From owner-freebsd-security@FreeBSD.ORG Sun Jan 20 09:01:46 2008
From: Fabian Wenk
To: freebsd-security@freebsd.org
Date: Sun, 20 Jan 2008 10:01:29 +0100
Message-ID: <47930DE9.7070806@wenks.ch>
Subject: Re: ident daemon: oIdentd creating a lot of processes

Hello

Anjang Aki wrote:
> i'm using oidentd-2.0.8 installed through /usr/ports/security/oidentd
> for ident authentication

> is this normal for those who are using oidentd as ident daemon? or
> should i try other ident daemon?

Is there a reason why you do not use the identd from FreeBSD itself? It
is part of inetd and can be enabled in /etc/inetd.conf. I have changed
the default options from:

#auth  stream  [...]
auth -r -f -n -o UNKNOWN -t 30

to:

auth   stream  [...] auth -r -t 30

Documentation about the options is in the manpage of inetd (search for
"auth").

Hope this helps.

bye
Fabian

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 07:21:12 2008
From: Wes Peters
To: freebsd-security@freebsd.org
Date: Sun, 20 Jan 2008 22:54:28 -0800
Message-Id: <9019C94F-5618-44F3-9590-D63C19A36B60@opensail.org>
In-Reply-To: <20080120120016.6EBDA16A4DF@hub.freebsd.org>
Subject: Re: ident daemon: oIdentd creating a lot of processes

On Jan 20, 2008, at 4:00 AM, Fabian Wenk wrote:
>
> Anjang Aki wrote:
>> i'm using oidentd-2.0.8 installed through /usr/ports/security/oidentd
>> for ident authentication
>
>> is this normal for those who are using oidentd as ident daemon? or
>> should i try other ident daemon?
>
> Is there a reason why you do not use the identd from FreeBSD itself?

Alternatively, use 'liedentd' from ports and it won't give away
information about your users. It also won't create any additional
processes - I promise.

--
Where am I, and what am I doing in this handbasket?
Wes Peters wes@opensail.org

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 09:50:15 2008
From: Jordi Espasa Clofent
To: freebsd-security@freebsd.org
Date: Mon, 21 Jan 2008 10:50:11 +0100
Message-ID: <47946AD3.2020601@opengea.org>
Subject: denyhosts-like app for MySQLd?
Hi all,

¿Is there any app like denyhosts[1] but intended for MySQLd service?

We have a mysql ports (3306) opened for remote connections, and
obviously the /var/db/mysql/machine_name.log is full of these kind of
entries:

...........
936012 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
936013 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
936014 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
936016 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
936018 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
936019 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
.............

The idea is blocking the abusive IPs in automated way.
[1] http://denyhosts.sourceforge.net/

--
Thanks,
Jordi Espasa Clofent

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 10:35:53 2008
From: Jordi Espasa Clofent
To: freebsd-security@freebsd.org
Date: Mon, 21 Jan 2008 11:35:51 +0100
Message-ID: <47947587.2010106@opengea.org>
In-Reply-To: <200801211226.51852.tim@priebe.alt.na>
Subject: Re: denyhosts-like app for MySQLd?
> Hi,
>
> There is a functionality in pf, that allows you to have an application to
> update a list of hosts, that is used in a rule. You could have a script
> harvest the addresses from your log files, and then update the table in pf. I
> have not tried it myself, but was looking at adopting an implementation to
> create a tarpit for spammers based on this idea.

Yes Tim, I know it. The "problem" is the servers are built in IPFW as
firewall solution.
I've tried the "limit" IPFW's option... but isn't exactly what I'm
looking for.

--
Thanks,
Jordi Espasa Clofent

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 11:19:08 2008
From: Tuomo Latto
To: freebsd-security@freebsd.org
Date: Mon, 21 Jan 2008 13:19:06 +0200
Message-ID: <47947FAA.6040605@iki.fi>
In-Reply-To:
<47946AD3.2020601@opengea.org>
Subject: Re: denyhosts-like app for MySQLd?

Jordi Espasa Clofent wrote:
> ¿Is there any app like denyhosts[1] but intended for MySQLd service?
>
> We have a mysql ports (3306) opened for remote connections, and
> obviously the /var/db/mysql/machine_name.log is full of these kind of
> entries:
>
> ...........
> 936012 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936013 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936014 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936016 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936018 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936019 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> .............
>
> The idea is blocking the abusive IPs in automated way.
>
> [1] http://denyhosts.sourceforge.net/

How about ports/security/bruteblock?
No OOTB support, but adding it should be very easy.
(You just write a config file for it.)

--
Tuomo
...
All I want is a warm bed, a kind word and unlimited power

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 11:55:21 2008
From: Ian Smith
To: Jordi Espasa Clofent
Cc: freebsd-security@freebsd.org
Date: Mon, 21 Jan 2008 22:55:09 +1100 (EST)
In-Reply-To: <47947587.2010106@opengea.org>
Subject: Re: denyhosts-like app for MySQLd?

On Mon, 21 Jan 2008, Jordi Espasa Clofent wrote:

> > There is a functionality in pf, that allows you to have an application to
> > update a list of hosts, that is used in a rule. You could have a script
> > harvest the addresses from your log files, and then update the table in pf. I
> > have not tried it myself, but was looking at adopting an implementation to
> > create a tarpit for spammers based on this idea.
>
> Yes Tim, I know it. The "problem" is the servers are built in IPFW as
> firewall solution.
> I've tried the "limit" IPFW's option... but isn't exactly what I'm
> looking for.
No problem; IPFW has tables too, and sets, with which you could
enable/disable or swap your script-constructed tables atomically.

Might be easier to allow good hosts rather than exclude baddies?

cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 12:14:33 2008
From: Dan Lukes
To: freebsd security
Date: Mon, 21 Jan 2008 13:14:17 +0100
Message-ID: <47948C99.8060504@obluda.cz>
Subject: Re: denyhosts-like app for MySQLd?

Ian Smith napsal/wrote, On 01/21/08 12:55:
> No problem; IPFW has tables too, and sets, with which you could
> enable/disable or

It interests me:

> swap your script-constructed tables atomically.
I know how to create a new set of rules then move it using "ipfw set move"
atomically, but I don't know how to fill a new table then move it into its
place atomically.

So, how to swap tables in one step?

Thank you

Dan

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 10:50:44 2008
From: Tim Priebe
To: freebsd-security@freebsd.org
Cc: Jordi Espasa Clofent
Date: Mon, 21 Jan 2008 12:26:51 +0200
Message-Id: <200801211226.51852.tim@priebe.alt.na>
In-Reply-To: <47946AD3.2020601@opengea.org>
Subject: Re: denyhosts-like app for MySQLd?

Hi,

There is a functionality in pf, that allows you to have an application to
update a list of hosts, that is used in a rule.
You could have a script
harvest the addresses from your log files, and then update the table in pf. I
have not tried it myself, but was looking at adopting an implementation to
create a tarpit for spammers based on this idea.

On Monday 21 January 2008 11:50:11 am Jordi Espasa Clofent wrote:
> Hi all,
>
> ¿Is there any app like denyhosts[1] but intended for MySQLd service?
>
> We have a mysql ports (3306) opened for remote connections, and
> obviously the /var/db/mysql/machine_name.log is full of these kind of
> entries:
>
> ...........
> 936012 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936013 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936014 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936016 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936018 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936019 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> .............
>
> The idea is blocking the abusive IPs in automated way.
>
> [1] http://denyhosts.sourceforge.net/

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 10:52:12 2008
From: Tim Priebe
To: freebsd-security@freebsd.org
Cc: Jordi Espasa Clofent
Date: Mon, 21 Jan 2008 12:53:48 +0200
Message-Id: <200801211253.48663.tim@priebe.alt.na>
In-Reply-To: <47947587.2010106@opengea.org>
Subject: Re: denyhosts-like app for MySQLd?

On Monday 21 January 2008 12:35:51 pm Jordi Espasa Clofent wrote:
> > Hi,
> >
> > There is a functionality in pf, that allows you to have an application to
> > update a list of hosts, that is used in a rule. You could have a script
> > harvest the addresses from your log files, and then update the table in
> > pf.
> > I have not tried it myself, but was looking at adopting an
> > implementation to create a tarpit for spammers based on this idea.
>
> Yes Tim, I know it. The "problem" is the servers are built in IPFW as
> firewall solution.
> I've tried the "limit" IPFW's option... but isn't exactly what I'm
> looking for.

As far as I know you can run both. You can just have minimal rules in pf to
deal with this, and pass everything else, and deal with the rest in ipfw.

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 13:06:34 2008
From: Ian Smith
To: Dan Lukes
Cc: freebsd security
Date: Tue, 22 Jan 2008 00:06:17 +1100 (EST)
In-Reply-To: <47948C99.8060504@obluda.cz>
Subject: Re: denyhosts-like app for MySQLd?

On Mon, 21 Jan 2008, Dan Lukes wrote:

> Ian Smith napsal/wrote, On 01/21/08 12:55:
> > No problem; IPFW has tables too, and sets, with which you could
> > enable/disable or
>
> It interests me:
>
> > swap your script-constructed tables atomically.
>
> I know how to create a new set of rules then move it using "ipfw set move"
> atomically, but I don't know how to fill a new table then move it into its
> place atomically.
>
> So, how to swap tables in one step?

ipfw(8) usage, probably should be followed up on questions@ ..

Clearly, rules in different sets can refer to the same or to different
table/s, so a 'set swap' can accomplish a 'table swap'.

'ipfw set [disable number ...] [enable number ...]' is atomic also.

cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 13:08:50 2008
From: Willem Jan Withagen
To: Jordi Espasa Clofent
Date: Mon, 21 Jan 2008 13:38:07 +0100
Message-ID: <4794922F.8090009@digiware.nl>
In-Reply-To: <47947587.2010106@opengea.org>
Cc: freebsd-security@freebsd.org
Subject: Re: denyhosts-like app for MySQLd?

Jordi Espasa Clofent wrote:
>> Hi,
>>
>> There is a functionality in pf, that allows you to have an application
>> to update a list of hosts, that is used in a rule. You could have a
>> script harvest the addresses from your log files, and then update the
>> table in pf. I have not tried it myself, but was looking at adopting
>> an implementation to create a tarpit for spammers based on this idea.
>
> Yes Tim, I know it. The "problem" is the servers are built in IPFW as
> firewall solution.
> I've tried the "limit" IPFW's option... but isn't exactly what I'm
> looking for.

Have a look at swatch in the ports, and build some rules that add
blocking rules to the beginning of your firewall rule set.
I've got servers running with > 3500 rules ;), and the box doesn't
even notice it.
(you can even/easily do things in perl embedded in the rules.)

The best suggestion is of course to only let those in, you want to let
in. Block others by default.

I'm using the above scenario on public mailservers, with harvesting
from the postgrey output. And from the ssh log output.
--WjW

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 14:18:28 2008
From: Dag-Erling Smørgrav
To: Wes Peters
Cc: freebsd-security@freebsd.org
Date: Mon, 21 Jan 2008 15:18:18 +0100
Message-ID: <86bq7fntxx.fsf@ds4.des.no>
In-Reply-To: <9019C94F-5618-44F3-9590-D63C19A36B60@opensail.org>
Subject: Re: ident daemon: oIdentd creating a lot of processes

Wes Peters writes:
> Fabian Wenk writes:
> > Is there a reason why you
> > do not use the identd from FreeBSD itself?
> Alternatively, use 'liedentd' from ports and it won't give away
> information about your users. It also won't create any additional
> processes - I promise.

uh, inetd's own identd can also be configured to not reveal any
information, and doesn't create any additional processes either, so
what's your upside?

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Jan 21 19:29:36 2008
From: Jordi Espasa Clofent
To: freebsd-security@freebsd.org
Date: Mon, 21 Jan 2008 20:29:34 +0100
Message-ID: <4794F29E.2060602@opengea.org>
In-Reply-To: <200801211253.48663.tim@priebe.alt.na>
Subject: Re: denyhosts-like app for MySQLd?

> As far as I know you can run both. You can just have minimal rules in pf to
> deal with this, and pass everything else, and deal with the rest in ipfw.

I'm not a coder... but I think it shouldn't be a good idea.

--
Thanks,
Jordi Espasa Clofent

From owner-freebsd-security@FreeBSD.ORG Tue Jan 22 00:40:15 2008
From: mouss
To: freebsd-security@freebsd.org
Date: Tue, 22 Jan 2008 01:34:10 +0100
Message-ID: <47953A02.6030306@netoyen.net>
In-Reply-To: <4794922F.8090009@digiware.nl>
Subject: Re: denyhosts-like app for MySQLd?

Willem Jan Withagen wrote:
> Jordi Espasa Clofent wrote:
>>> Hi,
>>>
>>> There is a functionality in pf, that allows you to have an
>>> application to update a list of hosts, that is used in a rule. You
>>> could have a script harvest the addresses from your log files, and
>>> then update the table in pf. I have not tried it myself, but was
>>> looking at adopting an implementation to create a tarpit for
>>> spammers based on this idea.
>>
>> Yes Tim, I know it. The "problem" is the servers are built with IPFW as
>> the firewall solution.
>> I've tried the "limit" IPFW option... but it isn't exactly what I'm
>> looking for.
>
> Have a look at swatch in the ports, and build some rules that add
> blocking rules to the beginning of your firewall rule set.
> I've got servers running with > 3500 rules ;), and the box doesn't
> even notice it.
> (you can even/easily do things in perl embedded in the rules.)

make sure to parse the logs "strictly". consider this:

# mysql -h yourserver -u foo\'@\'10.1.2.3.4\' ...
Access denied for user 'foo'@'10.1.2.3.4''@'yourip' (using password: NO)

so you'd better pick the right IP here.

>
> The best suggestion is of course to only let those in, you want to let
> in. Block others by default.
>
> I'm using the above scenario on public mailservers, with harvesting
> from the postgrey output. And from the ssh log output.
>
> --WjW

From owner-freebsd-security@FreeBSD.ORG Tue Jan 22 00:45:17 2008
Message-ID: <47953894.8020906@netoyen.net>
Date: Tue, 22 Jan 2008 01:28:04 +0100
From: mouss
To: freebsd-security@freebsd.org
References: <47946AD3.2020601@opengea.org>
In-Reply-To: <47946AD3.2020601@opengea.org>
Subject: Re: denyhosts-like app for MySQLd?

Jordi Espasa Clofent wrote:
> Hi all,
>
> ¿Is there any app like denyhosts[1] but intended for the MySQLd service?
>
> We have a mysql port (3306) opened for remote connections, and
> obviously the /var/db/mysql/machine_name.log is full of these kinds of
> entries:
>
> ...........
> 936012 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936013 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936014 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936016 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936018 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936019 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> ............
>
> The idea is blocking the abusive IPs in an automated way.

why do you open your mysql port to the world?

if you want to let users in from any place, then an ssh tunnel is safer
(yes, works even on windows, using putty or whatever. and a user who
finds this difficult shouldn't be able to run sql commands!).

If this is too much, at least use a different port to reduce the noise
(This won't add security, but will somehow limit exposure).
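The two mouss replies above make a pair of points worth seeing together: a denyhosts-style harvester must parse the MySQL log strictly, because the username in an "Access denied" line is chosen by the remote side and can itself contain `'@'`, and only a real source IP is worth turning into a firewall rule. The script below is an added example written for this thread, not code from any participant, denyhosts or Fail2Ban. The log lines are constructed in the format Jordi quoted (one entry per line, as the general log writes them); the threshold of three failures, the ipfw rule numbers and the "10.1.2.3.4"/"203.0.113.7" values are assumptions of the example. Rules are only rendered as strings, nothing is executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of MySQL general-log "Connect" entries in the format quoted
# in the thread (one entry per line; the real log puts a tab after "Connect").
# Line 936015 carries a crafted username containing quotes and an '@', the case
# mouss describes, so that a naive parser picks up the wrong "IP".
SAMPLE_LOG = """\
936012 Connect\tAccess denied for user 'user'@'85.19.95.10' (using password: YES)
936013 Connect\tAccess denied for user 'user'@'85.19.95.10' (using password: YES)
936014 Connect\tAccess denied for user 'user'@'85.19.95.10' (using password: YES)
936015 Connect\tAccess denied for user 'foo'@'10.1.2.3.4''@'203.0.113.7' (using password: NO)
936016 Connect\tAccess denied for user 'root'@'localhost' (using password: YES)
936017 Connect\troot@localhost on
"""

# Naive pattern: the first quoted token after "user" is the username and the
# first quoted token after '@' is the host. A quote inside the username breaks it.
NAIVE_RE = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")

# Strict pattern: the host is the quoted token sitting directly before the
# "(using password: ...)" suffix at the end of the line, so nothing the remote
# side puts into the username can shift which field is taken as the host.
STRICT_RE = re.compile(
    r"Access denied for user '(?P<user>.*)'@'(?P<host>[^'@]+)' "
    r"\(using password: (?:YES|NO)\)\s*$"
)


def parse_denied(line, pattern=STRICT_RE):
    """Return (user, host) for an 'Access denied' line, else None."""
    m = pattern.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2)


def as_ipv4(host):
    """Return the canonical IPv4 string for host, or None if it is not one.

    'localhost', hostnames and malformed strings such as '10.1.2.3.4' all
    yield None: there is nothing a firewall rule could sensibly block there.
    """
    try:
        return str(ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        return None


def offenders(log_text, threshold=3):
    """Count denied connects per source IP; return the IPs at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_denied(line)
        if parsed is None:
            continue
        ip = as_ipv4(parsed[1])
        if ip is not None:
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def ipfw_block_rules(ips, first_rule=100):
    """Render ipfw(8) deny rules for the MySQL port as strings (nothing is run).

    Low rule numbers put the blocks at the start of the rule set, as Willem
    suggests for the swatch approach.
    """
    return [
        f"ipfw add {first_rule + i} deny tcp from {ip} to me dst-port 3306"
        for i, ip in enumerate(ips)
    ]


if __name__ == "__main__":
    crafted = SAMPLE_LOG.splitlines()[3]
    print("naive :", parse_denied(crafted, NAIVE_RE))   # ('foo', '10.1.2.3.4')
    print("strict:", parse_denied(crafted))             # ("foo'@'10.1.2.3.4'", '203.0.113.7')
    for rule in ipfw_block_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Run stand-alone it prints the naive and strict parses of the crafted line side by side, then one deny rule for 85.19.95.10; the crafted line contributes nothing to the rules because its real source appears only once, and the `localhost` entry is skipped because it carries no address to block. Anchoring the host to the end of the line is the whole trick: the username field is attacker-controlled, the suffix is not.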
From owner-freebsd-security@FreeBSD.ORG Tue Jan 22 03:33:44 2008
Message-ID: <20080121205722.GA62295@obiwan.tataz.chchile.org>
Date: Mon, 21 Jan 2008 21:57:22 +0100
From: Jeremie Le Hen
To: Jordi Espasa Clofent
Cc: freebsd-security@freebsd.org
References: <47946AD3.2020601@opengea.org>
In-Reply-To: <47946AD3.2020601@opengea.org>
Subject: Re: [fbsd] denyhosts-like app for MySQLd?

Hi,

On Mon, Jan 21, 2008 at 10:50:11AM +0100, Jordi Espasa Clofent wrote:
> We have a mysql port (3306) opened for remote connections, and obviously
> the /var/db/mysql/machine_name.log is full of these kinds of entries:
>
> ...........
> 936012 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936013 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936014 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936016 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936018 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936019 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> ............
>
> The idea is blocking the abusive IPs in an automated way.
>
> [1] http://denyhosts.sourceforge.net/

You may have a look at Fail2Ban:
http://www.fail2ban.org/wiki/index.php/Features

--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Tue Jan 22 15:08:23 2008
Message-ID: <479606E4.2070607@opengea.org>
Date: Tue, 22 Jan 2008 16:08:20 +0100
From: Jordi Espasa Clofent
To: freebsd-security@freebsd.org
References: <47946AD3.2020601@opengea.org> <47953894.8020906@netoyen.net>
In-Reply-To: <47953894.8020906@netoyen.net>
Subject: Re: denyhosts-like app for MySQLd?
> why do you open your mysql port to the world?
>
> if you want to let users in from any place, then an ssh tunnel is safer
> (yes, works even on windows, using putty or whatever. and a user who
> finds this difficult shouldn't be able to run sql commands!).

I completely agree with you; the problem is always the same: the
decisions are taken by non-technical staff a lot of the time.
I've proposed ssh tunnels for MySQL remote connections... but it
means "so hard" for final customers....

> If this is too much, at least use a different port to reduce the noise
> (This won't add security, but will somehow limit exposure).

Of course.

--
Thanks,
Jordi Espasa Clofent

From owner-freebsd-security@FreeBSD.ORG Tue Jan 22 16:33:33 2008
Date: Tue, 22 Jan 2008 08:33:30 -0800
From: Wes Peters
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
References: <20080120120016.6EBDA16A4DF@hub.freebsd.org> <9019C94F-5618-44F3-9590-D63C19A36B60@opensail.org> <86bq7fntxx.fsf@ds4.des.no>
In-Reply-To: <86bq7fntxx.fsf@ds4.des.no>
Subject: Re: ident daemon: oIdentd creating a lot of processes

On Jan 21, 2008, at 6:18 AM, Dag-Erling Smørgrav wrote:
> Wes Peters writes:
>> Fabian Wenk writes:
>>> Is there a reason why you do not use the identd from FreeBSD itself?
>> Alternatively, use 'liedentd' from ports and it won't give away
>> information about your users. It also won't create any additional
>> processes - I promise.
>
> uh, inetd's own identd can also be configured to not reveal any
> information, and doesn't create any additional processes either, so
> what's your upside?

Not having to run inetd? No configuration? Simple, easy to audit code?

--
Where am I, and what am I doing in this handbasket?
Wes Peters                                              wes@opensail.org

From owner-freebsd-security@FreeBSD.ORG Wed Jan 23 01:59:25 2008
Message-ID: <47969F79.30500@netoyen.net>
Date: Wed, 23 Jan 2008 02:59:21 +0100
From: mouss
Cc: freebsd-security@freebsd.org
References: <47946AD3.2020601@opengea.org> <47953894.8020906@netoyen.net> <479606E4.2070607@opengea.org>
In-Reply-To: <479606E4.2070607@opengea.org>
Subject: Re: denyhosts-like app for MySQLd?

Jordi Espasa Clofent wrote:
>> why do you open your mysql port to the world?
>>
>> if you want to let users in from any place, then an ssh tunnel is
>> safer (yes, works even on windows, using putty or whatever. and a
>> user who finds this difficult shouldn't be able to run sql commands!).
>
> I completely agree with you; the problem is always the same: the
> decisions are taken by non-technical staff a lot of the time.
> I've proposed ssh tunnels for MySQL remote connections... but it
> means "so hard" for final customers....

I know it's not easy. but depending on your customers, you may have some
chances!

- if they can buy a license for sqlyog, it will support sql tunnels
  directly (otherwise, you need an external tunnel, which you can set up
  with putty or whatever).
- it should not be hard to use an ssl tunnel (stunnel or whatever)
- you might be able to ask what IPs are supposed to get there. even if
  it's not precise, this could reduce risks by only allowing a few networks.

>
>> If this is too much, at least use a different port to reduce the
>> noise (This won't add security, but will somehow limit
>> exposure).
>
> Of course.
>

This is generally considered "security by obscurity". I don't think so.
This is making it harder for an attacker to get there without being
noticed. while a script kiddie can run his script to try a standard port,
if he wants to get inside a "local" port, he'll need to try many ports
and for each port try the right protocol. This gives us time to get him.
From owner-freebsd-security@FreeBSD.ORG Wed Jan 23 21:34:08 2008
Message-ID: <4797B2D2.3030602@opengea.org>
Date: Wed, 23 Jan 2008 22:34:10 +0100
From: Jordi Espasa Clofent
To: freebsd-security@freebsd.org
References: <47946AD3.2020601@opengea.org> <47953894.8020906@netoyen.net> <479606E4.2070607@opengea.org> <47969F79.30500@netoyen.net>
In-Reply-To: <47969F79.30500@netoyen.net>
Subject: Re: denyhosts-like app for MySQLd?

> I know it's not easy. but depending on your customers, you may have some
> chances!
> - if they can buy a license for sqlyog, it will support sql tunnels
> directly (otherwise, you need an external tunnel, which you can set up
> with putty or whatever).

This option is, simply, impossible. We cannot "force" the final customers
to acquire any kind of product.

> - it should not be hard to use an ssl tunnel (stunnel or whatever)

Mmmmm.... it means easier than ssh-tunneling (from the customers' point
of view). I have to investigate this method carefully.

> - you might be able to ask what IPs are supposed to get there. even if
> it's not precise, this could reduce risks by only allowing a few networks.

Yes. We have already done it, but the related problem is that a lot of
customers don't have static IPs.

> This is generally considered "security by obscurity". I don't think so.
> This is making it harder for an attacker to get there without being
> noticed. while a script kiddie can run his script to try a standard port,
> if he wants to get inside a "local" port, he'll need to try many ports
> and for each port try the right protocol. This gives us time to get him.

;)

--
Thanks,
Jordi Espasa Clofent