From owner-freebsd-security@FreeBSD.ORG Sun Aug 20 00:34:26 2006
From: Chris <rip@overflow.no>
Date: Sat, 19 Aug 2006 20:34:23 -0400
To: Daniel Gerzo
Cc: freebsd-security@freebsd.org, Pieter de Boer
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <44E7AE0F.2000103@overflow.no>
In-Reply-To: <47517034.20060819233730@rulez.sk>

I'm maintaining a patch for OpenSSH portable that allows configurable
blocking (firewalling: ipfw, ipf, iptables) of such bruteforce attempts. I
will post it if anyone is interested in it.

Daniel Gerzo wrote:
> Hello Pieter,
>
> Saturday, August 19, 2006, 9:48:49 PM, you wrote:
>
>> Gang,
>>
>> For months now, we're all seeing repeated bruteforce attempts on SSH.
>> I've configured my pf install to ratelimit TCP connections to port 22
>> and to automatically add IP-addresses that connect too fast to a table
>> that's filtered:
>>
>> table <lamers> { }
>>
>> block quick from <lamers> to any
>>
>> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
>> modulate state (source-track rule max-src-nodes 8 max-src-conn 8
>> max-src-conn-rate 3/60 overload <lamers> flush global)
>>
>> This works as expected, IP-addresses are added to the 'lamers'-table
>> every once in a while.
>>
>> However, there apparently are SSH bruteforcers that simply use one
>> connection to perform a brute-force attack:
>>
>> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>>
>> My theory was/is that this particular scanner simply multiplexes
>> multiple authentication attempts over a single connection. I 'used the
>> source luke' of OpenSSH to find support for this theory, but found the
>> source a bit too wealthy for my brain to find such support.
>>
>> So, my question is: Does anyone know how this particular attack works
>> and if there's a way to stop this? If my theory is sound and OpenSSH
>> does not have provisions to limit the authentication requests per TCP
>> session, I'd find that an inadequacy in OpenSSH, but I'm probably
>> missing something here :)
>
> try http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
> or my pet project http://danger.rulez.sk/projects/bruteforceblocker/
>
>> Regards,
>> Pieter

From owner-freebsd-security@FreeBSD.ORG Sun Aug 20 03:42:20 2006
From: Chris <chrcoluk@gmail.com>
Date: Sun, 20 Aug 2006 04:42:17 +0100
To: Chris <rip@overflow.no>
Cc: freebsd-security@freebsd.org, Daniel Gerzo, Pieter de Boer
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <3aaaa3a0608192042k2f079d96re0592109dd6d0d69@mail.gmail.com>
In-Reply-To: <44E7AE0F.2000103@overflow.no>

On 20/08/06, Chris wrote:
> I'm maintaining a patch for OpenSSH portable that allows configurable
> blocking (firewalling: ipfw, ipf, iptables) of such bruteforce attempts. I
> will post it if anyone is interested in it.
>
> [...]

I am interested in this patch thanks.
Chris

From owner-freebsd-security@FreeBSD.ORG Sun Aug 20 12:43:16 2006
From: Pieter de Boer <pieter@thedarkside.nl>
Date: Sun, 20 Aug 2006 14:43:13 +0200
To: freebsd-security@freebsd.org
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <44E858E1.7050809@thedarkside.nl>
In-Reply-To: <790a9fff0608191429p180c20celc7b9ebae811097cd@mail.gmail.com>

Scot Hetzel wrote:
>> However, there apparently are SSH bruteforcers that simply use one
>> connection to perform a brute-force attack:
>>
>> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
>> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>
> It looks as though you need to lower 'MaxAuthTries' in your
> sshd_config file, as the default is set to allow six authentication
> attempts per connection.

I had already lowered this value to '3', which apparently does not matter
at all. I even forgot that I did, which says enough ;)

Makes me wonder even more what's happening; even with 3 auth sessions per
connection, that would mean only 9 attempts per minute should be
possible. I'm seeing >100 attempts per minute, though.

-- 
Pieter

From owner-freebsd-security@FreeBSD.ORG Sun Aug 20 12:50:16 2006
From: Pieter de Boer <pieter@thedarkside.nl>
Date: Sun, 20 Aug 2006 14:50:08 +0200
To: freebsd-security@freebsd.org
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <44E85A80.3000608@thedarkside.nl>
In-Reply-To: <20060819142846.N45201@orthanc.ca>

Lyndon Nerenberg wrote:
> Take a look at /usr/ports/security/bruteforceblocker. It monitors the
> system log for failed ssh logins, and blocks the sites via pf. It's
> reasonably configurable, and works very well. I've been running it for
> months without trouble.

I've written a similar script which worked okay for the most part.
Probably not as fancy, but a la. Point is, I'd prefer to:

1) Know why the attack still works although I'm ratelimiting to 3
   connections per minute and MaxAuthTries is set to 3 (but if it was
   still the default value 6, it should've triggered, too)
2) Fix it at the root cause, probably OpenSSH?

-- 
Pieter

From owner-freebsd-security@FreeBSD.ORG Sun Aug 20 16:35:07 2006
From: "Constantine A. Murenin" <mureninc@gmail.com>
Date: Sun, 20 Aug 2006 12:35:05 -0400
To: Pieter de Boer
Cc: freebsd-security@freebsd.org
Subject: Re: SSH scans vs connection ratelimiting
In-Reply-To: <44E76B21.8000409@thedarkside.nl>

On 19/08/06, Pieter de Boer wrote:
> [...]
>
> So, my question is: Does anyone know how this particular attack works
> and if there's a way to stop this? If my theory is sound and OpenSSH
> does not have provisions to limit the authentication requests per TCP
> session, I'd find that an inadequacy in OpenSSH, but I'm probably
> missing something here :)

There were tons of discussions on this topic on the misc@OpenBSD mailing
list, so you can try searching the archives for some more ideas. This is
just one thread that I've found now, called "is there a way to block sshd
trolling?": http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&t=1325006.

Most of these attacks come from compromised Linux hosts, so if you use
pf(4), you could easily block access to ssh port from any Linux machine,
and then you're mostly covered. :) See
http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&m=1332409.

Cheers,
Constantine.
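The check Pieter is asking for, as an added example in Python (this is not code from the thread, from OpenSSH, or from any tool named above). It reads sshd "Invalid user" lines like the ones quoted and, per source address, works out whether the attempts are multiplexed over one connection or arrive on separate connections, and whether the number of connections per 60-second window exceeds what the pf rule allows. The basis for the first check: sshd forks one child process per connection and the pid in the syslog tag is that child's, so attempts multiplexed over a single connection share a pid, while separate connections show distinct pids. The log lines are a constructed copy of the quoted ones (syslog lines carry no year, so 2006 is assumed); the limits are the values from the thread (max-src-conn-rate 3/60, MaxAuthTries 3). The regex also accepts the "Failed password for ..." form sshd logs for existing users.

```python
import re
from collections import defaultdict
from datetime import datetime

# Failed-auth line as sshd logs it, e.g.
# "Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) from (?P<src>[\d.]+)"
)

# Constructed copy of the lines quoted in the thread.
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
"""


def parse(log_text, year=2006):
    """Return (timestamp, pid, src) for each failed-auth line; other lines are skipped.
    The year is assumed because syslog lines do not carry one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["pid"]), m["src"]))
    return events


def analyse(events, window=60, max_src_conn_rate=3, max_auth_tries=3):
    """Per source: total attempts, distinct connections (sshd child pids),
    peak connections and attempts in any sliding window, and whether those
    peaks exceed the configured pf connection rate and the auth ceiling
    (connections per window * MaxAuthTries)."""
    by_src = defaultdict(list)
    for ts, pid, src in events:
        by_src[src].append((ts, pid))
    report = {}
    for src, items in by_src.items():
        items.sort()
        peak_attempts = peak_conns = 0
        for i, (t0, _) in enumerate(items):
            in_win = [(t, p) for t, p in items[i:] if (t - t0).total_seconds() < window]
            peak_attempts = max(peak_attempts, len(in_win))
            peak_conns = max(peak_conns, len({p for _, p in in_win}))
        pids = {p for _, p in items}
        report[src] = {
            "attempts": len(items),
            "connections": len(pids),
            # more attempts than pids means one sshd child logged several tries
            "multiplexed": len(pids) < len(items),
            "peak_connections_per_window": peak_conns,
            "exceeds_conn_rate": peak_conns > max_src_conn_rate,
            "exceeds_auth_ceiling": peak_attempts > max_src_conn_rate * max_auth_tries,
        }
    return report


if __name__ == "__main__":
    for src, r in analyse(parse(SAMPLE_LOG)).items():
        print(src, r)
```

On the quoted sample every line carries a different pid, so the script reports six connections for six attempts and no multiplexing; six connections inside 14 seconds is more than max-src-conn-rate 3/60 permits, which is the signal that the pf limit is not being applied to that source and that the packet trace Pieter proposes is the right next step.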
From owner-freebsd-security@FreeBSD.ORG Sun Aug 20 16:59:38 2006
From: Pieter de Boer <pieter@thedarkside.nl>
Date: Sun, 20 Aug 2006 18:59:36 +0200
To: freebsd-security@freebsd.org
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <44E894F8.5090505@thedarkside.nl>
References: <44E76B21.8000409@thedarkside.nl>

Constantine A. Murenin wrote:
>> So, my question is: Does anyone know how this particular attack works
>> and if there's a way to stop this? If my theory is sound and OpenSSH
>> does not have provisions to limit the authentication requests per TCP
>> session, I'd find that an inadequacy in OpenSSH, but I'm probably
>> missing something here :)
>
> This is just one thread that I've found now, called "is there a way to
> block sshd trolling?":
> http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&t=1325006.
>
> Most of these attacks come from compromised Linux hosts, so if you use
> pf(4), you could easily block access to ssh port from any Linux
> machine, and then you're mostly covered. :) See
> http://arkiv.openbsd.nu/?ml=openbsd-misc&a=0&m=1332409.

I'm not so much searching for a solution to the 'problem', but rather
want to know why ratelimiting apparently doesn't work for some of the
scans. I see IP addresses being blocked just fine by the pf rule due to
scans, but also see some other scans still succeed. Ratelimiting is one
of the few solutions I can agree with, and it should simply work.

Perhaps I should try running a tcpdump for a few days again to get a
packet trace of such a 'succeeding' scan. Might show what's going on..

-- 
Pieter

From owner-freebsd-security@FreeBSD.ORG Sun Aug 20 21:20:32 2006
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
Date: Mon, 21 Aug 2006 00:19:27 +0300 (EEST)
To: Pieter de Boer
Cc: freebsd-security@freebsd.org
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <20060821001221.T49962@atlantis.atlantis.dp.ua>
In-Reply-To: <44E76B21.8000409@thedarkside.nl>

Hello!

On Sat, 19 Aug 2006, Pieter de Boer wrote:
> For months now, we're all seeing repeated bruteforce attempts on SSH. I've
> configured my pf install to ratelimit TCP connections to port 22 and to

I wonder why OpenSSH still doesn't support a simple and nice feature of
SSH.COM's sshd2_config:

LoginGraceTime 60
AuthInteractiveFailureTimeout 10

These settings effectively cause robots to stop the scan for me. Every
scan attempt gives only 1..N failed attempts (where N = number of
externally-reachable and SSH-served IPs on the machine, if the robot is
capable of a simultaneous scan of several IPs), so I can just ignore them.
Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE

From owner-freebsd-security@FreeBSD.ORG Mon Aug 21 01:33:05 2006
From: Chris <rip@overflow.no>
Date: Sun, 20 Aug 2006 21:32:58 -0400
To: Chris <chrcoluk@gmail.com>
Cc: freebsd-security@freebsd.org, Daniel Gerzo, Pieter de Boer
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <44E90D4A.6080700@overflow.no>
In-Reply-To: <3aaaa3a0608192042k2f079d96re0592109dd6d0d69@mail.gmail.com>

As requested, here you go. Please read the README file for further
information.

http://irchost.no/ssh-4.3p2+timelox+chroot.tgz

Chris wrote:
> On 20/08/06, Chris wrote:
>> I'm maintaining a patch for OpenSSH portable that allows configurable
>> blocking (firewalling: ipfw, ipf, iptables) of such bruteforce attempts. I
>> will post it if anyone is interested in it.
>>
>> [...]
>
> I am interested in this patch thanks.
>
> Chris

From owner-freebsd-security@FreeBSD.ORG Mon Aug 21 13:11:43 2006
From: Oliver Fromme <oliver.fromme@secnetix.de>
Date: Mon, 21 Aug 2006 15:11:25 +0200 (CEST)
To: freebsd-security@FreeBSD.ORG
Subject: Re: SSH scans vs connection ratelimiting
Message-Id: <200608211311.k7LDBPms032155@lurza.secnetix.de>
In-Reply-To: <44E76B21.8000409@thedarkside.nl>

Personally I have solved the problem in a different way. I let sshd
listen on port 22 as well as a different port (e.g. 322). In the packet
filter configuration (IPFW in my case) the alternate port is open from
anywhere, but port 22 is restricted to a few well-known IPs.

Most of those automated SSH scans only scan networks on port 22 (for
efficiency, I assume), so they never hit the alternate port. If they
scan port 22, they're dropped silently.

The result is that I get zero scans in my logs and the nightly reports.
I can log into the machines normally from my usual workstations. And if
I'm somewhere where port 22 isn't allowed, I can still log in using the
alternate port number. In fact, I could get rid of port 22 altogether.
You can set the default port number per host in ~/.ssh/config, so you
don't have to type the port number every time.

Note that this is _not_ a security measure (it would only be "security
by obscurity" anyway). It's only to get rid of the annoying scans.
You still have to use good pass- words (or use other authentication, such as ssh keys), and make sure that you do not allow root (or other pseudo users) login via ssh passwords. Best regards Oliver PS: I try to avoid things like automatic blocking of IP addresses. They can be dangerous, because such automatisms can be used to run DoS attacks against you, by spoofing source IPs. Whitelists can help a bit, but you still have to be extremely careful. I know one case where someone had a similar setup, blocking IPs completely (not just port 22) if there have been too many connection attempts. He whitelisted the IP addresses of the workstations from which he was usually connecting with ssh, and so he assumed he was save. Well, until a "friend" of him ran an SSH scan against the machine, spoofing the IP addresses of his DNS servers, in effect putting the machine offline. :-) -- Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way. I suggested holding a "Python Object Oriented Programming Seminar", but the acronym was unpopular. 
        -- Joseph Strout

From owner-freebsd-security@FreeBSD.ORG Tue Aug 22 08:09:03 2006
Message-ID: <44EABB9B.5040908@geminix.org>
Date: Tue, 22 Aug 2006 10:08:59 +0200
From: Uwe Doering
Organization: Private UNIX Site
To: freebsd-security@FreeBSD.ORG
References: <200608211311.k7LDBPms032155@lurza.secnetix.de>
In-Reply-To: <200608211311.k7LDBPms032155@lurza.secnetix.de>
Subject: Re: SSH scans vs connection ratelimiting

Oliver Fromme wrote:
>
> PS: I try to avoid things like automatic blocking of IP
> addresses. They can be dangerous, because such automatisms
> can be used to run DoS attacks against you, by spoofing
> source IPs. Whitelists can help a bit, but you still have
> to be extremely careful.
>
> I know one case where someone had a similar setup, blocking
> IPs completely (not just port 22) if there have been too
> many connection attempts. He whitelisted the IP addresses
> of the workstations from which he was usually connecting
> with ssh, and so he assumed he was safe. Well, until a
> "friend" of his ran an SSH scan against the machine,
> spoofing the IP addresses of his DNS servers, in effect
> putting the machine offline. :-)

I agree with you that you are vulnerable if your hardening mechanism against SSH scans is based on counting TCP packets with SYN flags. You ought to be safe, though, if you went by monitoring the SSH daemon's logfile, because it takes several exchanges between the SSH client and server before a failed login attempt gets logged. It is hard to believe that someone could fake a complete exchange like this from the remote via a TCP connection while using source IP address spoofing. My understanding so far is that source IP address spoofing from the remote works only with connectionless protocols like UDP and ICMP, or TCP SYN packets as a special case. Please correct me if I'm wrong.

Regards,

    Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net

From owner-freebsd-security@FreeBSD.ORG Tue Aug 22 11:33:01 2006
Date: Tue, 22 Aug 2006 07:32:56 -0400
From: "Michael Scheidell"
To: "Uwe Doering"
Subject: RE: SSH scans vs connection ratelimiting

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Uwe Doering
> Sent: Tuesday, August 22, 2006 4:09 AM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: SSH scans vs connection ratelimiting
>
> that someone could fake a complete exchange like this from the remote
> via a TCP connection while using source IP address spoofing. My
> understanding so far is that source IP address spoofing from
> the remote
> works only with connectionless protocols like UDP and ICMP,
> or TCP SYN
> packets as a special case. Please correct me if I'm wrong.

You are more or less correct. For all practical purposes, spoofing a three-way TCP connection is impossible. (for all practical purposes)

There are man-in-the-middle attacks, routing hijacking, and possibly TCP connection id spoofing, but if you are using a modern OS that does not suffer from connection id guessing, it's so hard to do that only someone specifically trying to break into your network, who has the ability to sniff your traffic, might even have a ghost of a chance of doing this.
(and if you already have the *keys from known_hosts, ssh will complain about it if it even gets that far)

-- 
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security:
Real time security alerts: http://www.secnap.com/news

From owner-freebsd-security@FreeBSD.ORG Wed Aug 23 22:18:39 2006
Date: Wed, 23 Aug 2006 22:18:28 GMT
Message-Id: <200608232218.k7NMISv9072214@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-06:18.ppp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-06:08.ppp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in ppp(4)

Category:       core
Module:         sys_net
Announced:      2006-08-23
Credits:        Martin Husemann, Pavel Cahyna
Affects:        All FreeBSD releases.
Corrected:      2006-08-23 22:01:44 UTC (RELENG_6, 6.1-STABLE)
                2006-08-23 22:02:25 UTC (RELENG_6_1, 6.1-RELEASE-p4)
                2006-08-23 22:02:52 UTC (RELENG_6_0, 6.0-RELEASE-p10)
                2006-08-23 22:03:55 UTC (RELENG_5, 5.5-STABLE)
                2006-08-23 22:04:28 UTC (RELENG_5_5, 5.5-RELEASE-p3)
                2006-08-23 22:04:58 UTC (RELENG_5_4, 5.4-RELEASE-p17)
                2006-08-23 22:05:49 UTC (RELENG_5_3, 5.3-RELEASE-p32)
                2006-08-23 22:06:08 UTC (RELENG_4, 4.11-STABLE)
                2006-08-23 22:06:40 UTC (RELENG_4_11, 4.11-RELEASE-p20)
CVE Name:       CVE-2006-4304

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The ppp(4) driver implements the Point-to-Point Protocol for using serial lines (e.g., modems) as network interfaces.

II.  Problem Description

While processing Link Control Protocol (LCP) configuration options received from the remote host, ppp(4) fails to correctly validate option lengths. This may result in data being read or written beyond the allocated kernel memory buffer.

III. Impact

An attacker able to send LCP packets, including the remote end of a ppp(4) connection, can cause the FreeBSD kernel to panic. Such an attacker may also be able to obtain sensitive information or gain elevated privileges.

IV.  Workaround

No workaround is available, but systems which do not use ppp(4) are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3, or RELENG_4_11 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp4x.patch
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp4x.patch.asc

[FreeBSD 5.3]
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp53.patch
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp53.patch.asc

[FreeBSD 5.4, 5.5, and 6.x]
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp.patch
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/net/if_spppsubr.c                                       1.59.2.15
RELENG_4_11
  src/UPDATING                                               1.73.2.91.2.21
  src/sys/conf/newvers.sh                                    1.44.2.39.2.24
  src/sys/net/if_spppsubr.c                                 1.59.2.13.10.1
RELENG_5
  src/sys/net/if_spppsubr.c                                       1.113.2.3
RELENG_5_5
  src/UPDATING                                               1.342.2.35.2.3
  src/sys/conf/newvers.sh                                      1.62.2.21.2.5
  src/sys/net/if_spppsubr.c                                  1.113.2.2.4.1
RELENG_5_4
  src/UPDATING                                              1.342.2.24.2.26
  src/sys/conf/newvers.sh                                     1.62.2.18.2.22
  src/sys/net/if_spppsubr.c                                  1.113.2.2.2.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.35
  src/sys/conf/newvers.sh                                     1.62.2.15.2.37
  src/sys/net/if_spppsubr.c                                  1.113.2.1.2.1
RELENG_6
  src/sys/net/if_spppsubr.c                                       1.119.2.3
RELENG_6_1
  src/UPDATING                                               1.416.2.22.2.6
  src/sys/conf/newvers.sh                                      1.69.2.11.2.6
  src/sys/net/if_spppsubr.c                                  1.119.2.2.2.1
RELENG_6_0
  src/UPDATING                                              1.416.2.3.2.15
  src/sys/conf/newvers.sh                                      1.69.2.8.2.11
  src/sys/net/if_spppsubr.c                                  1.119.2.1.2.1
- -------------------------------------------------------------------------

VII.
References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4304

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-06:18.ppp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFE7NL6FdaIBMps37IRAsJcAJ9adjb9yd1W+MBwMpIhiW/bh5nJ/wCcCkBu
pPMIspYV9quwmR36mUf6FEo=
=XBTj
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Aug 23 22:35:07 2006
Message-Id: <8E506F0D-FCBD-4FE0-B137-7157EC1D5E22@lassitu.de>
Date: Thu, 24 Aug 2006 00:34:20 +0200
From: Stefan Bethke
To: FreeBSD Security
In-Reply-To: <200608232218.k7NMISv9072214@freefall.freebsd.org>
References: <200608232218.k7NMISv9072214@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:18.ppp

On 23.08.2006 at 22:18, FreeBSD Security Advisories wrote:

> III. Impact
>
> An attacker able to send LCP packets, including the remote end of a ppp(4)
> connection, can cause the FreeBSD kernel to panic. Such an attacker may
> also be able to obtain sensitive information or gain elevated privileges.

...

> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_4
>   src/sys/net/if_spppsubr.c                                       1.59.2.15

...

ppp(4) or sppp(4)? Looking at the patch, it seems to be sppp(4), which is (completely?) separate from ppp(4), AFAIK.

Also, ppp(8), Brian Somers' userland PPP implementation, is not affected; a useful bit of information for people who are not as familiar with the multitude of PPP implementations in FreeBSD.

Stefan

-- 
Stefan Bethke   Fon +49 170 346 0140

From owner-freebsd-security@FreeBSD.ORG Thu Aug 24 02:18:09 2006
From: "Zhang Ye"
Date: Thu, 24 Aug 2006 10:17:44 +0800
Message-ID: <000001c6c723$7c6d79d0$bf06a8c0@zhangamuufcjz4>
Subject: Does FreeBSD Will Support TPM Chip?

Hello everyone,

With the computers equipped with TPM chip popularizing, many OS begin to support it. And Linux and Vista are some of them. I want to know whether the FreeBSD Project has a plan to support it and some related technology. Can anyone answer me?
Ye Zhang (A Developer of Trusted Computing Application)
Thursday, August 24, 2006

From owner-freebsd-security@FreeBSD.ORG Thu Aug 24 06:27:35 2006
Date: Wed, 23 Aug 2006 23:25:21 -0700
From: Colin Percival
To: Stefan Bethke
Cc: FreeBSD Security
Message-id: <44ED4651.4070808@freebsd.org>
In-reply-to: <8E506F0D-FCBD-4FE0-B137-7157EC1D5E22@lassitu.de>
References: <200608232218.k7NMISv9072214@freefall.freebsd.org> <8E506F0D-FCBD-4FE0-B137-7157EC1D5E22@lassitu.de>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:18.ppp

Stefan Bethke wrote:
> ppp(4) or sppp(4)? Looking at the patch, it seems to be sppp(4), which
> is (completely?) separate from ppp(4), AFAIK.

Umm... I guess it's sppp(4) actually. NetBSD reported the problem to us and I didn't realize that we had more than one version of Point-To-Point Protocol. I'll send out a revised advisory once I'm sure I have all the details right.
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Fri Aug 25 12:34:12 2006
Date: Fri, 25 Aug 2006 12:34:09 GMT
Message-Id: <200608251234.k7PCY93f095110@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-06:18.ppp [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:08.ppp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in sppp(4)

Category:       core
Module:         sys_net
Announced:      2006-08-23
Credits:        Martin Husemann, Pavel Cahyna
Affects:        All FreeBSD releases.
Corrected:      2006-08-23 22:01:44 UTC (RELENG_6, 6.1-STABLE)
                2006-08-23 22:02:25 UTC (RELENG_6_1, 6.1-RELEASE-p4)
                2006-08-23 22:02:52 UTC (RELENG_6_0, 6.0-RELEASE-p10)
                2006-08-23 22:03:55 UTC (RELENG_5, 5.5-STABLE)
                2006-08-23 22:04:28 UTC (RELENG_5_5, 5.5-RELEASE-p3)
                2006-08-23 22:04:58 UTC (RELENG_5_4, 5.4-RELEASE-p17)
                2006-08-23 22:05:49 UTC (RELENG_5_3, 5.3-RELEASE-p32)
                2006-08-23 22:06:08 UTC (RELENG_4, 4.11-STABLE)
                2006-08-23 22:06:40 UTC (RELENG_4_11, 4.11-RELEASE-p20)
CVE Name:       CVE-2006-4304

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

0.   Revision History

v1.0  2006-08-23  Initial release.
v1.1  2006-08-25  Corrected name of affected driver.

NOTE WELL: The original version of this advisory identified the affected driver as ppp(4). This is incorrect; the problem occurs in the sppp(4) driver instead.

I.   Background

The sppp(4) driver implements the state machine and the Link Control Protocol (LCP) of the Point-to-Point Protocol (PPP) and is used in combination with underlying drivers which provide synchronous point-to-point connections. In particular, sppp(4) is commonly used with i4bisppp(4) and ng_sppp(4).

II.  Problem Description

While processing Link Control Protocol (LCP) configuration options received from the remote host, sppp(4) fails to correctly validate option lengths. This may result in data being read or written beyond the allocated kernel memory buffer.

III. Impact

An attacker able to send LCP packets, including the remote end of a sppp(4) connection, can cause the FreeBSD kernel to panic. Such an attacker may also be able to obtain sensitive information or gain elevated privileges.

IV.  Workaround

No workaround is available, but systems which do not use sppp(4) are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3, or RELENG_4_11 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp4x.patch
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp4x.patch.asc

[FreeBSD 5.3]
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp53.patch
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp53.patch.asc

[FreeBSD 5.4, 5.5, and 6.x]
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp.patch
# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/net/if_spppsubr.c                                       1.59.2.15
RELENG_4_11
  src/UPDATING                                               1.73.2.91.2.21
  src/sys/conf/newvers.sh                                    1.44.2.39.2.24
  src/sys/net/if_spppsubr.c                                 1.59.2.13.10.1
RELENG_5
  src/sys/net/if_spppsubr.c                                       1.113.2.3
RELENG_5_5
  src/UPDATING                                               1.342.2.35.2.3
  src/sys/conf/newvers.sh                                      1.62.2.21.2.5
  src/sys/net/if_spppsubr.c                                  1.113.2.2.4.1
RELENG_5_4
  src/UPDATING                                              1.342.2.24.2.26
  src/sys/conf/newvers.sh                                     1.62.2.18.2.22
  src/sys/net/if_spppsubr.c                                  1.113.2.2.2.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.35
  src/sys/conf/newvers.sh                                     1.62.2.15.2.37
  src/sys/net/if_spppsubr.c                                  1.113.2.1.2.1
RELENG_6
  src/sys/net/if_spppsubr.c                                       1.119.2.3
RELENG_6_1
  src/UPDATING                                               1.416.2.22.2.6
  src/sys/conf/newvers.sh                                      1.69.2.11.2.6
  src/sys/net/if_spppsubr.c                                  1.119.2.2.2.1
RELENG_6_0
  src/UPDATING                                              1.416.2.3.2.15
  src/sys/conf/newvers.sh                                      1.69.2.8.2.11
  src/sys/net/if_spppsubr.c                                  1.119.2.1.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4304

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-06:18.ppp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFE7u0+FdaIBMps37IRAhmDAKCVpSUMmugw8j5HEjMfSTln+3KdjwCeNKmx
Qna3jib3T9pASUWraImZYL0=
=XAoj
-----END PGP SIGNATURE-----
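The check the advisory above describes as missing, shown as an added example rather than FreeBSD's own sppp(4) code: a validating walker for LCP configuration options (RFC 1661 layout, Type/Length/Data with Length covering the two header bytes). The packets are constructed for the example; one is well-formed and two carry a lying option length, which is the kind of input the unpatched driver let run past its buffer.

```python
from __future__ import annotations

import struct

# Option type numbers from RFC 1661 used by the constructed samples.
OPT_MRU = 1
OPT_MAGIC_NUMBER = 5

# LCP Configure-Request code (RFC 1661).
LCP_CONF_REQ = 1


class MalformedLCP(ValueError):
    """Raised for any option whose declared length does not fit the buffer."""


def parse_lcp_options(data: bytes) -> list[tuple[int, bytes]]:
    """Walk the option list of an LCP Configure-* packet.

    Each option is Type(1) Length(1) Data(Length-2).  The two checks below
    are the ones that matter for memory safety: a Length below 2 would make
    the walker stand still (or step backwards), and a Length past the end of
    the buffer would make it read beyond the packet that was allocated.
    """
    options = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedLCP(f"truncated option header at offset {pos}")
        opt_type, opt_len = data[pos], data[pos + 1]
        if opt_len < 2:
            raise MalformedLCP(f"option {opt_type}: length {opt_len} < 2")
        if pos + opt_len > len(data):
            raise MalformedLCP(
                f"option {opt_type}: length {opt_len} runs past end "
                f"({len(data) - pos} bytes left)")
        options.append((opt_type, bytes(data[pos + 2:pos + opt_len])))
        pos += opt_len
    return options


def parse_lcp_packet(pkt: bytes) -> tuple[int, int, list[tuple[int, bytes]]]:
    """Validate the 4-byte LCP header, then the options it carries.

    Returns (code, identifier, options).  The header Length is bounded by
    the bytes actually received, so a lying header cannot make the option
    walker look beyond the frame either.
    """
    if len(pkt) < 4:
        raise MalformedLCP("packet shorter than LCP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise MalformedLCP(
            f"header length {length} inconsistent with {len(pkt)} bytes")
    return code, ident, parse_lcp_options(pkt[4:length])


def build_conf_req(ident: int, options: list[tuple[int, bytes]]) -> bytes:
    """Encode a well-formed Configure-Request (used only to build samples)."""
    body = b"".join(bytes([t, len(d) + 2]) + d for t, d in options)
    return struct.pack("!BBH", LCP_CONF_REQ, ident, 4 + len(body)) + body


# Constructed samples, not taken from any real capture.
GOOD_PACKET = build_conf_req(0x01, [
    (OPT_MRU, struct.pack("!H", 1500)),
    (OPT_MAGIC_NUMBER, bytes.fromhex("deadbeef")),
])
# Same packet, but the MRU option claims 0x40 bytes while only 8 follow it.
OVERLONG_PACKET = GOOD_PACKET[:5] + bytes([0x40]) + GOOD_PACKET[6:]
# Same packet, but the MRU option claims a length of 0.
ZERO_LEN_PACKET = GOOD_PACKET[:5] + bytes([0x00]) + GOOD_PACKET[6:]


def classify(pkt: bytes) -> str:
    """Return 'ok' or the reason the packet was rejected."""
    try:
        parse_lcp_packet(pkt)
        return "ok"
    except MalformedLCP as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, pkt in [("good", GOOD_PACKET), ("overlong", OVERLONG_PACKET),
                      ("zero-length", ZERO_LEN_PACKET)]:
        print(f"{name:12s} {pkt.hex()}  ->  {classify(pkt)}")
```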
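Returning to the SSH-scan thread earlier in this digest: an added example, not code from any of the posters, of the log-based approach Uwe describes. It counts sshd authentication failures per source inside a sliding window (events the daemon only logs after the TCP handshake and the SSH exchange have completed, which is why a spoofed-SYN flood cannot trigger it) and refuses to act on a whitelist of addresses that must never be blocked, the DNS resolvers and admin workstations from Oliver's anecdote. The log lines, addresses, threshold, window and log year are all constructed or assumed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd log lines in the shape the thread shows (RFC 5737
# documentation addresses, not real hosts).
SAMPLE_LOG = """\
Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 192.0.2.10
Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 192.0.2.10
Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 192.0.2.10
Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 192.0.2.10
Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 192.0.2.10
Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 192.0.2.10
Aug 18 00:00:20 aberdeen sshd[88030]: Failed password for root from 198.51.100.53 port 40001 ssh2
Aug 18 00:00:21 aberdeen sshd[88031]: Failed password for root from 198.51.100.53 port 40002 ssh2
Aug 18 00:00:22 aberdeen sshd[88032]: Failed password for root from 198.51.100.53 port 40003 ssh2
Aug 18 00:00:23 aberdeen sshd[88033]: Failed password for root from 198.51.100.53 port 40004 ssh2
Aug 18 00:00:24 aberdeen sshd[88034]: Failed password for root from 198.51.100.53 port 40005 ssh2
Aug 18 00:05:00 aberdeen sshd[88100]: Failed password for alice from 203.0.113.7 port 50000 ssh2
Aug 18 00:05:02 aberdeen sshd[88101]: Accepted publickey for alice from 203.0.113.7 port 50001 ssh2
"""

# Addresses that must never be blocked whatever the log says: the resolver
# and admin network from the anecdote.  Assumed values for this example.
NEVER_BLOCK = [ip_network("198.51.100.53/32"), ip_network("203.0.113.0/24")]

THRESHOLD = 5                    # failures ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window (assumed)
LOG_YEAR = 2006                  # syslog lines carry no year; assumed

FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+)")


def parse_failure(line: str) -> tuple[datetime, str] | None:
    """Return (timestamp, source) for an authentication-failure line.

    Lines that are not failures (accepted logins, other daemons) give None,
    so only completed, failed authentications ever reach the counter.
    """
    m = FAILURE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def is_protected(addr: str) -> bool:
    """True for addresses on the never-block list."""
    return any(ip_address(addr) in net for net in NEVER_BLOCK)


def addresses_to_block(log_text: str) -> list[str]:
    """Sources reaching THRESHOLD failures inside WINDOW, minus the whitelist.

    Each offender is listed once, in the order it crossed the threshold.
    The caller is expected to block port 22 only (for instance by adding the
    address to the table its ssh pass rule consults), not all traffic.
    """
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    flagged: list[str] = []
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop failures older than WINDOW
            q.popleft()
        if len(q) >= THRESHOLD and ip not in flagged and not is_protected(ip):
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    print(addresses_to_block(SAMPLE_LOG))
```

The resolver at 198.51.100.53 reaches the threshold in the sample but is never returned, while the single failure from the admin network and the accepted login are ignored.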