1:53 PM
Subject: Re: 4.3 Security: local DoS via clean-tmps

> That is off by default in FreeBSD. You would have had to add a line like
> this to /etc/periodic.conf
>
> daily_clean_tmps_enable="YES"
>
> The line in /etc/defaults/periodic.conf is:
>
> daily_clean_tmps_enable="NO"
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Fri, 25 May 2001, alexus wrote:
>
> > how can i make sure that i dont have this enabled? and if there a fix for
> > that?
> >
> > ----- Original Message -----
> > From: "Nick Cleaton"
> > To:
> > Sent: Friday, May 25, 2001 1:03 PM
> > Subject: 4.3 Security: local DoS via clean-tmps
> >
> > > Tested in 4.3-RELEASE only:
> > >
> > > If /etc/periodic/daily/clean-tmps is enabled, then it's possible
> > > for any local user to trick it into calling unlink() or rmdir()
> > > on anything in the root directory.
> > >
> > > The problem is that "find -delete" can be made to do chdir("..")
> > > multiple times followed by unlink() and/or rmdir().
> > >
> > >   588 find     CALL  chdir(0x280e227d)
> > >   588 find     NAMI  ".."
> > >   588 find     RET   chdir 0
> > >   588 find     CALL  chdir(0x280e227d)
> > >   588 find     NAMI  ".."
> > >   588 find     RET   chdir 0
> > >   588 find     CALL  chdir(0x280e227d)
> > >   588 find     NAMI  ".."
> > >   588 find     RET   chdir 0
> > >   588 find     CALL  chdir(0x280e227d)
> > >   588 find     NAMI  ".."
> > >   588 find     RET   chdir 0
> > >   588 find     CALL  unlink(0x8051440)
> > >   588 find     NAMI  "sys"
> > >
> > > This means it can be tricked into going up too high by moving
> > > its current directory higher up the hierarchy, by for example
> > > doing "mv /tmp/1/2/3 /tmp/4" while find's working directory is
> > > somewhere under "/tmp/1/2/3".
> > >
> > > The attached exploit will cause it to delete the /home -> /usr/home
> > > symlink. I think this would render it impossible to log into a
> > > system configured for non-root ssh access via DSA key only.
> > >
> > > This could also be used to unlink other users' files in /tmp
> > > without regard to their age.
> > >
> > > --
> > > Nick Cleaton
> > > nick@cleaton.net

From: Cyrille Lefevre
Date: 31 May 2001 01:43:05 +0200
To: security@freebsd.org
Subject: Fwd: Port distfiles: sourceforge compromise
just FYI, a message from announce@openbsd.org

Marc Espie writes:
> I just got belated news that SourceForge got compromised. It's a case
> where we are very happy we do have strong cryptographic checksums for
> distfiles.
>
> * users, if you compile a port from source, be very paranoid around
>   checksum changes, especially if the port comes from sourceforge.
>
> * porters, please be very, very careful in updating/importing anything
>   that comes from sourceforge, at least for a while. This probably means
>   that ANY update should not be done unless you've actually LOOKED HARD
>   at the diff between the previous and the current version, or you have
>   complete insurance that Source Forge is not the main distribution site,
>   and the project could not have been tainted.

Cyrille.
--
home: mailto:clefevre@redirect.to      UNIX is user-friendly; it's just particular
work: mailto:Cyrille.Lefevre@edf.fr    about who it chooses to be friends with.
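The check the forwarded message relies on, as an added example (not part of the message or of the ports framework's own scripts): parse a ports distinfo file and verify a fetched distfile against every hash and size recorded for it, rejecting an entry that carries only a SIZE line. The distinfo text and the "downloaded" tarballs are constructed inline so it runs offline.

```python
import hashlib
import re

# One distinfo line: "MD5 (name) = hex", "SHA256 (name) = hex" or "SIZE (name) = bytes".
DISTINFO_LINE = re.compile(r"^(\w+)\s*\(([^)]+)\)\s*=\s*(\S+)\s*$")


def parse_distinfo(text):
    """Parse distinfo text into {distfile: {"MD5": hex, "SHA256": hex, "SIZE": int}}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError("distinfo line %d is malformed: %r" % (lineno, raw))
        algo, name, value = m.group(1).upper(), m.group(2), m.group(3)
        entry = entries.setdefault(name, {})
        entry[algo] = int(value) if algo == "SIZE" else value.lower()
    return entries


def verify_distfile(name, data, entries):
    """Check `data` (the fetched distfile) against its distinfo entry.

    Returns (ok, reasons). Every recorded value must match, and at least one
    cryptographic hash must have been checked: a SIZE line alone cannot tell a
    tampered tarball from the real one.
    """
    if name not in entries:
        return False, ["no distinfo entry for %s" % name]
    reasons = []
    hashes_checked = 0
    for algo, expected in entries[name].items():
        if algo == "SIZE":
            if len(data) != expected:
                reasons.append("SIZE mismatch: %d != %d" % (len(data), expected))
            continue
        try:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        except ValueError:  # an algorithm name hashlib does not know
            reasons.append("unsupported hash %s" % algo)
            continue
        hashes_checked += 1
        if actual != expected:
            reasons.append("%s mismatch: got %s, want %s" % (algo, actual, expected))
    if hashes_checked == 0:
        reasons.append("no cryptographic hash recorded for %s" % name)
    return not reasons, reasons


# Constructed sample data (not a real port): the tarball the porter hashed when
# the port was committed, and a same-size copy with one byte altered, as a
# compromised download site might serve.
GOOD = b"example-1.0.tar.gz contents (constructed)\n"
TAMPERED = GOOD[:-2] + b"!\n"
SAMPLE_DISTINFO = "\n".join([
    "MD5 (example-1.0.tar.gz) = %s" % hashlib.new("md5", GOOD).hexdigest(),
    "SHA256 (example-1.0.tar.gz) = %s" % hashlib.sha256(GOOD).hexdigest(),
    "SIZE (example-1.0.tar.gz) = %d" % len(GOOD),
    "SIZE (sizeonly-2.0.tar.gz) = 12",   # an entry that was never hashed
])


def check_samples():
    """Run the verifier over the constructed cases; returns {label: (ok, reasons)}."""
    entries = parse_distinfo(SAMPLE_DISTINFO)
    return {
        "good": verify_distfile("example-1.0.tar.gz", GOOD, entries),
        "tampered": verify_distfile("example-1.0.tar.gz", TAMPERED, entries),
        "sizeonly": verify_distfile("sizeonly-2.0.tar.gz", b"x" * 12, entries),
        "unknown": verify_distfile("other-3.0.tar.gz", GOOD, entries),
    }


if __name__ == "__main__":
    for label, (ok, reasons) in check_samples().items():
        print("%-9s %s  %s" % (label, "OK  " if ok else "FAIL", "; ".join(reasons)))
```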
From: "Lim Seng Chor" (Sepang Institute of Technology)
Date: Thu, 31 May 2001 12:50:35 +0800
To: freebsd-security@freebsd.org
Subject: port 21

My kernel message is showing:

Connection attempt to TCP 202.184.64.29:21 from 213.137.2.195:21

Can anyone explain why 213.137.2.195 can use port 21 to connect to my ftp
port but not a random port above 1024?

From: "Nickolay A. Kritsky"
Date: Thu, 31 May 2001 13:28:01 +0400
Subject: Re: port 21

My opinion is that the unknown scanner was hoping to meet one of those
admins who still use the remote port of a TCP/UDP packet as a filter in
their firewall rules (like this: "ipfw allow tcp from any 21").

NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

-----Original Message-----
From: Lim Seng Chor
To: freebsd-security@FreeBSD.ORG
Date: 31 May 2001 13:01
Subject: port 21

My kernel message is showing:

Connection attempt to TCP 202.184.64.29:21 from 213.137.2.195:21

Can anyone explain why 213.137.2.195 can use port 21 to connect to my ftp
port but not a random port above 1024?
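An added example, not from the thread: a small Python detector that parses the kernel's log_in_vain lines in the format Lim quoted and flags attempts whose source port equals the service port or lies below 1024, the pattern Nickolay attributes to scanners probing for source-port-based allow rules. The log lines are constructed; the 192.0.2.0/24 addresses are documentation-range placeholders.

```python
import re
from collections import Counter

# net.inet.tcp.log_in_vain / net.inet.udp.log_in_vain lines look like
#   Connection attempt to TCP 202.184.64.29:21 from 213.137.2.195:21
# search() rather than match() so a syslog prefix (date, host, "/kernel:") is tolerated.
LOG_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
)


def parse_line(line):
    """Return the attempt as a dict, or None for lines that are not log_in_vain output."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "proto": m.group("proto"),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "src": m.group("src"), "sport": int(m.group("sport")),
    }


def classify(attempt):
    """Reasons an attempt looks like a probe for source-port-based filter rules.

    A client's source port is normally ephemeral (>= 1024), so a source port
    equal to the service port, or any privileged port, was chosen deliberately.
    Caveat: active-mode FTP data connections legitimately originate from port 20,
    so that one case is expected noise on hosts whose users fetch via FTP.
    """
    reasons = []
    if attempt["sport"] == attempt["dport"]:
        reasons.append("source port equals destination port")
    if attempt["sport"] < 1024:
        reasons.append("privileged source port %d" % attempt["sport"])
    return reasons


def scan_log(lines):
    """Return ([(attempt, reasons), ...], Counter of flagged attempts per source IP)."""
    flagged = []
    per_source = Counter()
    for line in lines:
        attempt = parse_line(line)
        if attempt is None:
            continue
        reasons = classify(attempt)
        if reasons:
            flagged.append((attempt, reasons))
            per_source[attempt["src"]] += 1
    return flagged, per_source


# Constructed sample log: the first line reproduces the one quoted in the thread;
# the other addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
May 31 12:40:01 gw /kernel: Connection attempt to TCP 202.184.64.29:21 from 213.137.2.195:21
May 31 12:40:02 gw /kernel: Connection attempt to TCP 202.184.64.29:21 from 213.137.2.195:20
May 31 12:41:10 gw /kernel: Connection attempt to TCP 202.184.64.29:22 from 192.0.2.10:40211
May 31 12:41:11 gw /kernel: Connection attempt to UDP 202.184.64.29:53 from 192.0.2.11:53
May 31 12:42:00 gw /kernel: last message repeated 3 times
"""

if __name__ == "__main__":
    flagged, per_source = scan_log(SAMPLE_LOG.splitlines())
    for attempt, reasons in flagged:
        print("%s %s:%d -> %s:%d  [%s]" % (
            attempt["proto"], attempt["src"], attempt["sport"],
            attempt["dst"], attempt["dport"], "; ".join(reasons)))
    for src, n in per_source.most_common():
        print("%s: %d suspicious attempt(s)" % (src, n))
```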
From: "Liran Dahan"
Date: Thu, 31 May 2001 12:37:58 +0200
Subject: Re: Syn+Fin (Setup) And TCP RST

There is no connection between net.inet.tcp.restrict_rst=1 and ipfw, since
ipfw will send RST packets if I tell it to, EVEN if I have RST restricted in
my kernel.

Best Regards,
Liran Dahan (lirandb@netvision.net.il)

----- Original Message -----
From: "Arthur W. Neilson III"
To: "Liran Dahan"
Sent: Thursday, May 31, 2001 7:45 AM
Subject: Re: Syn+Fin (Setup) And TCP RST

> it's not sending a RST because you told it not to. The
> net.inet.tcp.restrict_rst = 1 makes the stack NOT send RSTs,
> it just drops the space held by the incoming segment and returns.
> generally speaking, enabling restrict_rst is a bad idea and should
> only be done if you're sure you need it (you're being attacked by SYN flood).
>
> On 5/30/01 at 12:11 AM Liran Dahan wrote:
>
> >Yes, you're right, I noticed it just now, I've changed the variable
> >net.inet.tcp.restrict_rst to 1 and saw it took me ages till I got
> >Connection timeout.. so what can be the problem.. why is my firewall not
> >sending TCP RST when I'm doing ipfw add reset tcp from any to any ?
> >
> >-Liran Dahan- (lirandb@netvision.net.il)
> >----- Original Message -----
> >From: "Arthur W. Neilson III"
> >To: "Liran Dahan"
> >Sent: Tuesday, May 29, 2001 10:52 PM
> >Subject: Re: Syn+Fin (Setup) And TCP RST
> >
> >> adding these options to your kernel config merely compiles in
> >> the code to support these features. In order to actually turn them
> >> on you have to set the variables in rc.conf to "YES" or turn them
> >> on via sysctl(1) ...
> >>
> >> # For the following two options, you need to have
> >> # TCP_DROP_SYNFIN and TCP_RESTRICT_RST
> >> # set in your kernel. Please refer to LINT for details.
> >> tcp_drop_synfin="NO"    # Set to YES to drop TCP w/SYN+FIN
> >>                         # NOTE: this violates the TCP specification
> >> tcp_restrict_rst="NO"   # Set to YES to restrict emission of RST
> >>
> >> On 5/29/01 at 11:43 PM Liran Dahan wrote:
> >> >
> >> >I've added those 2 options in my kernel a long time ago:
> >> >options TCP_DROP_SYNFIN   #drop TCP packets with SYN+FIN
> >> >options TCP_RESTRICT_RST  #restrict emission of TCP RST
> >>
> >> --
> >>    __
> >>   / ) _/_   It is a capital mistake to theorise before one has data.
> >>  /--/ __ /  Insensibly one begins to twist facts to suit theories,
> >> / (_/ (_<__ Instead of theories to suit facts.
> >>             -- Sherlock Holmes, "A Scandal in Bohemia"
> >> Arthur W. Neilson III, WH7N - FISTS #7448
> >> Bank of Hawaii Tech Support
> >> http://www.pilikia.net
> >> art@pilikia.net, aneilson@boh.com, wh7n@arrl.net
>
> --
>    __
>   / ) _/_   It is a capital mistake to theorise before one has data.
>  /--/ __ /  Insensibly one begins to twist facts to suit theories,
> / (_/ (_<__ Instead of theories to suit facts.
>             -- Sherlock Holmes, "A Scandal in Bohemia"
> Arthur W. Neilson III, WH7N - FISTS #7448
> Bank of Hawaii Tech Support
> http://www.pilikia.net
> art@pilikia.net, aneilson@boh.com, wh7n@arrl.net

From: "Jacques Bourdeau"
Date: Thu, 31 May 2001 13:22:16 +0200
To: freebsd-security@FreeBSD.org
Subject: producing an intrusion-proof FreeBSD

Hi,

During next summer, I will work on a solution for increasing significantly
the security of any Unix server. I wish to do that by using the CHROOT as
much as possible.
Right now, only a few daemons are ready to use chroot themselves (named and
some FTPDs). But even they do not gain a lot of security because they launch
the CHROOT themselves. So if a bug is found in them (as is always the case
if an intrusion occurs), the bad guy has a much larger chance to get out of
the CHROOT.

What I try to do is to build a sub-system jail, containing the minimum tools
and functions (like RBASH as the only shell, no telnet client...), over a
partition mounted with nosuid, nodev, etc, etc, and launching daemons from
the jail. If the daemon can do a second CHROOT by itself, I also use it. The
best would be to have no listening daemons running outside of the jail.

After that, someone doing an intrusion against the system would not be able
to do anything to personal data, or to re-use the computer for attacking
another one on the Internet (he will not have telnet / ftp or anything else
available).

Because the CHROOT was done by a previous process (which does not exist
anymore in the process list), getting out of the CHROOT will be MUCH more
difficult. Indeed, only a bug in the kernel could get out.

I already built a small jail and run named in 2 levels of CHROOT as well as
FTPD. I wish to add all the others: SSH, inetd ...

I'm doing that with shell scripts because I'm a poor programmer in C or
other languages.

So, if FreeBSD is interested, just explain to me how to transform this into
a complete project for the FreeBSD community.

Jacques Bourdeau

(my mail address will change in 2 months when I go back to Canada, so do not
distribute it right now if you wish to add the project to your list...)
From: "WebSec WebSec"
Date: Thu, 31 May 2001 12:15:20 -0000
To: security@FreeBSD.ORG
Subject: Port 21

This past weekend my IDS and honeypot picked up stealth scans on port 21 to port 21.

I used a number of tools to "trace" the IPs of the scanners and they all pointed towards an Asian organization. (Understanding the limitations of TCP, I do not think anyone will state that this means anything :( )

One of the honeypots was on a DSL-assigned subnet. It makes me think that whoever scanned me was after residential computers. (This is no different from the others except for the IDS installed :) )

In my case all scans were "stealth".

Also, in my opinion it may not be a good idea to provide real IPs (at least in this list) because you never know how you can tip someone.  Yes, this is "security" by obscurity, but....

Hope this helps.

-------------------------------------------------------------------------------

My opinion is that the unknown scanner was hoping to meet one of those
admins who still use the remote port of a TCP/UDP packet as a filter in
their firewall rules (like this: "ipfw allow tcp from any 21").

NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

-----Original Message-----
From: Lim Seng Chor <Lim.Seng.Chor@sit.edu.my>
To: freebsd-security@FreeBSD.ORG <freebsd-security@FreeBSD.ORG>
Date: 31 May 2001 13:01
Subject: port 21

My kernel message is showing:

Connection attempt to TCP 202.184.64.29:21 from 213.137.2.195:21

Can anyone explain why 213.137.2.195 can use port 21 to connect to my ftp
port but not a random port above 1024?

From: Dan Pelleg
Date: Thu, 31 May 2001 08:30:09 -0400
To: freebsd-security@freebsd.org
Cc: freebsd-stable@freebsd.org
Subject: remounts (was: Re: adding "noschg" to ssh and friends)

"Karsten W. Rohrbach" wrote:
> there are some real high-impact tweaks to be a little bit safer from
> rootkits. one of them is mounting /tmp noexec. drawback: you got to
> remount it exec for make installworld.

I always wondered... Why are remounts permitted in all securelevels? I
mean, in a locked-down system where it's acceptable to force a reboot in
order to upgrade (or run a rootkit), I should be able to enforce read-only
mounts. Currently anyone (well, root) can just mount -u -w them.

Is this an implementation problem in mount(2)? (I haven't looked at the
code). Or is this going to break things for people (amd? in high
securelevels?). What am I missing?
From: Daniel Hagan
Date: Thu, 31 May 2001 12:28:31 -0400
To: WebSec WebSec
Cc: security@FreeBSD.ORG
Subject: Re: Port 21

WebSec WebSec wrote:
> Also, in my opinion it may not be a good idea to provide real IPs (at
> least in this list) because you never know how you can tip someone.
> Yes, this is "security" by obscurity, but....

That phrase has become so popular that people apparently forget what it
actually *means*. Restricting information about an ongoing incident is not
security by obscurity. That is information control, and is a critical
component in "winning" any aggressor/defender scenario. (Just check
something like the SANS Incident Handling guidelines, they make it clear
that need-to-know and out-of-band communications are important.)

Security by obscurity is designing a system that is hopelessly insecure
from a technical viewpoint and assuming that someone will never notice
(using xor as an encryption algorithm, for example). When designing a
security infrastructure, you should have confidence that even given full
knowledge of your system, an attacker would have a difficult time
achieving a compromise. But it doesn't make much sense to actually give
your attackers that information ahead of time, does it? (I'm not
referring to special situations like red-team intrusion testing, I mean
actually publishing it willy-nilly on the Internet.)

Daniel

--
Consultant, Collective Technologies   http://www.collectivetech.com/
Use PGP for confidential e-mail.      http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1  3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1

From: "Crist Clark" (Globalstar LP)
Date: Thu, 31 May 2001 11:00:18 -0700
To: Dan Pelleg
Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: remounts (was: Re: adding "noschg" to ssh and friends)
Dan Pelleg wrote:
>
> "Karsten W. Rohrbach" wrote:
> > there are some real high-impact tweaks to be a little bit safer from
> > rootkits. one of them is mounting /tmp noexec. drawback: you got to
> > remount it exec for make installworld.
>
> I always wondered... Why are remounts permitted in all securelevels? I
> mean, in a locked-down system where it's acceptable to force a reboot in
> order to upgrade (or run a rootkit), I should be able to enforce read-only
> mounts. Currently anyone (well, root) can just mount -u -w them.
>
> Is this an implementation problem in mount(2)? (I haven't looked at the
> code). Or is this going to break things for people (amd? in high
> securelevels?). What am I missing?

I wrote a very simple patch that disallows mount(2) calls at elevated securelevel some time ago. Check the -security archives for December or so. Also look for a long thread on the whole question of turning off mount(2) at high securelevel.

As for breaking things, yes, it will. You cannot mount stuff. But that's the whole idea. ;)

OK, found it in the archive,

http://docs.freebsd.org/mail/archive/2000/freebsd-security/20001224.freebsd-security.html

Look at the 'Read-Only Filesystems' thread.
--
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com

From: "Crist Clark"
Date: Thu, 31 May 2001 11:07:10 -0700
To: Dan Pelleg, freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: remounts (was: Re: adding "noschg" to ssh and friends)

Crist Clark wrote:
[snip]
> OK, found it in the archive,
>
> http://docs.freebsd.org/mail/archive/2000/freebsd-security/20001224.freebsd-security.html
>
> Look at the 'Read-Only Filesystems' thread.

Oops, the actual patch came shortly after,

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=31106+0+archive/2001/freebsd-security/20010114.freebsd-security

And Dan, the 'REMOVE' in your 'From:' line is _really_ annoying.
--
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926

From: "Liran Dahan"
Date: Thu, 31 May 2001 21:20:25 +0200
Subject: Limiting TCP RST Response Packets

I'm afraid of someone trying to flood me by connecting to me 1000 times, and for every time like that it will send a TCP RST response. Is there any way to limit TCP RST response packets?

Is there a way to limit unreach messages (IPFW) so that it won't flood me too?

-Liran Dahan- (lirandb@netvision.net.il)

From: Rob Simmons
Date: Thu, 31 May 2001 14:46:09 -0400 (EDT)
To: Liran Dahan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting TCP RST Response Packets

You will need to add the following line to your kernel config file, and recompile the kernel:

options TCP_RESTRICT_RST

You should also read the comments about this option in the LINT file.

Then you will need to add this line to your rc.conf file:

tcp_restrict_rst="YES"

or you can use the sysctl knob:

net.inet.tcp.restrict_rst

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 31 May 2001, Liran Dahan wrote:

> I'm afraid of someone trying to flood me by connecting to me 1000 times,
> and for every time like that it will send a TCP RST response. Is there
> any way to limit TCP RST response packets? Is there a way to limit
> unreach messages (IPFW) so that it won't flood me too?
>
> -Liran Dahan- (lirandb@netvision.net.il)

From: Mike Silbersack
Date: Thu, 31 May 2001 13:57:53 -0500 (CDT)
To: Liran Dahan
Subject: Re: Limiting TCP RST Response Packets

On Thu, 31 May 2001, Liran Dahan wrote:

> I'm afraid of someone trying to flood me by connecting to me 1000 times,
> and for every time like that it will send a TCP RST response. Is there
> any way to limit TCP RST response packets? Is there a way to limit
> unreach messages (IPFW) so that it won't flood me too?
>
> -Liran Dahan- (lirandb@netvision.net.il)

Since 4.0-release, limiting of RST response packets and icmp unreach messages has been done automatically by the default kernel. You do not need to do anything special, and need not worry about this. If the limiting is triggered, you will see messages in dmesg telling you so.
Mike "Silby" Silbersack

From: Mike Silbersack
Date: Thu, 31 May 2001 14:00:43 -0500 (CDT)
To: Rob Simmons
Cc: Liran Dahan
Subject: Re: Limiting TCP RST Response Packets

On Thu, 31 May 2001, Rob Simmons wrote:

> You will need to add the following line to your kernel config file, and
> recompile the kernel:
>
> options TCP_RESTRICT_RST
>
> You should also read the comments about this option in the LINT file.

No. Bad. This is a paranoid response that will reduce the general friendliness of your box, and doesn't help much (if at all) more than simply letting the built-in ratelimiting function.

However, if you wish to reduce the RST packets per second, tune the net.inet.icmp.icmplim sysctl. Don't reduce the count to zero; that means unlimited. I find 20 to be a nice limit, personally.
Mike "Silby" Silbersack

From: appleseed@hushmail.com
Date: Thu, 31 May 2001 12:03:06 -0500 (PDT)
To: freebsd-security@FreeBSD.ORG

Meh.
From: "alexus"
Date: Thu, 31 May 2001 15:06:43 -0400
To: "Rob Simmons", "Liran Dahan"
Subject: Re: Limiting TCP RST Response Packets

What does TCP_RESTRICT_RST do anyway? What is it for?

----- Original Message -----
From: "Rob Simmons"
To: "Liran Dahan"
Sent: Thursday, May 31, 2001 2:46 PM
Subject: Re: Limiting TCP RST Response Packets

> You will need to add the following line to your kernel config file, and
> recompile the kernel:
>
> options TCP_RESTRICT_RST
>
> You should also read the comments about this option in the LINT file.
>
> Then you will need to add this line to your rc.conf file:
>
> tcp_restrict_rst="YES"
>
> or you can use the sysctl knob:
>
> net.inet.tcp.restrict_rst
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Thu, 31 May 2001, Liran Dahan wrote:
>
> > I'm afraid of someone trying to flood me by connecting to me 1000 times,
> > and for every time like that it will send a TCP RST response. Is there
> > any way to limit TCP RST response packets? Is there a way to limit
> > unreach messages (IPFW) so that it won't flood me too?
> >
> > -Liran Dahan- (lirandb@netvision.net.il)

From: "Karsten W. Rohrbach"
Date: Thu, 31 May 2001 21:14:53 +0200
To: Rob Simmons
Cc: Liran Dahan, freebsd-security@FreeBSD.ORG
Subject: Re: Limiting TCP RST Response Packets

blackhole makes more sense i think. see blackhole(4)

rohrbach@WM:datasink[~]19% cat /etc/sysctl.conf
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

/k

Rob Simmons(rsimmons@wlcg.com)@2001.05.31 14:46:09 +0000:
> You will need to add the following line to your kernel config file, and
> recompile the kernel:
>
> options TCP_RESTRICT_RST
>
> You should also read the comments about this option in the LINT file.
>
> Then you will need to add this line to your rc.conf file:
>
> tcp_restrict_rst="YES"
>
> or you can use the sysctl knob:
>
> net.inet.tcp.restrict_rst
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Thu, 31 May 2001, Liran Dahan wrote:
>
> > I'm afraid of someone trying to flood me by connecting to me 1000 times,
> > and for every time like that it will send a TCP RST response. Is there
> > any way to limit TCP RST response packets? Is there a way to limit
> > unreach messages (IPFW) so that it won't flood me too?
> >
> > -Liran Dahan- (lirandb@netvision.net.il)
> >

--
> yes, i'm writing all lowercase. that's a fact.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From: Rob Simmons
Date: Thu, 31 May 2001 15:15:26 -0400 (EDT)
To: Mike Silbersack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting TCP RST Response Packets

Maybe that should be mentioned in LINT?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 31 May 2001, Mike Silbersack wrote:

> On Thu, 31 May 2001, Rob Simmons wrote:
>
> > You will need to add the following line to your kernel config file, and
> > recompile the kernel:
> >
> > options TCP_RESTRICT_RST
> >
> > You should also read the comments about this option in the LINT file.
>
> No. Bad. This is a paranoid response that will reduce the general
> friendliness of your box, and doesn't help much (if at all) more than
> simply letting the built-in ratelimiting function.
>
> However, if you wish to reduce the RST packets per second, tune the
> net.inet.icmp.icmplim sysctl. Don't reduce the count to zero; that means
> unlimited. I find 20 to be a nice limit, personally.
>
> Mike "Silby" Silbersack

From: Mike Silbersack
Date: Thu, 31 May 2001 14:40:02 -0500 (CDT)
To: Rob Simmons
Subject: Re: Limiting TCP RST Response Packets

On Thu, 31 May 2001, Rob Simmons wrote:

> Maybe that should be mentioned in LINT?
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/

Changing the comment to say that the *.blackhole sysctls should be used instead, and only then very sparingly, would be a good idea, yes. RESTRICT_RST is gone from current, which is why nobody has thought about changing the comment for it in LINT.

There is one case where such blackholing may be useful at this point in time. I think I have a better solution for it, but it'll be a while before I have a patch ready. (It's not a big deal, in any case.)

Mike "Silby" Silbersack

From: "Liran Dahan"
Date: Thu, 31 May 2001 23:04:44 +0200
Subject: Re: Limiting TCP RST Response Packets
I saw blackhole(4) but I don't really understand it. Is it useful? And if I use a firewall and filter/prohibit TCP packets, then what?

>blackhole makes more sense i think. see blackhole(4)
>
>rohrbach@WM:datasink[~]19% cat /etc/sysctl.conf
>net.inet.tcp.blackhole=2
>net.inet.udp.blackhole=1
>
>/k
>
>Rob Simmons(rsimmons@wlcg.com)@2001.05.31
>14:46:09 +0000:

From: Boris
Date: Thu, 31 May 2001 22:54:20 +0200
To: freebsd-security@FreeBSD.ORG
Subject: Re[2]: Limiting TCP RST Response Packets

>>net.inet.tcp.blackhole=2
>>net.inet.udp.blackhole=1

I do not understand the difference between 2 and 1; even reading the manual does not help. Can someone give me a hint?
--
Boris

From: Rob Simmons
Date: Thu, 31 May 2001 17:04:36 -0400 (EDT)
To: Boris
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Re[2]: Limiting TCP RST Response Packets

1 = Incoming SYN segment is dropped
2 = Any segment is dropped

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 31 May 2001, Boris wrote:

> >>net.inet.tcp.blackhole=2
> >>net.inet.udp.blackhole=1
>
> I do not understand the difference between 2 and 1; even reading the
> manual does not help. Can someone give me a hint?
>
> --
> Boris

From: "Liran Dahan"
Date: Fri, 1 Jun 2001 00:14:45 +0200
Subject: ICMP Killed me and my machine
My machines are being attacked over hours and those are the only messages I found:

Jun  1 00:07:30 freebsd /kernel: Limiting icmp unreach response from 710 to 20 packets per second
Jun  1 00:05:49 freebsd /kernel: Limiting icmp unreach response from 1092 to 20 packets per second

I have tons of messages like that...

I had the orange light ON - TRAF on my hub
But I was down, including all my machines..

-Liran Dahan- (lirandb@netvision.net.il)

From: "Jonathan Slivko"
Date: Thu, 31 May 2001 17:20:26 -0400
To: "Liran Dahan"
Subject: Re: ICMP Killed me and my machine

Time to call your ISP and get some filtering rules in place :)

-- Jonathan
-----------------------------------------
Jonathan M. Slivko
Network Admin., DataSyrge Internet Svces.
Server Co-Admin., AsylumNet IRC Networks
web: http://webpage.pace.edu/js43064n/
voice: (212) 696-6774 (24 Hours)
-----------------------------------------

---------- Original Message ----------------------------------
From: "Liran Dahan"
Date: Fri, 1 Jun 2001 00:14:45 +0200

>My machines are being attacked over hours and those are the only messages I found:
>Jun 1 00:07:30 freebsd /kernel: Limiting icmp unreach response from 710 to 20 packets per second
>Jun 1 00:05:49 freebsd /kernel: Limiting icmp unreach response from 1092 to 20 packets per second
>I have tons of messages like that...
>
>I had the orange light ON - TRAF on my hub
>But I was down, including all my machines..
>-Liran Dahan- (lirandb@netvision.net.il)

From owner-freebsd-security Thu May 31 14:21:03 2001
Date: Fri, 1 Jun 2001 00:20:42 +0300 (IDT)
From: Roman Shterenzon
To: Liran Dahan
Subject: Re: ICMP Killed me and my machine
In-Reply-To: <001601c0ea1f$19c069a0$b88f39d5@a>
Organization: Xpert UNIX Systems Ltd.

I believe that you've been smurfed with fake src addresses. Or, your routing table is not right. The only way to find out the truth is to run tcpdump(1) or other sniffer.

Take care.

On Fri, 1 Jun 2001, Liran Dahan wrote:
> My machines are being attacked over hours and those are the only messages i found:
> Jun 1 00:07:30 freebsd /kernel: Limiting icmp unreach response from 710 to 20 packets per second
> Jun 1 00:05:49 freebsd /kernel: Limiting icmp unreach response from 1092 to 20 packets per second
> [snip]
> -Liran Dahan- (lirandb@netvision.net.il)

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Thu May 31 14:22:59 2001
Date: Thu, 31 May 2001 16:22:56 -0500 (CDT)
From: Mike Silbersack
To: Liran Dahan
Subject: Re: ICMP Killed me and my machine
In-Reply-To: <001601c0ea1f$19c069a0$b88f39d5@a>
Message-ID: <20010531162124.B74220-100000@achilles.silby.com>

On Fri, 1 Jun 2001, Liran Dahan wrote:
> My machines are being attacked over hours and those are the only messages i found:
> Jun 1 00:07:30 freebsd /kernel: Limiting icmp unreach response from 710 to 20 packets per second
> Jun 1 00:05:49 freebsd /kernel: Limiting icmp unreach response from 1092 to 20 packets per second
> [snip]

Someone's definitely flooding you. You're going to have to use tcpdump, see if you can figure out what's hitting you, and have someone upstream filter it. There's probably nothing more you can do on the machines themselves.
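The tcpdump step that Roman and Mike recommend produces a great deal of output, while what an upstream provider needs in order to put a filter in place is a short summary. The following is an added example for this thread, not code from any of the posters: it parses the kernel's "Limiting icmp unreach response" lines to report how hard the box was being hit, and a tcpdump one-line capture to report the top inbound source addresses. Both inputs are constructed (the syslog lines are modelled on the ones Liran posted, the addresses are RFC 5737 documentation addresses) and the capture format assumed is tcpdump's default `-n` one-line summary.

```python
"""Triage helper for an ICMP-unreachable flood: condense the kernel's
rate-limit messages and a packet capture into figures an upstream
provider can act on.

Added example for this thread; not code from any of the posters.
All sample inputs below are constructed.
"""
import re
from collections import Counter

# Constructed kernel log excerpt, same message form as in the thread.
KERNEL_LOG = """\
Jun  1 00:05:49 freebsd /kernel: Limiting icmp unreach response from 1092 to 20 packets per second
Jun  1 00:07:30 freebsd /kernel: Limiting icmp unreach response from 710 to 20 packets per second
Jun  1 00:08:01 freebsd /kernel: Limiting icmp unreach response from 845 to 20 packets per second
Jun  1 00:08:02 freebsd sshd[123]: Accepted publickey for admin from 192.0.2.10 port 52211
"""

# Constructed tcpdump -n output; 203.0.113.5 stands in for the flooded host.
CAPTURE = """\
00:05:49.000123 IP 198.51.100.7.51234 > 203.0.113.5.33434: UDP, length 28
00:05:49.000456 IP 198.51.100.7.51235 > 203.0.113.5.33435: UDP, length 28
00:05:49.000789 IP 198.51.100.9.4000 > 203.0.113.5.9: UDP, length 28
00:05:49.001000 IP 198.51.100.7.51236 > 203.0.113.5.33436: UDP, length 28
00:05:49.001200 IP 203.0.113.5 > 198.51.100.7: ICMP 203.0.113.5 udp port 33434 unreachable, length 36
"""

# syslog timestamp, host, then the kernel's rate-limit message.
RATE_LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: "
    r"Limiting icmp unreach response from (?P<attempted>\d+) "
    r"to (?P<limit>\d+) packets per second$"
)

# Source and destination of a tcpdump "IP a.b.c.d[.port] > w.x.y.z[.port]:" summary.
PACKET_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def parse_rate_limits(log_text):
    """Return (timestamp, attempted_rate, limit) for each rate-limit message."""
    hits = []
    for line in log_text.splitlines():
        m = RATE_LIMIT_RE.match(line)
        if m:
            hits.append((m["ts"], int(m["attempted"]), int(m["limit"])))
    return hits


def summarize_flood(hits):
    """Condense the rate-limit messages into the figures worth reporting.

    'suppressed' sums, over all messages, the per-second unreachables the
    kernel declined to send.  It measures how much inbound traffic was
    hitting closed ports; the limiter only trims the replies, the inbound
    flood still fills the link.
    """
    if not hits:
        return {"messages": 0, "peak_rate": 0, "suppressed": 0}
    return {
        "messages": len(hits),
        "peak_rate": max(rate for _, rate, _ in hits),
        "suppressed": sum(rate - limit for _, rate, limit in hits),
    }


def top_sources(capture_text, local_ip, n=5):
    """Count inbound packets per source address, ignoring our own replies."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = PACKET_RE.match(line)
        if m and m["dst"] == local_ip:
            counts[m["src"]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    hits = parse_rate_limits(KERNEL_LOG)
    print("rate-limit summary:", summarize_flood(hits))
    print("top inbound sources:", top_sources(CAPTURE, "203.0.113.5"))
```

Run against a real capture, `top_sources` lists the addresses the packets claim to come from; if the sources are spoofed, as Roman suspects, that list identifies where to filter rather than who is behind it, which is still what the upstream provider needs.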
Mike "Silby" Silbersack

From owner-freebsd-security Thu May 31 14:23:53 2001
Message-ID: <002f01c0ea20$657392e0$b88f39d5@a>
From: "Liran Dahan"
References: <200105311720.AA16122206@stmail.pace.edu>
Subject: Re: ICMP Killed me and my machine
Date: Fri, 1 Jun 2001 00:24:02 +0200

But i have my own filtering rules :)
You mean... its my ISP's fault? even my ICMP bandwidth limited and my IPFW cant help?

----- Original Message -----
From: "Jonathan Slivko"
Sent: Thursday, May 31, 2001 11:20 PM
Subject: Re: ICMP Killed me and my machine

> Time to call your ISP and get some filtering rules in place :)
> -- Jonathan
> [snip]

From owner-freebsd-security Thu May 31 14:26:30 2001
Message-ID: <007701c0ea18$811278c0$535ca1c6@elbrus>
From: "Cory Vokey"
To: "Mike Silbersack", "Liran Dahan"
References: <20010531162124.B74220-100000@achilles.silby.com>
Subject: Re: ICMP Killed me and my machine
Date: Thu, 31 May 2001 15:27:33 -0600

Using tcpdump, find the source I.P address of who's hitting you and set up a rule using ipfw to block it.

Cory Vokey.

----- Original Message -----
From: "Mike Silbersack"
To: "Liran Dahan"
Sent: Thursday, May 31, 2001 3:22 PM
Subject: Re: ICMP Killed me and my machine

> Someone's definitely flooding you. You're going to have to use tcpdump,
> see if you can figure out what's hitting you, and have someone upstream
> filter it. There's probably nothing more you can do on the machines
> themselves.
>
> Mike "Silby" Silbersack

From owner-freebsd-security Thu May 31 14:43:51 2001
Message-ID: <005e01c0ea1a$d8ec2da0$e20b1cac@kvcrane>
From: "Kyle Crane"
To: "Liran Dahan"
References: <200105311720.AA16122206@stmail.pace.edu> <002f01c0ea20$657392e0$b88f39d5@a>
Subject: Re: ICMP Killed me and my machine
Date: Thu, 31 May 2001 16:44:19 -0500

Neither your limiting or IPFW will fix the problem with your bandwidth being eaten by the attack. The only way to cut it off is at the ISP level. Your filter will certainly block the packets at your machine (network card), but it wont stop the flood. It will only inflate your lifevest.

----- Original Message -----
From: "Liran Dahan"
Sent: Thursday, May 31, 2001 5:24 PM
Subject: Re: ICMP Killed me and my machine

> But i have my own filtering rules :)
> You mean... its my ISP's fault? even my ICMP bandwidth limited and my IPFW
> cant help?
> [snip]

From owner-freebsd-security Thu May 31 15:02:16 2001
Date: Thu, 31 May 2001 18:02:10 -0400
Message-Id: <200105311802.AA37290334@stmail.pace.edu>
From: "Jonathan Slivko"
To: "Liran Dahan", "Kyle Crane"
Subject: Re: ICMP Killed me and my machine

Exactly :)
-- Jonathan M. Slivko

-----------------------------------------
Jonathan M. Slivko
Network Admin., DataSyrge Internet Svces.
Server Co-Admin., AsylumNet IRC Networks
web: http://webpage.pace.edu/js43064n/
voice: (212) 696-6774 (24 Hours)
-----------------------------------------

---------- Original Message ----------------------------------
From: "Kyle Crane"
Date: Thu, 31 May 2001 16:44:19 -0500

>Neither your limiting or IPFW will fix the problem with your bandwidth being
>eaten by the attack. The only way to cut it off is at the ISP level. Your
>filter will certainly block the packets at your machine (network card), but
>it wont stop the flood. It will only inflate your lifevest.
>[snip]

From owner-freebsd-security Thu May 31 15:10:18 2001
Date: Thu, 31 May 2001 18:10:02 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200105312210.SAA22134@giganda.komkon.org>
To: security@freebsd.org
Subject: accounting doesn't record all programs ?

I've just observed the following situation:
I saw a user running ee (1) (it was in the ps table, and was shown by w(1).)
However, user's connection was interrupted, so he didn't exit from that process, and the process was left "running". When I ran "lastcomm" (I have accounting enabled), it didn't show "ee". Only when I killed the process, it was reflected in the accounting log (with all extra time accumulated).

So, the program ran by a user is logged in the accounting logs only upon completion.

I don't worry too much about the actual accounting (although it might be important for those who are using/selling paid per access time shell accounts). What I worry is that there might be some ways that a user can run a process, make it an orphan, and leave it there until a reboot, and then it might not ever be logged into the accounting log. (I might be wrong, and there might be no such scenario, because it will be recorded anyway upon shutdown command).

So, my questions are:
1. Can one run a process without it being logged in the accounting log
   while accounting is enabled ?
2. (or 1a) Can a process name be somehow masked
   (I know that using a softlink wouldn't help, the actual file
   is logged) ?
3. (or 1b) Hence, can the accounting logs be trusted as an accurate
   list of programs ran by the user ?
   (assuming the logs are not altered).
Thanks,

Igor

From owner-freebsd-security Thu May 31 15:36:12 2001
Message-ID: <3B16C755.ACF5696@globalstar.com>
Date: Thu, 31 May 2001 15:36:05 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Igor Roshchin
Cc: security@FreeBSD.ORG
Subject: Re: accounting doesn't record all programs ?
References: <200105312210.SAA22134@giganda.komkon.org>

Igor Roshchin wrote:

[snip]

> So, my questions are:
> 1. Can one run a process without it being logged in the accounting log
>    while accounting is enabled ?

RTFM, acct(2),

DESCRIPTION
     The acct() call enables or disables the collection of system accounting
     records.  If the argument file is a nil pointer, accounting is disabled.
     If file is an existing pathname (null-terminated), record collection is
     enabled and for every process initiated which terminates under normal
     conditions an accounting record is appended to file.  Abnormal conditions
     of termination are reboots or other fatal system problems.  Records for
     processes which never terminate can not be produced by acct().

> 2. (or 1a) Can a process name be somehow masked
>    (I know that using a softlink wouldn't help, the actual file
>    is logged) ?

Hard link.

> 3. (or 1b) Hence, can the accounting logs be trusted as an accurate
>    list of programs ran by the user ?
>    (assuming the logs are not altered).

The acct(2) mechanism is meant for accounting purposes, not security ones. It is usually possible to mask the name of a command executed. However, a system may be configured to make it difficult if not impossible, e.g. if all places mortal users have write access is noexec, I cannot see how they could do it.

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

From owner-freebsd-security Thu May 31 16:01:05 2001
Message-Id: <200105312300.f4VN0RD24448@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: freebsd-security@freebsd.org
Subject: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Thu, 31 May 2001 16:00:17 -0700

Some of you might be interested in this.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message

Date: Wed, 30 May 2001 23:05:59 -0700 (PDT)
From: Brian Behlendorf
To: announce@apache.org
Subject: Apache Software Foundation Server compromised, resecured.

Earlier this month, a public server of the Apache Software Foundation (ASF) was illegally accessed by unknown crackers. The intrusion into this server, which handles the public mail lists, web services, and the source code repositories of all ASF projects was quickly discovered, and the server immediately taken offline. Security specialists and administrators determined the extent of the intrusion, repaired the damage, and brought the server back into public service.

The public server that was affected by the incident serves as a source code repository as well as the main distribution server for binary release of ASF software. There is no evidence that any source or binary code was affected by the intrusion, and the integrity of all binary versions of ASF software has been explicitly verified. This includes the industry-leading Apache web server.

Specifically: on May 17th, an Apache developer with a sourceforge.net account logged into a shell account at SourceForge, and then logged from there into his account at apache.org. The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker was thus able to get a shell on apache.org. After unsuccessfully attempting to get elevated privileges using an old installation of Bugzilla on apache.org, the cracker used a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges. Once root, s/he replaced our ssh client and server with versions designed to log names and passwords.

When they did this replacement, the nightly automated security audits caught the change, as well as a few other trojaned executables the cracker had left behind. Once we discovered the compromise, we shut down ssh entirely, and through the serial console performed an exhaustive audit of the system. Once a fresh copy of the operating system was installed, backdoors removed, and passwords zeroed out, ssh and commit access was re-enabled. After this, an exhaustive audit of all Apache source code and binary distributions was performed.

The ASF is working closely with other organizations as the investigation continues, specifically examining the link to other intrusion(s), such as that at SourceForge (http://sourceforge.net/) [ and php.net (http://www.php.net/). ]

Through an extra verification step available to the ASF, the integrity of all source code repositories is being individually verified by developers. This is possible because ASF source code is distributed under an open-source license, and the source code is publicly and freely available. Therefore, the ASF repositories are being compared against the thousands of copies that have been distributed around the globe. While it was quickly determined that the source code repositories on the ASF server were untouched by the intruders, this extra verification step provides additional assurance that no damage was done. As of Tuesday, May 29, most of the repository has been checked, and as expected, no problems have been found. A list of verified modules will be maintained, and is available here:

http://www.apache.org/info/hack-20010519.html

Because of the possible link of the ASF server intrusion to other computer security incidents, the investigation is ongoing. When complete, the ASF will offer a complete and public report. The Apache Software Foundation strongly condemns this illegal intrusion, and is evaluating all options, including prosecution of the individual(s) responsible to the fullest extent of the law.
Anyone with pertinent information relating to this or other related events should contact root@apache.org. Anyone from the media with further interest should contact press@apache.org. Thanks. Brian Behlendorf President, Apache Software Foundation - --------------------------------------------------------------------- You have received this mail because you are subscribed to the announce@apache.org mailing list. To unsubscribe, e-mail: announce-unsubscribe@apache.org For additional commands, e-mail: announce-help@apache.org ------- End of Forwarded Message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 31 16:15: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from venus.entic.net (venus.entic.net [63.125.62.130]) by hub.freebsd.org (Postfix) with ESMTP id 18F8F37B43C for ; Thu, 31 May 2001 16:14:54 -0700 (PDT) (envelope-from aj@entic.net) Received: (qmail 49810 invoked from network); 31 May 2001 23:14:45 -0000 Received: from unknown (HELO enticetw0y55ob) (root@127.0.0.1) by 127.0.0.1 with SMTP; 31 May 2001 23:14:45 -0000 Message-ID: <022f01c0ea27$73a63370$b0a7e192@enticetw0y55ob> From: "Anil K. Jangity" To: , Subject: Re[2]: Limiting TCP RST Response Packets Date: Thu, 31 May 2001 16:14:32 -0700 Organization: Entic Services MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Maybe blackhole(4) should be reworded to something like this: From: this as a "Connection reset by peer". 
By turning the TCP black hole MIB on to a numeric value of one, the incoming SYN segment is merely dropped, and no RST is sent, making the system appear as a blackhole. To: this as a "Connection reset by peer". By turning the TCP black hole MIB on to a numeric value of one, the incoming SYN segment arriving on a closed port is dropped, and no RST is sent, making the system appear as a blackhole. Thats what I think its trying to say... Anil To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 31 16:19:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id DCF1537B422 for ; Thu, 31 May 2001 16:19:10 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 86136 invoked by uid 1000); 31 May 2001 23:19:30 -0000 Date: Fri, 1 Jun 2001 01:19:30 +0200 From: "Karsten W. Rohrbach" To: Boris Cc: freebsd-security@FreeBSD.ORG Subject: Re: Limiting TCP RST Response Packets Message-ID: <20010601011930.B85717@mail.webmonster.de> Mail-Followup-To: "Karsten W. 
Rohrbach" , Boris , freebsd-security@FreeBSD.ORG References: <009401c0ea15$518a3a00$b88f39d5@a> <3321529447.20010531225420@x-itec.de> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ZfOjI3PrQbgiZnxM" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3321529447.20010531225420@x-itec.de>; from koester@x-itec.de on Thu, May 31, 2001 at 10:54:20PM +0200 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --ZfOjI3PrQbgiZnxM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Boris(koester@x-itec.de)@2001.05.31 22:54:20 +0000: >=20 > >>net.inet.tcp.blackhole=3D2 > >>net.inet.udp.blackhole=3D1 >=20 > I do no understand the difference between 2 and 1, even reading the > manual does not help, can someone give me a hint? 
net.inet.tcp.blackhole=3D1 drop every SYN segment arriving on a closed port net.inet.tcp.blackhole=3D2 drop every segment arriving on a closed port /k --=20 > SIGSIG -- signature too long (core dumped) KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 --ZfOjI3PrQbgiZnxM Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7FtGCM0BPTilkv0YRAnaNAKCHGypVPtTIA1DtDm74c/bD1SO7mwCfY3MK M04ZXFsG68GpvhlbNq4/z64= =GToP -----END PGP SIGNATURE----- --ZfOjI3PrQbgiZnxM-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 31 16:22:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from yez.hyperreal.org (gate.sp.collab.net [64.211.228.36]) by hub.freebsd.org (Postfix) with SMTP id A9B5E37B422 for ; Thu, 31 May 2001 16:22:33 -0700 (PDT) (envelope-from brian@collab.net) Received: (qmail 56505 invoked by uid 1000); 31 May 2001 23:23:33 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 31 May 2001 23:23:33 -0000 Date: Thu, 31 May 2001 16:23:33 -0700 (PDT) From: Brian Behlendorf X-X-Sender: To: Cy Schubert - ITSD Open Systems Group Cc: Subject: Re: Apache Software Foundation Server compromised, resecured. 
(fwd)
In-Reply-To: <200105312300.f4VN0RD24448@cwsys.cwsent.com>

On Thu, 31 May 2001, Cy Schubert - ITSD Open Systems Group wrote:
> Some of you might be interested in this.

If anyone has any questions about this, I'm happy to answer them. It's
always the stupid things (not finishing the upgrade of openssh to 2.3.0
when the advisory came out - no points for a "make buildworld" without a
corresponding "make installworld"!) that catch you.

Brian

From owner-freebsd-security Thu May 31 16:27:38 2001
Date: Fri, 1 Jun 2001 01:27:52 +0200
From: "Karsten W. Rohrbach"
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@freebsd.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010601012752.C85717@mail.webmonster.de>
Mail-Followup-To: "Karsten W.
Rohrbach", Cy Schubert - ITSD Open Systems Group, freebsd-security@freebsd.org
References: <200105312300.f4VN0RD24448@cwsys.cwsent.com>
In-Reply-To: <200105312300.f4VN0RD24448@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Thu, May 31, 2001 at 04:00:17PM -0700

this was one "result" of the compromised ssh binary at sourceforge. i
don't want to think about it aloud in public what's next :-(

    last | grep sourceforge                      # which accounts logged in from sourceforge?
    for account in <every account affected>; do  # placeholder: the accounts found above
        pw usermod "$account" -h -               # lock the account: -h - sets its password to '*'
    done

sh*t

/k

Cy Schubert - ITSD Open Systems Group(Cy.Schubert@uumail.gov.bc.ca)@2001.05.31 16:00:17 +0000:
> Some of you might be interested in this.
>
>
> Regards,                       Phone:    (250)387-8437
> Cy Schubert                    Fax:      (250)387-5766
> Team Leader, Sun/Alpha Team    Internet: Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
>
> ------- Forwarded Message
>
> Date: Wed, 30 May 2001 23:05:59 -0700 (PDT)
> From: Brian Behlendorf
> To: announce@apache.org
> Subject: Apache Software Foundation Server compromised, resecured.
>
>
> Earlier this month, a public server of the Apache Software Foundation
> (ASF) was illegally accessed by unknown crackers.
> The intrusion into
> this server, which handles the public mail lists, web services, and
> the source code repositories of all ASF projects was quickly
> discovered, and the server immediately taken offline. Security
> specialists and administrators determined the extent of the intrusion,
> repaired the damage, and brought the server back into public service.
>
> The public server that was affected by the incident serves as a source
> code repository as well as the main distribution server for binary
> release of ASF software. There is no evidence that any source or binary
> code was affected by the intrusion, and the integrity of all binary
> versions of ASF software has been explicitly verified. This includes
> the industry-leading Apache web server.
>
> Specifically: on May 17th, an Apache developer with a sourceforge.net
> account logged into a shell account at SourceForge, and then logged
> from there into his account at apache.org. The ssh client at
> SourceForge had been compromised to log outgoing names and passwords,
> so the cracker was thus able to get a shell on apache.org. After
> unsuccessfully attempting to get elevated privileges using an old
> installation of Bugzilla on apache.org, the cracker used a weakness in
> the ssh daemon (OpenSSH 2.2) to gain root privileges. Once root, s/he
> replaced our ssh client and server with versions designed to log names
> and passwords. When they did this replacement, the nightly automated
> security audits caught the change, as well as a few other trojaned
> executables the cracker had left behind. Once we discovered the
> compromise, we shut down ssh entirely, and through the serial console
> performed an exhaustive audit of the system. Once a fresh copy of the
> operating system was installed, backdoors removed, and passwords
> zeroed out, ssh and commit access was re-enabled. After this, an
> exhaustive audit of all Apache source code and binary distributions
> was performed.
>
> The ASF is working closely with other organizations as the investigation
> continues, specifically examining the link to other intrusion(s), such
> as that at SourceForge (http://sourceforge.net/) [ and php.net
> (http://www.php.net/). ]
>
> Through an extra verification step available to the ASF, the integrity
> of all source code repositories is being individually verified by
> developers. This is possible because ASF source code is distributed
> under an open-source license, and the source code is publicly and freely
> available. Therefore, the ASF repositories are being compared against
> the thousands of copies that have been distributed around the globe.
> While it was quickly determined that the source code repositories on the
> ASF server were untouched by the intruders, this extra verification step
> provides additional assurance that no damage was done.
>
> As of Tuesday, May 29, most of the repository has been checked, and as
> expected, no problems have been found. A list of verified modules
> will be maintained, and is available here:
> http://www.apache.org/info/hack-20010519.html
>
> Because of the possible link of the ASF server intrusion to other
> computer security incidents, the investigation is ongoing. When
> complete, the ASF will offer a complete and public report.
>
> The Apache Software Foundation strongly condemns this illegal
> intrusion, and is evaluating all options, including prosecution of the
> individual(s) responsible to the fullest extent of the law. Anyone
> with pertinent information relating to this or other related events
> should contact root@apache.org. Anyone from the media with further
> interest should contact press@apache.org.
>
> Thanks.
>
> Brian Behlendorf
> President, Apache Software Foundation
>
>
> ---------------------------------------------------------------------
> You have received this mail because you are subscribed to the
> announce@apache.org mailing list.
> To unsubscribe, e-mail: announce-unsubscribe@apache.org
> For additional commands, e-mail: announce-help@apache.org
>
>
> ------- End of Forwarded Message

--
> Unix is very simple, but it takes a genius to understand the
> simplicity. --Dennis Ritchie

From owner-freebsd-security Thu May 31 16:30:27 2001
Date: Fri, 1 Jun 2001 01:30:41 +0200
From: Alex Holst
To: freebsd-security@freebsd.org
Subject: Re: Apache Software Foundation Server compromised, resecured.
(fwd)
Message-ID: <20010601013041.A32818@area51.dk>
References: <200105312300.f4VN0RD24448@cwsys.cwsent.com>
In-Reply-To: ; from brian@collab.net on Thu, May 31, 2001 at 04:23:33PM -0700

Quoting Brian Behlendorf (brian@collab.net):
> On Thu, 31 May 2001, Cy Schubert - ITSD Open Systems Group wrote:
> > Some of you might be interested in this.
>
> If anyone has any questions about this, I'm happy to answer them. It's
> always the stupid things (not finishing the upgrade of openssh to 2.3.0
> when the advisory came out - no points for a "make buildworld" without a
> corresponding "make installworld"!) that catch you.

That should be verified often with scanssh or something similar. I was
surprised when I read about the compromise, because it gives the impression
that people are still using passwords (as opposed to keys with passphrases)
for authentication in this day and age. Is that correct? If so, why is that?

--
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.
http://a.area51.dk/

From owner-freebsd-security Thu May 31 16:55:06 2001
Message-ID: <3B16D9C8.2F6CE52E@ursine.com>
Date: Thu, 31 May 2001 16:54:48 -0700
From: Michael Bryan
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
References: <200105312300.f4VN0RD24448@cwsys.cwsent.com> <20010601013041.A32818@area51.dk>

Alex Holst wrote:
>
> I was
> surprised when I read about the compromise, because it gives the impression
> that people are still using passwords (as opposed to keys with passphrases)
> for authentication in this day and age. Is that correct? If so, why is that?

Yeah, I'd say it's correct. As to why, I can think of two reasons.

1) It's easier to use ssh with passwords, and just not be "bothered" with
   the key maintenance.

2) The password is sent encrypted, not in cleartext, and that is in many
   people's minds one of the most important benefits of using ssh. The
   extra safety of keys is just not always seen as being worth the extra
   work.
[And I'm not arguing either side of that issue, different people believe
or prioritize in different ways...]

From owner-freebsd-security Thu May 31 17:26:27 2001
Date: Fri, 1 Jun 2001 02:26:39 +0200
From: "Karsten W. Rohrbach"
To: Alex Holst
Cc: freebsd-security@freebsd.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010601022639.E85717@mail.webmonster.de>
References: <200105312300.f4VN0RD24448@cwsys.cwsent.com> <20010601013041.A32818@area51.dk>
In-Reply-To: <20010601013041.A32818@area51.dk>; from a@area51.dk on Fri, Jun 01, 2001 at 01:30:41AM +0200

Alex Holst(a@area51.dk)@2001.06.01 01:30:41 +0000:
> That should be verified often with scanssh or something similar.
> I was
> surprised when I read about the compromise, because it gives the impression
> that people are still using passwords (as opposed to keys with passphrases)
> for authentication in this day and age. Is that correct? If so, why is that?

there are people on the net that have telnetd listening on their servers.
there are people on the net who run outdated versions of whatever you want
(see netcraft apache versions or the dns server versions thingamabob that
states that there are still ~30% bind 4.x boxes out there and a shitload of
bind<8.2.3). there are big sites running old wu-ftpd's on badly patched
slowlaris systems. i even heard of people publishing their web documents
with iis on nt or 2000.

the security discussion is always split:
1) improvement of current operating systems and daemon software
2) how to prevent people from inviting crackers to their boxes running
   outdated crap

cheers,
/k

--
> As a computing professional, I believe it would be unethical for me to
> advise, recommend, or support the use (save possibly for personal
> amusement) of any product that is or depends on any Microsoft product.
> --David H.
> Wolfskill

From owner-freebsd-security Thu May 31 17:29:00 2001
Date: Thu, 31 May 2001 17:28:52 -0700 (PDT)
From: "f.johan.beisser"
To: Alex Holst
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
In-Reply-To: <20010601013041.A32818@area51.dk>

On Fri, 1 Jun 2001, Alex Holst wrote:

> That should be verified often with scanssh or something similar.
> I was
> surprised when I read about the compromise, because it gives the impression
> that people are still using passwords (as opposed to keys with passphrases)
> for authentication in this day and age. Is that correct? If so, why is that?

based on what i've read this morning, it wouldn't have made
all that much of a difference. apparently the compromised
version of ssh recorded passphrases, and keys.

i don't see how else you could have avoided this problem.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                       jan@caustic.org
 "which then led me to realize leading my life by the motto
  'i'm not as bad as jan' would still let me get away with A LOT"
   --- j. leah williams, University of Chicago, 19 Jan, 2001

From owner-freebsd-security Thu May 31 17:41:27 2001
Date: Fri, 1 Jun 2001 02:41:44 +0200
From: "Karsten W. Rohrbach"
To: "f.johan.beisser"
Cc: Alex Holst, freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010601024144.H85717@mail.webmonster.de>
Mail-Followup-To: "Karsten W.
Rohrbach", "f.johan.beisser", Alex Holst, freebsd-security@FreeBSD.ORG
References: <20010601013041.A32818@area51.dk>
In-Reply-To: ; from jan@caustic.org on Thu, May 31, 2001 at 05:28:52PM -0700

f.johan.beisser(jan@caustic.org)@2001.05.31 17:28:52 +0000:
> On Fri, 1 Jun 2001, Alex Holst wrote:
>
> > That should be verified often with scanssh or something similar. I was
> > surprised when I read about the compromise, because it gives the impression
> > that people are still using passwords (as opposed to keys with passphrases)
> > for authentication in this day and age. Is that correct? If so, why is that?
>
> based on what i've read this morning, it wouldn't have made
> all that much of a difference. apparently the compromised
> version of ssh recorded passphrases, and keys.
>
> i don't see how else you could have avoided this problem.
use mtree(8) or tripwire

/k

--
> ASCII Ribbon Campaign - NO HTML/RTF in e-mail - NO Word docs in e-mail

From owner-freebsd-security Thu May 31 17:43:50 2001
Date: Thu, 31 May 2001 20:43:10 -0400
Message-Id: <200106010043.UAA18400@mailer.progressive-comp.com>
From: Hank Leininger
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured.
(fwd)

On 2001-06-01, "f.johan.beisser" wrote:

> On Fri, 1 Jun 2001, Alex Holst wrote:
> > impression that people are still using passwords (as opposed to keys
> > with passphrases) for authentication in this day and age. Is that
> > correct? If so, why is that?

> based on what i've read this morning, it wouldn't have made
> all that much of a difference. apparently the compromised
> version of ssh recorded passphrases, and keys.

> i don't see how else you could have avoided this problem.

a) Don't hop through untrusted systems.
b) Use protocol 2 exclusively to make MITM'ing harder.
c) Use/require from=" " entries in your authorized_keys* files.
d) When breaking a), exclusively port-forward the second hop inside the
   first; do *not* ssh to a command prompt and run 'ssh' on the
   intermediate host.
e) When breaking all of the above (in an emergency, say) communicate with
   someone OOB *immediately* who can revoke all access you used in a safe
   way, until you can restore it via safe channels (consider any keys,
   passwords, etc you used to be compromised and never use them again).
f) Hide under the bed.
--
Hank Leininger

From owner-freebsd-security Thu May 31 17:54:59 2001
Message-ID: <3B16E7D9.3E9B78FF@globalstar.com>
Date: Thu, 31 May 2001 17:54:49 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: "f.johan.beisser"
Cc: Alex Holst, freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

"f.johan.beisser" wrote:
>
> On Fri, 1 Jun 2001, Alex Holst wrote:
>
> > That should be verified often with scanssh or something similar. I was
> > surprised when I read about the compromise, because it gives the impression
> > that people are still using passwords (as opposed to keys with passphrases)
> > for authentication in this day and age. Is that correct? If so, why is that?
>
> based on what i've read this morning, it wouldn't have made
> all that much of a difference. apparently the compromised
> version of ssh recorded passphrases, and keys.
>
> i don't see how else you could have avoided this problem.

*sigh*

You cannot 'record passphrases.' RSA authentication uses public key
cryptography.
The client, the person logging in, proves it knows a
secret, the private key, without ever revealing it to the server who
only knows the public key.

The use of public key crypto allows you to log into potentially
untrusted servers without revealing your secret.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited. If you have received this
e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Thu May 31 17:57:56 2001
Date: Thu, 31 May 2001 20:57:19 -0400
From: Jamie Norwood
To: Crist Clark
Cc: "f.johan.beisser", Alex Holst, freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured.
(fwd)
Message-ID: <20010531205717.A53232@mushhaven.net>
References: <3B16E7D9.3E9B78FF@globalstar.com>
In-Reply-To: <3B16E7D9.3E9B78FF@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 05:54:49PM -0700

On Thu, May 31, 2001 at 05:54:49PM -0700, Crist Clark wrote:
> *sigh*
>
> You cannot 'record passphrases.' RSA authentication uses public key
> cryptography. The client, the person logging in, proves it knows a
> secret, the private key, without ever revealing it to the server who
> only knows the public key.

I assume they meant .outgoing. keys from Sourceforge, which would, of
course, have to pass via the compromised ssh client, ne?

Jamie

>
> The use of public key crypto allows you to log into potentially
> untrusted servers without revealing your secret.
> --
> Crist J. Clark                                Network Security Engineer
> crist.clark@globalstar.com                    Globalstar, L.P.
> (408) 933-4387                                FAX: (408) 933-4926
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above. If
> the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited.
> If you have received this
> e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Thu May 31 18:11:14 2001
Date: Fri, 1 Jun 2001 03:11:31 +0200
From: "Karsten W. Rohrbach"
To: Crist Clark
Cc: "f.johan.beisser", Alex Holst, freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010601031131.K85717@mail.webmonster.de>
Mail-Followup-To: "Karsten W.
Rohrbach", Crist Clark, "f.johan.beisser", Alex Holst, freebsd-security@FreeBSD.ORG
References: <3B16E7D9.3E9B78FF@globalstar.com>
In-Reply-To: <3B16E7D9.3E9B78FF@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 05:54:49PM -0700

Crist Clark(crist.clark@globalstar.com)@2001.05.31 17:54:49 +0000:
> *sigh*
>
> You cannot 'record passphrases.' RSA authentication uses public key
> cryptography. The client, the person logging in, proves it knows a
> secret, the private key, without ever revealing it to the server who
> only knows the public key.
>

*sigh*

fopen() does not have rsa support (thank god)

btw, the ssh-agent(1) holds the _decrypted_ key you opened with
ssh-add(1), entering your passphrase that went via a fd from ssh-askpass
to ssh-add.

> The use of public key crypto allows you to log into potentially
> untrusted servers without revealing your secret.

hopping a host you got to take care of the ssh binary handling your auth
token connecting to another - untrusted - server. thus, the binary is
also potentially untrusted.

also the ssh ForwardAgent option is potentially dangerous, then.
portforwarding, too.

/k

--
> "The path of excess leads to the tower of wisdom." --W.
> Blake

From owner-freebsd-security Thu May 31 18:26:23 2001
Date: Thu, 31 May 2001 18:26:20 -0700
From: Kris Kennaway
To: Igor Roshchin
Cc: security@FreeBSD.ORG
Subject: Re: accounting doesn't record all programs ?
Message-ID: <20010531182620.A12216@xor.obsecurity.org> References: <200105312210.SAA22134@giganda.komkon.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="2fHTh5uZTiUOsy+g" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200105312210.SAA22134@giganda.komkon.org>; from str@giganda.komkon.org on Thu, May 31, 2001 at 06:10:02PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, May 31, 2001 at 06:10:02PM -0400, Igor Roshchin wrote:
> 3. (or 1b) Hence, can the accounting logs be trusted as an accurate
> list of programs run by the user ?
> (assuming the logs are not altered).

No. Process accounting isn't intended as a security audit trail.

Kris

From owner-freebsd-security Thu May 31 18:37:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-66.dsl.lsan03.pacbell.net [63.207.60.66]) by hub.freebsd.org (Postfix) with ESMTP id 4268037B422 for ; Thu, 31 May 2001 18:37:37 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id C04BF678A5; Thu, 31 May 2001 18:37:32 -0700 (PDT) Date: Thu, 31 May 2001 18:37:32 -0700 From: Kris Kennaway To: Crist Clark Cc: "f.johan.beisser" , Alex Holst ,
freebsd-security@FreeBSD.ORG Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010531183732.B12216@xor.obsecurity.org> References: <3B16E7D9.3E9B78FF@globalstar.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="s/l3CgOIzMHHjg/5" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B16E7D9.3E9B78FF@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 05:54:49PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, May 31, 2001 at 05:54:49PM -0700, Crist Clark wrote:
> *sigh*
>
> You cannot 'record passphrases.' RSA authentication uses public key
> cryptography. The client, the person logging in, proves it knows a
> secret, the private key, without ever revealing it to the server who
> only knows the public key.

The ssh client on the sourceforge machine was trojaned; when the user
entered their private key passphrase on the compromised machine (in
order for the client to decrypt the private key and then perform the
RSA handshake with the server) it stored a copy. Once you have access
to that credential you can use it to impersonate that user to other
systems which trust it.

> The use of public key crypto allows you to log into potentially
> untrusted servers without revealing your secret.

But if you log in FROM an untrusted system using SSH and an
authentication protocol which uses a persistent credential token on the
client side (e.g. UNIX passphrase, RSA key, but not e.g. OPIE) then all
bets are off because you must give the malicious client access to that
credential in order for it to authenticate on your behalf.
Kris

From owner-freebsd-security Thu May 31 18:39:00 2001 Delivered-To: freebsd-security@freebsd.org Received: from yez.hyperreal.org (gate.sp.collab.net [64.211.228.36]) by hub.freebsd.org (Postfix) with SMTP id 8ED7737B424 for ; Thu, 31 May 2001 18:38:56 -0700 (PDT) (envelope-from brian@collab.net) Received: (qmail 57920 invoked by uid 1000); 1 Jun 2001 01:39:51 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Jun 2001 01:39:51 -0000 Date: Thu, 31 May 2001 18:39:51 -0700 (PDT) From: Brian Behlendorf X-X-Sender: To: "Karsten W. Rohrbach" Cc: Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) In-Reply-To: <20010601012752.C85717@mail.webmonster.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, 1 Jun 2001, Karsten W. Rohrbach wrote:
> this was one "result" of the compromised ssh binary at sourceforge.
> i don't want to think about it aloud in public what's next :-(
>
> last | grep sourceforge
> for (every account affected)
> pw usermod "account" -h -

The shell machine at SF didn't have reverse DNS (or at least it wasn't
recorded in the wtmp), so you might want to look for 216.136.171.252 (the
machine our friend came in from) or maybe even 216.136/24.
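Brian's hint above, turned into a repeatable check. This is an added example by the editor, not a command from Brian's or Karsten's messages. It reads `last` output (the wtmp listing Brian refers to) on standard input, lists the distinct accounts whose recorded source is 216.136.171.252 or anything in the surrounding /24, and prints the `pw usermod ... -h -` lock commands Karsten sketched as a dry run for review rather than executing them. Assumptions: the /24 is taken to be 216.136.171.0/24 (the message says "216.136/24", which read literally would be a /16), and the sample wtmp lines are constructed for the demonstration. Two caveats the thread itself supports: wherever reverse DNS was recorded, `last` shows a hostname rather than an address and this match misses it, and wtmp on a compromised host is only as trustworthy as the host (compare Kris's answer on process accounting above); and locking the password does nothing about stolen keys, so authorized_keys entries for the affected accounts must be revoked and the users' keys regenerated.

```shell
#!/bin/sh
# Added example (not Brian's or Karsten's command): hunt wtmp for logins
# from the source Brian names and emit lock commands as a reviewable dry run.
# Usage:  last | lock_commands        (real wtmp)
#         sh this_file.sh --demo      (constructed sample below)

SUSPECT_HOST='216.136.171.252'
SUSPECT_NET='216.136.171.'   # assumed: the /24 around it (thread says "216.136/24")

# Read `last` lines on stdin; print each distinct account whose recorded
# source ($3) is the host or lies inside the /24.  The trailing dot on the
# prefix stops 216.136.17.9 from matching 216.136.171.
accounts_from_suspect_net() {
    awk -v host="$SUSPECT_HOST" -v net="$SUSPECT_NET" '
        NF >= 3 && ($3 == host || index($3, net) == 1) { print $1 }
    ' | sort -u
}

# Dry run only: print the pw(8) command Karsten described (-h - sets the
# password to "*").  Review the output, then pipe it into sh.  This does
# not touch ~/.ssh/authorized_keys; stolen keys still have to be revoked.
lock_commands() {
    accounts_from_suspect_net | while IFS= read -r acct; do
        printf 'pw usermod %s -h -\n' "$acct"
    done
}

# Constructed sample of `last` output (FreeBSD layout: user tty host date ...).
# Had reverse DNS been recorded, $3 would be a hostname and the match would miss.
SAMPLE_LAST='alice   ttyp0   216.136.171.252  Thu May 31 02:14 - 02:40  (00:26)
bob     ttyp1   192.0.2.10       Thu May 31 03:01 - 03:15  (00:14)
carol   ttyp2   216.136.171.7    Thu May 31 03:20   still logged in
alice   ttyp3   216.136.171.252  Thu May 31 04:02 - 04:05  (00:03)
dave    ttyp0   216.136.17.9     Thu May 31 05:00 - 05:30  (00:30)
reboot  ~                        Thu May 31 01:00'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LAST" | lock_commands
fi
```

On the sample, alice and carol are reported once each (alice logged in twice) and dave, whose source 216.136.17.9 merely shares a string prefix, is not.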
Brian

From owner-freebsd-security Thu May 31 18:41:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from yez.hyperreal.org (gate.sp.collab.net [64.211.228.36]) by hub.freebsd.org (Postfix) with SMTP id 332E637B423 for ; Thu, 31 May 2001 18:41:33 -0700 (PDT) (envelope-from brian@collab.net) Received: (qmail 57955 invoked by uid 1000); 1 Jun 2001 01:42:27 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Jun 2001 01:42:27 -0000 Date: Thu, 31 May 2001 18:42:27 -0700 (PDT) From: Brian Behlendorf X-X-Sender: To: Alex Holst Cc: Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) In-Reply-To: <20010601013041.A32818@area51.dk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, 1 Jun 2001, Alex Holst wrote:
> That should be verified often with scanssh or something similar.

I am sure it was 2.2.0. I had done a make buildworld Jan 31st but hadn't
done a make installworld since Jan 12th, before the fix went in. Dumb
dumb.

> I was surprised when I read about the compromise, because it gives the
> impression that people are still using passwords (as opposed to keys
> with passphrases) for authentication in this day and age. Is that
> correct? If so, why is that?

CVS pserver. Yes, there is a long term plan to do away with the
insecurities inherent in distributed CVS development:
http://subversion.tigris.org/.
Brian

From owner-freebsd-security Thu May 31 18:44:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id F21E937B423 for ; Thu, 31 May 2001 18:44:25 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 91987 invoked by uid 1000); 1 Jun 2001 01:44:47 -0000 Date: Fri, 1 Jun 2001 03:44:47 +0200 From: "Karsten W. Rohrbach" To: Brian Behlendorf Cc: freebsd-security@freebsd.org Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010601034447.A90738@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Brian Behlendorf , freebsd-security@freebsd.org References: <20010601012752.C85717@mail.webmonster.de> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="BXVAT5kNtrzKuDFl" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from brian@collab.net on Thu, May 31, 2001 at 06:39:51PM -0700 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Brian Behlendorf(brian@collab.net)@2001.05.31 18:39:51 +0000:
> On Fri, 1 Jun 2001, Karsten W. Rohrbach wrote:
> > this was one "result" of the compromised ssh binary at sourceforge.
> > i don't want to think about it aloud in public what's next :-(
> >
> > last | grep sourceforge
> > for (every account affected)
> > pw usermod "account" -h -
>
> The shell machine at SF didn't have reverse DNS (or at least it wasn't
> recorded in the wtmp), so you might want to look for 216.136.171.252 (the
> machine our friend came in from) or maybe even 216.136/24.

did that, have the notes in my office, i'm at home now so i could not
look up the exact address ;-) i think the concept was clear, though...

thanks for pointing this one out,
/k
--
> Vegetarians for oral sex -- "The only meat that's fit to eat"
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Thu May 31 18:46:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id AE83537B422 for ; Thu, 31 May 2001 18:46:08 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GE8A8500.A7F; Thu, 31 May 2001 18:45:41 -0700 Message-ID: <3B16F3DD.E57AF761@globalstar.com> Date: Thu, 31 May 2001 18:46:05 -0700 From: "Crist Clark"
Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "Karsten W. Rohrbach" Cc: "f.johan.beisser" , Alex Holst , freebsd-security@FreeBSD.ORG Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) References: <3B16E7D9.3E9B78FF@globalstar.com> <20010601031131.K85717@mail.webmonster.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

"Karsten W. Rohrbach" wrote:
>
> Crist Clark(crist.clark@globalstar.com)@2001.05.31 17:54:49 +0000:
> > *sigh*
> >
> > You cannot 'record passphrases.' RSA authentication uses public key
> > cryptography. The client, the person logging in, proves it knows a
> > secret, the private key, without ever revealing it to the server who
> > only knows the public key.
> >
> *sigh*
>
> fopen() does not have rsa support (thank god)
> btw, the ssh-agent(1) holds the _decrypted_ key you opened with
> ssh-add(1), entering your passphrase that went via a fd from ssh-askpass
> to ssh-add.

Yep. It does. So?

> > The use of public key crypto allows you to log into potentially
> > untrusted servers without revealing your secret.
> hopping a host you got to take care of the ssh binary handling your
> auth token connecting to another - untrusted - server. thus, the binary
> is also potentially untrusted.
> also the ssh ForwardAgent option is potentially dangerous, then.
> portforwarding, too.

You misunderstand what agent forwarding is. Your private RSA key does
NOT leave your local machine. Agent forwarding means that remote requests
for the agent's help will be forwarded to the local machine.
When you are logged into a remote machine and do some action that
requires the agent's help, the data is forwarded to the local agent, it
does whatever magic is done, and the result of the action is passed back
along to the remote machine. Note, the _result of the action_ is passed
along, your private key is NOT passed to the remote server.

Read the Ylonen SSH draft, specifically the section, "The Authentication
Agent Protocol," for details.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Thu May 31 19:10:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-66.dsl.lsan03.pacbell.net [63.207.60.66]) by hub.freebsd.org (Postfix) with ESMTP id AD11A37B423 for ; Thu, 31 May 2001 19:10:02 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 8C0AD678A5; Thu, 31 May 2001 19:10:01 -0700 (PDT) Date: Thu, 31 May 2001 19:10:01 -0700 From: Kris Kennaway To: Crist Clark Cc: security@FreeBSD.org Subject: Re: Apache Software Foundation Server compromised, resecured.
(fwd) Message-ID: <20010531191001.A12808@xor.obsecurity.org> References: <3B16E7D9.3E9B78FF@globalstar.com> <20010531183732.B12216@xor.obsecurity.org> <3B16F492.128CB8B0@globalstar.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="T4sUOijqQbZv57TR" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B16F492.128CB8B0@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 06:49:06PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, May 31, 2001 at 06:49:06PM -0700, Crist Clark wrote:
> Kris Kennaway wrote:
> >
> > On Thu, May 31, 2001 at 05:54:49PM -0700, Crist Clark wrote:
> >
> > > *sigh*
> > >
> > > You cannot 'record passphrases.' RSA authentication uses public key
> > > cryptography. The client, the person logging in, proves it knows a
> > > secret, the private key, without ever revealing it to the server who
> > > only knows the public key.
> >
> > The ssh client on the sourceforge machine was trojaned;
>
> A lot of people SSH _out_ of the sourceforge machine(s)? And they do
> so by typing a passphrase on that machine as opposed to agent forwarding?

Apparently so.

I believe agent forwarding still exposes the problem: it basically
sets up a trust relationship with the remote system which allows
processes running as you on the target machine to access the keys
stored in the original ssh-agent on your source machine.

i.e.
in order to authenticate from the second machine to a third when
agent forwarding is enabled from machine one to machine two, the
second client requests a copy of your decrypted credentials which are
stored in the ssh-agent on the first, and uses them as it pleases
(ideally, only to authenticate -- once, and according to your
directions -- with the third system).

The moral of the story is to never initiate SSH connections from
untrusted machines, no matter how you do it, because you expose your
private credentials to that system (unless you use something like OPIE
where you don't need to actually expose your credentials to
authenticate, just prove that you have them): always make them from a
machine you can reasonably trust not to be compromised (or use
something like OPIE :-).

The perhaps less obvious moral is to never connect to an untrusted
system with agent forwarding enabled -- no matter what you do on the
untrusted system -- otherwise that system can still steal your identity
as described above. This is why the OpenSSH client disables agent
forwarding by default (contrary to what the defaults seem to say in
/etc/ssh/ssh_config, but as correctly documented in the manpage).
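The two cases argued over in this thread, modelled in code. This is an added example by the editor, not code from any of the messages or from OpenSSH; the class and function names are the example's own, and a textbook RSA key with tiny fixed primes stands in for the real signing operation so the script runs offline. It shows (a) that with agent forwarding the private key stays in the agent on host A, because the agent's interface consists only of add, remove, list and answer-challenge operations, yet anything on host B able to open the forwarded socket gets challenges answered for as long as the session is up and loses that ability the moment the user logs out; and (b) that a trojaned client which captured the passphrase typed on B holds the decrypted key outright and can authenticate whenever it likes. Crist Clark's message further down lists the actual agent protocol messages these methods correspond to.

```python
"""Model of the ssh-agent trust relationship argued over in this thread.

Added example: not code from the messages or from OpenSSH. Class and
function names are this example's own. A textbook RSA key with tiny fixed
primes stands in for the agent's real signing operation so the script
runs offline; the point is which data crosses which host, not the maths.
"""
import secrets

# Constructed toy key material: small primes, no padding. Demonstration only.
_P, _Q, _E = 1000003, 1000033, 65537


def toy_keypair(p=_P, q=_Q, e=_E):
    """Return ((n, e), (n, d)) for a textbook RSA key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


class Agent:
    """ssh-agent on host A (or an attacker's own agent holding a stolen key).
    The interface is add / remove / list / answer-challenge only; nothing
    here returns private key material."""

    def __init__(self):
        self._private = {}                 # pub -> priv; never leaves this object

    def add_identity(self, pub, priv):     # ssh-add
        self._private[pub] = priv

    def remove_identity(self, pub):        # ssh-add -d
        self._private.pop(pub, None)

    def request_identities(self):          # ssh-add -l: public halves only
        return list(self._private)

    def respond(self, pub, challenge):     # RSA_CHALLENGE -> RSA_RESPONSE
        n, d = self._private[pub]          # KeyError once the identity is removed
        return pow(challenge, d, n)


class Server:
    """sshd on host C, trusting a set of public keys (authorized_keys)."""

    def __init__(self, authorized):
        self.authorized = set(authorized)

    def challenge(self):
        return secrets.randbelow(1 << 32)  # fresh per attempt, smaller than n

    def verify(self, pub, challenge, response):
        n, e = pub
        return pub in self.authorized and pow(response, e, n) == challenge


class ForwardedSocket:
    """What $SSH_AUTH_SOCK on host B points at while A's session is up: a
    relay to A's agent. Anyone on B able to open it (root, or a process
    running as the user) gets challenges answered until the session ends."""

    def __init__(self, agent):
        self._agent = agent
        self.connected = True

    def respond(self, pub, challenge):
        if not self.connected:
            raise ConnectionError("user logged out of B; relay is gone")
        return self._agent.respond(pub, challenge)


def authenticate(responder, pub, server):
    """One public-key authentication to C: C challenges, the responder
    (agent or relay) answers, C verifies. False on any failure."""
    c = server.challenge()
    try:
        return server.verify(pub, c, responder.respond(pub, c))
    except (ConnectionError, KeyError):
        return False


def scenario_agent_forwarding():
    """ssh -A from A to B, then ssh from B to C, with a hostile root on B."""
    pub, priv = toy_keypair()
    agent = Agent()
    agent.add_identity(pub, priv)
    host_c = Server([pub])
    sock = ForwardedSocket(agent)
    results = {
        "user_b_to_c": authenticate(sock, pub, host_c),
        "rogue_during_session": authenticate(sock, pub, host_c),  # copied SSH_AUTH_SOCK
        "key_exported": priv in agent.request_identities(),       # list shows public halves
    }
    sock.connected = False                                         # user logs out of B
    results["rogue_after_logout"] = authenticate(sock, pub, host_c)
    return results


def scenario_trojaned_client():
    """Passphrase typed into a trojaned client on B: the attacker now loads
    the decrypted key into an agent of their own and is never cut off."""
    pub, priv = toy_keypair()
    attacker_agent = Agent()
    attacker_agent.add_identity(pub, priv)
    return {"attacker_any_time": authenticate(attacker_agent, pub, Server([pub]))}
```

Running `scenario_agent_forwarding()` gives the user's hop to C, the rogue's hop during the session, no key export, and a failed rogue attempt after logout; `scenario_trojaned_client()` succeeds unconditionally, which is the difference between Borja's "keys are kept on your computer" and Michael Han's "there is a vulnerability introduced by forwarding your agent to an untrusted host": both hold, for different windows of time.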
Kris

From owner-freebsd-security Thu May 31 19:23:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id A362637B422 for ; Thu, 31 May 2001 19:23:26 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 93110 invoked by uid 1000); 1 Jun 2001 02:23:47 -0000 Date: Fri, 1 Jun 2001 04:23:47 +0200 From: "Karsten W. Rohrbach" To: Crist Clark Cc: freebsd-security@FreeBSD.ORG Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010601042347.C90738@mail.webmonster.de> Mail-Followup-To: "Karsten W.
Rohrbach" , Crist Clark , freebsd-security@FreeBSD.ORG References: <3B16E7D9.3E9B78FF@globalstar.com> <20010601031131.K85717@mail.webmonster.de> <3B16F3DD.E57AF761@globalstar.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="O3RTKUHj+75w1tg5" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B16F3DD.E57AF761@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 06:46:05PM -0700 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Crist Clark(crist.clark@globalstar.com)@2001.05.31 18:46:05 +0000:
> "Karsten W. Rohrbach" wrote:
> >
> > Crist Clark(crist.clark@globalstar.com)@2001.05.31 17:54:49 +0000:
> > > *sigh*
> > >
> > > You cannot 'record passphrases.' RSA authentication uses public key
> > > cryptography. The client, the person logging in, proves it knows a
> > > secret, the private key, without ever revealing it to the server who
> > > only knows the public key.
> > >
> > *sigh*
> >
> > fopen() does not have rsa support (thank god)
> > btw, the ssh-agent(1) holds the _decrypted_ key you opened with
> > ssh-add(1), entering your passphrase that went via a fd from ssh-askpass
> > to ssh-add.
>
> Yep. It does. So?

if you ssh to the untrusted box, have your .ssh/identity there (no good
practice but a lot of people do it) ssh asks you to enter the
passphrase. with a modified ssh binary an attacker would have the
passphrase. thus, he could obtain the decrypted identity/key.
>
> > > The use of public key crypto allows you to log into potentially
> > > untrusted servers without revealing your secret.
> > hopping a host you got to take care of the ssh binary handling your
> > auth token connecting to another - untrusted - server. thus, the binary
> > is also potentially untrusted.
> > also the ssh ForwardAgent option is potentially dangerous, then.
> > portforwarding, too.
>
> You misunderstand what agent forwarding is. Your private RSA key does
> NOT leave your local machine. Agent forwarding means that remote requests
> for the agent's help will be forwarded to the local machine. When you
> are logged into a remote machine and do some action that requires the
> agent's help, the data is forwarded to the local agent, it does whatever
> magic is done, and the result of the action is passed back along to
> the remote machine. Note, the _result of the action_ is passed along,
> your private key is NOT passed to the remote server.
>
> Read the Ylonen SSH draft, specifically the section, "The Authentication
> Agent Protocol," for details.

reading the source, i see that the agent itself does all the signing. i
should have looked into ssh-agent.c first :-)
in this case, agent forwarding has the preference over storing crypted
identity on a remote host *grin*
anyway, portforwarding could at least lead to session dos attacks i think.

/k
--
> "Niklaus Wirth has lamented that, whereas Europeans pronounce his name
> correctly (Ni-klows Virt), Americans invariably mangle it into
> (Nick-les Worth). Which is to say that Europeans call him by name, but
> Americans call him by value."
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Thu May 31 19:25:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 6325737B422 for ; Thu, 31 May 2001 19:25:24 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GE8C1M00.F92; Thu, 31 May 2001 19:24:58 -0700 Message-ID: <3B16FD12.B1F251C8@globalstar.com> Date: Thu, 31 May 2001 19:25:22 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Kris Kennaway Cc: security@FreeBSD.org Subject: Re: Apache Software Foundation Server compromised, resecured.
(fwd) References: <3B16E7D9.3E9B78FF@globalstar.com> <20010531183732.B12216@xor.obsecurity.org> <3B16F492.128CB8B0@globalstar.com> <20010531191001.A12808@xor.obsecurity.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Kris Kennaway wrote:
>
> On Thu, May 31, 2001 at 06:49:06PM -0700, Crist Clark wrote:
> > Kris Kennaway wrote:
> > >
> > > On Thu, May 31, 2001 at 05:54:49PM -0700, Crist Clark wrote:
> > >
> > > > *sigh*
> > > >
> > > > You cannot 'record passphrases.' RSA authentication uses public key
> > > > cryptography. The client, the person logging in, proves it knows a
> > > > secret, the private key, without ever revealing it to the server who
> > > > only knows the public key.
> > >
> > > The ssh client on the sourceforge machine was trojaned;
> >
> > A lot of people SSH _out_ of the sourceforge machine(s)? And they do
> > so by typing a passphrase on that machine as opposed to agent forwarding?
>
> Apparently so.
>
> I believe agent forwarding still exposes the problem: it basically
> sets up a trust relationship with the remote system which allows
> processes running as you on the target machine to access the keys
> stored in the original ssh-agent on your source machine.
>
> i.e. in order to authenticate from the second machine to a third when
> agent forwarding is enabled from machine one to machine two, the
> second client requests a copy of your decrypted credentials which are
> stored in the ssh-agent on the first, and uses them as it pleases
> (ideally, only to authenticate -- once, and according to your
> directions -- with the third system).

According to the documentation, this is NOT how the agent forwarding
works.
The second client passes data, typically a challenge, back to
machine one, where the agent does its thing with the private key
material, then passes the decrypted challenge information back to
machine two. Have a look at all of the communications the agent does,

  SSH_AGENTC_REQUEST_RSA_IDENTITIES
  SSH_AGENT_RSA_IDENTITIES_ANSWER

These two are basically the output of 'ssh-add -l.' There is no
confidential data passed out of the agent,

  SSH_AGENTC_RSA_CHALLENGE
  SSH_AGENT_RSA_RESPONSE

These are the two that I think people are confused about. In your
example, Kris, machine two would take the challenge it got and pass it
back to the agent on machine one as a SSH_AGENTC_RSA_CHALLENGE comm.
The agent would reply with a SSH_AGENT_RSA_RESPONSE. The private RSA
key never changes hands.

  SSH_AGENT_FAILURE
  SSH_AGENT_SUCCESS

If it does not understand something or when it ACK's a comm and it does
not need to pass data back, respectively.

  SSH_AGENTC_ADD_RSA_IDENTITY
  SSH_AGENT_REMOVE_RSA_IDENTITY

How RSA identities are added to the agent. Note, there is no way to get
it back out. It only can be deleted. And that's all.

> The moral of the story is to never initiate SSH connections from
> untrusted machines, no matter how you do it, because you expose your
> private credentials to that system

From how I read the docs, this is not true for agent forwarding.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited.
If you have received this e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Thu May 31 19:36:00 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-66.dsl.lsan03.pacbell.net [63.207.60.66]) by hub.freebsd.org (Postfix) with ESMTP id B8FED37B422 for ; Thu, 31 May 2001 19:35:56 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id A585D678A5; Thu, 31 May 2001 19:35:55 -0700 (PDT) Date: Thu, 31 May 2001 19:35:55 -0700 From: Kris Kennaway To: Crist Clark Cc: Kris Kennaway , security@FreeBSD.org Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010531193555.A13334@xor.obsecurity.org> References: <3B16E7D9.3E9B78FF@globalstar.com> <20010531183732.B12216@xor.obsecurity.org> <3B16F492.128CB8B0@globalstar.com> <20010531191001.A12808@xor.obsecurity.org> <3B16FD12.B1F251C8@globalstar.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="azLHFNyN32YCQGCU" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B16FD12.B1F251C8@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 07:25:22PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, May 31, 2001 at 07:25:22PM -0700, Crist Clark wrote:
> According to the documentation, this is NOT how the agent forwarding
> works.
> The second client passes data, typically a challenge, back to
> machine one, where the agent does its thing with the private key
> material, then passes the decrypted challenge information back to
> machine two.

Okay, I'm willing to admit I could be wrong about the mechanism, but
the trust relationship still exists. The ssh-agent authenticates on
demand, so as long as you're connected to the untrusted system it can
authenticate as you to other systems without your permission.

Kris

From owner-freebsd-security Fri Jun 1 1:21:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from mikehan.com (giles.mikehan.com [63.201.69.194]) by hub.freebsd.org (Postfix) with ESMTP id EEC7937B424 for ; Fri, 1 Jun 2001 01:21:36 -0700 (PDT) (envelope-from mikehan@mikehan.com) Received: (from mikehan@localhost) by mikehan.com (8.11.3/8.11.3) id f518LYD01659; Fri, 1 Jun 2001 01:21:34 -0700 (PDT) (envelope-from mikehan) Date: Fri, 1 Jun 2001 01:21:33 -0700 From: Michael Han To: Crist Clark Cc: security@FreeBSD.org Subject: Re: Apache Software Foundation Server compromised, resecured.
(fwd) Message-ID: <20010601012133.A1203@giles.mikehan.com> References: <3B16E7D9.3E9B78FF@globalstar.com> <20010531183732.B12216@xor.obsecurity.org> <3B16F492.128CB8B0@globalstar.com> <20010531191001.A12808@xor.obsecurity.org> <3B16FD12.B1F251C8@globalstar.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B16FD12.B1F251C8@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 07:25:22PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, May 31, 2001 at 07:25:22PM -0700, Crist Clark wrote:
> Kris Kennaway wrote:
> >
> > On Thu, May 31, 2001 at 06:49:06PM -0700, Crist Clark wrote:
> > > Kris Kennaway wrote:
> > > >
> > > > On Thu, May 31, 2001 at 05:54:49PM -0700, Crist Clark wrote:
> > > >
> > > > > *sigh*
> > > > >
> > > > > You cannot 'record passphrases.' RSA authentication uses public key
> > > > > cryptography. The client, the person logging in, proves it knows a
> > > > > secret, the private key, without ever revealing it to the server who
> > > > > only knows the public key.
> > > >
> > > > The ssh client on the sourceforge machine was trojaned;
> > >
> > > A lot of people SSH _out_ of the sourceforge machine(s)? And they do
> > > so by typing a passphrase on that machine as opposed to agent forwarding?
> >
> > Apparently so.
> >
> > I believe agent forwarding still exposes the problem: it basically
> > sets up a trust relationship with the remote system which allows
> > processes running as you on the target machine to access the keys
> > stored in the original ssh-agent on your source machine.
> >
> > i.e.
> > in order to authenticate from the second machine to a third when
> > agent forwarding is enabled from machine one to machine two, the
> > second client requests a copy of your decrypted credentials which are
> > stored in the ssh-agent on the first, and uses them as it pleases
> > (ideally, only to authenticate -- once, and according to your
> > directions -- with the third system).
>
> According to the documentation, this is NOT how the agent forwarding
> works. The second client passes data, typically a challenge, back to
> machine one, where the agent does its thing with the private key
> material, then passes the decrypted challenge information back to
> machine two.
>
> [snip]

Crist, I believe your analysis is correct WRT decrypted keys or passphrases *not* being available except by compromising the originating client hosting the first ssh-agent in a chain. However, Kris is correct, as I understand agent forwarding, in that if you forward your agent from trusted host A to untrusted host B, a rogue superuser on B could copy your SSH_AUTH_SOCK environment and begin passing RSA key requests back to your agent on A. There *is* a vulnerability introduced by forwarding your agent to an untrusted host, which is why I do not usually forward my agent.
I try to give my understanding of these issues in
http://www.mikehan.com/ssh/security.html

-- 
mikehan@mikehan.com http://www.mikehan.com/
coffee achiever, San Francisco, California
A closed mouth gathers no foot

From owner-freebsd-security Fri Jun 1 1:29:08 2001
Date: Fri, 1 Jun 2001 10:29:02 +0200
From: Borja Marcos
To: freebsd-security@freebsd.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

On Friday 01 June 2001 02:28, you wrote:
> based on what i've read this morning, it wouldn't have made
> all that much of a difference. apparently the compromised
> version of ssh recorded passphrases, and keys.
>
> i don't see how else you could have avoided this problem.

If you use an authentication agent the keys are kept in your computer. If you ssh from A to B and from B to C, the challenge used for the authentication is sent from C through B to A. This means that a compromised ssh client in B cannot log any keys.

I usually install *all* my ssh servers with "PasswordAuthentication no" in /etc/ssh/sshd_config.
And, using an authentication agent would allow you to use a sort of external device to store the keys. For example, a Dallas Semiconductor "iButton", a PDA or an HP calculator.

Borja.

From owner-freebsd-security Fri Jun 1 1:29:22 2001
Date: Fri, 1 Jun 2001 10:29:17 +0200
From: Borja Marcos
To: freebsd-security@freebsd.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

On Friday 01 June 2001 04:10, you wrote:
> I believe agent forwarding still exposes the problem: it basically
> sets up a trust relationship with the remote system which allows
> processes running as you on the target machine to access the keys
> stored in the original ssh-agent on your source machine.
>
> i.e.
> in order to authenticate from the second machine to a third when
> agent forwarding is enabled from machine one to machine two, the
> second client requests a copy of your decrypted credentials which are
> stored in the ssh-agent on the first, and uses them as it pleases
> (ideally, only to authenticate -- once, and according to your
> directions -- with the third system).

Are you sure? I understand that the challenge encryption is done at the first system (by the authentication agent) and the private key is *not* sent anywhere. If that were the case, the authentication agent would have no useful purpose!

Of course, a problem remains; it might be possible to start connections from the second system to the third using the forwarded authentication, but the use of an external device storing the keys would make it more difficult.

Borja.

From owner-freebsd-security Fri Jun 1 1:51:02 2001
From: Michael Radzewitz
To: "'security@freebsd.org'"
Subject: RE: Apache Software Foundation Server compromised, resecured.
Date: Fri, 1 Jun 2001 10:50:46 +0200

Hello,

I agree with Michael. Forwarding is always a man in the middle even on a trusted host. Forwarding on untrusted hosts running outdated software makes things even worse!

Michael Radzewitz

And them she gave her moebles and her thing. --Chaucer

Softwareentwicklung Portaltechnologie & Infoportale
freenet.de AG, Deelbögenkamp 4c, 22297 Hamburg
michael.radzewitz@freenet-ag.de
www.freenet.de

From owner-freebsd-security Fri Jun 1 2:30:56 2001
Date: Fri, 1 Jun 2001 02:30:51 -0700
From: Kris Kennaway
To: Borja Marcos
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured.
(fwd)

On Fri, Jun 01, 2001 at 10:29:02AM +0200, Borja Marcos wrote:
> On Friday 01 June 2001 02:28, you wrote:
> > based on what i've read this morning, it wouldn't have made
> > all that much of a difference. apparently the compromised
> > version of ssh recorded passphrases, and keys.
> >
> > i don't see how else you could have avoided this problem.
>
> If you use an authentication agent the keys are kept in your computer. If
> you ssh from A to B and from B to C, the challenge used for the
> authentication is sent from C through B to A. This means that a compromised
> ssh client in B cannot log any keys.

But B can request that A authenticate you to any other host, at any time during the lifetime of the A-B agent forwarding connection, using your RSA key on A. Even though B can't get your key itself, it can authenticate as you as often as it likes, to as many systems as it likes, as long as that agent forwarding channel is available. That's the next best thing, because when you obtain access to a system once, in general (not always) it's fairly easy to retain access indefinitely.
Kris

From owner-freebsd-security Fri Jun 1 2:35:27 2001
Date: Fri, 1 Jun 2001 11:35:22 +0200
From: Borja Marcos
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

On Friday 01 June 2001 11:30, Kris Kennaway wrote:
> But B can request that A authenticate you to any other host, at any
> time during the lifetime of the A-B agent forwarding connection, using
> your RSA key on A.
> Even though B can't get your key itself, it can
> authenticate as you as often as it likes, to as many systems as it
> likes, as long as that agent forwarding channel is available. That's
> the next best thing, because when you obtain access to a system once,
> in general (not always) it's fairly easy to retain access
> indefinitely.

Of course. That's why I want an external device. Something like an iButton, which you could plug in *only* whenever you want to authenticate. Once authenticated, you disconnect it and the agent can no longer authenticate.

Now I am playing with an HP calculator. It could be a fairly acceptable solution to store the keys and authenticate, and the screen could warn the user (and ask for a password) whenever a remote authentication request arrives.

Borja.

From owner-freebsd-security Fri Jun 1 2:38:18 2001
Date: Fri, 1 Jun 2001 12:34:40 +0200
From: "Liran Dahan"
Subject: Re: Apache Software Foundation Server Compromised, Resecured
Would it be much much better to use, as well as all the ssh security issues, IPFW rules for it? or maybe TCP_Wrappers as well?

-Liran Dahan- (lirandb@netvision.net.il)
From owner-freebsd-security Fri Jun 1 2:48:22 2001
Date: Fri, 1 Jun 2001 02:48:19 -0700
From: Kris Kennaway
To: Liran Dahan
Cc: freebsd-security@freebsd.org
Subject: Re: Apache Software Foundation Server Compromised, Resecured

On Fri, Jun 01, 2001 at 12:34:40PM +0200, Liran Dahan wrote:
> Would it be much much better to use, as well as all the ssh security
> issues, IPFW rules for it? or maybe TCP_Wrappers as well?

These address different aspects of the security problem.
Kris

From owner-freebsd-security Fri Jun 1 3:14:09 2001
Date: Fri, 1 Jun 2001 03:14:06 -0700 (PDT)
From: Ask Bjoern Hansen
To: Alex Holst
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

On Fri, 1 Jun 2001, Alex Holst wrote:
[...]
> gives the impression that people are still using passwords (as
> opposed to keys with passphrases) for authentication in this day
> and age. Is that correct? If so, why is that?

CVS pserver; weird windows SSH clients; convenience; laziness; "don't know any better"; ...

Of any group of hundreds of developers I'm afraid that you'll find that MANY are not as aware of (unix) security issues as the average subscriber to freebsd-security.
- ask

-- 
ask bjoern hansen, http://ask.netcetera.dk/   !try; do();

From owner-freebsd-security Fri Jun 1 6:34:36 2001
Date: 01 Jun 2001 15:34:27 +0200
From: Dag-Erling Smorgrav
To: "alexus"
Cc: "Rob Simmons", "Liran Dahan"
Subject: Re: Limiting TCP RST Response Packets

"alexus" writes:
> what does TCP_RESTRICT_RST do anyway?
> what is it for?

Nothing. Move along, there's nothing to see here.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Jun 1 6:40:09 2001
Date: 01 Jun 2001 15:40:04 +0200
From: Dag-Erling Smorgrav
To: Alex Holst
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

Alex Holst writes:
> That should be verified often with scanssh or something similar. I was
> surprised when I read about the compromise, because it gives the impression
> that people are still using passwords (as opposed to keys with passphrases)
> for authentication in this day and age.

Keys with passphrases wouldn't have made any difference. The ssh binary on sourceforge was trojaned, and could have harvested ssh keys just as easily as passwords.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Jun 1 6:47:08 2001
Date: 01 Jun 2001 15:47:00 +0200
From: Dag-Erling Smorgrav
To: Brian Behlendorf
Cc: Alex Holst
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

Brian Behlendorf writes:
> On Fri, 1 Jun 2001, Alex Holst wrote:
> > I was surprised when I read about the compromise, because it gives the
> > impression that people are still using passwords (as opposed to keys
> > with passphrases) for authentication in this day and age. Is that
> > correct? If so, why is that?
> CVS pserver.

You don't need passwords to run CVS against a remote repository. All you need is 'CVSROOT=user@server:/path/to/repo' and 'CVS_RSH=ssh'.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Jun 1 6:51:00 2001
Date: Fri, 1 Jun 2001 09:53:08 -0400
From: "Peter C. Lai"
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

usually on untrusted systems (such as a public terminal), i ssh via mindterm's java ssh client which is stored on the system that i access. It only uses SSH1 (because they haven't written an SSH2 client yet). The java applet version i'm using is unsigned, and therefore should run in its own sandbox wrt the java runtime that i am using. Barring a trojaned java runtime that records all keystrokes, how else is using a trusted client stored on a trusted machine from an untrusted terminal dangerous?

Peter C.
Lai | University of Connecticut
peter.lai@uconn.edu | Undergraduate Research Assistant

----- Original Message -----
From: "Michael Bryan"
Sent: Thursday, May 31, 2001 7:54 PM
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

> Alex Holst wrote:
> >
> > I was
> > surprised when I read about the compromise, because it gives the impression
> > that people are still using passwords (as opposed to keys with passphrases)
> > for authentication in this day and age. Is that correct? If so, why is that?
>
> Yeah, I'd say it's correct. As to why, I can think of two reasons. 1) It's
> easier to use ssh with passwords, and just not be "bothered" with the key
> maintenance. 2) The password is sent encrypted, not in cleartext, and that
> is in many people's minds one of the most important benefits of using ssh.
> The extra safety of keys is just not always seen as being worth the extra
> work. [And I'm not arguing either side of that issue, different people believe
> or prioritize in different ways...]
From owner-freebsd-security Fri Jun 1 6:56:58 2001
Date: 01 Jun 2001 15:56:47 +0200
From: Dag-Erling Smorgrav
To: "Peter C. Lai"
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

"Peter C. Lai" writes:
> Barring a trojaned java
> runtime that records all keystrokes, how else is using a trusted client
> stored on a trusted machine from an untrusted terminal dangerous?

I don't need to trojan Java to capture your password. All I need to do is steal your .Xauthority. I'm sure there exist easily available X keyboard capture utilities which even a script kiddie could use.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Jun 1 7:19:37 2001
Date: Fri, 1 Jun 2001 16:19:51 +0200
From: "Karsten W. Rohrbach"
To: Kris Kennaway
Cc: Crist Clark, security@FreeBSD.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

Kris Kennaway(kris@obsecurity.org)@2001.05.31 19:35:55 +0000:
> On Thu, May 31, 2001 at 07:25:22PM -0700,
> Crist Clark wrote:
>
> > According to the documentation, this is NOT how the agent forwarding
> > works. The second client passes data, typically a challenge, back to
> > machine one, where the agent does its thing with the private key
> > material, then passes the decrypted challenge information back to
> > machine two.
>
> Okay, I'm willing to admit I could be wrong about the mechanism, but
> the trust relationship still exists. The ssh-agent authenticates on
> demand, so as long as you're connected to the untrusted system it can
> authenticate as you to other systems without your permission.

this does not lead to a big tragedy since the agent protocol is challenge-response. a challenge is sent by the remote peer, the agent signs it using the local identity and sends the response back to the remote peer. the remote side checks the signed response against the public key and if it matches c'est ca.

if this way of authentication has to be considered dangerous, public key crypto is, since you could not give away your public key, then ;-)

the private key is never ever presented to an entity on a remote system.
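The mechanism the thread is arguing about (Karsten's challenge-response description here, Kris's point that B can reuse the forwarded agent against any host, and Borja's per-request confirmation device), as an added toy model that is not code from the list or from OpenSSH: the agent on A signs challenges and the private exponent never leaves A, yet any process on B holding the forwarded socket can authenticate as the user until the channel closes or a confirm hook refuses. The host names, the small-prime textbook RSA key and the `confirm` callback are constructed assumptions for illustration only.

```python
"""Toy model of SSH agent forwarding: A runs the agent, B has the agent
forwarded to it, C and D are target servers. Constructed example."""
import hashlib
import secrets

# Constructed toy RSA key: small primes, not secure, only there to show
# which party ever touches the private exponent D.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest(challenge: bytes) -> int:
    """Reduce the server's random challenge to an integer the toy RSA signs."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


class Agent:
    """ssh-agent on host A: signs challenges on request. The private
    exponent stays in this object, so a trojaned client on B cannot read it."""

    def __init__(self, d: int, n: int, confirm=None):
        self._d = d
        self.n = n
        # Optional confirm(requester, target) -> bool hook: an agent that asks
        # the user before every signature (what Borja's external device does).
        self.confirm = confirm
        self.audit = []  # (requester, target) for every signing request

    def sign(self, requester: str, target: str, challenge: bytes) -> int:
        self.audit.append((requester, target))
        if self.confirm is not None and not self.confirm(requester, target):
            raise PermissionError(f"signature for {target} refused")
        return pow(digest(challenge), self._d, self.n)


class ForwardedAgentSocket:
    """What a process on B reaches through $SSH_AUTH_SOCK: a channel back to
    A's agent. It can request signatures but never obtain the key."""

    def __init__(self, agent: Agent, host: str):
        self._agent = agent
        self.host = host
        self.open = True

    def request_signature(self, target: str, challenge: bytes) -> int:
        if not self.open:
            raise ConnectionError("agent forwarding channel closed")
        return self._agent.sign(self.host, target, challenge)


class Server:
    """Target host (C or D); it knows only the public key (E, N)."""

    def __init__(self, name: str, e: int, n: int):
        self.name, self.e, self.n = name, e, n

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, signature: int) -> bool:
        return pow(signature, self.e, self.n) == digest(challenge)


def authenticate(sock: ForwardedAgentSocket, server: Server) -> bool:
    """One RSA challenge-response login from B to `server`, signed on A."""
    challenge = server.new_challenge()
    try:
        signature = sock.request_signature(server.name, challenge)
    except (PermissionError, ConnectionError):
        return False
    return server.verify(challenge, signature)


def scenario(confirm=None):
    """Returns (legit_ok, rogue_ok, after_close_ok, audit).

    The user on B logs in to C (intended). A rogue process on B then reuses
    the same forwarded socket to log in to D. Finally the channel is closed
    (Borja unplugging the device) and a further attempt fails."""
    agent = Agent(D, N, confirm)
    sock = ForwardedAgentSocket(agent, "B")
    c, d = Server("C", E, N), Server("D", E, N)
    legit = authenticate(sock, c)
    rogue = authenticate(sock, d)
    sock.open = False
    after_close = authenticate(sock, d)
    return legit, rogue, after_close, agent.audit


def only_c(requester: str, target: str) -> bool:
    """Confirm hook: the user approves signing for C and nothing else."""
    return target == "C"
```

Without a confirm hook the rogue login to D succeeds; with `only_c` it is refused, and the audit list on A still records that B asked.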
/k
-- 
> "There is a God, but He drinks" --Blore
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Fri Jun 1 7:23:21 2001
To: Brian Behlendorf
Cc: "Karsten W. Rohrbach",
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
From: Dag-Erling Smorgrav
Date: 01 Jun 2001 16:23:09 +0200

Brian Behlendorf writes:
> The shell machine at SF didn't have reverse DNS (or at least it wasn't
> recorded in the wtmp), so you might want to look for 216.136.171.252 (the
> machine our friend came in from) or maybe even 216.136/24.

I hope you meant 216.136.171/24, and not 216.136/16:

des@des ~% host freefall.freebsd.org
freefall.freebsd.org has address 216.136.204.21
freefall.freebsd.org mail is handled (pri=10) by hub.freebsd.org

Oh, and .252 does have reverse DNS:

des@des ~% host 216.136.171.252
252.171.136.216.IN-ADDR.ARPA domain name pointer usw-sf-fw2.sourceforge.net

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Jun 1 7:23:22 2001
From: "Karsten W. Rohrbach"
To: Michael Han
Cc: Crist Clark, security@FreeBSD.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 16:23:27 +0200
Message-ID: <20010601162327.G10477@mail.webmonster.de>
In-Reply-To: <20010601012133.A1203@giles.mikehan.com>

Michael Han(mikehan@mikehan.com)@2001.06.01 01:21:33 +0000:
> Crist, I believe your analysis is correct WRT decrypted keys or
> passphrases *not* being available except by compromising the
> originating client hosting the first ssh-agent in a chain. However,
> Kris is correct, as I understand agent forwarding, in that if you
> forward your agent from trusted host A to untrusted host B, a rogue
> superuser on B could copy your SSH_AUTH_SOCK environment and begin
> passing RSA key requests back to your agent on A. There *is* a
> vulnerability introduced by forwarding your agent to an untrusted
> host, which is why I do not usually forward my agent. I try to give my
> understanding of these issues in
> http://www.mikehan.com/ssh/security.html

this would be a standard man in the middle attack, right?
capturing the challenge from one machine passing it (as root) to the
agent, getting the response packet back and passing it on to the
to-be-broken-in server should not work due to session keying, shouldn't
it?

/k

From owner-freebsd-security Fri Jun 1 7:25:02 2001
From: David Taylor
To: "Karsten W. Rohrbach"
Cc: security@FreeBSD.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 15:24:48 +0100
Message-ID: <20010601152448.A1982@gattaca.yadt.co.uk>
In-Reply-To: <20010601161951.F10477@mail.webmonster.de>

On Fri, 01 Jun 2001, Karsten W. Rohrbach wrote:
> this does not lead to a big tragedy since the agent protocol is
> challenge-response. a challenge is sent by the remote peer, the agent
> signs it using the local identity and send the response back to the
> remote peer. the remote side checks the signed response against the
> public key and if it matches c'est ca. if this way of authentication
> has to be considered dangerous, public key crypto is, since you could
> not give away you public key, then ;-) the private key is never ever
> presented to an entity on a remote system.
> 

public key crypto _would_ be dangerous if you automatically signed anything
an untrusted remote host threw at you.

Now, if ssh-agent were to ask you if it should sign the challenge each
time, that'd help. But if the remote ssh binary is trojaned, it could be
designed to inject arbitrary commands into your session, so it wouldn't
help very much.

If you're allowing an untrusted machine to make a connection to another
machine, it's insecure, basically.
-- 
David Taylor
davidt@yadt.co.uk

From owner-freebsd-security Fri Jun 1 8:05:08 2001
From: Michael Han
To: "Karsten W. Rohrbach", security@FreeBSD.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 08:04:13 -0700
Message-ID: <20010601080413.D1203@giles.mikehan.com>
In-Reply-To: <20010601162327.G10477@mail.webmonster.de>

On Fri, Jun 01, 2001 at 04:23:27PM +0200, Karsten W. Rohrbach wrote:
> Michael Han(mikehan@mikehan.com)@2001.06.01 01:21:33 +0000:
> > Crist, I believe your analysis is correct WRT decrypted keys or
> > passphrases *not* being available except by compromising the
> > originating client hosting the first ssh-agent in a chain.
> > However,
> > Kris is correct, as I understand agent forwarding, in that if you
> > forward your agent from trusted host A to untrusted host B, a rogue
> > superuser on B could copy your SSH_AUTH_SOCK environment and begin
> > passing RSA key requests back to your agent on A. There *is* a
> > vulnerability introduced by forwarding your agent to an untrusted
> > host, which is why I do not usually forward my agent. I try to give my
> > understanding of these issues in
> > http://www.mikehan.com/ssh/security.html
> this would be a standard man in the middle attack, right?
> capturing the challenge from one machine passing it (as root) to the
> agent, getting the response packet back and passing it on to the
> to-be-broken-in server should not work due to session keying, should'nt
> it?

I always understood MITM to involve intercepting the connection to a
server in order to be able to intercept the cleartext of the session.

What I describe about a superuser on an intermediary host being able to
exploit an agent forwarded is trivially proven if you have root on a
machine you can RSA auth into:

hosta% ssh -lme hostb
hostb% echo $SSH_AUTH_SOCK
/tmp/ssh-agt38oh/agent.1234
hostb% su -
Password:
# echo $SSH_AUTH_SOCK

# SSH_AUTH_SOCK=/tmp/ssh-agt38oh/agent.1234
# export SSH_AUTH_SOCK
# ssh -lme localhost
hostb%

This is SSH-1.5 implemented by OpenSSH 2.3.0. Perhaps protocol version 2
addresses this?

-- 
mikehan@mikehan.com   http://www.mikehan.com/
coffee achiever       San Francisco, California
A double negative is a no-no.
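A defender's counterpart to the session above, added here as an example (it is not part of Michael Han's post and not OpenSSH's own parser): a small Python checker that resolves ForwardAgent per destination host the way ssh_config does, first obtained value wins, and contrasts a constructed config that forwards the agent everywhere with one that forwards only to a named bastion. The hostnames and config contents are constructed, and Match blocks are not evaluated.

```python
"""Audit ssh_config for agent forwarding (added example; not OpenSSH code).

ssh_config semantics modelled here: keywords are case-insensitive, 'Host'
starts a stanza whose patterns use shell-style wildcards plus '!' negation,
and for each option the FIRST matching value wins.  'Match' blocks are not
evaluated (simplification: their options are ignored).
"""
import fnmatch
import re

# Constructed sample: a convenience config that forwards the agent everywhere.
# The later stanza for the untrusted shell host is meant to switch it off,
# but the 'Host *' stanza above it already supplied the value, so it wins.
WEAK_CONFIG = """
Host *
    ForwardAgent yes

Host shell.example.org
    ForwardAgent no
"""

# Constructed sample: forwarding off by default, enabled only for one
# bastion, with the catch-all stanza placed LAST so it cannot shadow it.
HARDENED_CONFIG = """
Host bastion.internal.example
    ForwardAgent yes

Host *
    ForwardAgent no
"""

_OPTION_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")


def parse_ssh_config(text):
    """Return stanzas as (host_patterns, [(keyword, value), ...]) in file order.
    Options that appear before any Host line apply to every host."""
    stanzas = []
    patterns, options = ["*"], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = _OPTION_RE.match(line)
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            stanzas.append((patterns, options))
            # Match blocks are not evaluated: give them no patterns at all.
            patterns = value.split() if key == "host" else []
            options = []
        else:
            options.append((key, value))
    stanzas.append((patterns, options))
    return stanzas


def host_matches(patterns, hostname):
    """ssh_config Host matching: some positive pattern matches and no
    negated ('!') pattern matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_option(stanzas, hostname, keyword, default):
    """First obtained value wins, which is how ssh(1) applies ssh_config."""
    keyword = keyword.lower()
    for patterns, options in stanzas:
        if not host_matches(patterns, hostname):
            continue
        for key, value in options:
            if key == keyword:
                return value.lower()
    return default


def forwards_agent(config_text, hostname):
    """True if connecting to `hostname` with this config forwards the agent."""
    stanzas = parse_ssh_config(config_text)
    return effective_option(stanzas, hostname, "ForwardAgent", "no") == "yes"


def audit_forwarding(config_text, hostnames):
    """Return the hostnames that would receive the agent, for review."""
    return [h for h in hostnames if forwards_agent(config_text, h)]


if __name__ == "__main__":
    hosts = ["bastion.internal.example", "shell.example.org"]
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: agent forwarded to {audit_forwarding(cfg, hosts)}")
```

The weak config still forwards to shell.example.org despite its explicit ForwardAgent no, because the earlier Host * stanza already supplied the value; that ordering mistake is the first thing to check when reviewing a client config.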
From owner-freebsd-security Fri Jun 1 8:54:05 2001
From: Brian Behlendorf
To: Dag-Erling Smorgrav
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 08:55:16 -0700 (PDT)

On 1 Jun 2001, Dag-Erling Smorgrav wrote:
> You don't need passwords to run CVS against a remote repository. All
> you need is 'CVSROOT=user@server:/path/to/repo' and 'CVS_RSH=ssh'.

For those who use windows and mac GUI CVS clients, pserver's a
requirement.

IMHO, passwords are neither better nor worse, necessarily, than keys, in
authenticating to a server. The basic difference is between "what you
know" and "what you have". I'm as worried about people who have poor
password management practices, as I am about people whose home or work
machines where their private keys are may not be the most secure.
	Brian

From owner-freebsd-security Fri Jun 1 8:55:31 2001
From: Brian Behlendorf
To: Dag-Erling Smorgrav
Cc: "Karsten W. Rohrbach",
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 08:56:44 -0700 (PDT)

On 1 Jun 2001, Dag-Erling Smorgrav wrote:
> Brian Behlendorf writes:
> > The shell machine at SF didn't have reverse DNS (or at least it wasn't
> > recorded in the wtmp), so you might want to look for 216.136.171.252 (the
> > machine our friend came in from) or maybe even 216.136/24.
>
> I hope you meant 216.136.171/24, and not 216.136/16:

Er, yeah; preferably someone could get a list of IP addresses SF.net has
ever had public shell machines on.

> Oh, and .252 does have reverse DNS:
>
> des@des ~% host 216.136.171.252
> 252.171.136.216.IN-ADDR.ARPA domain name pointer usw-sf-fw2.sourceforge.net

OK, but it wasn't recorded in my wtmp, so I suspect it might not get
recorded in others'.
	Brian

From owner-freebsd-security Fri Jun 1 9:23:54 2001
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: Dag-Erling Smorgrav
Cc: Brian Behlendorf, Alex Holst,
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 10:23:37 -0600 (MDT)
Message-ID: <15127.49545.586283.574105@nomad.yogotech.com>

> > > I was surprised when I read about the compromise, because it gives the
> > > impression that people are still using passwords (as opposed to keys
> > > with passphrases) for authentication in this day and age. Is that
> > > correct? If so, why is that?
> 
> > CVS pserver.
> 
> You don't need passwords to run CVS against a remote repository. All
> you need is 'CVSROOT=user@server:/path/to/repo' and 'CVS_RSH=ssh'.
This requires that you give the user a valid login account, unless you
use the hacks that OpenBSD uses (using a shell that only allows them to
run CVS). Using pserver mode, you don't (necessarily) have to give them
a valid login account.

Nate

From owner-freebsd-security Fri Jun 1 9:29:41 2001
From: "Crist Clark"
Organization: Globalstar LP
To: "Karsten W. Rohrbach"
Cc: Michael Han, security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 01 Jun 2001 09:29:28 -0700
Message-ID: <3B17C2E8.C24B8262@globalstar.com>
"Karsten W. Rohrbach" wrote:
> 
> Michael Han(mikehan@mikehan.com)@2001.06.01 01:21:33 +0000:
> > Crist, I believe your analysis is correct WRT decrypted keys or
> > passphrases *not* being available except by compromising the
> > originating client hosting the first ssh-agent in a chain. However,
> > Kris is correct, as I understand agent forwarding, in that if you
> > forward your agent from trusted host A to untrusted host B, a rogue
> > superuser on B could copy your SSH_AUTH_SOCK environment and begin
> > passing RSA key requests back to your agent on A. There *is* a
> > vulnerability introduced by forwarding your agent to an untrusted
> > host, which is why I do not usually forward my agent. I try to give my
> > understanding of these issues in
> > http://www.mikehan.com/ssh/security.html
> this would be a standard man in the middle attack, right?
> capturing the challenge from one machine passing it (as root) to the
> agent, getting the response packet back and passing it on to the
> to-be-broken-in server should not work due to session keying, should'nt
> it?

No. The problem people are describing is not a man-in-the-middle
attack. Say you connect from Host_A to Host_B with agent forwarding
enabled. When you do this, there is a sshd process on Host_B which is
providing your SSH connection at Host_B. Agent forwarding basically
means that the sshd process on Host_B can send authentication challenges
to your ssh-agent process on Host_A, and the ssh-agent on Host_A will
process them and return a response. Normally, if you were to ssh to
Host_C from your session on Host_B, the ssh process started on Host_B
will try to send auth. challenges to a local ssh-agent, but these get
diverted through your sshd on Host_B back to the ssh-agent on Host_A.
The problem is that if root on Host_B is not (relatively) trusted
or if the sshd binary is compromised your ssh-agent on Host_A has no
way to know. It receives auth. challenge data from the sshd process
on Host_B and responds.
There is no way for it to know a priori whether
the auth. challenge is legitimate or not. This means that as long as
the agent forwarding channel is open, anyone who controls the sshd
process on Host_B has access to the authentication materials loaded
in the ssh-agent on Host_A.

There are several ways to mitigate this attack. The obvious one is not
to agent forward. This brings us back to the sourceforge problem. If
you used public keys and did not do agent forwarding, the act of just
logging in to the compromised sourceforge machine(s) would not have
compromised any authentication secrets. A second possibility is to be
careful about what keys you allow to forward. That is, if you have a
group of machines at a similar level of trust and in the same
administrative domain, perhaps one key pair to jump around those, and
other keys to move around other groups. Only allow agents to forward
the key associated with a domain around that domain. If one machine
is compromised, an attacker can only access machines in that domain.
It's a balance of usability versus security (as it always is).

As for a more long term solution, I think the simplest thing would
be to give ssh-agent some sort of logging abilities. One would still
be vulnerable to the attack, but one would be aware of any unauthorized
activities.

-- 
Crist J. Clark                       Network Security Engineer
crist.clark@globalstar.com           Globalstar, L.P.
(408) 933-4387                       FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.
If you have received this
e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Fri Jun 1 11:28:01 2001
From: "Karsten W. Rohrbach"
To: Crist Clark
Cc: Michael Han, security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 20:28:13 +0200
Message-ID: <20010601202813.H10477@mail.webmonster.de>
In-Reply-To: <3B17C2E8.C24B8262@globalstar.com>
Crist Clark(crist.clark@globalstar.com)@2001.06.01 09:29:28 +0000:
> "Karsten W. Rohrbach" wrote:
> > 
> > Michael Han(mikehan@mikehan.com)@2001.06.01 01:21:33 +0000:
> > > Crist, I believe your analysis is correct WRT decrypted keys or
> > > passphrases *not* being available except by compromising the
> > > originating client hosting the first ssh-agent in a chain. However,
> > > Kris is correct, as I understand agent forwarding, in that if you
> > > forward your agent from trusted host A to untrusted host B, a rogue
> > > superuser on B could copy your SSH_AUTH_SOCK environment and begin
> > > passing RSA key requests back to your agent on A. There *is* a
> > > vulnerability introduced by forwarding your agent to an untrusted
> > > host, which is why I do not usually forward my agent. I try to give my
> > > understanding of these issues in
> > > http://www.mikehan.com/ssh/security.html
> > this would be a standard man in the middle attack, right?
> > capturing the challenge from one machine passing it (as root) to the
> > agent, getting the response packet back and passing it on to the
> > to-be-broken-in server should not work due to session keying, should'nt
> > it?
> 
> No. The problem people are describing is not a man-in-the-middle
> attack. Say you connect from Host_A to Host_B with agent forwarding
> enabled. When you do this, there is a sshd process on Host_B which is
> providing your SSH connection at Host_B. Agent forwarding basically
> means that the sshd process on Host_B can send authentication challenges
> to your ssh-agent process on Host_A, and the ssh-agent on Host_A will
> process them and return a response. Normally, if you were to ssh to
> Host_C from your session on Host_B, the ssh process started on Host_B
> will try to send auth. challenges to a local ssh-agent, but these get
> divered through your sshd on Host_B back to the ssh-agent on Host_A.
> The problem is that if root on Host_B is not (relatively) trusted
> or if the sshd binary is compromised your ssh-agent on Host_A has no
> way to know. It receives auth. challenge data from the sshd process
> on Host_B and responds. There is no way for it to know a priori whether
> the auth. challenge is legitimate or not. This means that as long as
> the agent forwarding channel is open, anyone who controls the sshd
> process on Host_B has access to the authentication materials loaded
> in the ssh-agent on Host_A.

i understand... so, also, session key and per-session security won't
work, regardless of their specific implementation unless the agent
forward channel does not get plausibility checking (dunno the exact
word for it, german: plausibilitaetspruefung) and/or the agent itself
gets instrumentation to allow/disallow certain auth requests or to
have a dialog pop up that does this thing.

> 
> There are several ways to mitigate this attack. The obvious one is not
> to agent forward. This brings us back to the sourceforge problem. If
> you used public keys and did not do agent forwarding, the act of just
> logging in to the compromised sourceforge machine(s) would not have
> compromised any authentication secrets. A second possibility is to be
> careful about what keys you allow to forward. That is, if you have a
> group of machines at a similar level of trust and in the same
> administrative domain, perhaps one key pair to jump around those, and
> other keys to move around other groups. Only allow agents to forward
> the key associated with a domain around that domain. If one machine
> is compromised, an attacker can only access machines in that domain.
> It's a balance of usability versus security (as it always is).

for the environment portion (which is the basis for the root account
based attack), would it make sense to lock the pages in memory like
gnupg does? ssh is suid root, anyway so this should not be much of a
problem, right?
> 
> As for a more long term solution, I think the simplest thing would
> be to give ssh-agent some sort of logging abilities. One would still
> be vulnerable to the attack, but one would be aware of any unauthorized
> activities.

that for sure, but i am currently thinking about the SSH_ASKPASS
interface for X11 which would also allow some better application
protocol, thus the possibility of displaying alerts with the askpass
executable, including detailed info about the remote side requesting
the signature, and the option of user intervention by simply pressing
cancel. does this make sense?

> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above. If
> the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited. If you have received this
> e-mail in error, please contact postmaster@globalstar.com

ooh. i forgot. wasn't this sent to a mailing list? *grin* i hope nobody
sues me for replying to it in public... nevermind ;-)

cheers
/k
From owner-freebsd-security Fri Jun 1 11:32:05 2001
From: "Karsten W. Rohrbach"
To: Brian Behlendorf
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 20:32:22 +0200
Message-ID: <20010601203222.I10477@mail.webmonster.de>
Brian Behlendorf(brian@collab.net)@2001.06.01 08:55:16 +0000:
> On 1 Jun 2001, Dag-Erling Smorgrav wrote:
> > You don't need passwords to run CVS against a remote repository. All
> > you need is 'CVSROOT=user@server:/path/to/repo' and 'CVS_RSH=ssh'.
> 
> For those who use windows and mac GUI CVS clients, pserver's a
> requirement.
> 
> IMHO, passwords are neither better nor worse, necessarily, than keys, in
> authenticating to a server. The basic difference is between "what you
> know" and "what you have". I'm as worried about people who have poor
> password management practices, as I am about people whose home or work
> machines where their private keys are may not be the most secure.

having read a lot of the openssh sources last night (yay! finally) i
must say that pkcs are better than password exchange or key transmission
based systems in terms of security. the idea is having the public key on
the remote side, having the authenticating side sign a challenge blob of
data and xmit the response back where it is checked against the public
key. if it matches = good, if it's garbage = noauth.
the private key itself never gets transmitted over a wire, the public key
just once. if the algorithm is really non-reversible it should prove more
secure than every shared secret system out there (and that's why a lot of
folks use it i think).

/k
--
> Hackers do it with fewer instructions.

From owner-freebsd-security Fri Jun 1 11:42:52 2001
Date: Fri, 1 Jun 2001 20:43:09 +0200
From: "Karsten W. Rohrbach"
To: Brian Behlendorf
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010601204309.K10477@mail.webmonster.de>
Brian Behlendorf(brian@collab.net)@2001.06.01 08:56:44 +0000:
> On 1 Jun 2001, Dag-Erling Smorgrav wrote:
> > Brian Behlendorf writes:
> > > The shell machine at SF didn't have reverse DNS (or at least it wasn't
> > > recorded in the wtmp), so you might want to look for 216.136.171.252 (the
> > > machine our friend came in from) or maybe even 216.136/24.
> >
> > I hope you meant 216.136.171/24, and not 216.136/16:
>
> Er, yeah; preferably someone could get a list of IP addresses SF.net has
> ever had public shell machines on.

as a direct consequence of the incident it would be a prudent choice of
the sourceforge folks to have already done it. that said (i do not know
anyone at their site personally) could somebody with good connections to
them propagate this list to -security, please?

>
> > Oh, and .252 does have reverse DNS:
> >
> > des@des ~% host 216.136.171.252
> > 252.171.136.216.IN-ADDR.ARPA domain name pointer usw-sf-fw2.sourceforge.net
>
> OK, but it wasn't recorded in my wtmp, so I suspect it might not get
> recorded in others'.

reverse dns is not a security measure. it is the opposite ;-) dns can be
easily manipulated in a thousand ways.
one should never rely on reverse dns or dns in general.

/k
--
> The more we disagree, the more chance there is that at least one of us
> is right.

From owner-freebsd-security Fri Jun 1 14:19:21 2001
Date: Fri, 1 Jun 2001 14:19:16 -0700
From: Kris Kennaway
To: "Peter C. Lai"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010601141916.A88206@xor.obsecurity.org>
In-Reply-To: <00cc01c0eaa2$30bd7ca0$8caa6389@resnet.uconn.edu>

On Fri, Jun 01, 2001 at 09:53:08AM -0400, Peter C. Lai wrote:
> usually on untrusted systems (such as a public terminal), i ssh via
> mindterm's java ssh client which is stored on the system that i access. It
> only uses SSH1 (because they haven't written an SSH2 client yet). The java
> applet version i'm using is unsigned, and therefore should run in its own
> sandbox wrt to the java runtime that i am using. Barring a trojaned java
> runtime that record all keystrokes, how else is using a trusted client
> stored on a trusted machine from an untrusted terminal dangerous?

So many ways..another process running as you can monitor/intercept/modify
the operation of the JVM because there's no protection against doing that
under UNIX (the protection only exists between different processes running
as different users); the kernel, or another process can record keystrokes
(I don't know if mindterm is a text-based client or GUI, but it doesn't
matter); the client can be trojaned without your knowledge (how did you
KNOW it's "trusted"?), etc.
You should just accept the fact that it's not possible to run trusted
software in an untrusted environment, and if the system wants to
compromise your software badly enough they can. There have been some
interesting mathematical steps in this direction (involving computing of
a certain class of function which are "encrypted" but in an isomorphic
form, where the desired computation commutes with the operation of
encryption so the untrusted system can perform the computation without
knowing what it's doing) -- but nothing remotely usable.

Kris

From owner-freebsd-security Fri Jun 1 14:38:00 2001
Date: Fri, 1 Jun 2001 14:37:55 -0700
From: Kris Kennaway
To: "Karsten W. Rohrbach"
Cc: Kris Kennaway, Crist Clark, security@FreeBSD.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010601143755.B88206@xor.obsecurity.org>
In-Reply-To: <20010601161951.F10477@mail.webmonster.de>

On Fri, Jun 01, 2001 at 04:19:51PM +0200, Karsten W. Rohrbach wrote:
> Kris Kennaway(kris@obsecurity.org)@2001.05.31 19:35:55 +0000:
> > On Thu, May 31, 2001 at 07:25:22PM -0700, Crist Clark wrote:
> >
> > > According to the documentation, this is NOT how the agent forwarding
> > > works. The second client passes data, typically a challenge, back to
> > > machine one, where the agent does its thing with the private key
> > > material, then passes the decrypted challenge information back to
> > > machine two.
> >
> > Okay, I'm willing to admit I could be wrong about the mechanism, but
> > the trust relationship still exists. The ssh-agent authenticates on
> > demand, so as long as you're connected to the untrusted system it can
> > authenticate as you to other systems without your permission.
> this does not lead to a big tragedy since the agent protocol is
> challenge-response.

Yes, but it's done on demand with no auditing.

Two systems with an ssh-agent connection between them walked into a bar.
System B says to System A, "Your user told me to buy this fine imported
Australian beer, and that you'd pay for it. Just sign this cheque".
"Well, okay, here you go". System B drinks its fine imported Australian
beer and enjoys it.

System B says to the bartender, "I'll have another one of those, thanks.
My friend here is paying." "No problem, if my user says it's okay, I'm
sure it's fine!", says the ever-trusting System A. System B drinks its
fine imported Australian beer and enjoys it.

At the end of the night System B stumbles back home, happy and full of
Coopers Pale Ale; System A skips merrily home, happy that it was able to
help its user so much tonight; and the user is none the wiser until he
thinks to balance his chequebook at the end of the month. "I spent $100
on beer? Hmm, I don't remember that at all..it must have been a good
night!"

Kris

From owner-freebsd-security Fri Jun 1 15:59:12 2001
Date: Fri, 1 Jun 2001 19:00:27 -0400 (EDT)
From: "Dan Mahoney, System Admin"
To: security@freebsd.org, questions@freebsd.org
Subject: SetUID shell/perl scripts.
In articles dating as far back as 1997, I see people saying that freeBSD
doesn't support setuid shell scripts. Does the system make an exception
for apache? Because I'm able to run setuid root cgi scripts (and they're
/usr/bin/perl, not /usr/bin/suidperl, although they still perform taint
checking) (yes, I know, dangerous).

Or is it because apache runs its parent process as root, and will jump
down to "nobody" to run scripts, unless they're setuid, in which case it
will suid to whoever. To my knowledge, I'm not using cgiwrap or suexec.

-Dan

--
"Man, this is such a trip" -Dan Mahoney, October 25, 1997

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Web: http://prime.gushi.org
finger danm@prime.gushi.org for pgp public key and tel#
---------------------------

From owner-freebsd-security Fri Jun 1 18:36:40 2001
Date: Sat, 2 Jun 2001 03:36:28 +0200
From: Anton Berezin
To: "Dan Mahoney, System Admin"
Cc: security@freebsd.org, questions@freebsd.org
Subject: Re: SetUID shell/perl scripts.
Message-ID: <20010602033628.A78867@heechee.tobez.org>

On Fri, Jun 01, 2001 at 07:00:27PM -0400, Dan Mahoney, System Admin wrote:
> In articles dating as far back as 1997, I see people saying that
> freeBSD doesn't support setuid shell scripts.

That's true.

> Does the system make an exception for apache? Because I'm able to run
> setuid root cgi scripts (and they're /usr/bin/perl, not
> /usr/bin/suidperl, although they still perform taint checking) (yes,
> I know, dangerous).

Upon startup, /usr/bin/perl notes that the script is setuid, and launches
/usr/bin/suidperl, if `setuid script emulation' was enabled during perl
configuration process. In FreeBSD, it is enabled and such scripts work.
Hence, more recent versions of FreeBSD set mode 0511 on /usr/bin/suidperl
by default (this is controlled with ENABLE_SUIDPERL /etc/make.conf knob).

Consider:

    $ sudo sh
    # cat >toobad.pl
    #! /usr/bin/perl
    print "$> $<\n";
    ^D
    # chmod 4755 toobad.pl
    # chmod 511 /usr/bin/suidperl
    # ^D
    $ ./toobad.pl
    Can't do setuid; ensure that the setuid bit is set on suidperl
    $ sudo sh
    # chmod 4511 /usr/bin/suidperl
    # ^D
    $ ./toobad.pl
    0 1001

Hope this helps,

Cheers,
%Anton.
--
May the tuna salad be with you.
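The public-key challenge-response exchange Karsten sketches and the on-demand agent signing behind Kris's bar story, earlier in this thread, modelled in Python as an added example (not code from the thread or from OpenSSH). The toy RSA key, the hosts A to D and the `confirm` callback are constructed for illustration; the callback stands in for the per-use confirmation that `ssh-add -c` provides.

```python
"""Toy model of public-key challenge-response login and of an ssh-agent that
signs on demand.  Added example, not code from the thread or from OpenSSH.
The RSA key is built from two fixed, publicly known Mersenne primes so the
block runs offline; it is a teaching toy (no padding, small modulus), not a
usable key."""
import hashlib
import secrets

# Constructed toy key: n = (2**127 - 1) * (2**89 - 1), e = 65537.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; needs Python >= 3.8
PUBLIC_KEY = (N, E)                 # what the server stores
PRIVATE_KEY = (N, D)                # what never leaves the client


def _digest(challenge: bytes) -> int:
    """Map the challenge to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


def sign(private_key, challenge: bytes) -> int:
    """Client side: the only thing sent back over the wire is this value."""
    n, d = private_key
    return pow(_digest(challenge), d, n)


def verify(public_key, challenge: bytes, signature: int) -> bool:
    """Server side: 'if it matches = good, if it's garbage = noauth'."""
    n, e = public_key
    return pow(signature, e, n) == _digest(challenge)


class Agent:
    """Holds the private key and signs whatever it is handed.

    With confirm=None every request is honoured silently, which is the
    'on demand with no auditing' behaviour Kris describes.  A confirm
    callback models per-use confirmation (what ssh-add -c gives): the user
    is asked before each signature and can refuse."""

    def __init__(self, private_key, confirm=None):
        self._key = private_key
        self._confirm = confirm
        self.log = []   # (requester, honoured): the audit trail sshd lacks

    def request_signature(self, requester: str, challenge: bytes):
        honoured = self._confirm is None or self._confirm(requester)
        self.log.append((requester, honoured))
        return sign(self._key, challenge) if honoured else None


class Server:
    """A host that accepts the user's public key."""

    def __init__(self, name: str, public_key):
        self.name, self.public_key = name, public_key

    def authenticate(self, agent: Agent, requester: str) -> bool:
        challenge = secrets.token_bytes(32)   # fresh for every attempt
        response = agent.request_signature(requester, challenge)
        return response is not None and verify(self.public_key, challenge, response)


def user_confirms(requester: str) -> bool:
    """Models a user who approves only the confirmation prompts they expect:
    their own login from A, not prompts that pop up while idle on B."""
    return requester == "user@A"


def forwarded_agent_scenario(confirm=None):
    """The bar story: the user on host A forwards the agent into host B; a
    compromised B then uses the forwarded socket to log into C and D as the
    user.  Returns (login outcomes, agent log)."""
    agent = Agent(PRIVATE_KEY, confirm)
    hosts = {name: Server(name, PUBLIC_KEY) for name in "BCD"}
    outcome = {"user@A -> B": hosts["B"].authenticate(agent, "user@A")}
    # The agent cannot tell B's requests from the user's own: same socket,
    # same key, and a valid fresh challenge each time.
    for target in "CD":
        outcome[f"B -> {target}"] = hosts[target].authenticate(agent, "sshd@B")
    return outcome, agent.log


if __name__ == "__main__":
    for label, confirm in (("no confirmation", None), ("ssh-add -c style", user_confirms)):
        outcome, log = forwarded_agent_scenario(confirm)
        print(label, outcome, log)
```

Without confirmation every login B initiates succeeds and only the agent's own log knows; with confirmation the user's login still works while B's two attempts are refused and recorded.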
From owner-freebsd-security Sat Jun 2 3:55:43 2001
Date: Sat, 2 Jun 2001 12:54:54 +0200
From: Dominic Parry
To: freeBSD-security@FreeBSD.org
Subject: Netscape
Message-ID: <20010602125454.A692@dude.dsl.ru.ac.za>

Hi

What is the problem with Netscape?

    :/usr/ports/www/netscape47-navigator # make
    ===> netscape-navigator-4.76 is marked as broken: Has a serious security hole, use 4.77 instead.

Is anyone looking into fixing this?
Thanks
Dominic

From owner-freebsd-security Sat Jun 2 4:04:13 2001
Date: Sat, 2 Jun 2001 13:03:51 +0200
From: Erik Trulsson
To: freeBSD-security@FreeBSD.ORG
Subject: Re: Netscape
Message-ID: <20010602130351.A22698@student.uu.se>
In-Reply-To: <20010602125454.A692@dude.dsl.ru.ac.za>

On Sat, Jun 02, 2001 at 12:54:54PM +0200, Dominic Parry wrote:
> Hi
>
> What is the problem with Netscape?
>
> :/usr/ports/www/netscape47-navigator # make
> ===> netscape-navigator-4.76 is marked as broken: Has a serious security
> hole, use 4.77 instead.
>
> Is anyone looking into fixing this?
>

The problem with Netscape is that Netscape 4.76 has some security problems.
Unfortunately there is no native FreeBSD version of Netscape 4.77 and
there won't be until the people at Netscape create one, so there isn't
anything anybody here can do about it.
In the meantime I suggest that you use the linux version of Netscape
instead.

--
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-security Sat Jun 2 4:21:08 2001
Date: Sat, 2 Jun 2001 14:19:58 +0300
From: Peter Pentchev
To: Dominic Parry
Cc: freeBSD-security@FreeBSD.org
Subject: Re: Netscape
Message-ID: <20010602141958.A27751@ringworld.oblivion.bg>
In-Reply-To: <20010602125454.A692@dude.dsl.ru.ac.za>

On Sat, Jun 02, 2001 at 12:54:54PM +0200, Dominic Parry wrote:
> Hi
>
> What is the problem with Netscape?
>
> :/usr/ports/www/netscape47-navigator # make
> ===> netscape-navigator-4.76 is marked as broken: Has a serious security
> hole, use 4.77 instead.
>
> Is anyone looking into fixing this?

Not really; Netscape Communications have not bothered to release 4.77 for
BSD/OS (or, for that matter, for FreeBSD).
The FreeBSD port maintainers cannot update the port to 4.77, until there
actually *is* a 4.77 version for BSD/OS :)

For the present, your best bet is to install Linux emulation, and use the
www/linux-netscape47-{navigator,communicator} ports. This way, you'd even
gain more, because there are quite a lot more plug-ins for the Linux
browser than there are for the BSD/OS one. (I guess it might even be
possible to run a Linux plug-in on a BSD/OS browser binary under Linux
emulation, but I wouldn't bet on that..)

G'luck,
Peter

--
If there were no counterfactuals, this sentence would not have been paradoxical.

From owner-freebsd-security Sat Jun 2 4:43:12 2001
From: "Scott Raymond"
Subject: RE: Netscape
Date: Sat, 2 Jun 2001 04:43:06 -0700
Organization: LinkAmerica Communications
Message-ID: <004601c0eb59$31da4a20$f13d0ad1@linknet.com>
In-Reply-To: <20010602130351.A22698@student.uu.se>

Actually, he'd be better off simply using mozilla
instead. It works quite well.

BTW, I spoke with Erik, and while my suggestion is fine on a current
system, older systems with less powerful CPUs and less memory wouldn't
have a fun time with mozilla. In that case, I might suggest using an
older version of Netscape like 3.x or 4.0.x.

--
Scott
==========================
Scott Raymond
LinkAmerica Communications
http://soundamerica.com
==========================

> -----Original Message-----
>
> On Sat, Jun 02, 2001 at 12:54:54PM +0200, Dominic Parry wrote:
> > Hi
> >
> > What is the problem with Netscape?
> >
> > :/usr/ports/www/netscape47-navigator # make
> > ===> netscape-navigator-4.76 is marked as broken: Has a
> serious security
> > hole, use 4.77 instead.
> >
> > Is anyone looking into fixing this?
> >
>
> The problem with Netscape is that Netscape 4.76 has some security
> problems. Unfortunately there is no native FreeBSD version of Netscape
> 4.77 and there won't be until the people at Netscape creates one, so
> there isn't anything anybody here an do about it.
> In the meantime I suggest that you use the linux version of Netscape
> instead.
From owner-freebsd-security Sat Jun 2 5:07:27 2001
Date: Sat, 2 Jun 2001 14:06:59 +0200
From: Dominic Parry
To: Scott Raymond
Cc: freebsd-security@freebsd.org
Subject: Re: Netscape
Message-ID: <20010602140659.B692@dude.dsl.ru.ac.za>
In-Reply-To: <004601c0eb59$31da4a20$f13d0ad1@linknet.com>

I do use mozilla but it doesn't seem to work with some sites. Namely
firstonline.co.za, and some others. I think it just doesn't work well
with https in general

On Sat 2001-06-02 (04:43), Scott Raymond wrote:
//> Actually, he'd be better off simply using mozilla instead. It works
//> quite well.
//>
//> BTW, I spoke with Erik, and while my suggestion is fine on a current
//> system, older systems with less powerful CPUs and less memory wouldn't
//> have a fun time with mozilla.
//> In that case, I might suggest using an
//> older version of Netscape like 3.x or 4.0.x.
//>
//> --
//> Scott
//> ==========================
//> Scott Raymond
//> LinkAmerica Communications
//> http://soundamerica.com
//> ==========================
//>
//> > -----Original Message-----
//> >
//> > On Sat, Jun 02, 2001 at 12:54:54PM +0200, Dominic Parry wrote:
//> > > Hi
//> > >
//> > > What is the problem with Netscape?
//> > >
//> > > :/usr/ports/www/netscape47-navigator # make
//> > > ===> netscape-navigator-4.76 is marked as broken: Has a
//> > serious security
//> > > hole, use 4.77 instead.
//> > >
//> > > Is anyone looking into fixing this?
//> > >
//> >
//> > The problem with Netscape is that Netscape 4.76 has some security
//> > problems. Unfortunately there is no native FreeBSD version of Netscape
//> > 4.77 and there won't be until the people at Netscape creates one, so
//> > there isn't anything anybody here an do about it.
//> > In the meantime I suggest that you use the linux version of Netscape
//> > instead.

From owner-freebsd-security Sat Jun 2 5:32:51 2001
Date: Sat, 2 Jun 2001 08:32:08 -0400 (EDT)
From: Robert Watson
To: Kris Kennaway
Cc: "Peter C. Lai", freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
In-Reply-To: <20010601141916.A88206@xor.obsecurity.org>

On Fri, 1 Jun 2001, Kris Kennaway wrote:

> You should just accept the fact that it's not possible to run trusted
> software in an untrusted environment, and if the system wants to
> compromise your software badly enough they can. There have been some
> interesting mathematical steps in this direction (involving computing of
> a certain class of function which are "encrypted" but in an isomorphic
> form, where the desired computation commutes with the operation of
> encryption so the untrusted system can perform the computation without
> knowing what it's doing) -- but nothing remotely usable.

That work's very interesting, but as you say, I have yet to see anything
indicating it can be used in a practical manner yet. There is, however,
some ongoing research at NAI Labs on protecting mobile agents from the
hosts that they execute on. The work has only just begun, but my
understanding is that they're taking a number of approaches, including a
replication/fault tolerant approach in which you run on a number of hosts
and assume that not all will be malicious, performing distributed decision
making/consistency checks to reduce the security failure scenario to a
byzantine failure scenario. You can dig up a little (but not much) more at:

http://www.pgp.com/research/nailabs/secure-execution/self-protecting.asp

Of course, that scenario doesn't really apply to the "hello, I'm on an
untrusted and potentially malicious/compromised workstation". I recommend
a Palm with serial IP and an SSH client or bringing your notebook :-).
One-time passwords have the advantage of revocation, but won't help you
with someone who is actively attacking and has the right tools.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sat Jun 2 5:58:54 2001
Date: Sat, 2 Jun 2001 08:58:33 -0400 (EDT)
From: Robert Watson
To: Kris Kennaway
Cc: "Karsten W. Rohrbach", Crist Clark, security@FreeBSD.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
In-Reply-To: <20010601143755.B88206@xor.obsecurity.org>

On Fri, 1 Jun 2001, Kris Kennaway wrote:

> On Fri, Jun 01, 2001 at 04:19:51PM +0200, Karsten W. Rohrbach wrote:
> > Kris Kennaway(kris@obsecurity.org)@2001.05.31 19:35:55 +0000:
> > > On Thu, May 31, 2001 at 07:25:22PM -0700, Crist Clark wrote:
> > >
> > > > According to the documentation, this is NOT how the agent forwarding
> > > > works.
The second client passes data, typically a challenge, back to > > > > machine one, where the agent does its thing with the private key > > > > material, then passes the decrypted challenge information back to > > > > machine two. > > > > > > Okay, I'm willing to admit I could be wrong about the mechanism, but > > > the trust relationship still exists. The ssh-agent authenticates on > > > demand, so as long as you're connected to the untrusted system it can > > > authenticate as you to other systems without your permission. > > this does not lead to a big tragedy since the agent protocol is > > challenge-response. > > Yes, but it's done on demand with no auditing. A particularly entertaining scenario is the following one: user has a private key on host A and C (where they frequently log in directly using a password), and the paired public key on hosts A, B, C, and D, all in different trust domains. The user logs into A, and sets up their ssh-agent with the private key. The attacker compromises B, trojaning its ssh daemon. The user logs into B from A with agent forwarding enabled, and the attacker uses access to the agent to build authenticated connections to A, B, C, and D. The agent uses debugger access on A to compromise the running ssh-agent and get access to the keying material for the RSA/DSA private key, or trojans the ssh-agent (either for that user by manipulating the execution environment, or for the system if privilege is escalated by modifying/replacing the binary, reordering the path, etc). Note also that in a multiple-key scenario, the SSH client provides no way to selectively forward keys to hosts, or express policy regarding whether keys are then forwarded by the host you have connected to. Note that X11 forwarding has similar compromise properties, only it provides an even more direct path to the user's keying material. 
The moral of the story, as has been pointed out a number of times, is that unless you are willing to place substantial trust in the host you're logging into, you should not forward either X11 or SSH to that host. And from the perspective of host administrators, it may be that your host is substantially at risk if a user uses the same private key to access other hosts than your own host, using the default configuration for many SSH clients (agent forwarding enabled). In fact, forcing the user to use one-time passwords on a handheld device combined with SSH as a secure host transport may provide the best protection from the perspective of a host administrator. SSH can provide a notable improvement over unencrypted communications in many situations. But in some compromise situations, it can actually make things much worse by providing access to hosts that previously would be unaffected by the compromise, as it encourages the use of automatic and shared authentication. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 2 6:52:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 8A37937B423 for ; Sat, 2 Jun 2001 06:52:42 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 56919 invoked by uid 1000); 2 Jun 2001 13:53:02 -0000 Date: Sat, 2 Jun 2001 15:53:02 +0200 From: "Karsten W. Rohrbach" To: Robert Watson Cc: Kris Kennaway , Crist Clark , security@FreeBSD.org Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010602155302.A56136@mail.webmonster.de> Mail-Followup-To: "Karsten W. 
Rohrbach" , Robert Watson , Kris Kennaway , Crist Clark , security@FreeBSD.org References: <20010601143755.B88206@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="9amGYk9869ThD9tj" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from rwatson@FreeBSD.org on Sat, Jun 02, 2001 at 08:58:33AM -0400 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --9amGYk9869ThD9tj Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Robert Watson(rwatson@FreeBSD.org)@2001.06.02 08:58:33 +0000: >=20 > On Fri, 1 Jun 2001, Kris Kennaway wrote: >=20 > > On Fri, Jun 01, 2001 at 04:19:51PM +0200, Karsten W. Rohrbach wrote: > > > Kris Kennaway(kris@obsecurity.org)@2001.05.31 19:35:55 +0000: > > > > On Thu, May 31, 2001 at 07:25:22PM -0700, Crist Clark wrote: > > > >=20 > > > > > According to the documentation, this is NOT how the agent forward= ing > > > > > works. The second client passes data, typically a challenge, back= to=20 > > > > > machine one, where the agent does its thing with the private key= =20 > > > > > material, then passes the decrypted challenge information back to > > > > > machine two. > > > >=20 > > > > Okay, I'm willing to admit I could be wrong about the mechanism, but > > > > the trust relationship still exists. The ssh-agent authenticates on > > > > demand, so as long as you're connected to the untrusted system it c= an > > > > authenticate as you to other systems without your permission. > > > this does not lead to a big tragedy since the agent protocol is > > > challenge-response. 
> >=20 > > Yes, but it's done on demand with no auditing. >=20 > A particularly entertaining scenario is the following one: user has a > private key on host A and C (where they frequently log in directly using a > password), and the paired public key on hosts A, B, C, and D, all in > different trust domains. The user logs into A, and sets up their > ssh-agent with the private key. The attacker compromises B, trojaning its > ssh daemon. The user logs into B from A with agent forwarding enabled, > and the attacker uses access to the agent to build authenticated > connections to A, B, C, and D. The agent uses debugger access on A to > compromise the running ssh-agent and get access to the keying material for > the RSA/DSA private key, or trojans the ssh-agent (either for that user by > manipulating the execution environment, or for the system if privilege is > escalated by modifying/replacing the binary, reordering the path, etc). this did not come to my mind because of my standard firewall setup which allows outgoing ssh connects only from all my workstations in different places. indeed, since the authorized_keys might be the same on the source host (A) this is a possible threat. if (A) does not have authorized_keys for the locally stored identity, this does not pose a problem. this should be added to the ssh docs and perhaps to security(7) by a native american or english speaker. > Note also that in a multiple-key scenario, the SSH client provides no way > to selectively forward keys to hosts, or express policy regarding whether > keys are then forwarded by the host you have connected to. would it be very hard to add this functionality? where would the policies be stored? storing them in the identity would require changing the key file format, so i guess something like an agent configuration would make sense. >=20 > Note that X11 forwarding has similar compromise properties, only it > provides an even more direct path to the user's keying material. sure thing. 
therefor i propose X11forwarding to be turned off by default in sshd_config and ssh_config. >=20 > The moral of the story, as has been pointed out a number of times, is that > unless you are willing to place substantial trust in the host you're > logging into, you should not forward either X11 or SSH to that host. And > from the perspective of host administrators, it may be that your host is > substantially at risk if a user uses the same private key to access other > hosts than your own host, using the default configuration for many SSH > clients (agent forwarding enabled). In fact, forcing the user to use > one-time passwords on a handheld device combined with SSH as a secure host > transport may provide the best protection from the perspective of a host > administrator. >=20 > SSH can provide a notable improvement over unencrypted communications in > many situations. But in some compromise situations, it can actually make > things much worse by providing access to hosts that previously would be > unaffected by the compromise, as it encourages the use of automatic and > shared authentication. i would go a little further and say that all pkcs based auth system have the explicit need to automate all this, since you as a user would not use it if you had to enter you key data all the time, etc. see 6) further down. 
to sum this all up: 1) we got a possible threat abusing the agent in several manners since it dumbfire signs all challenges it gets, so: - agent forwarding shoudl be turned off by default - the agent must write a log file with the vital signing process data, also syslogging would make sense sicne the admin could see the messages, too - the agent should get some instrumentation to process policies and allow/disallow certain signing requests - some popup/user intervention interface for signing challenge packets would improve interactive use - maybe it would make sense to have the agent evaluate the state of the session for validity, this would be a big change in the agent interface and most likely introduce new bugs 2) port forwarding poses at least a DoS threat, so this is turned off by default 3) X11 forwarding also poses several threats and should be turned off by default 4) i've seen several (other) os dirstributions allowing root logins over ssh. these should also be disabled in the default config 5) all of the pkcs based auth is good in a trusted environment, but when it comes to connecting to untrusted systems, s/key (or maybe opie) will be a much more sensible choice. 6) de-automation of certain ssh features would be a general objective to work on, it will give the user more fine grained control over what happens with his credentials /k --=20 > May the source be with you! 
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 --9amGYk9869ThD9tj Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7GO++M0BPTilkv0YRAlE3AJ97LMtgWy6MMj7PhOxO0Wcfy9mHSgCZAV7y DrlHaIYBgBeoTXH0tGrmL7M= =rMzP -----END PGP SIGNATURE----- --9amGYk9869ThD9tj-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 2 7: 6:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 18AD737B424 for ; Sat, 2 Jun 2001 07:06:50 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.3/8.11.3) with SMTP id f52E6Uf96038; Sat, 2 Jun 2001 10:06:31 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Sat, 2 Jun 2001 10:06:30 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: "Karsten W. Rohrbach" Cc: Kris Kennaway , Crist Clark , security@FreeBSD.org Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) In-Reply-To: <20010602155302.A56136@mail.webmonster.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 2 Jun 2001, Karsten W. 
Rohrbach wrote: > > Note that X11 forwarding has similar compromise properties, only it > > provides an even more direct path to the user's keying material. > sure thing. therefor i propose X11forwarding to be turned off by default > in sshd_config and ssh_config. At this point, agent and X11 forwarding are both disabled by default in the FreeBSD OpenSSH distribution for that very reason. Many other distributions still enable them by default. We have them enabled on the server side, since generally speaking, these services are a risk to the client, and not to the server (at least one OpenSSH distribution has X11 forwarding turned off at the server to protect against a client-side attack :-). There are some resource allocation issues associated with enabling the services on the server, but as far as I know, not all that serious. > 1) we got a possible threat abusing the agent in several manners since > it dumbfire signs all challenges it gets, so: > - agent forwarding shoudl be turned off by default > - the agent must write a log file with the vital signing process > data, also syslogging would make sense sicne the admin could see > the messages, too > - the agent should get some instrumentation to process policies and > allow/disallow certain signing requests > - some popup/user intervention interface for signing challenge > packets would improve interactive use > - maybe it would make sense to have the agent evaluate the state of > the session for validity, this would be a big change in the agent > interface and most likely introduce new bugs Actually, what I'd like to see is a change in the RSA agent authentication such that the authentication can be performed against known host keys (making it a two-key authentication as opposed to a one-key authentication), meaning that (as long as the key is known to ssh-agent), the scope of an authentication could be reported when the agent is requested to provide authentication service. 
> 2) port forwarding poses at least a DoS threat, so this is turned off by > default > > 3) X11 forwarding also poses several threats and should be turned off by > default It's not clear how severe these threats are: it may be that the advantages associated with providing these services (since they are only provided to authenticated users) outweigh the resource costs. On the other hand, you could imagine introducing some policy enforcement relating to resources allocated to SSH sessions in global sshd configuration (max (n) forwardings per client session, etc, etc). > 4) i've seen several (other) os dirstributions allowing root logins over > ssh. these should also be disabled in the default config These are currently disabled by default on FreeBSD. > 5) all of the pkcs based auth is good in a trusted environment, but when > it comes to connecting to untrusted systems, s/key (or maybe opie) > will be a much more sensible choice. The advantages of one-time passwords often have to do more with administrative policy for the system performing the authentication, rather than for the client connecting, but the comment none-the-less applies. It should be noted that traditional authentication schemes have provided the administrator with the ability to enforce a variety of mandatory policies, but that SSH places an increased focus on the user managing their own authentication (by virtue of authorized_keys, etc). When defining policy and policy enforcement, we need to be very careful to avoid pitfalls associated with misunderstanding to whom particular benefits go (for example, the mistake of limiting X11 forwarding on the server, not the client -- a compromised server can always reenable X11 forwarding in negotiating with the client, and it was the client who was the victim of the attack). 
> 6) de-automation of certain ssh features would be a general objective to > work on, it will give the user more fine grained control over what > happens with his credentials This is certainly true: right now the policies associated with SSH are relatively hard to manage, and it's hard to bind policy to some tuples you'd like, including combinations of host and port, host and authenticated identity, etc. For example, you can imagine enabling SSH agent forwarding when logging in as yourname@somehost, but disabling it when logging in as ftp@somehost. Likewise, requiring different keys for yourname@host:8080, with different policy. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 2 8: 5:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from light.imasy.or.jp (light.imasy.or.jp [202.227.24.4]) by hub.freebsd.org (Postfix) with ESMTP id 2DDEB37B424; Sat, 2 Jun 2001 08:05:29 -0700 (PDT) (envelope-from ume@mahoroba.org) Received: (from uucp@localhost) by light.imasy.or.jp (8.11.3+3.4W/8.11.3/light/smtpfeed 1.12) with UUCP id f52F5Ix29669; Sun, 3 Jun 2001 00:05:18 +0900 (JST) (envelope-from ume@mahoroba.org) Received: from peace.mahoroba.org (IDENT:tpRDXFKdCSqQiZl9YnoZDQrABCHnxMRSkCslKvY09rKYfnNadvyOgH0leB/m13tc@peace.mahoroba.org [3ffe:505:2:0:200:f8ff:fe05:3eae]) (authenticated as ume with CRAM-MD5) by mail.mahoroba.org (8.11.4/8.11.4/chaos) with ESMTP/inet6 id f52F4xc11143; Sun, 3 Jun 2001 00:04:59 +0900 (JST) (envelope-from ume@mahoroba.org) Date: Sun, 03 Jun 2001 00:04:55 +0900 (JST) Message-Id: <20010603.000455.78786804.ume@mahoroba.org> To: mdavis@cts.com Cc: freebsd-stable@freebsd.org, security@freebsd.org, wollman@FreeBSD.org, gad@FreeBSD.org Subject: Re: lpd: Malformed from address From: Hajimu UMEMOTO In-Reply-To: 
<000001c0eb56$6d6ae250$241978d8@cts.com>
References: <000001c0eb56$6d6ae250$241978d8@cts.com>
X-Operating-System: FreeBSD 5.0-CURRENT

>>>>> On Sat, 2 Jun 2001 04:23:18 -0700
>>>>> "Morgan Davis" said:

mdavis> After upgrading two different FreeBSD 4.2 systems to 4.3, they both
mdavis> began to exhibit trouble when trying to print to their lpd processes.
mdavis> Watching the raw traffic via tcpdump, both are failing immediately when
mdavis> lpd tries to resolve the connecting client's address in chkhost():
mdavis>
mdavis>     error = getnameinfo(f, f->sa_len, NULL, 0, serv, sizeof(serv),
mdavis>                         NI_NUMERICSERV);
mdavis>     if (error || atoi(serv) >= IPPORT_RESERVED)
mdavis>         fatal(0, "Malformed from address");
mdavis>
mdavis> It can be exercised via telnet:
mdavis>
mdavis>     # telnet golf printer
mdavis>     Trying 205.163.23.102...
mdavis>     Connected to golf.cts.com.
mdavis>     Escape character is '^]'.
mdavis>     lpd: Malformed from address
mdavis>     Connection closed by foreign host.
mdavis>
mdavis> This happens on both systems, different kernels, one running named and
mdavis> one not. What in the world could be causing this?

When I ported IPv6 support into FreeBSD from NetBSD, I wrongly brought reserved port checking code into FreeBSD. Originally, FreeBSD's lpd didn't check validity of connection by checking if it comes from reserved port. However, since lpd relies on r-authentication, it should be expected. Though it is easy to get rid of reserved port checking, we should have some consideration. Any suggestion?

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-security Sat Jun 2 08:57:12 2001
Date: Sat, 2 Jun 2001 08:57:05 -0700
From: Michael Han
To: "Karsten W. Rohrbach"
Cc: security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010602085705.A3799@giles.mikehan.com>
References: <20010601143755.B88206@xor.obsecurity.org> <20010602155302.A56136@mail.webmonster.de>
In-Reply-To: <20010602155302.A56136@mail.webmonster.de>; from karsten@rohrbach.de on Sat, Jun 02, 2001 at 03:53:02PM +0200

On Sat, Jun 02, 2001 at 03:53:02PM +0200, Karsten W. Rohrbach wrote:
>
> > Note also that in a multiple-key scenario, the SSH client provides no way
> > to selectively forward keys to hosts, or express policy regarding whether
> > keys are then forwarded by the host you have connected to.
> would it be very hard to add this functionality?
> where would the policies be stored?
> storing them in the identity would require changing the key file format,
> so i guess something like an agent configuration would make sense.

There's already a good precedent for this. $HOME/.ssh/config, which is where I decide which hosts I connect to are trusted (override ForwardX11 no and ForwardAgent no if desirable). So if someone thought of a new configuration command, like "ForwardAgentKeys" which took a list of fingerprints or something, that'd actually be a pretty straightforward way to do this.

My biggest complaint with ssh (though it's also quite nice) is the way it punts so many security issues to the user. As an admin, that choice makes it difficult to control the security policy on the network, and occasionally scares me, since most users don't really seem to be very concerned about security, yet ssh happily punts security policy issues to them.

--
mikehan@mikehan.com      http://www.mikehan.com/
coffee achiever          San Francisco, California
The life uncaffeinated is not worth living.
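Michael Han's point is that ~/.ssh/config is already where the per-host trust decision for ForwardAgent and ForwardX11 lives. The following added example (not from this thread, and not OpenSSH's own code) is a small auditing script that parses a client ssh_config, applies the documented first-match-wins rule over Host blocks, and reports which host aliases would end up with agent forwarding enabled; the config text and hostnames in it are constructed, and the fnmatch-based pattern matching is an approximation of OpenSSH's own glob.

```python
"""Audit which ssh_config Host aliases get agent / X11 forwarding.

Added example, not code from the mailing-list thread or from OpenSSH.
Modelled rules (as documented in ssh_config(5)):
  * the first value obtained for an option wins, so specific Host blocks
    must come before the catch-all "Host *" block;
  * Host patterns use '*' and '?' wildcards, a leading '!' negates a
    pattern and vetoes the whole block for that host;
  * matching is done on the name given to ssh (the Host alias), not on
    the resolved Hostname.
"""
import fnmatch
import shlex

FORWARDING_OPTIONS = ("forwardagent", "forwardx11")

# Constructed sample config; all hostnames are placeholders.
SAMPLE_CONFIG = """
# Trusted shell host: forwarding the agent here is an accepted risk.
Host trusted.example.com
    ForwardAgent yes

# Other example.com hosts: X11 only, never the agent; one host excluded.
Host *.example.com !shared.example.com
    ForwardX11 yes

# Catch-all defaults: deny both.
Host *
    ForwardAgent no
    ForwardX11 no
"""


def parse_ssh_config(text):
    """Return [(patterns, {option: value}), ...] in file order.

    Options appearing before any Host line apply everywhere, which is
    modelled as a leading block with the single pattern '*'.
    """
    current = (["*"], {})
    blocks = [current]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        key, values = parts[0].lower(), parts[1:]
        if key == "host":
            current = (values, {})
            blocks.append(current)
        else:
            current[1][key] = " ".join(values)
    return blocks


def host_matches(patterns, hostname):
    """True if a Host block applies; a matching '!' pattern vetoes it."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_forwarding(blocks, hostname):
    """Effective ForwardAgent/ForwardX11 for a host alias (first match wins).

    'no' is the assumed default when no block sets the option at all.
    """
    result = {opt: "no" for opt in FORWARDING_OPTIONS}
    decided = set()
    for patterns, options in blocks:
        if not host_matches(patterns, hostname):
            continue
        for opt in FORWARDING_OPTIONS:
            if opt in options and opt not in decided:
                result[opt] = options[opt].lower()
                decided.add(opt)
    return result


def hosts_with_agent_forwarding(config_text, hostnames):
    """Host aliases to which the agent would be forwarded: review these."""
    blocks = parse_ssh_config(config_text)
    return sorted(h for h in hostnames
                  if effective_forwarding(blocks, h)["forwardagent"] == "yes")


if __name__ == "__main__":
    sample_hosts = ["trusted.example.com", "other.example.com",
                    "shared.example.com", "evil.example.org"]
    for host in sample_hosts:
        print(host, effective_forwarding(parse_ssh_config(SAMPLE_CONFIG), host))
    print("agent forwarded to:", hosts_with_agent_forwarding(SAMPLE_CONFIG, sample_hosts))
```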
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 2 9:55: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id A709E37B42C; Sat, 2 Jun 2001 09:55:00 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.11.3/8.11.3) with ESMTP id f52GswS39126; Sat, 2 Jun 2001 12:54:58 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <000001c0eb56$6d6ae250$241978d8@cts.com> References: <000001c0eb56$6d6ae250$241978d8@cts.com> Date: Sat, 2 Jun 2001 12:54:55 -0400 To: "Morgan Davis" , From: Garance A Drosihn Subject: Re: lpd: Malformed from address Cc: security@FreeBSD.ORG, wollman@FreeBSD.ORG, Hajimu UMEMOTO , freebsd-print@bostonradio.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 4:23 AM -0700 6/2/01, Morgan Davis wrote: > > After upgrading two different FreeBSD 4.2 systems to 4.3, > > they both began to exhibit trouble when trying to print > > to their lpd processes. > > Watching the raw traffic via tcpdump, both are failing > > immediately when lpd tries to resolve the connecting > > client's address in chkhost(): > > > > error = getnameinfo(f, f->sa_len, NULL, 0, serv, > > sizeof(serv), NI_NUMERICSERV); > > if (error || atoi(serv) >= IPPORT_RESERVED) > > fatal(0, "Malformed from address"); So, both of these systems are being sent print jobs from OTHER machines, and are refusing to accept those jobs due to the malformed 'from' address? Does this happen with jobs from all machines which send to the two print-servers, or only from some machines? 
For the client machines which DO fail, what OS are they running? Is there any reason those clients would NOT be sending from a reserved port? In your 'tcpdump' output, what port is the request coming from? Also, are the print jobs being sent via IPv4 connections, or IPv6 connections? In a later message on 6/3/01, Hajimu UMEMOTO wrote: >When I ported IPv6 support into FreeBSD from NetBSD, I wrongly >brought reserved port checking code into FreeBSD. Originally, >FreeBSD's lpd didn't check validity of connection by checking >if it comes from reserved port. Hmm. I wonder if this is something that got dropped along the way somewhere. The lpd I use at RPI *does* check that jobs are coming from a reserved port, and I am pretty sure I never wrote that code. That implies that it must have been in whatever version of lpd that RPI started with (*). But you are right that freebsd's version before the IPv6 update did not check (or at least, if the check was there then it did not work correctly). This is one of the sections of lpd where I haven't tried to reconcile RPI's code with freebsd's code. [* - although someone else did work on lpd at RPI before I did, so maybe they added this check] >However, since lpd relies on r-authentication, it should be >expected. Though it is easy to get rid of reserved port >checking, we should have some consideration. Any suggestion? It seems to me that checking for a reserved port is a good thing, so I want to hear back from Morgan to make sure we know what the exact problem is. It may be that the idea of doing the check is correct, but this specific implementation has a bug in it. [again, note that RPI's print servers have been running for years WITH a check for reserved port, and I am not aware of that causing any problems. 
So, I find it curious that the check would be causing a problem for Morgan] -- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 2 10:36: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from crate.alongtheway.com (crate.alongtheway.com [208.176.94.56]) by hub.freebsd.org (Postfix) with ESMTP id 7CAF137B624 for ; Sat, 2 Jun 2001 10:35:56 -0700 (PDT) (envelope-from jamesb-freebsd-security@alongtheway.com) Received: (qmail 10574 invoked from network); 2 Jun 2001 17:35:51 -0000 Received: from localhost (HELO 5812-213.024.popsite.net) (nobody@127.0.0.1) by localhost with DES-CBC3-SHA encrypted SMTP; 2 Jun 2001 17:35:51 -0000 Received: (qmail 24170 invoked by user); 2 Jun 2001 17:35:43 -0000 Date: Sat, 2 Jun 2001 17:35:43 +0000 From: Jim Breton To: security@FreeBSD.org Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010602173543715890.4895@alongtheway.com> Mail-Followup-To: security@FreeBSD.org References: <20010602155302.A56136@mail.webmonster.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: ; from rwatson@FreeBSD.org on Sat, Jun 02, 2001 at 10:06:30AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jun 02, 2001 at 10:06:30AM -0400, Robert Watson wrote: > For example, you can imagine enabling SSH > agent forwarding when logging in as yourname@somehost, but disabling it > when logging in as ftp@somehost. Likewise, requiring different keys for > yourname@host:8080, with different policy. 
What about making several aliases in .ssh/config, e.g.: Host yourname Hostname somehost User yourname Port 8080 IdentityFile ~/.ssh/id_yourname ForwardAgent yes Host ftp Hostname somehost User ftp Port 6666 IdentityFile ~/.ssh/id_ftp ForwardAgent no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 2 11:15:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 0570637B422 for ; Sat, 2 Jun 2001 11:15:18 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA03967 for ; Sat, 2 Jun 2001 12:15:14 -0600 (MDT) Message-Id: <4.3.2.7.2.20010602121447.04a23c00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 02 Jun 2001 12:15:08 -0600 To: security@freebsd.org From: Brett Glass Subject: FYI Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Date: Fri, 1 Jun 2001 23:28:20 -0700 From: Qpopper Support To: Qpopper Public List , qpopper-announce@rohan.qualcomm.com Cc: qpopper@qualcomm.com Subject: Qpopper 4.0.3 **** Fixes Buffer Overflow **** Qpopper 4.0.3 is available at . **** 4.0.3 FIXES A BUFFER OVERFLOW PRESENT IN ALL VERSIONS OF 4.0 -- PLEASE UPGRADE IMMEDIATELY *** Changes from 4.0.2 to 4.0.3: ---------------------------- 1. Don't call SSL_shutdown unless we tried to negotiate an SSL session. (As suggested by Kenneth Porter.) 2. Fix buffer overflow (reported by Gustavo Viscaino). 3. Fixed empty password treated as empty command (patch submitted by Michael Smith and others). 4. 
Added patch by Carles Xavier Munyoz to fix erroneous scanning for \n in getline(). 5. Fix from Arvin Schnell for warnings on 64-bit systems. 6. Added patch by Clifton Royston to change error message for nonauthfile and authfile tests. 7. Added 'uw-kludge' as synonym for 'uw-kluge'. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 2 11:34: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from kottan-labs.bgsu.edu (kottan-labs.bgsu.edu [129.1.148.220]) by hub.freebsd.org (Postfix) with SMTP id A65BC37B422 for ; Sat, 2 Jun 2001 11:34:06 -0700 (PDT) (envelope-from memphis_ms@gmx.net) Received: (qmail 23013 invoked from network); 2 Jun 2001 14:35:52 -0400 Received: from raoul.bgsu.edu (HELO gmx.net) (129.1.148.16) by kottan-labs.bgsu.edu with RC4-MD5 encrypted SMTP; 2 Jun 2001 14:35:52 -0400 Message-ID: <3B193273.B87F743A@gmx.net> Date: Sat, 02 Jun 2001 14:37:39 -0400 From: Raoul Schroeder X-Mailer: Mozilla 4.74 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: FreeBSD Security Subject: Connections to ports > 1024 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello everyone, thanks to all the ongoing discussions in this group I am learning a lot about securing my freebsd box. When looking through my daily security logs, I see the typical attempts to connect to port 21, which I am rapidly getting used to. Along with that I see attempts to connect with TCP on port 53 (I assume to break a DNS server, like BIND?) - not that I have a DNS running on my systems. What puzzles me more though is that more and more often I see connection attempts to ports > 1024, like 8000, or 1080. 
So, just because I am curious, are these people scanning for Trojans? Should I just ignore it - the connections are dropped anyway - or is there something more useful to do?

Thanks,

Raoul

From: Garance A Drosihn
To: "Morgan Davis"
Cc: security@FreeBSD.ORG, wollman@FreeBSD.ORG, Hajimu UMEMOTO, freebsd-print@bostonradio.org
Date: Sat, 2 Jun 2001 15:02:37 -0400
Subject: Re: lpd: Malformed from address
References: <000001c0eb56$6d6ae250$241978d8@cts.com>

At 12:54 PM -0400 6/2/01, I (Garance) wrote:
>In a later message on 6/3/01, Hajimu UMEMOTO wrote:
>>When I ported IPv6 support into FreeBSD from NetBSD, I wrongly
>>brought reserved port checking code into FreeBSD. Originally,
>>FreeBSD's lpd didn't check validity of connection by checking
>>if it comes from reserved port.
>
>Hmm. I wonder if this is something that got dropped along
>the way somewhere. The lpd I use at RPI *does* check that
>jobs are coming from a reserved port, and I am pretty sure I
>never wrote that code. That implies that it must have been
>in whatever version of lpd that RPI started with

A more awake person might have immediately remembered that the whole reason to keep CVS logs is so people can answer questions like this...

It appears that FreeBSD's lpd lost this reserved-port check with version 1.6 of lpd, back in July of 1997. The comments for the change do not indicate why the check was dropped (and from the comments, it's not clear that the check was MEANT to be dropped...).

My gut feeling is that the check is good to do, which gets us back to finding out why the implementation added with IPv6 does not seem to work for Morgan.

--
Garance Alistair Drosehn     =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From: Lee Smallbone
To: freebsd-security@freebsd.org
Date: Sun, 3 Jun 2001 08:24:27 +0100
Subject: Re: Connections to ports > 1024
Message-ID: <13350.010603@kechara.net>
References: <3B193273.B87F743A@gmx.net>

RS> Hello everyone,
RS> thanks to all the ongoing discussions in this group I am learning a lot
RS> about securing my FreeBSD box.
RS> When looking through my daily security logs, I see the typical attempts
RS> to connect to port 21, which I am rapidly getting used to. Along with
RS> that I see attempts to connect with TCP on port 53 (I assume to break a
RS> DNS server, like BIND?) - not that I have a DNS running on my systems.
RS> What puzzles me more though is that more and more often I see connection
RS> attempts to ports > 1024, like 8000, or 1080.
RS> So, just because I am curious, are these people scanning for Trojans?
RS> Should I just ignore it - the connections are dropped anyway - or is
RS> there something more useful to do?

1080 is your common wingate/proxy port, people are most likely scanning class C subnets for open wingates to use. According to /etc/services, 8000 is for gicq (an ICQ clone?)

If you're not running anything on these ports, I wouldn't be too concerned.
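An added example, not code from anyone in this thread: the triage Lee describes for kernel "Connection attempt" log lines, done in C. It parses each line, counts attempts per destination port, attaches a port label, and separates loopback-sourced attempts (a local process, the sockstat case raised later in this thread for port 16001) from remote probes. The log lines, the host name bsdbox, the RFC 5737 addresses and the port labels are constructed assumptions.

```c
/* Added example, not from the thread: triage of kernel "Connection attempt"
 * lines like the ones quoted here.  Log lines are constructed (RFC 5737
 * addresses, made-up host "bsdbox"); port labels are assumed. */
#include <stdio.h>
#include <string.h>

#define MAX_PORTS 32

struct attempt { char src[16], dst[16]; int sport, dport; };

struct summary {
    int parsed, loopback;    /* attempts seen; attempts whose source is 127.x */
    int nports;              /* distinct destination ports, first-seen order */
    int port[MAX_PORTS], count[MAX_PORTS];
};

/* Parse "... Connection attempt to TCP d.d.d.d:port from s.s.s.s:port".
 * Returns 1 and fills *out on success, 0 for any other log line. */
int parse_attempt(const char *line, struct attempt *out)
{
    static const char marker[] = "Connection attempt to TCP ";
    const char *p = strstr(line, marker);
    if (p == NULL)
        return 0;
    p += sizeof marker - 1;
    /* %15[0-9.] caps each address at 15 chars, so the 16-byte buffers hold. */
    return sscanf(p, "%15[0-9.]:%d from %15[0-9.]:%d",
                  out->dst, &out->dport, out->src, &out->sport) == 4;
}

/* What a defender would first suspect for a destination port (assumed labels). */
const char *port_hint(int port)
{
    switch (port) {
    case 21:    return "ftp";
    case 53:    return "domain (tcp)";
    case 1080:  return "socks: WinGate-style open-proxy scan";
    case 8000:  return "gicq per /etc/services";
    case 16001: return "esd (Enlightened Sound Daemon)";
    default:    return "not in table: check sockstat for a listener";
    }
}

/* Classify one attempt from the receiving host's point of view. */
const char *classify(const struct attempt *a)
{
    if (strncmp(a->src, "127.", 4) == 0)
        return "local process, not a remote scan: find it with sockstat";
    if (a->dport < 1024)
        return "probe of a well-known service port";
    return "high-port probe: harmless if nothing listens there";
}

int count_for_port(const struct summary *s, int port)
{
    int i;
    for (i = 0; i < s->nports; i++)
        if (s->port[i] == port)
            return s->count[i];
    return 0;
}

/* Run every line through the parser and accumulate per-port counts. */
void summarize(const char *const *lines, int n, struct summary *s)
{
    int i, j;
    memset(s, 0, sizeof *s);
    for (i = 0; i < n; i++) {
        struct attempt a;
        if (!parse_attempt(lines[i], &a))
            continue;                       /* unrelated syslog line */
        s->parsed++;
        if (strncmp(a.src, "127.", 4) == 0)
            s->loopback++;
        for (j = 0; j < s->nports && s->port[j] != a.dport; j++)
            ;
        if (j == s->nports && j < MAX_PORTS)
            s->port[s->nports++] = a.dport;
        if (j < MAX_PORTS)
            s->count[j]++;
    }
}

/* Constructed sample input in the format quoted in the thread. */
const char *const SAMPLE_LOG[] = {
    "Jun  2 03:11:07 bsdbox /kernel: Connection attempt to TCP 192.0.2.10:1080 from 198.51.100.7:3321",
    "Jun  2 03:11:08 bsdbox /kernel: Connection attempt to TCP 192.0.2.10:8000 from 198.51.100.7:3322",
    "Jun  2 03:15:40 bsdbox /kernel: Connection attempt to TCP 192.0.2.10:21 from 203.0.113.5:2044",
    "Jun  2 03:15:41 bsdbox /kernel: Connection attempt to TCP 192.0.2.10:1080 from 203.0.113.5:2045",
    "Jun  2 04:02:13 bsdbox /kernel: Connection attempt to TCP 127.0.0.1:16001 from 127.0.0.1:4523",
    "Jun  2 04:10:00 bsdbox sshd[123]: Accepted publickey for alice from 192.0.2.20 port 51234",
};
const int SAMPLE_LOG_LEN = (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);

int main(void)
{
    struct summary s;
    int i;
    summarize(SAMPLE_LOG, SAMPLE_LOG_LEN, &s);
    printf("%d attempts, %d from loopback\n", s.parsed, s.loopback);
    for (i = 0; i < s.nports; i++)
        printf("port %5d x%d  %s\n", s.port[i], s.count[i], port_hint(s.port[i]));
    return 0;
}
```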
Best Regards,
Lee Smallbone

+----------------------------------------------+
| Kechara Internet - Global Reach, Local Touch |
+----------------------------------------------+
| Sales: 0800 138 7727 | Support: 01243 869969 |
| sales@kechara.net    | support@kechara.net   |
| web: www.kechara.net | Intl: +44 1243 869969 |
+----------------------------------------------+

From: "Liran Dahan"
Date: Sat, 2 Jun 2001 22:37:27 +0200
Subject: Re: Connections to ports > 1024
Message-ID: <002c01c0eba3$d6a4e020$b88f39d5@a>
References: <3B193273.B87F743A@gmx.net>

Yes I agree with Lee, I don't think you have any specific reason to be worried, though if it is bothering you so much, put specific IPFW/IPF rules for these ports, or maybe if you can see that these connections are being attempted by a Static IP User/s, you may block him/them as well, or maybe add a special route command to deny them.

Bottom line I wouldn't be so worried about it. (Although I'm *paranoid*)

Best Regards,
Liran Dahan (lirandb@netvision.net.il)

----- Original Message -----
From: "Raoul Schroeder"
To: "FreeBSD Security"
Sent: Saturday, June 02, 2001 8:37 PM
Subject: Connections to ports > 1024

> Hello everyone,
>
> thanks to all the ongoing discussions in this group I am learning a lot
> about securing my FreeBSD box.
> When looking through my daily security logs, I see the typical attempts
> to connect to port 21, which I am rapidly getting used to. Along with
> that I see attempts to connect with TCP on port 53 (I assume to break a
> DNS server, like BIND?) - not that I have a DNS running on my systems.
> What puzzles me more though is that more and more often I see connection
> attempts to ports > 1024, like 8000, or 1080.
> So, just because I am curious, are these people scanning for Trojans?
> Should I just ignore it - the connections are dropped anyway - or is
> there something more useful to do?
>
> Thanks,
>
> Raoul

From: Mikhail Kruk
Date: Sat, 2 Jun 2001 16:01:20 -0400 (EDT)
Subject: connections to 16001

I have a bunch of those:

Jun 1 18:10:35 polkan2 /kernel: Connection attempt to TCP 127.0.0.1:16001 from 127.0.0.1:4523

Can this mean anything? The only thing I can find on the net about this port is esd, some kind of sound daemon from gnome or maybe Enlightenment. I don't have either of those. AFAIK no one was using the machine at the time of the message. Can this be something dangerous?

From: "Brandon S. Allbery KF8NH"
To: Garance A Drosihn, Morgan Davis, freebsd-stable@FreeBSD.ORG
Cc: security@FreeBSD.ORG, wollman@FreeBSD.ORG, Hajimu UMEMOTO, freebsd-print@bostonradio.org
Date: Sat, 02 Jun 2001 16:07:42 -0400
Subject: Re: lpd: Malformed from address
Message-ID: <72810000.991512459@vpn5.ece.cmu.edu>
References: <000001c0eb56$6d6ae250$241978d8@cts.com>

On Saturday, June 02, 2001 15:02:37 -0400, Garance A Drosihn wrote:
+-----
| be dropped...).
| My gut feeling is that the check is good to
| do, which gets us back to finding out why the implementation
| added with IPv6 does not seem to work for Morgan.
+--->8

For what it's worth, LPRng dropped the check because it puts a severe limit on the number of incoming and outgoing print jobs, and many implementations (especially DOS/Windows ones) don't restrict ports at all because the whole concept of reserved ports is meaningless on them. There's a good discussion of the issues in the LPRng FAQ/HOWTO.

--
brandon s. allbery     [os/2][linux][solaris][japh]    allbery@kf8nh.apk.net
system administrator        [WAY too many hats]          allbery@ece.cmu.edu
electrical and computer engineering                                    KF8NH
carnegie mellon university     ["better check the oblivious first" -ke6sls]

From: Marcin Jurczuk
To: freebsd-security@freebsd.org
Date: Sat, 2 Jun 2001 22:09:29 +0200 (CEST)
Subject: Identd via natd
In-Reply-To: <002c01c0eba3$d6a4e020$b88f39d5@a>

Hello all !

I have a NAT FreeBSD box. One of our users uses the internet connection from our network to hack another network's server. I can't identify him because the log from the hacked server shows random identd responses from the NAT box.

The question is: Is there any non-random, and non-global ident support for natd for FreeBSD like for ipfilter on OpenBSD (oidentd)? I can't set one ident response because there are some shell accounts and they need a correct response. I need something like: InternalIP -> static ident response.

P.S. Sorry for my English :-|

================================================
Marcin 'Spock' Jurczuk
Institute of Physics
University of Bialystok
================================================

From: faSty
To: Mikhail Kruk
Cc: freebsd-security@freebsd.org
Date: Sat, 2 Jun 2001 13:38:53 -0700
Subject: Re: connections to 16001
Message-ID: <20010602133853.A84938@i-sphere.com>

try sockstat to see 127.0.0.1 associated to some daemon or whatever it is.

-trev

On Sat, Jun 02, 2001 at 04:01:20PM -0400, Mikhail Kruk wrote:
> I have a bunch of those:
>
> Jun 1 18:10:35 polkan2 /kernel: Connection attempt to TCP 127.0.0.1:16001
> from 127.0.0.1:4523
>
> Can this mean anything? The only thing I can find on the net about this
> port is esd, some kind of sound daemon from gnome or maybe Enlightenment. I
> don't have either of those. AFAIK no one was using the machine at the
> time of the message. Can this be something dangerous?

From: "Morgan Davis"
Cc: "'Hajimu UMEMOTO'", "'Garance A Drosihn'"
Date: Sat, 2 Jun 2001 14:16:36 -0700
Subject: RE: Malformed from address
Message-ID: <000001c0eba9$4f34e1c0$271978d8@cts.com>
In-Reply-To: <000001c0eb56$6d6ae250$241978d8@cts.com>

Hajimu and Garance, et al:

Thank you for checking into my lpd problem in 4.3-STABLE (as of May 29). You asked excellent questions, and here are my findings:

1. The trouble occurs when connecting to both systems via telnet (which having a reserved port number would make sense). Yet, when I connect via telnet to a FreeBSD 3.5 or 4.2 system, I get connected to the lpd port (515) with no error. This confirms your discovery that the check is new in 4.3.

2. However, under 4.3, connections from all Windows clients I have access to (three) now fail to print. They're all using IPv4 (in fact, IPv6 is completely disabled in the FreeBSD machines). The jobs get stuck in the Windows spooler.

3. Watching tcpdump, the ports from the client systems start above the privileged port range (IPPORT_RESERVED). With each failure, they will reconnect and increment the originating port number. Here are the starting port numbers I saw in tcpdump for various Windows OS flavors:

   23xx - Windows XP Pro (build 2475)
   11xx - Windows 2000 Pro
   10xx - Windows 2000 Server

   These are listed in order of machine uptime. I had just rebooted the Win2K Server machine to do this test, so it must start at 1024 (IPPORT_RESERVED).

4. The printer configurations on the Windows machines are using a "Custom TCP/IP Printer Port" configuration (which just means they speak lpr to a port 515 device). Nothing unique or out of the ordinary in any of their network configurations. They're not going through NAT or anything that might molest the ports.

In looking at the lpd.c code (and netinet/in.h), the logic in lpd.c's test seems to be wrong (or is missing a !):

    if (error || atoi(serv) >= IPPORT_RESERVED)
        fatal(0, "Malformed from address");

This would imply that any port at or above the IPPORT_RESERVED threshold is illegal, which (I think) is clearly wrong. Shouldn't it be < IPPORT_RESERVED?
Or better still:

    if (error || atoi(serv) < IPPORT_RESERVED || atoi(serv) > IPPORT_HILASTAUTO)
        fatal(0, "Malformed from address or illegal port");

This protects the privileged port range, but also gives clients enough free range, as was mentioned in a later message by Brandon Allbery as a concern in the LPRng FAQ/HOWTO.

Perhaps this is faulty thinking (forgive me, I'm not a FreeBSD hacker by trade), but after patching lpd.c, it works and I'm printing again. :-)

--Morgan

> -----Original Message-----
> From: owner-freebsd-stable@FreeBSD.ORG
> [mailto:owner-freebsd-stable@FreeBSD.ORG] On Behalf Of Morgan Davis
> Sent: Saturday, June 02, 2001 4:23 AM
> To: freebsd-stable@FreeBSD.ORG
> Subject: lpd: Malformed from address
>
>
> After upgrading two different FreeBSD 4.2 systems to 4.3, they both
> began to exhibit trouble when trying to print to their lpd processes.
> Watching the raw traffic via tcpdump, both are failing
> immediately when
> lpd tries to resolve the connecting client's address in chkhost():
>
>     error = getnameinfo(f, f->sa_len, NULL, 0, serv, sizeof(serv),
>         NI_NUMERICSERV);
>     if (error || atoi(serv) >= IPPORT_RESERVED)
>         fatal(0, "Malformed from address");
>
> It can be exercised via telnet:
>
> # telnet golf printer
> Trying 205.163.23.102...
> Connected to golf.cts.com.
> Escape character is '^]'.
> lpd: Malformed from address
> Connection closed by foreign host.
>
> This happens on both systems, different kernels, one running named and
> one not. What in the world could be causing this?
>
> --Morgan

From: Hajimu UMEMOTO
To: mdavis@cts.com
Cc: freebsd-stable@freebsd.org, security@freebsd.org, wollman@freebsd.org, freebsd-print@bostonradio.org, drosih@rpi.edu
Date: Sun, 03 Jun 2001 06:49:24 +0900 (JST)
Subject: Re: Malformed from address
Message-Id: <20010603.064924.55505694.ume@mahoroba.org>
In-Reply-To: <000001c0eba9$4f34e1c0$271978d8@cts.com>
References: <000001c0eb56$6d6ae250$241978d8@cts.com> <000001c0eba9$4f34e1c0$271978d8@cts.com>

>>>>> On Sat, 2 Jun 2001 14:16:36 -0700
>>>>> "Morgan Davis" said:

mdavis> 3. Watching tcpdump, the ports from the client systems start above the
mdavis> privileged port range (IPPORT_RESERVED). With each failure, they will
mdavis> reconnect and increment the originating port number. Here are the
mdavis> starting port numbers I saw in tcpdump for various Windows OS flavors:

mdavis> 23xx - Windows XP Pro (build 2475)
mdavis> 11xx - Windows 2000 Pro
mdavis> 10xx - Windows 2000 Server

mdavis> These are listed in order of machine uptime. I had just rebooted the
mdavis> Win2K Server machine to do this test, so it must start at 1024
mdavis> (IPPORT_RESERVED).

Then, Windows is broken. printer client must bind source port to within IPPORT_RESERVED.

mdavis> In looking at the lpd.c code (and netinet/in.h), the logic in lpd.c's
mdavis> test seems to be wrong (or is missing a !):

mdavis>     if (error || atoi(serv) >= IPPORT_RESERVED)
mdavis>         fatal(0, "Malformed from address");

mdavis> This would imply that any port at or above the IPPORT_RESERVED
mdavis> threshold is illegal, which (I think) is clearly wrong. Shouldn't it
mdavis> be < IPPORT_RESERVED? Or better still:

This checking code is correct. r-authentication requires that the connection comes from the reserved port range. Please see the iruserok_sa(3) manpage.

mdavis>     if (error || atoi(serv) < IPPORT_RESERVED || atoi(serv) >
mdavis>         IPPORT_HILASTAUTO)
mdavis>         fatal(0, "Malformed from address or illegal port");

This code is wrong. Since Unix's lpr does bind to a reserved port, you will not be able to print from Unix boxes. If you wish to allow such broken connections, you can simply remove the reserved port checking.
-- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 2 19:18:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from neko.cts.com (neko.cts.com [209.68.192.150]) by hub.freebsd.org (Postfix) with ESMTP id 5867637B424; Sat, 2 Jun 2001 19:18:45 -0700 (PDT) (envelope-from mdavis@cts.com) Received: from venus.cts.com (venus.cts.com [216.120.25.34]) by neko.cts.com (8.9.3/8.9.3) with ESMTP id TAA29335; Sat, 2 Jun 2001 19:18:45 -0700 (PDT) Received: from orion (orion.cts.com [216.120.25.39]) by venus.cts.com (8.11.3/8.11.3) with ESMTP id f532IhF00813; Sat, 2 Jun 2001 19:18:43 -0700 (PDT) (envelope-from mdavis@cts.com) From: "Morgan Davis" To: "'Hajimu UMEMOTO'" Cc: , , , , Subject: RE: Malformed from address Date: Sat, 2 Jun 2001 19:19:09 -0700 Message-ID: <000801c0ebd3$932adae0$271978d8@cts.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2511 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2475.0000 In-Reply-To: <20010603.064924.55505694.ume@mahoroba.org> Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hajimu UMEMOTO writes: > Then, Windows is broken. And, FreeBSD is also seriously outnumbered. > printer client must bind source port to within IPPORT_RESERVED. "Yeah, right." -- Bill Gates :-) I wonder if this imposition was a result of the lpd having a dual role as spooler and server. 
When lpd runs its spool and connects to a remote print server, you have a server-server arrangement rather than the more common client-server model. Is it right for lpd to force all connections to act as if they were really servers? It may be heretical to state this, but the way that Windows does it, grabbing free ports from the dynamic pool, makes sense in a client-server context. > If you wish to allow such > broken connection, you can simply remove reserved port checking. The restriction in lpd.c breaks printing from the vast majority of computers in this neck of the galaxy. And, there's no fix, other than for each admin to "simply" patch lpd.c, recompile, and deploy throughout their enterprise? I suggest that a compile-time option or a command line flag be added so that the port checking is selectable. (My vote is for a runtime flag that disables port checking or allows you to specify your own acceptable range.) Otherwise, the new behavior will surely impact more people than it serves to protect. While I'm making lpd suggestions, it would be very nice if it were smarter about using syslog or its own -d and -l capabilities to truly log fatal() error messages, rather than spewing them uselessly into stdout (or the socket stream). That doesn't do an administrator any good, until they resort to watching raw packets after hours of troubleshooting their network configuration, client configuration, hosts.lpd file, hosts.equiv file, spool directory permissions, etc., etc. How many have been bit by clients that wouldn't print, only to find that it was because they weren't in hosts.lpd, the client IP addresses changed or a forward/reverse DNS error was introduced, etc? Such a common problem, yet lpd makes it harder than it should be to detect. Garance, what do you think? 
--Morgan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 2 19:24: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from ece.cmu.edu (ECE.CMU.EDU [128.2.236.200]) by hub.freebsd.org (Postfix) with ESMTP id 59AA337B422; Sat, 2 Jun 2001 19:23:57 -0700 (PDT) (envelope-from allbery@ece.cmu.edu) Received: from vpn5.ece.cmu.edu (ANNEX-4.ECE.CMU.EDU [128.2.136.4]) (authenticated) by ece.cmu.edu (8.11.0/8.10.2) with ESMTP id f532Nlg24746; Sat, 2 Jun 2001 22:23:48 -0400 (EDT) Date: Sat, 02 Jun 2001 22:23:44 -0400 From: "Brandon S. Allbery KF8NH" To: Morgan Davis , "'Hajimu UMEMOTO'" Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG, wollman@FreeBSD.ORG, freebsd-print@bostonradio.org, drosih@rpi.edu Subject: RE: Malformed from address Message-ID: <153770000.991535023@vpn5.ece.cmu.edu> In-Reply-To: <000801c0ebd3$932adae0$271978d8@cts.com> References: <000801c0ebd3$932adae0$271978d8@cts.com> X-Mailer: Mulberry/2.1.0a6 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Saturday, June 02, 2001 19:19:09 -0700, Morgan Davis wrote: +----- | > printer client must bind source port to within IPPORT_RESERVED. | | "Yeah, right." -- Bill Gates :-) +--->8 If you want to be pedantic, the source port is supposed to be between 729 and 739 IIRC. Which is a ridiculous restriction that causes lpd to fall flat on its face when used with 50+ printers and several hundred clients. (But as someone else noted, the test was in fact backwards and *rejected* reserved ports, so it should be at minimum fixed and at best removed or made configurable.) -- brandon s. 
allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net system administrator [WAY too many hats] allbery@ece.cmu.edu electrical and computer engineering KF8NH carnegie mellon university ["better check the oblivious first" -ke6sls] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 2 20:25:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id 8740137B423; Sat, 2 Jun 2001 20:25:05 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.11.3/8.11.3) with ESMTP id f533OwS14418; Sat, 2 Jun 2001 23:24:58 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <000801c0ebd3$932adae0$271978d8@cts.com> References: <000801c0ebd3$932adae0$271978d8@cts.com> Date: Sat, 2 Jun 2001 23:24:52 -0400 To: "Morgan Davis" , "'Hajimu UMEMOTO'" From: Garance A Drosihn Subject: RE: Malformed from address Cc: , , Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 7:19 PM -0700 6/2/01, Morgan Davis wrote: >Hajimu UMEMOTO writes: >> Then, Windows is broken. > >And, FreeBSD is also seriously outnumbered. > >> printer client must bind source port to within IPPORT_RESERVED. > >"Yeah, right." -- Bill Gates :-) Consider the example of lpr at RPI. We accept print jobs from hundreds of unix clients which are administered by "us" (the computer center). While we have control of administration of those machines, there are 5,000 to 10,000 people who can log into those same machines. We haven't figured out how to control those users... :-) Our print servers do accept jobs from those machines based on the hostname. 
That does not mean we want to allow all those thousands of users to *telnet* into lpd on the print servers, and send their own little fake jobs, just like you were doing in your testing. We do not accept jobs from many Windows hosts (not directly into lpd, that is). Almost all our windows users have to go thru samba, because we charge users for their printouts and we have be pretty confident that we KNOW the userid to charge to. [and for the few windows boxes we DO accept jobs from, we have some other RPI-specific changes so all jobs from those hosts are charged to a specific userid -- no matter what userid is listed in control-files for print jobs from that host. That's one of the changes I hope to sort out and incorporate into FreeBSD's lpr] So in our environment, there is absolutely no way we can allow connections from non-reserved ports. Not unless we make some major changes to lpd (which is always an option, given enough caffeine and a long enough weekend...). > > If you wish to allow such >> broken connection, you can simply remove reserved port checking. > >The restriction in lpd.c breaks printing from the vast majority >of computers in this neck of the galaxy. And, there's no fix, >other than for each admin to "simply" patch lpd.c, recompile, >and deploy throughout their enterprise? I can see that the reserved-port restriction might be problematic in other environments, particularly since it has not been enforced for the past four years. I also agree that administrators should not have to patch and recompile lpd to get the behavior they want. >I suggest that a compile-time option or a command line flag be >added so that the port checking is selectable. (My vote is for >a runtime flag that disables port checking or allows you to >specify your own acceptable range.) This is a reasonable "quick fix". 
I am in the middle of a rather involved update to lpr/lpd right this minute, but I'd be willing to add an option to lpd to specify if the administrator wants lpd to do the port checking. I could write something up for that within the next week. As a security matter, I think it should do the port checking by default, and the option would be to turn that checking off.

If we take a little time to ponder the matter, a better (but more involved) fix would be to have two lists of allowed hosts. In my case, I can not afford to accept non-reserved-port connections from Unix hosts which we do administer, but we might want to allow that for other machines (such as windows boxes). Perhaps /etc/hosts.lpd and /etc/hosts.lpd-special or something. I would certainly have to think about it some more, and figure out what the best thing to do is. Thus, this would be something to consider as a longer-term improvement.

>While I'm making lpd suggestions, it would be very nice if it
>were smarter about using syslog or its own -d and -l capabilities
>to truly log fatal() error messages, rather than spewing them
>uselessly into stdout (or the socket stream).

Hmm. Not sure what you mean here. At least at RPI, we DO get error messages in logfiles, at least for some kinds of errors. What do you have for 'lpr'-ish entries in your /etc/syslog.conf ? If there is a problem there, I could look into that too, but I would want to be a little careful that lpd won't open up any new denial-of-service attacks.

>How many have been bit by clients that wouldn't print, only to
>find that it was because they weren't in hosts.lpd, the client
>IP addresses changed or a forward/reverse DNS error was
>introduced, etc?

I know that we have SOME logfile entries when hosts are not in hosts.lpd, for instance. Maybe we turn up logging, or maybe it's just some other difference between RPI's lpd and freebsd's.
--
Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu
Senior Systems Programmer or gad@freebsd.org
Rensselaer Polytechnic Institute or drosih@rpi.edu

From owner-freebsd-security Sat Jun 2 20:36:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id 0528C37B423; Sat, 2 Jun 2001 20:36:23 -0700 (PDT) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.11.3/8.11.3) with ESMTP id f533aHS51242; Sat, 2 Jun 2001 23:36:17 -0400
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
In-Reply-To: <153770000.991535023@vpn5.ece.cmu.edu>
References: <000801c0ebd3$932adae0$271978d8@cts.com> <153770000.991535023@vpn5.ece.cmu.edu>
Date: Sat, 2 Jun 2001 23:36:14 -0400
To: "Brandon S. Allbery KF8NH" , Morgan Davis , "'Hajimu UMEMOTO'"
From: Garance A Drosihn
Subject: RE: Malformed from address
Cc: freebsd-stable@FreeBSD.org, security@FreeBSD.org, wollman@FreeBSD.org, freebsd-print@bostonradio.org
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:23 PM -0400 6/2/01, Brandon S. Allbery KF8NH wrote:
>On Saturday, June 02, 2001, Morgan Davis wrote:
>+-----
>| > printer client must bind source port to within IPPORT_RESERVED.
>|
>| "Yeah, right." -- Bill Gates :-)
>+--->8
>
>If you want to be pedantic, the source port is supposed to be
>between 729 and 739 IIRC. Which is a ridiculous restriction
>that causes lpd to fall flat on its face when used with 50+
>printers and several hundred clients.

I don't understand this statement, but then I will have to admit I am not an expert in network programming under Unix.
In any case, we have about five print servers, which drive something like 200+ print queues, and those servers accept jobs from about 600 different hosts. I am not aware of lpd falling flat on its face here...in fact it seems to work reasonably well.

Isn't this port range only going to be a limiting factor on the SENDING machine? In that case, the issue is not how many printers you have, but how many different users on a single machine might be printing to different remote-printers at the same time. If that is the issue, then I can believe that we (here at RPI) might just happen to avoid the problem.

>(But as someone else noted, the test was in fact backwards and
>*rejected* reserved ports, so it should be at minimum fixed
>and at best removed or made configurable.)

When you catch up with the recent email, you'll see that the check is correct. It does not reject reserved ports, obviously, as then it would have to reject jobs from other unix machines.

--
Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu
Senior Systems Programmer or gad@freebsd.org
Rensselaer Polytechnic Institute or drosih@rpi.edu
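The thread above argues over lpd's rule that a client must connect from a port below IPPORT_RESERVED, Morgan Davis asks for a runtime flag that disables the check or names an acceptable range, and Garance floats a second allowed-host list for machines (such as Windows boxes) that cannot bind a reserved port. The following is an added C example that is not FreeBSD's lpd source and not any of the posters' code: it shows the check as an access-control decision with both relaxations wired in. The option syntax ("off", "reserved", "LO-HI"), the host names and the 721-731 range used in the test are assumptions made for the example.

```c
/*
 * Added example, not FreeBSD lpd source: the source-port check lpd applies
 * to a connecting client, plus the two relaxations discussed in the thread
 * (a runtime option that turns the check off or names an explicit range,
 * and a second host list whose members are exempt from it).
 * Option syntax, host names and the sample port range are assumptions.
 */
#include <netinet/in.h>   /* IPPORT_RESERVED on BSD and glibc */
#include <stdlib.h>
#include <string.h>
#include <strings.h>      /* strcasecmp */

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* Source-port policy: which client ports a job may be submitted from. */
struct port_policy {
    int check;              /* 0 = accept any source port */
    unsigned short lo, hi;  /* inclusive bounds, used when check != 0 */
};

/* Historical lpd behaviour: the client must come from a port below 1024. */
const struct port_policy lpd_default = { 1, 1, IPPORT_RESERVED - 1 };

/* Returns 1 if a client connecting from `port` (host byte order) is
 * acceptable under `pol`, 0 otherwise. */
int port_allowed(unsigned short port, const struct port_policy *pol)
{
    if (!pol->check)
        return 1;
    return port >= pol->lo && port <= pol->hi;
}

/* Parse the value of a hypothetical lpd option: "off" disables the check,
 * "reserved" restores the default, "LO-HI" sets an explicit inclusive range.
 * Returns 0 on success and -1 on malformed input, leaving *out unchanged. */
int parse_port_policy(const char *arg, struct port_policy *out)
{
    char *end;
    unsigned long lo, hi;

    if (strcmp(arg, "off") == 0) {
        out->check = 0;
        out->lo = 0;
        out->hi = 65535;
        return 0;
    }
    if (strcmp(arg, "reserved") == 0) {
        *out = lpd_default;
        return 0;
    }
    lo = strtoul(arg, &end, 10);
    if (end == arg || *end != '-' || lo < 1 || lo > 65535)
        return -1;
    arg = end + 1;
    hi = strtoul(arg, &end, 10);
    if (end == arg || *end != '\0' || hi < lo || hi > 65535)
        return -1;
    out->check = 1;
    out->lo = (unsigned short)lo;
    out->hi = (unsigned short)hi;
    return 0;
}

/* Two allowed-host lists, as sketched in the thread: hosts in strict_hosts
 * must satisfy the port policy, hosts in lenient_hosts are accepted from any
 * port, and anything else is refused. Entries are constructed sample names. */
static const char *const strict_hosts[]  = { "unix1.example.edu", "unix2.example.edu", NULL };
static const char *const lenient_hosts[] = { "winbox.example.edu", NULL };

enum verdict { REJECT_HOST, REJECT_PORT, ACCEPT };

static int in_list(const char *host, const char *const *list)
{
    for (; *list != NULL; list++)
        if (strcasecmp(host, *list) == 0)
            return 1;
    return 0;
}

/* Decide whether a job from `host`, connecting from `port`, is accepted. */
enum verdict lpd_accept(const char *host, unsigned short port,
                        const struct port_policy *pol)
{
    if (in_list(host, lenient_hosts))
        return ACCEPT;
    if (!in_list(host, strict_hosts))
        return REJECT_HOST;
    return port_allowed(port, pol) ? ACCEPT : REJECT_PORT;
}
```

With the default policy a listed Unix host is refused when it connects from an unprivileged port, the lenient list bypasses the port test entirely, and an unlisted host is refused regardless of port; the policy stays on by default, matching the "checking on unless the administrator turns it off" position taken above. Note that the two-list scheme only changes which hosts get the port exemption; it does not make a hostname any harder to forge, so the exempt list should be short.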