From owner-freebsd-security Mon Nov 12 2:12:36 2001
Date: Fri, 9 Nov 2001 10:32:46 +0100
From: Axel Scheepers
To: setantae
Cc: questions@freebsd.org, security@freebsd.org
Subject: Re: too many dynamic rules
Message-ID: <20011109103246.B27252@mars.thuis>
In-Reply-To: <20011108201207.GA49594@rhadamanth>

Hello,

The man page of ipfw says:

     net.inet.ip.fw.dyn_buckets: 256
     net.inet.ip.fw.curr_dyn_buckets: 256
             The configured and current size of the hash table used to
             hold dynamic rules.  This must be a power of 2.  The table
             can only be resized when empty, so in order to resize it on
             the fly you will probably have to flush and reload the
             ruleset.

These are the standard kernel variables for the hash table size. In your
config you should increase these values until you don't get the messages
anymore.

But it won't do any harm to look with tcpdump at what is causing the state
table to overflow, since these rules should be discarded after a while, and
it looks like that doesn't happen. I myself use ipf/ipnat so I'm not so
familiar with ipfw rulesets; maybe someone can find something weird in these
that is causing that?

You can set these values using sysctl -w net.inet.ip.fw.dyn_buckets= and
sysctl -w net.inet.ip.fw.curr_dyn_buckets=. Keep in mind that this can't be
done when the firewall is running, so you should flush it first, apply the
changes and load the rules again.

Hope this helps,
Axel

On Thu, Nov 08, 2001 at 08:12:07PM +0000, setantae wrote:
> Date: Thu, 8 Nov 2001 20:12:07 +0000
> From: setantae
> To: questions@freebsd.org, security@freebsd.org
> Subject: too many dynamic rules
>
> Can't find anything in the archives at MARC, and not sure which list
> I should be talking to, so please set followups appropriately if it
> bothers you.
>
> For approximately 18 seconds today my firewall went apesh*t
> (these are all relevant entries) :
>
> Nov 8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
> Nov 8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)

Stripped down a bit ...

>
> At the time there was only one user logged onto the box, and no clients
> behind the firewall - unfortunately I have no idea what I was doing at the
> time, although I have been upgrading older ports today (cannot find any
> files that were created at the times above though).
>
> This box is a dual piii-866 with 512mb of ram, doesn't do much and
> has maxusers set to 128.
>
> The other interesting thing is that although dynamic rules are still being
> created (since I can access stuff from another box on the LAN),
> ipfw -at l no longer shows them.
>

The Ruleset:

>
> ## Deny fragments
> add 00105 deny all from any to any frag
>
> #### 00110 Unprotect the LAN interface
> add 00110 allow all from any to any via dc0
>
> #### 00200 Stop RFC 1918 traffic
> #add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
> #add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
>
> add 00202 deny log all from any to 10.0.0.0/8
> add 00203 deny log all from 10.0.0.0/8 to any
>
> add 00204 deny log all from any to 172.16.0.0/12
> add 00205 deny log all from 172.16.0.0/12 to any
>
> #add 00206 deny log all from 192.168.0.0/16 to any in via ed0
> #add 00207 deny log all from any to 192.168.0.0/16 in via ed0
>
> add 00206 divert natd all from any to any via ed0
>
> add 00207 pass all from 192.168.10.0/24 to any via ed0
> add 00208 pass all from any to 192.168.10.0/24 via ed0
> add 00209 deny log all from any to 192.168.0.0/16 via ed0
> add 00210 deny log all from 192.168.0.0/16 to any via ed0
>
> #### 00400 Check state and allow tcp connections created by us.
> add 00400 check-state
> add 00401 allow tcp from any to any out keep-state
> #add 00402 deny log tcp from any to any in established
> add 00403 allow udp from any to any 53 keep-state
> add 00404 allow udp from any to any out
>
> ##NTP
> add 00421 allow udp from 130.88.200.98 123 to any
> add 00422 allow udp from 130.88.203.12 123 to any
>
> #### 00500 DHCP stuff
> add 00501 allow udp from 62.252.32.3 to any 68 in via ed0
>
> #### 00600 ICMP stuff
> # path-mtu
> add 00600 allow icmp from any to any icmptypes 3
> # source quench
> add 00601 allow icmp from any to any icmptypes 4
> #ping
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> #traceroute
> add 00604 allow icmp from any to any icmptypes 11 in
>
> #### 00700 Services we want to make available.
> add 00701 allow tcp from any to any 22
> add 00702 allow tcp from 194.168.4.200 to any 113
> #add 00703 allow tcp from any to any 21 out
>
> #### 65000 And deny everything else.
> add 65007 deny log ip from any to any

--
Axel Scheepers
UNIX System Administrator
email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
In America, any boy may become president and I suppose that's just one of
the risks he takes.
-- Adlai Stevenson
------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Nov 12 5:21:58 2001
Date: Mon, 12 Nov 2001 08:21:14 -0500
From: "Wade Majors"
Subject: Filtering packets based on incoming address
Message-ID: <000001c16b7c$eb2f0ad0$9700a8c0@ezri>

When reading through http://www.sans.org/top20.htm the other day, I noticed
G5. It talks about how packets can be "spoofed" to really target a machine
on my network and not the gateway.

I added these rules to my /etc/ipfw.rules file:

# block spoofed packets going to private network
add 00001 deny ip from any to 192.168.0.1/24 in recv fxp0
# block spoofed packets going to cable modem
add 00002 deny ip from any to 10.97.48.1 in recv fxp0

These are the only things before natd, which is rule 00050.

In the few days I've had them in; it hasn't caught anything, so I'm going to
assume this isn't breaking anything legitimate. The question is: is this the
right way to check for this stuff, anyway? Should I even worry about this
since my network is using private IPs?

-Wade
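An added example for Wade's question above (this is not code from Wade's post or from any reply; it is added here): a small script that generates an ipfw anti-spoofing prologue of the kind he describes. It keeps his two rules but gives them "log", so that "ipfw show" counters and syslog actually reveal hits, and it adds denies for packets arriving on the external interface that claim an RFC 1918 or loopback source, which no outside host can legitimately use. It assumes ipfw on FreeBSD, that the prologue is numbered below the natd divert rule (00050 in Wade's setup), and that net.inet.ip.fw.verbose is 1 so logged rules reach syslog; the interface name, LAN range and modem address are placeholders taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: generate an ipfw anti-spoofing
# prologue. Assumes ipfw on FreeBSD and net.inet.ip.fw.verbose=1 (otherwise
# "log" rules still count hits in "ipfw show" but write nothing to syslog).
#
#   $1  external interface, e.g. fxp0
#   $2  LAN network in CIDR form, e.g. 192.168.0.0/24
#   $3  optional: provider-side host that must never be the destination of
#       a packet arriving from outside (Wade's cable modem, 10.97.48.1)
antispoof_rules() {
    ext_if="$1"; lan_net="$2"; modem_ip="${3:-}"
    n=1
    emit() { printf 'add %05d %s\n' "$n" "$1"; n=$((n + 1)); }

    # Nothing from outside may be addressed to our LAN range ...
    emit "deny log ip from any to $lan_net in recv $ext_if"
    # ... nor claim to originate from it.
    emit "deny log ip from $lan_net to any in recv $ext_if"
    if [ -n "$modem_ip" ]; then
        emit "deny log ip from any to $modem_ip in recv $ext_if"
    fi
    # RFC 1918 and loopback sources are never valid on the external link.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        emit "deny log ip from $net to any in recv $ext_if"
    done
}

# Number of rules the prologue occupies: keep it below the natd divert rule
# (00050 in Wade's setup), since these checks only help if they run before NAT.
antispoof_rule_count() {
    antispoof_rules "$@" | grep -c '^add '
}

# "show" prints the rules; "apply" feeds them to ipfw one by one.
case "${1:-}" in
    show)  antispoof_rules "$2" "$3" "${4:-}" ;;
    apply) antispoof_rules "$2" "$3" "${4:-}" | while read -r rule; do
               # word splitting of $rule into ipfw arguments is intended
               ipfw -q $rule
           done ;;
esac
```

Usage: "sh antispoof.sh show fxp0 192.168.0.0/24 10.97.48.1" prints the seven rules; "apply" loads them. One caveat before applying the RFC 1918 source denies: if the provider's modem is reached over a private address (as the 10.97.48.1 in Wade's post suggests) and you expect replies from it on the external interface, add an explicit allow for that single host ahead of the 10.0.0.0/8 deny, otherwise those replies are dropped and logged.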
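For the "too many dynamic rules" thread at the top of this digest, an added example (not Axel's or setantae's code) that carries out the resize procedure Axel describes: refuse sizes that are not a power of two, flush the ruleset so the dynamic table is empty, set the sysctl, reload the rules, and read the table size and occupancy back. It assumes FreeBSD with ipfw, a rules file of "add ..." lines at the placeholder path RULESET that "ipfw <file>" can load, and that net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max report the live number of dynamic rules and the hard cap; DRY_RUN=1 (the default here) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: resize the ipfw dynamic-rule hash
# table safely. Assumes FreeBSD ipfw; RULESET is a placeholder path to a
# file of "add ..." lines loadable with "ipfw <file>".
DRY_RUN="${DRY_RUN:-1}"
RULESET="${RULESET:-/etc/ipfw.rules}"

# Succeed only if $1 is a positive power of two (the man page constraint).
# Pure shell arithmetic, so it can be checked without ipfw present.
is_power_of_two() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$n" -gt 0 ] || return 1
    while [ $((n % 2)) -eq 0 ]; do
        n=$((n / 2))
    done
    [ "$n" -eq 1 ]
}

# Run a privileged command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Configured size, what the kernel actually allocated, and how full it is.
# dyn_count/dyn_max are assumed to hold the live count and the hard cap.
show_dyn_state() {
    run sysctl net.inet.ip.fw.dyn_buckets net.inet.ip.fw.curr_dyn_buckets \
               net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max
}

# The table can only be resized while it is empty: flush the whole ruleset
# (which drops the dynamic entries), set the new size, reload the rules.
# Flushing also removes every static rule until the reload completes.
resize_dyn_buckets() {
    size="$1"
    if ! is_power_of_two "$size"; then
        echo "dyn_buckets must be a power of two, got '$size'" >&2
        return 1
    fi
    show_dyn_state
    run ipfw -f flush
    run sysctl -w net.inet.ip.fw.dyn_buckets="$size"
    run ipfw -q "$RULESET"
    # curr_dyn_buckets follows dyn_buckets once the table is re-created.
    show_dyn_state
}
```

Run it from the console, not over a remote session: between "ipfw -f flush" and the reload the kernel's default policy applies, which is deny unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, so a remote shell would be cut off at the flush. Comparing dyn_count against dyn_max before and after also tells you whether the entries are really expiring, which is the question Axel raises about setantae's ruleset.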

From owner-freebsd-security Mon Nov 12 5:52:15 2001
Date: Mon, 12 Nov 2001 08:51:33 -0500
From: "Wade Majors"
Subject: RE: Filtering packets based on incoming address
Message-ID: <000601c16b81$26a957b0$9700a8c0@ezri>

> >In the few days I've had them in; it hasn't caught anything,
>
> How do you determine this?  You don't specify "log" for the rules.

`ipfw show` shows 0-0 for both rules

> For my own network (behind a single static routable IP address), I check
> for & block quite a bit more, both before & after NAT.  I used the
> "simple" /etc/rc.firewall as a starting-point, and augmented it
> considerably -- especially when I deployed a second, untrusted, net that
> is also behind my firewall (for the wireless access).

I am doing per port blocking/allowing after the natd rule, which seems to
be working okay for me.
-Wade

From owner-freebsd-security Mon Nov 12 6:00:23 2001
Date: Mon, 12 Nov 2001 08:59:47 -0500
From: "Wade Majors"
Subject: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <001201c16b82$4da9d1e0$9700a8c0@ezri>

When reading through http://www.sans.org/top20.htm the other day, I noticed
G5. It talks about how packets can be "spoofed" to really target a machine
on my network and not the gateway.

I added these rules to my /etc/ipfw.rules file:

# block spoofed packets going to private network
add 00001 deny ip from any to 192.168.0.1/24 in recv fxp0
# block spoofed packets going to cable modem
add 00002 deny ip from any to 10.97.48.1 in recv fxp0

These are the only things before natd, which is rule 00050.

In the few days I've had them in; it hasn't caught anything, so I'm going to
assume this isn't breaking anything legitimate. The question is: is this the
right way to check for this stuff, anyway? Should I even worry about this
since my network is using private IPs?
-Wade

From owner-freebsd-security Mon Nov 12 6:10:40 2001
Date: Mon, 12 Nov 2001 15:10:34 +0100
From: Bart Matthaei
To: Wade Majors
Cc: freebsd-security@freebsd.org
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112151034.A23730@heresy.dreamflow.nl>
In-Reply-To: <001201c16b82$4da9d1e0$9700a8c0@ezri>

On Mon, Nov 12, 2001 at 08:59:47AM -0500, Wade Majors wrote:
> These are the only things before natd, which is rule 00050.

That's a good thing. It's wise to set those rules before you pass any packet
to natd.

> In the few days I've had them in; it hasn't caught anything, so I'm
> going to assume this isn't breaking anything legitimate. The question
> is: is this the right way to check for this stuff, anyway? Should I even
> worry about this since my network using private IPs?

The chance of people using this technique isn't very big; nevertheless,
securing yourself from it is a good thing.
The way you deny access to your services (set up for your private net) from
the outside world depends on your technique of firewalling. I set a default
rule on deny, and allow everything coming in from my private network's
interface (so not with IP classes).

If you allow services from your internal net by allowing certain IP classes,
it's wise to block packets coming from those IP classes via the external
interface. (deny all from $ipclass to any recv $extrnl_if)

Hope this helps ;)

Rgds,

B.

--
Bart Matthaei                                          bart@dreamflow.nl
/* Welcome to my world.. You just live in it */

From owner-freebsd-security Mon Nov 12 6:25:04 2001
Date: Mon, 12 Nov 2001 08:24:16 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: freebsd-security@freebsd.org
Subject: NAT vs Application layer proxy
Message-ID: <3BEFDB90.9CD7AEB7@centtech.com>
What are some of the advantages/disadvantages of an application layer proxy
server, versus a box running NAT with packet filtering on it (like ipfilter
or IPFW)?

Eric

--
-------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology
No single raindrop believes it is to blame for the flood.
-------------------------------------------------------------

From owner-freebsd-security Mon Nov 12 6:28:57 2001
Date: Mon, 12 Nov 2001 09:22:20 -0500
From: Mike Tancsa
To: anderson@centtech.com, freebsd-security@FreeBSD.ORG
Subject: Re: NAT vs Application layer proxy
Message-ID: <5.1.0.14.0.20011112091952.06b2cb30@marble.sentex.ca>
In-Reply-To: <3BEFDB90.9CD7AEB7@centtech.com>

At 08:24 AM 11/12/01 -0600, Eric Anderson wrote:
>What are some of the advantages/disadvantages of an
>application layer proxy server, versus a box running NAT
>with packet filtering on it (like ipfilter or IPFW)?

Auditing is a big one.  Also, you can do neat things like block NIMDA
infected sites with Squid.

        ---Mike

>Eric

From owner-freebsd-security Mon Nov 12 8:21:57 2001
Date: Mon, 12 Nov 2001 11:22:08 -0500 (EST)
From: Francisco Reyes
To: "Martin J. Muench"
Cc: Francisco Reyes, FreeBSD Security List
Subject: Re: Free or Commercial crypto filesystem?
Message-ID: <20011112112045.B42614-100000@zoraida.natserv.net>
In-Reply-To: <20011104203304.X3191-100000@gomorrha.mjmnet>

On Sun, 4 Nov 2001, Martin J. Muench wrote:

> > Any currently working crypto filesystem for FreeBSD?
> CFS (Cryptographic File System): /usr/ports/security/cfs

I looked at cfs and it doesn't seem like any work is being done on it.

> > I found tcfs, but it seems they don't have the BSD version ready yet.
> There is only a NetBSD and an OpenBSD version at the moment at
> http://tcfs.dia.unisa.it/

That URL doesn't seem to work.

So far my search for a crypto fs for FreeBSD has not been very successful.
I guess I will have to wait to see if anything from the TrustedBSD project
will help on this.

From owner-freebsd-security Mon Nov 12 9:28:40 2001
Date: Mon, 12 Nov 2001 20:28:22 +0300
From: Dmitry Mottl
Organization: SINP MSU
To: freebsd-security@freebsd.org
Subject: jail questions
Message-ID: <3BF006B6.8090803@sinp.msu.ru>

HI, ALL!

1. How can I put a process into existing jail?
2. Can I setup quotas (processor, memory, disk) for root in jail environment?
3. Any links to articles about configuring FreeBSD box for virtual hosting?

THANK YOU!
--
Dmitry Mottl

From owner-freebsd-security Mon Nov 12 9:40:47 2001
Date: Mon, 12 Nov 2001 20:40:41 +0300 (MSK)
From: Alexey Zakirov
Subject: Re: jail questions
In-Reply-To: <3BF006B6.8090803@sinp.msu.ru>

On Mon, 12 Nov 2001, Dmitry Mottl wrote:

> 1. How can I put a process into existing jail?

No chance. Waiting for the jailNG. Generally you can start something like
sshd in the jail and start processes using it.

> 2. Can I setup quotas (processor, memory, disk) for root in jail environment?

quotactl(2) doesn't work inside jail(2). All other limits can be easily
overridden by superuser.
***
WBR, Alexey Zakirov (frank@agava.com)

From owner-freebsd-security Mon Nov 12 9:48:28 2001
Date: Mon, 12 Nov 2001 17:48:22 +0000
From: Adam Laurie
Organization: A.L. Group plc
To: Francisco Reyes
Cc: "Martin J. Muench", FreeBSD Security List
Subject: Re: Free or Commercial crypto filesystem?
Message-ID: <3BF00B66.11A3F4AF@algroup.co.uk>
References: <20011112112045.B42614-100000@zoraida.natserv.net>

Francisco Reyes wrote:
>
> On Sun, 4 Nov 2001, Martin J. Muench wrote:
>
> > > Any currently working crypto filesystem for FreeBSD?
> > CFS (Cryptographic File System): /usr/ports/security/cfs
>
> I looked at cfs and it doesn't seem like any work is being done on it.

meaning what? since it already works, what work would you like done on it?

incidentally, there was some talk recently about a new release on the netbsd
crypto mailing list, but i can't remember where it ended up...

i use cfs.1.4.0.beta2 and it works fine for me...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.
                              Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Mon Nov 12 10:15:37 2001
Date: Mon, 12 Nov 2001 19:14:36 +0100
From: Poul-Henning Kamp
To: Dmitry Mottl
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: jail questions
In-Reply-To: Your message of "Mon, 12 Nov 2001 20:28:22 +0300." <3BF006B6.8090803@sinp.msu.ru>
Message-ID: <22431.1005588876@critter.freebsd.dk>

In message <3BF006B6.8090803@sinp.msu.ru>, Dmitry Mottl writes:
>HI, ALL!
>
>1. How can I put a process into existing jail?

you can't.

>2. Can I setup quotas (processor, memory, disk) for root in jail environment?

You can not for cpu/ram.  You can for disk using normal quota, make one
partition per jail

>3. Any links to articles about configuring FreeBSD box for virtual hosting?

Not sure about this...

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security Mon Nov 12 10:18:31 2001
Date: Mon, 12 Nov 2001 20:25:55 +0200
From: Florin MANAILA
Organization: SoftNet Services
To: BSD
Subject: Secure
Message-ID: <3BF01433.CCD4F09A@softnet.ro>

Hi all,
Question:

How secure is FreeBSD compared with OpenBSD, NetBSD, Linux???
Best regards,

From owner-freebsd-security Mon Nov 12 10:24:40 2001
Date: Mon, 12 Nov 2001 12:24:37 -0600
From: Alfred Perlstein
To: Florin MANAILA
Cc: BSD
Subject: Re: Secure
Message-ID: <20011112122437.Q89342@elvis.mu.org>
In-Reply-To: <3BF01433.CCD4F09A@softnet.ro>

* Florin MANAILA [011112 12:18] wrote:
> Hi all,
> Question:
>
> How secure is FreeBSD compared with OpenBSD , NetBSD , Linux ???

FreeBSD has a strong focus on security; we do a lot of our own investigation
as well as tracking and collaborating with what's going on in OpenBSD,
NetBSD, Linux to make sure we're up to date and they are as well.

Nowadays with full disclosure everyone is doing pretty well relatively.

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3

From owner-freebsd-security Mon Nov 12 10:26:54 2001
Date: Mon, 12 Nov 2001 18:26:49 +0000
From: Alex Holst
To: BSD
Subject: Re: Secure
Message-ID: <20011112182649.GA44570@area51.dk>
In-Reply-To: <3BF01433.CCD4F09A@softnet.ro>

Quoting Florin MANAILA (florin.manaila@softnet.ro):
> How secure is FreeBSD compared with OpenBSD , NetBSD , Linux ???

The answers you are looking for are: "42" and "Monday."

--
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.
http://a.area51.dk/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 12 10:27:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id A16CA37B417 for ; Mon, 12 Nov 2001 10:27:48 -0800 (PST) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id fACIRiS14482; Mon, 12 Nov 2001 10:27:44 -0800 Date: Mon, 12 Nov 2001 10:27:44 -0800 From: Brooks Davis To: Florin MANAILA Cc: BSD Subject: Re: Secure Message-ID: <20011112102744.A13750@Odin.AC.HMC.Edu> References: <3BF01433.CCD4F09A@softnet.ro> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="PNTmBPCT7hxwcZjr" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3BF01433.CCD4F09A@softnet.ro>; from florin.manaila@softnet.ro on Mon, Nov 12, 2001 at 08:25:55PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --PNTmBPCT7hxwcZjr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Nov 12, 2001 at 08:25:55PM +0200, Florin MANAILA wrote: > How secure is FreeBSD compared with OpenBSD , NetBSD , Linux ??? That depends entierly on the administrator. If you don't run any services all of them are pretty similar. If you do run services, you are generally exposed to the same vulnerabilities as the others. The default FreeBSD install is a little more liberal then OpenBSD and significantly less liberal then the commercial Linux distros, but all of them can be made more or less equivalently secure. -- Broks --=20 Any statement of the form "X is the one, true Y" is FALSE. 
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --PNTmBPCT7hxwcZjr Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE78BSfXY6L6fI4GtQRAilqAJwPY8Yx3W372HcPNQbahIU3fA3UKQCeIgUG dCt+l3uNKX79y5Q9PRLK7yQ= =v4Ct -----END PGP SIGNATURE----- --PNTmBPCT7hxwcZjr-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 12 11:46: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.latnet.lv (mail.latnet.lv [159.148.108.208]) by hub.freebsd.org (Postfix) with SMTP id 79AC037B405 for ; Mon, 12 Nov 2001 11:45:58 -0800 (PST) Received: (qmail 14404 invoked by uid 64014); 12 Nov 2001 19:45:57 -0000 Received: from matiss@bkc.lv by mail with qmail-scanner-0.96 (. Clean. Processed in 0.352273 secs); 12 Nov 2001 19:45:57 -0000 Received: from weed.astranet.lv (HELO weird) (159.148.83.140) by mail.latnet.lv with SMTP; 12 Nov 2001 19:45:56 -0000 Message-ID: <007f01c16bb2$b01c7410$0300a8c0@weird> From: "Matiss Elsbergs" To: "Florin MANAILA" Cc: References: <3BF01433.CCD4F09A@softnet.ro> Subject: Re: Secure Date: Mon, 12 Nov 2001 21:46:08 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Depends on an administrator. If you are an experienced individual, and know a lot about a issue, you can make an WindowsNT or RedHat linux box as secure as hell. 
----- Original Message ----- From: "Florin MANAILA" To: "BSD" Sent: Monday, November 12, 2001 8:25 PM Subject: Secure > Hi all, > Question: > > How secure is FreeBSD compared with OpenBSD , NetBSD , Linux ??? > > > Best regards, > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 12 11:52:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id DC3C337B417 for ; Mon, 12 Nov 2001 11:52:33 -0800 (PST) Received: (from dillon@localhost) by apollo.backplane.com (8.11.6/8.9.1) id fACJqLZ06073; Mon, 12 Nov 2001 11:52:21 -0800 (PST) (envelope-from dillon) Date: Mon, 12 Nov 2001 11:52:21 -0800 (PST) From: Matthew Dillon Message-Id: <200111121952.fACJqLZ06073@apollo.backplane.com> To: "Anthony Atkielski" Cc: Subject: Re: FreeBSD and i386 VM hardware References: <01b301c16918$be1763a0$0a00000a@atkielski.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org :To what extent does FreeBSD actually use all the fancy virtual-memory features :of latter-day i386 processors? As I recall (it has been several years since I :looked into it), the Intel microprocessors provide some very elaborate features :for management of virtual memory, I/O operations, and security, allowing total :hardware isolation of untrusted processes. How much of this is used by FreeBSD? :I know that UNIX is supposed to isolate users from each other, but how much of :this is done in hardware, and how much of it is simulated in software? 
Very :tight security usually requires a lot of interdependency between the hardware :and the OS, and since UNIX is supposed to be a multiplatform OS, I'm wondering :how much hardware support for security is actually used by the system. Well, All UNIX OS's running in intel hardware, including FreeBSD, use most of the major MMU/VM features of the processor. Not all of them, because some just don't work properly, but certainly most of them. For example, FreeBSD uses ring 0 and ring 3 but ring 1 and ring 2 are completely useless to us due to the way interrupt stacks are designed in the intel architecture. We use 4K MMU pages predominantly but only use 4M MMU pages in certain (kernel-related) situations. At least for the moment. We use interrupt and trap gates but do not use the call-argument-crossing-ring-boundry or hardware tasking crap. This is really true of all UNIXes... it is the UNIX model, after all! While it is possible for root processes to access portions of the hardware directly, the number that do can be counted on one hand, must ask for it explicitly, and the feature can be disabled through the securelevel sysctl. 
-Matt
Matthew Dillon

From: "WebSec WebSec"
To: florin.manaila@softnet.ro
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 12 Nov 2001 20:21:21 +0000
Subject: Fwd: Re: Secure

I think it is important to differentiate between "network" security and
"local user" security. I assume that this question is about network
security. In this case, the security of the machine depends on the number
of services required to operate this machine and the security of all
network services running on that machine.

To give you an example, if you have a trojan horse running on any *BSD
machine - you understand the rest.

As far as the number of services required - I think all BSDs are the
same :) This is unlike Win NT and especially Win2K!

It is important to understand that in many cases very similar
applications are running on *BSDs and Linux! Remember this trojan horse
example?

The key is to not have extra services and hand-pick those that face the
Internet. Sometimes, it means a sacrifice in functionality... But then
again, one can always load a trojan... and ask which platform is more
secure...

I choose FreeBSD because it supports more advanced HW configurations. As
far as security, it can be secure if it is not that one big firm.

>To: florin.manaila@softnet.ro
>cc: freebsd-security@FreeBSD.ORG
>Date: 11/12/2001 02:46 PM
>From: owner-freebsd-security@FreeBSD.ORG
>Subject: Re: Secure
>
>Depends on an administrator.
>
>If you are an experienced individual, and know a lot about an issue, you can
>make a WindowsNT or RedHat Linux box as secure as hell.

From: Bart Matthaei
To: security@freebsd.org
Date: Mon, 12 Nov 2001 21:21:20 +0100
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112212120.A24857@heresy.dreamflow.nl>
In-Reply-To: <001201c16b82$4da9d1e0$9700a8c0@ezri>

On Mon, Nov 12, 2001 at 08:59:47AM -0500, Wade Majors wrote:
> These are the only things before natd, which is rule 00050.

That's a good thing. It's wise to set those rules before you pass any
packet to natd.

> In the few days I've had them in; it hasn't caught anything, so I'm
> going to assume this isn't breaking anything legitimate. The question
> is: is this the right way to check for this stuff, anyway? Should I even
> worry about this since my network using private IPs?

The chance of people using this technique on a home gateway isn't very
big; nevertheless, securing yourself from it is a good thing.

The way you deny access to your services (set up for your private net)
from the outside world depends on your technique of firewalling. I set a
default rule on deny, and allow everything coming in from my private
network's interface (so not with ip classes). If you allow services for
your internal net by allowing certain ip classes, it's wise to block
packets coming from those ip classes received by the external interface:

    deny all from $ipclass to any recv $external_if

Hope this helps ;)

Regards,

B.

--
Bart Matthaei bart@dreamflow.nl
/* Welcome to my world.. You just live in it */

From: Greg White
To: security@freebsd.org
Date: Mon, 12 Nov 2001 13:43:17 -0800
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112134317.A46767@greg.cex.ca>
In-Reply-To: <001201c16b82$4da9d1e0$9700a8c0@ezri>

On Mon Nov 11/12/01, 2001 at 08:59:47AM -0500, Wade Majors wrote:
> Should I even worry about this since my network using private IPs?

Since most ISPs do absolutely no filtering of RFC1918 addresses
anywhere, you positively _must_ do this. Try the following:

1. Remove the 'spoof' rules for RFC1918 addresses (temporarily).
2. Get to a host on an outside network.
3. On that host, "route add -net 192.168.0.0/24 ip.of.gate.way", where
   the 192.168.0.0 matches your internal network, and 'ip.of.gate.way'
   matches your host's external interface.
4. Sit back and enjoy unfettered access to all those internal hosts.

'Private' addresses are only private if all the routers on the internet
refuse to route them. Most do not. :(

--
Greg White

From: Bart Matthaei
To: security@freebsd.org
Date: Mon, 12 Nov 2001 22:54:07 +0100
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112225407.A25048@heresy.dreamflow.nl>
In-Reply-To: <20011112134317.A46767@greg.cex.ca>

On Mon, Nov 12, 2001 at 01:43:17PM -0800, Greg White wrote:
> Since most ISPs do absolutely no filtering of RFC1918 addresses
> anywhere, you positively _must_ do this. Try the following:
[snap]
> 'Private' addresses are only private if all the routers on the internet
> refuse to route them. Most do not. :(

Very true, but it's possible for small home gateways to filter on
interface (allow everything from the private interface). In that case,
you're not firewalling on ip level, so spoofing makes no difference.

B.

--
Bart Matthaei bart@dreamflow.nl
/* Welcome to my world.. You just live in it */

From: John De Boskey
To: Francisco Reyes
Cc: "Martin J. Muench", FreeBSD Security List
Date: Mon, 12 Nov 2001 19:10:50 -0500
Subject: Re: Free or Commercial crypto filesystem?
Message-ID: <20011112191050.A8585@bsdwins.com>
In-Reply-To: <20011112112045.B42614-100000@zoraida.natserv.net>

----- Francisco Reyes's Original Message -----
> On Sun, 4 Nov 2001, Martin J. Muench wrote:
>
> > > Any currently working crypto filesystem for FreeBSD?
> > CFS (Cryptographic File System): /usr/ports/security/cfs
>
> I looked at cfs and it doesn't seem like any work is being done on it.

Install the cfs port.

    freebsd2:ports %make search key=cfs
    Port:   cfs-1.4.0b2
    Path:   /usr/ports/security/cfs
    Info:   A cryptographic file system implemented as a user-space NFS server
    Maint:  green@FreeBSD.org
    Index:  security

reboot or otherwise make sure the daemon is started/running.

    mkdir /crypt

Set up a mount line:

    localhost:/null /crypt nfs rw,noauto,port=3049,intr,nfsv2 0 0

cmkdir to create an encrypted directory; cattach to attach to the
directory each time you log in; eg,

    cattach /ext/obtuse

now /crypt/obtuse is the plaintext view of the encrypted /ext/obtuse
directory.

Without knowing what you mean by no work being done on it, it's hard to
provide any specific answers. Is this really a -security issue or more
of a -questions topic?

-John

> > > I found tcfs, but it seems they don't have the BSD version ready yet.
> > > There is only a NetBSD and an OpenBSD version at the moment at
> > > http://tcfs.dia.unisa.it/
> > That URL doesn't seem to work.
>
> So far my search for a crypto fs for FreeBSD has not been very
> successful. I guess I will have to wait to see if anything from the
> TrustedBSD project will help on this.

From: Andrew Johns
To: Francisco Reyes
Cc: "Martin J. Muench", FreeBSD Security List
Date: Tue, 13 Nov 2001 11:27:34 +1100
Subject: Re: Free or Commercial crypto filesystem?
Message-ID: <3BF068F6.565EB1B2@kpi.com.au>
References: <20011112112045.B42614-100000@zoraida.natserv.net>

There's also rubberhose, although the website says that the Net|FreeBSD
kernel module has not (yet) been completed.

http://www.rubberhose.org/

Francisco Reyes wrote:
>
> On Sun, 4 Nov 2001, Martin J. Muench wrote:
>
> > > Any currently working crypto filesystem for FreeBSD?
> > CFS (Cryptographic File System): /usr/ports/security/cfs
>
> I looked at cfs and it doesn't seem like any work is being done on it.
>
> > > I found tcfs, but it seems they don't have the BSD version ready yet.
> > > There is only a NetBSD and an OpenBSD version at the moment at
> > > http://tcfs.dia.unisa.it/
> > That URL doesn't seem to work.
>
> So far my search for a crypto fs for FreeBSD has not been very
> successful. I guess I will have to wait to see if anything from the
> TrustedBSD project will help on this.

--
Andrew Johns
================================================================
BUGS: This utility is a prototype which lasted several years past its
expiration date and is greatly in need of death.
    - from FreeBSD sysinstall man page

From: Lamont Granquist
To: FreeBSD Security List
Date: Mon, 12 Nov 2001 16:57:39 -0800 (PST)
Subject: Bump-in-the-Road IPsec?
Message-ID: <20011112164936.F538-100000@coredump.scriptkiddie.org>
In-Reply-To: <3BF00B66.11A3F4AF@algroup.co.uk>

I'm trying to implement a transparent IPsec gateway and am wondering if I
can make it work under FreeBSD? What I want is a transparent bridge which
will encrypt communications between a set of machines on two different
subnets with real IP numbers. Something like:

           other servers
                 |
Server1 -- SG1 --+-- Router - - - INET - - - Router --- SG2 --- Server2

Server1 should have a real IP address, SG1 should have at least one real
IP address on one of its interfaces for administration. Server1 should be
able to talk to the other servers on its subnet with SG1 acting like a
transparent bridge. Server1 should also be able to talk to machines on the
internet through the router, unencrypted. However, for talking to Server2
(also with a real IP address) the traffic should go between SG1 and SG2
encrypted.

I've tried doing this with OpenBSD and have run into a problem in that I
can set up the transparent bridge, but from SG1 I cannot connect to
Server1 (the routing tables and the bridging tables don't seem to
communicate with each other).

Can I make something like this work under FreeBSD and what kind of magic
do I need to do?

From: Bill Fumerola
To: Greg White
Cc: security@freebsd.org
Date: Mon, 12 Nov 2001 19:15:18 -0600
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112191518.C81711@elvis.mu.org>
In-Reply-To: <20011112134317.A46767@greg.cex.ca>

On Mon, Nov 12, 2001 at 01:43:17PM -0800, Greg White wrote:
> 1. Remove the 'spoof' rules for RFC1918 addresses (temporarily).
> 2. Get to a host on an outside network.
> 3. On that host, "route add -net 192.168.0.0/24 ip.of.gate.way", where
>    the 192.168.0.0 matches your internal network, and 'ip.of.gate.way'
>    matches your host's external interface.
> 4. Sit back and enjoy unfettered access to all those internal hosts.

no, if you actually tried this, you'd be sitting back and wondering why
it doesn't work. continue reading.

> 'Private' addresses are only private if all the routers on the internet
> refuse to route them. Most do not. :(

incorrect, most do.

today's lesson: you can't control nexthop across the modern internet.

q: how is attacker getting to victim's gateway?
a: through attacker's gateway.

q: what will this router do when it gets a packet for 192.168.0.0/24?
a: pass the packet to its default gateway (if it has one) or drop it on
   the floor because it has learned no route for it.

q: what will the next router do when it gets a packet for 192.168.0.0/24?
a: see previous question.

so the 'attack' you describe only works:

if you can directly reach the victim over the victim's public
interface's link layer. now you have his mac address (or other lladdr)
and the manager of the broadcast domain can determine what equipment
that mac address (or other lladdr) is hanging off of.

OR

you have a tunnel between the attacker and victim gateway (ipsec, gre,
etc)

OR

every router in-between is ({un,}willingly) participating in the attack.
--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
- my anger management counselor can beat up your self-affirmation therapist

From: Alfred Perlstein
To: Bill Fumerola
Cc: Greg White, security@freebsd.org
Date: Mon, 12 Nov 2001 19:41:05 -0600
Subject: Re: Filtering packets based on incoming address [ack. plaintext now]
Message-ID: <20011112194105.C13393@elvis.mu.org>
In-Reply-To: <20011112191518.C81711@elvis.mu.org>

* Bill Fumerola [011112 19:15] wrote:
>
> every router in-between is ({un,}willingly) participating in the attack.

Bad router, no source routing plz! (right? :) )

--
-Alfred Perlstein [alfred@freebsd.org]
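The routing argument between Greg and Bill above, together with Bart's interface-based "deny all from $ipclass to any recv $external_if" rule, as an added worked model that is not code from any participant in the thread: it forwards one packet hop by hop with longest-prefix-match routing tables and shows which of Bill's cases let a packet for 192.168.0.0/24 reach the victim's gateway at all, and that a private-address filter on the public interface stops the ones that do. Every host name, address and routing table is constructed, and the filter extends Bart's source-address rule to private destinations as well.

```python
"""Hop-by-hop forwarding model for the 'route add -net 192.168.0.0/24' debate.
Added illustration for this thread, not code posted by any participant; every
host name, address and routing table is constructed (192.0.2.0/24,
198.51.100.0/24 and 203.0.113.0/24 are documentation ranges)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

class Node:
    """A host or router: forwarding table (prefix -> next-hop address, or None
    for a directly attached network) plus its on-link neighbours' addresses.
    ingress_filter applies Bart's 'deny all from $ipclass to any recv
    $external_if' on the public side, extended here to private destinations."""

    def __init__(self, name, addresses, routes, neighbours, ingress_filter=False):
        self.name = name
        self.addresses = list(addresses)
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}
        self.neighbours = set(neighbours)
        self.ingress_filter = ingress_filter

    def lookup(self, dst):
        """Longest-prefix match; KeyError when no entry (and no default) matches."""
        ip = ipaddress.ip_address(dst)
        matches = [p for p in self.routes if ip in p]
        if not matches:
            raise KeyError(dst)
        return self.routes[max(matches, key=lambda p: p.prefixlen)]

def forward(nodes, origin, src, dst, max_hops=8):
    """Walk one packet from the originating host; return (outcome, path)."""
    path, here = [], nodes[origin]
    for hop in range(max_hops):
        path.append(here.name)
        # Every hop after the first sees the packet arrive on its public side.
        if hop > 0 and here.ingress_filter and (is_private(src) or is_private(dst)):
            return "filtered", path
        try:
            next_hop = here.lookup(dst)
        except KeyError:          # no route: dropped on the floor
            return "no-route", path
        if next_hop is None:      # directly attached: delivered onto that LAN
            return "delivered", path
        if next_hop not in here.neighbours:
            # 'route add' named a gateway that is not on this link: cannot hand off.
            return "off-link", path
        here = nodes[next_hop]
    return "loop", path

def build(victim_filters=False, routers_participate=False, bogus_route=False):
    """Constructed topology: attacker-far - isp-a - core - isp-b - victim-gw,
    plus attacker-near, which shares the victim gateway's public link."""
    def leak(next_hop):   # a route for the victim's private net, if routers cooperate
        return {"192.168.0.0/24": next_hop} if routers_participate else {}
    far = {"192.0.2.0/24": None, "0.0.0.0/0": "192.0.2.1"}
    if bogus_route:
        far["192.168.0.0/24"] = "203.0.113.10"      # Greg's step 3
    nodes = [
        Node("attacker-far", ["192.0.2.20"], far, ["192.0.2.1"]),
        Node("isp-a", ["192.0.2.1", "198.51.100.3"],
             {"192.0.2.0/24": None, "0.0.0.0/0": "198.51.100.1", **leak("198.51.100.1")},
             ["192.0.2.20", "198.51.100.1"]),
        Node("core", ["198.51.100.1"],              # no default route here
             {"198.51.100.0/24": None, "203.0.113.0/24": "198.51.100.2",
              **leak("198.51.100.2")},
             ["198.51.100.3", "198.51.100.2"]),
        Node("isp-b", ["198.51.100.2", "203.0.113.1"],
             {"0.0.0.0/0": "198.51.100.1", **leak("203.0.113.10")},
             ["198.51.100.1", "203.0.113.10"]),
        Node("victim-gw", ["203.0.113.10"],
             {"192.168.0.0/24": None, "0.0.0.0/0": "203.0.113.1"},
             ["203.0.113.1", "203.0.113.66"], ingress_filter=victim_filters),
        Node("attacker-near", ["203.0.113.66"],
             {"192.168.0.0/24": "203.0.113.10", "0.0.0.0/0": "203.0.113.1"},
             ["203.0.113.1", "203.0.113.10"]),
    ]
    return {addr: node for node in nodes for addr in node.addresses}

def scenarios(dst="192.168.0.5"):
    """Outcomes for the cases argued in the thread; dst is a host on the victim LAN."""
    far, near = "192.0.2.20", "203.0.113.66"
    return {
        # Greg's recipe from an arbitrary outside host: the gateway is off-link.
        "far_route_add": forward(build(bogus_route=True), far, far, dst),
        # Sent along the default route instead: Bill's 'dropped on the floor'.
        "far_default_route": forward(build(), far, far, dst),
        # Attacker on the victim's own public link: the case that does work...
        "near_unfiltered": forward(build(), near, near, dst),
        # ...until the gateway filters private addresses on its external interface.
        "near_filtered": forward(build(victim_filters=True), near, near, dst),
        # Every router in between carries a route for 192.168.0.0/24.
        "routers_participate": forward(build(True, True), far, far, dst),
    }
```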
http://www.morons.org/rants/gpl-harmful.php3 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 12 18: 7:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp2.cluster.oleane.net (smtp2.cluster.oleane.net [195.25.12.17]) by hub.freebsd.org (Postfix) with ESMTP id 1A68037B405 for ; Mon, 12 Nov 2001 18:07:18 -0800 (PST) Received: from diabolic-cow.chatgris.net (c2ce7707.fsp.oleane.fr [194.206.119.7]) by smtp2.cluster.oleane.net with ESMTP id fAD27BL52963; Tue, 13 Nov 2001 03:07:12 +0100 (CET) Received: by diabolic-cow.chatgris.net (Postfix, from userid 1000) id AD62C2F8; Mon, 12 Nov 2001 23:33:02 +0100 (CET) Date: Mon, 12 Nov 2001 23:33:02 +0100 From: =?iso-8859-1?Q?R=E9mi_Guyomarch?= To: freebsd-security@freebsd.org Cc: anderson@centtech.com Subject: Re: NAT vs Application layer proxy Message-ID: <20011112233302.A68973@diabolic-cow.chatgris.net> References: <3BEFDB90.9CD7AEB7@centtech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <3BEFDB90.9CD7AEB7@centtech.com>; from anderson@centtech.com on Mon, Nov 12, 2001 at 08:24:16AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Nov 12, 2001 at 08:24:16AM -0600, Eric Anderson wrote: > What are some of the advantages/disadvantages of an > application layer proxy server, versus a box running NAT > with packet filtering on it (like ipfilter or IPFW)? An application layer proxy server requires specific client support most of the time. 
-- Rémi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 12 18:14:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp5.cluster.oleane.net (smtp5.cluster.oleane.net [195.25.12.27]) by hub.freebsd.org (Postfix) with ESMTP id C0A4B37B418 for ; Mon, 12 Nov 2001 18:14:40 -0800 (PST) Received: from diabolic-cow.chatgris.net (c2ce7707.fsp.oleane.fr [194.206.119.7]) by smtp5.cluster.oleane.net with ESMTP id fAD2EVb68813; Tue, 13 Nov 2001 03:14:32 +0100 (CET) Received: by diabolic-cow.chatgris.net (Postfix, from userid 1000) id 5D82C1D5; Tue, 13 Nov 2001 03:14:38 +0100 (CET) Date: Tue, 13 Nov 2001 03:14:38 +0100 From: =?iso-8859-1?Q?R=E9mi_Guyomarch?= To: Lamont Granquist Cc: FreeBSD Security List Subject: Re: Bump-in-the-Road IPsec? Message-ID: <20011113031438.A45472@diabolic-cow.chatgris.net> References: <20011112164936.F538-100000@coredump.scriptkiddie.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <20011112164936.F538-100000@coredump.scriptkiddie.org>; from lamont@scriptkiddie.org on Mon, Nov 12, 2001 at 04:57:39PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Nov 12, 2001 at 04:57:39PM -0800, Lamont Granquist wrote: > > I'm trying to implement a transparent IPsec gateway and am wondering if I > can make it work under FreeBSD? What I want is a transparent bridge which > will encrypt communications between a set of machines on two different > subnets with real IP numbers. 
Something like:

>           other servers
>                 |
> Server1 -- SG1 --+-- Router - - - INET - - - Router --- SG2 --- Server2
>
> Server1 should have a real IP address, SG1 should have at least one real
> IP address on one of its interfaces for administration. Server1 should be
> able to talk to the other servers on its subnet with SG1 acting like a
> transparent bridge. Server1 should also be able to talk to machines on the
> internet through the router, unencrypted. However, for talking to Server2
> (also with a real IP address) the traffic should go between SG1 and SG2
> encrypted.
>
> I've tried doing this with OpenBSD and have run into a problem in that I
> can set up the transparent bridge, but from SG1 I cannot connect to
> Server1 (the routing tables and the bridging tables don't seem to
> communicate with each other).

On OpenBSD, use the gif device, along with IPSec in transport mode and the same bridge setup as described below. Btw, the OpenBSD approach is probably faster (completely kernel-based) and needs less overhead (no udp headers) than the FreeBSD solution.

> Can I make something like this work under FreeBSD and what kind of magic
> do I need to do?

On FreeBSD I would use /usr/ports/net/vtun/ with a tap(4) device. VTun is a pretty neat tunneling software. It can do {ip,ethernet,tty,pipe}-in-{udp,tcp}. It can also compress and/or encrypt the tcp or udp stream after the encapsulation stage. Since its crypt machinery is a bit too 'simple', you could use IPSec in transport mode to encrypt its streams.

           other servers
                 |
         a     b |                                   b      a
Server1 -- SG1 --+-- Router - - - INET - - - Router --- SG2 --- Server2

Vtun will create a tap(4) pseudo-interface. You can (hopefully) do with this interface everything you can do with a real interface. On SG1, create two bridges:
- SG1a + SG1b
- SG1a + tap0
Same thing on SG2:
- SG2a + SG2b
- SG2a + tap0

Simply for completeness, there's an ongoing port of FreeBSD's tap device to OpenBSD. But using gifs is probably better on OpenBSD.
PS: I didn't test such a setup, but it should work, modulo bugs :) -- Rémi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 12 18:31:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from diabolo.ifn.fr (diabolo.ifn.fr [195.25.216.97]) by hub.freebsd.org (Postfix) with ESMTP id D9B4237B405 for ; Mon, 12 Nov 2001 18:31:54 -0800 (PST) Received: from 127.0.0.1 (localhost.ifn.fr [127.0.0.1]) by localhost.ifn.fr (Postfix) with SMTP id BE307CB8AC; Tue, 13 Nov 2001 03:31:52 +0100 (CET) Received: by diabolo.ifn.fr (Postfix, from userid 1000) id 7CF61CB7DD; Tue, 13 Nov 2001 03:31:51 +0100 (CET) Date: Tue, 13 Nov 2001 03:31:51 +0100 From: Rémi Guyomarch To: Lamont Granquist , FreeBSD Security List Subject: Re: Bump-in-the-Road IPsec? Message-ID: <20011113033151.A56326@diabolo.ifn.fr> References: <20011112164936.F538-100000@coredump.scriptkiddie.org> <20011113031438.A45472@diabolic-cow.chatgris.net> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <20011113031438.A45472@diabolic-cow.chatgris.net>; from rguyom@pobox.com on Tue, Nov 13, 2001 at 03:14:38AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Nov 13, 2001 at 03:14:38AM +0100, Rémi Guyomarch wrote: ... > On OpenBSD, use the gif device, along with IPSec in transport mode > and the same bridge setup as described below. Damn! I just realised that gif(4) only handles IP frames :-( Still a transparent bridge, but only suitable for IP... [same thing with gre(4)] So far, for full ethernet-over-ip the only solution I see is vtun with a tap(4) device. Maybe someone there will feel creative with netgraph?
;) -- Rémi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 12 19: 6:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 25BE837B416 for ; Mon, 12 Nov 2001 19:06:55 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1098) id E3EE581D05; Mon, 12 Nov 2001 21:06:49 -0600 (CST) Date: Mon, 12 Nov 2001 21:06:49 -0600 From: Bill Fumerola To: Alfred Perlstein Cc: security@freebsd.org Subject: Re: Filtering packets based on incoming address [ack. plaintext now] Message-ID: <20011112210649.E81711@elvis.mu.org> References: <001201c16b82$4da9d1e0$9700a8c0@ezri> <20011112134317.A46767@greg.cex.ca> <20011112191518.C81711@elvis.mu.org> <20011112194105.C13393@elvis.mu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011112194105.C13393@elvis.mu.org>; from bright@mu.org on Mon, Nov 12, 2001 at 07:41:05PM -0600 X-Operating-System: FreeBSD 4.4-FEARSOME-20010909 i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Nov 12, 2001 at 07:41:05PM -0600, Alfred Perlstein wrote: > * Bill Fumerola [011112 19:15] wrote: > > > > every router in-between is ({un,}willingly) participating in the attack. > > Bad router, no source routing plz! (right? :) ) right. hence my careful wording about "the modern internet". that or the case where someone has manually added a static route on each router in between victim and attacker. this is probably just as improbable as finding a path where all routers respect source routing...
-- - bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org - my anger management counselor can beat up your self-affirmation therapist To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 12 19:33:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from warez.scriptkiddie.org (uswest-dsl-142-38.cortland.com [209.162.142.38]) by hub.freebsd.org (Postfix) with ESMTP id B22F537B405 for ; Mon, 12 Nov 2001 19:33:23 -0800 (PST) Received: from [192.168.69.11] (unknown [192.168.69.11]) by warez.scriptkiddie.org (Postfix) with ESMTP id 5036262D01; Mon, 12 Nov 2001 19:33:23 -0800 (PST) Date: Mon, 12 Nov 2001 19:33:25 -0800 (PST) From: Lamont Granquist To: Rémi Guyomarch Cc: FreeBSD Security List Subject: Re: Bump-in-the-Road IPsec? In-Reply-To: <20011113033151.A56326@diabolo.ifn.fr> Message-ID: <20011112193144.N1819-100000@coredump.scriptkiddie.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 13 Nov 2001, [iso-8859-1] Rémi Guyomarch wrote: > On Tue, Nov 13, 2001 at 03:14:38AM +0100, Rémi Guyomarch wrote: > ... > > On OpenBSD, use the gif device, along with IPSec in transport mode > > and the same bridge setup as described below. > > Damn! I just realised that gif(4) only handles IP frames :-( > Still a transparent bridge, but only suitable for IP... > [same thing with gre(4)] only suitable for IP is fine by me. the thing is that I really want these to be two completely separate networks with real ip #s. the stuff I've found on the net so far suggests using gif to bridge between two remote networks that share the same private ip space.
> So far, for full ethernet-over-ip the only solution I see is vtun with > a tap(4) device. Maybe someone there will feel creative with netgraph ? ;) i'll have to check out vtun+tap... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 12 19:56:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from warez.scriptkiddie.org (uswest-dsl-142-38.cortland.com [209.162.142.38]) by hub.freebsd.org (Postfix) with ESMTP id 409B137B405 for ; Mon, 12 Nov 2001 19:56:35 -0800 (PST) Received: from [192.168.69.11] (unknown [192.168.69.11]) by warez.scriptkiddie.org (Postfix) with ESMTP id 9CA7F62D01; Mon, 12 Nov 2001 19:56:34 -0800 (PST) Date: Mon, 12 Nov 2001 19:56:36 -0800 (PST) From: Lamont Granquist To: Rémi Guyomarch Cc: FreeBSD Security List Subject: Re: Bump-in-the-Road IPsec? In-Reply-To: <20011112193144.N1819-100000@coredump.scriptkiddie.org> Message-ID: <20011112195514.I2161-100000@coredump.scriptkiddie.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 12 Nov 2001, Lamont Granquist wrote: > On Tue, 13 Nov 2001, [iso-8859-1] Rémi Guyomarch wrote: > > On Tue, Nov 13, 2001 at 03:14:38AM +0100, Rémi Guyomarch wrote: > > ... > > > On OpenBSD, use the gif device, along with IPSec in transport mode > > > and the same bridge setup as described below. > > > > Damn! I just realised that gif(4) only handles IP frames :-( > > Still a transparent bridge, but only suitable for IP... > > [same thing with gre(4)] > > only suitable for IP is fine by me. the thing is that I really want these > to be two completely separate networks with real ip #s.
the stuff i've > found on the net so far suggests using gif to bridge between two remote > networks that share the same private ip space. Would it work doing it with two bridge devices? So you'd have bridge0 with xl0 (external) and xl1 (internal) and then bridge1 with xl1 (internal) and gif0 (tunnel)? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 12 19:59:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from greg.cex.ca (h24-207-26-100.dlt.dccnet.com [24.207.26.100]) by hub.freebsd.org (Postfix) with SMTP id BA4E537B419 for ; Mon, 12 Nov 2001 19:59:52 -0800 (PST) Received: (qmail 52747 invoked by uid 1001); 13 Nov 2001 04:00:13 -0000 Date: Mon, 12 Nov 2001 20:00:13 -0800 From: Greg White To: Bill Fumerola Cc: security@freebsd.org Subject: Source routed packets Message-ID: <20011112200013.C46767@greg.cex.ca> Mail-Followup-To: Bill Fumerola , security@freebsd.org References: <001201c16b82$4da9d1e0$9700a8c0@ezri> <20011112134317.A46767@greg.cex.ca> <20011112191518.C81711@elvis.mu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011112191518.C81711@elvis.mu.org>; from billf@mu.org on Mon, Nov 12, 2001 at 07:15:18PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon Nov 11/12/01, 2001 at 07:15:18PM -0600, Bill Fumerola wrote: > On Mon, Nov 12, 2001 at 01:43:17PM -0800, Greg White wrote: > > > 1. Remove the 'spoof' rules for RFC1918 addresses (temporarily). > > 2. Get to a host on an outside network. > > 3. On that host, "route add -net 192.168.0.0/24 ip.of.gate.way", where > > the 192.168.0.0 matches your internal network, and 'ip.of.gate.way' > > matches your host's external interface. > > 4. 
Sit back and enjoy unfettered access to all those internal hosts. > > no, if you actually tried this, you'd be sitting back and wondering why > it doesn't work. continue reading. Actually, I wouldn't have wondered. I might have been surprised (and was, in fact, surprised that two small ISPs I deal with are now doing the right thing with this sort of packet. :) I'll admit, I had not tried this 'attack' in years... See below. > > > 'Private' addresses are only private if all the routers on the internet > > refuse to route them. Most do not. :( > > incorrect, most do. > [snip routing lesson] > > > > OR > > every router in-between is ({un,}willingly) participating in the attack. When I first discovered the source routing 'attack', the problem of accepting source routed packets was already well understood, but not widely blocked. I was able to pass such an 'attack' in most cases (about three years ago) on small ISP networks, and large incompetent ones. The level of 'unwilling' participation was quite high. That level has dropped to near-negligible now, apparently. Since it worked then, and the problem was already well understood and all current best practices explicitly contained workarounds or rules to avoid them, I assumed incorrectly that most would never bother. :( Any network I've ever bothered to work on has these rules in place, and usually egress filters to prevent it outbound, so testing became irrelevant and impractical. To me, those rules became like NetBIOS rules on Windows networks: you just _know_ you need them. ;) Live and learn.
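The two failure modes argued over above, a packet from RFC 1918 space showing up on the outside interface after the attacker's "route add", and a packet carrying a loose or strict source route so that it reaches the gateway regardless of what the intermediate routers think, are exactly what an ingress filter has to reject. The following is an editor-added example, not part of Greg White's or Bill Fumerola's messages and not code from any FreeBSD firewall: it parses raw IPv4 headers, walks the options list for LSRR/SSRR, and applies the "spoof" rule to packets arriving on the external interface. The interface name `fxp0` and the sample packets are constructed assumptions.

```python
"""Ingress filter for the spoofing scenario discussed in the thread (added example)."""
import ipaddress
import struct

# IPv4 option type octets (copied flag + class + number), per RFC 791.
IPOPT_EOOL = 0
IPOPT_NOP = 1
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route

# Sources that must never arrive from the Internet on the outside interface
# (RFC 1918 private space plus loopback): the "spoof" rules Greg removes in step 1.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

EXTERNAL_IFACE = "fxp0"   # assumed name of the Internet-facing interface


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the header bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet with the given options (sample input only)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                      64, 17, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed header, verify the checksum and walk the options list."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    options = []
    i = 20
    while i < ihl:
        kind = pkt[i]
        if kind == IPOPT_EOOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without length")
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        options.append((kind, pkt[i + 2:i + length]))
        i += length
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "options": options}


def verdict(pkt: bytes, iface: str) -> tuple:
    """Return ("drop"|"pass", [reasons]) for a packet arriving on iface."""
    hdr = parse_ipv4(pkt)
    reasons = []
    kinds = {kind for kind, _ in hdr["options"]}
    if kinds & {IPOPT_LSRR, IPOPT_SSRR}:
        reasons.append("source-routed")            # never honour source routes
    if iface == EXTERNAL_IFACE:
        src = ipaddress.ip_address(hdr["src"])
        if any(src in net for net in BOGON_SOURCES):
            reasons.append("private source on external interface")
    return ("drop" if reasons else "pass", reasons)


def lsrr_option(*hops: str) -> bytes:
    """Build an LSRR option: type, length, pointer (=4), then the hop list."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


# Constructed sample traffic for the scenario in the thread.
SAMPLES = {
    # outside attacker after "route add -net 192.168.0.0/24 ip.of.gate.way"
    "spoofed_private": build_ipv4("192.168.0.10", "192.168.0.1"),
    # attacker steering the packet through the gateway with a loose source route
    "source_routed": build_ipv4("203.0.113.5", "192.168.0.1",
                                lsrr_option("198.51.100.1")),
    "normal": build_ipv4("203.0.113.5", "198.51.100.1"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, verdict(pkt, EXTERNAL_IFACE))
```

The private-source check is applied only on the external interface; the same 192.168.0.10 source on the inside interface is legitimate, which is why the rule set in the thread is per-interface. The source-route check is unconditional, since there is no good reason for a host behind a firewall to accept LSRR or SSRR from anywhere.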
-- Greg White To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 13 0:31:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.RWTH-Aachen.DE [137.226.46.168]) by hub.freebsd.org (Postfix) with ESMTP id 5EE3637B405 for ; Tue, 13 Nov 2001 00:31:45 -0800 (PST) Received: (from kuku@localhost) by gilberto.physik.rwth-aachen.de (8.11.1/8.9.3) id fAD8Vik70191 for freebsd-security@freebsd.org; Tue, 13 Nov 2001 09:31:44 +0100 (CET) (envelope-from kuku) Date: Tue, 13 Nov 2001 09:31:44 +0100 (CET) From: Christoph Kukulies Message-Id: <200111130831.fAD8Vik70191@gilberto.physik.rwth-aachen.de> To: freebsd-security@freebsd.org Subject: nosuid, suidperl Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org When mounting a CD or other removable media, mounting it noexec,nosuid should prevent running suid programs and compromising the system. The mount(8) manpage says: nosuid Do not allow set-user-identifier or set-group-identifier bits to take effect. Note: this option is worthless if a public available suid or sgid wrapper like suidperl(1) is installed on your system. In how far does this compromise security? What can one do about it? (having suidperl in the system and having security) -- Chris Christoph P. U.
Kukulies kuku@gil.physik.rwth-aachen.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 13 0:33:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp-send.myrealbox.com (smtp-send.myrealbox.com [192.108.102.143]) by hub.freebsd.org (Postfix) with ESMTP id 1B4C337B417 for ; Tue, 13 Nov 2001 00:33:26 -0800 (PST) Received: from davidloc.myrealbox.com Locky@smtp-send.myrealbox.com [203.206.18.90] by smtp-send.myrealbox.com with Novell NIMS $Revision: 2.87 $ on Novell NetWare via secured & encrypted transport (TLS); Tue, 13 Nov 2001 01:33:23 -0700 Message-Id: <5.1.0.14.0.20011113193644.00a1e3e0@mail.myrealbox.com> X-Sender: Locky@mail.myrealbox.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 13 Nov 2001 19:36:56 +1100 To: security@freebsd.org From: Locky Subject: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org unsubscribe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 13 0:46:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 9FD3737B405 for ; Tue, 13 Nov 2001 00:46:16 -0800 (PST) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 163ZDX-0006Bg-00; Tue, 13 Nov 2001 10:46:51 +0200 From: Sheldon Hearn To: Christoph Kukulies Cc: freebsd-security@freebsd.org Subject: Re: nosuid, suidperl In-reply-to: Your message of "Tue, 13 Nov 2001 09:31:44 +0100." 
<200111130831.fAD8Vik70191@gilberto.physik.rwth-aachen.de> Date: Tue, 13 Nov 2001 10:46:51 +0200 Message-ID: <23787.1005641211@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 13 Nov 2001 09:31:44 +0100, Christoph Kukulies wrote: > The mount(8) manpage says: > > nosuid Do not allow set-user-identifier or set-group-identifier > bits to take effect. Note: this option is worthless if a > public available suid or sgid wrapper like suidperl(1) is > installed on your system. > > In howfar does this compromise security? The default FreeBSD distribution doesn't offer a setuid root suidperl(1) program, but it's worth checking your specific installation with 'ls -l /usr/bin/suidperl'. Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 13 1:24: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f74.pav1.hotmail.com [64.4.31.74]) by hub.freebsd.org (Postfix) with ESMTP id 3B95537B405 for ; Tue, 13 Nov 2001 01:23:59 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 13 Nov 2001 01:23:55 -0800 Received: from 212.30.183.204 by pv1fd.pav1.hotmail.msn.com with HTTP; Tue, 13 Nov 2001 09:23:54 GMT X-Originating-IP: [212.30.183.204] From: "Magdalinin Kirill" To: sheldonh@starjuice.net Cc: freebsd-security@freebsd.org Subject: Re: nosuid, suidperl Date: Tue, 13 Nov 2001 12:23:54 +0300 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 13 Nov 2001 09:23:55.0157 (UTC) FILETIME=[EA79FC50:01C16C24] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >The default FreeBSD 
distribution doesn't offer a setuid root suidperl does it? Do you know if it comes with apache(suexec)? The reason I ask is that there is suidperl and the only distribution that might use it is apache. Can I safely chmod it to 750? thanks, Kirill Magdalinin bsdforumen@hotmail.com >From: Sheldon Hearn >To: Christoph Kukulies >CC: freebsd-security@freebsd.org >Subject: Re: nosuid, suidperl >Date: Tue, 13 Nov 2001 10:46:51 +0200 > >On Tue, 13 Nov 2001 09:31:44 +0100, Christoph Kukulies wrote: > > > The mount(8) manpage says: > > > > nosuid Do not allow set-user-identifier or >set-group-identifier > > bits to take effect. Note: this option is >worthless if a > > public available suid or sgid wrapper like >suidperl(1) is > > installed on your system. > > > > In howfar does this compromise security? > >The default FreeBSD distribution doesn't offer a setuid root suidperl(1) >program, but it's worth checking your specific installation with 'ls -l >/usr/bin/suidperl'. > >Ciao, >Sheldon. > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 13 1:30:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 9F6E937B417 for ; Tue, 13 Nov 2001 01:30:28 -0800 (PST) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 163Zui-0006KM-00; Tue, 13 Nov 2001 11:31:28 +0200 From: Sheldon Hearn To: "Magdalinin Kirill" Cc: freebsd-security@freebsd.org Subject: Re: nosuid, suidperl In-reply-to: Your message of "Tue, 13 Nov 2001 12:23:54 +0300." 
Date: Tue, 13 Nov 2001 11:31:28 +0200 Message-ID: <24325.1005643888@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 13 Nov 2001 12:23:54 +0300, "Magdalinin Kirill" wrote: > >The default FreeBSD distribution doesn't offer a setuid root suidperl > > does it? Do you know if it comes with apache(suexec)? > The reason I ask is that there is suidperl and the > only distribution that might use it is apache. > > Can I safely chmod it to 750? The default FreeBSD distribution offers a suidperl binary that isn't setuid root. If you insist on offering a setuid root suidperl binary, you can 'chmod u+s' it. Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 13 1:34: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 31B9837B419 for ; Tue, 13 Nov 2001 01:34:01 -0800 (PST) Received: (qmail 28147 invoked by uid 1000); 13 Nov 2001 09:33:59 -0000 Date: Tue, 13 Nov 2001 10:33:59 +0100 From: Bart Matthaei To: security@freebsd.org Subject: Re: nosuid, suidperl Message-ID: <20011113103359.A28119@heresy.dreamflow.nl> Reply-To: Bart Matthaei References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="qDbXVdCdHGoSgWSk" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from bsdforumen@hotmail.com on Tue, Nov 13, 2001 at 12:23:54PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --qDbXVdCdHGoSgWSk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding:
quoted-printable On Tue, Nov 13, 2001 at 12:23:54PM +0300, Magdalinin Kirill wrote: > Can I safely chmod it to 750? If you don't use suidperl, you can. (Most people don't, so it's fairly safe to make it 750 :) B. -- Bart Matthaei bart@dreamflow.nl /* Welcome to my world.. You just live in it */ --qDbXVdCdHGoSgWSk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE78OkHgcc6pR+tCegRAs2pAJ43ksvPma0fOBdBylF5QTt/EEb/mACgoaCm ummibE0eblvjAFw/I0/2fNM= =rqcq -----END PGP SIGNATURE----- --qDbXVdCdHGoSgWSk-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 13 2:29:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id BFFC137B405 for ; Tue, 13 Nov 2001 02:29:35 -0800 (PST) Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id NAA24081; Tue, 13 Nov 2001 13:29:25 +0300 (MSK) Date: Tue, 13 Nov 2001 13:28:39 +0300 From: "Nickolay A.Kritsky" X-Mailer: The Bat!
(v1.49) Personal Reply-To: "Nickolay A.Kritsky" X-Priority: 3 (Normal) Message-ID: <2758909837.20011113132839@internethelp.ru> To: Matthew Dillon Cc: freebsd-security@freebsd.org Subject: Re[2]: FreeBSD and i386 VM hardware In-reply-To: <200111121952.fACJqLZ06073@apollo.backplane.com> References: <01b301c16918$be1763a0$0a00000a@atkielski.com> <200111121952.fACJqLZ06073@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=Windows-1251 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Matthew, Monday, November 12, 2001, 10:52:21 PM, you wrote: MD> :To what extent does FreeBSD actually use all the fancy virtual-memory features MD> :of latter-day i386 processors? As I recall (it has been several years since I MD> :looked into it), the Intel microprocessors provide some very elaborate features MD> :for management of virtual memory, I/O operations, and security, allowing total MD> :hardware isolation of untrusted processes. How much of this is used by FreeBSD? MD> :I know that UNIX is supposed to isolate users from each other, but how much of MD> :this is done in hardware, and how much of it is simulated in software? Very MD> :tight security usually requires a lot of interdependency between the hardware MD> :and the OS, and since UNIX is supposed to be a multiplatform OS, I'm wondering MD> :how much hardware support for security is actually used by the system. MD> Well, all UNIX OS's running on intel hardware, including FreeBSD, MD> use most of the major MMU/VM features of the processor. Not all of MD> them, because some just don't work properly, but certainly most of MD> them. For example, FreeBSD uses ring 0 and ring 3 but ring 1 and ring 2 MD> are completely useless to us due to the way interrupt stacks are designed MD> in the intel architecture.
We use 4K MMU pages predominantly but only MD> use 4M MMU pages in certain (kernel-related) situations. At least for MD> the moment. We use interrupt and trap gates but do not use the MD> call-argument-crossing-ring-boundary or hardware tasking crap. MD> This is really true of all UNIXes... it is the UNIX model, after all! MD> While it is possible for root processes to access portions of the MD> hardware directly, the number that do can be counted on one hand, MD> must ask for it explicitly, and the feature can be disabled through the MD> securelevel sysctl. MD> -Matt MD> Matthew Dillon MD> Maybe it is not so important, but I think that Matt has forgotten something. In the i386 Intel has implemented two independent branches of hardware-level security: segment-level and page-level. Segment-level security is IMHO `stronger' than page-level, because it can mark some areas as Readable_But_Not_eXecutable, which page-level security can't, and has some other features. Since FreeBSD uses a `flat' memory model, it does not make very much use of Intel's segment registers. I mean that all of DS, ES, SS point to one `flat' descriptor with the same base, limit and permissions. The CS descriptor is somewhat different in limit (I do not know why yet). Thus all security (at least for userland) relies on page-level security, which consists of only two bits: Readable/Writable and Supervisor/User. I suppose that there were some strong reasons for the FreeBSD team to choose the page-level security model instead of segment-level. If you want to know these reasons you should ask the freebsd team directly. Their emails are at http://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributors/staff-core.html Summary: FreeBSD uses _some_ i386 security features, but not _most_ of them.
Anyway, I suppose that your question has little to do with freebsd-security, and you had better contact the freebsd-hardware, freebsd-hackers or maybe freebsd-core mailing lists for further information, or send e-mails directly to me if you need some explanations on this posting. I strongly advise you to read the "Intel Architecture Software Developer's Manual" which can be found on Intel's FTP servers (I don't have correct links right now). Good Luck PS: I am using FreeBSD 3.3-RELEASE, so there may have been changes since that version that contradict my words. ;------------------------------------------- ; NKritsky ; SysAdmin InternetHelp.Ru ; http://www.internethelp.ru ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 13 6:56:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 3809337B405 for ; Tue, 13 Nov 2001 06:56:55 -0800 (PST) Received: by flood.ping.uio.no (Postfix, from userid 2602) id EC67F14C2E; Tue, 13 Nov 2001 15:56:53 +0100 (CET) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Jano Lukac Cc: security@freebsd.org Subject: Re: NIS, rsync, and LDAP Re: sharing /etc/passwd References: <20011108050109.25500.qmail@web14501.mail.yahoo.com> From: Dag-Erling Smorgrav Date: 13 Nov 2001 15:56:53 +0100 In-Reply-To: <20011108050109.25500.qmail@web14501.mail.yahoo.com> Message-ID: Lines: 10 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Jano Lukac writes: > But a small warning: I've been working about a month now trying to > figure out how to allow users to change passwords, without luck. It should "just work" thanks to PAM, though I suspect it doesn't. I'll look into it at some point. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 13 9:17:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp.netnam.vn (smtp.netnam.vn [203.162.7.93]) by hub.freebsd.org (Postfix) with ESMTP id 511AA37B416 for ; Tue, 13 Nov 2001 09:17:39 -0800 (PST) Received: from mailserver ([10.9.4.34]) by smtp.netnam.vn (8.10.2/8.10.2) with ESMTP id fADHIfm18724; Wed, 14 Nov 2001 00:18:41 +0700 (GMT) Received: from 192.168.0.29 by mailserver ([192.168.0.2] running VPOP3) with ESMTP; Wed, 14 Nov 2001 00:16:47 +0700 Message-Id: <5.1.0.14.2.20011114000437.02050a70@MailServer> X-Sender: stefan.probst@MailServer X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 14 Nov 2001 00:13:21 +0700 To: freebsd-security@FreeBSD.ORG From: Stefan Probst Subject: Adore worm Cc: Rob Hurle In-Reply-To: <20011113170655.A9FE737B416@hub.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Server: VPOP3 V1.4.6 - Registered Sender:
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Good Evening, sorry for newbie-posting, but I don't have too much time to sift through archives.... Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a worm - or infected on purpose: I found a new directory /usr/lib/.fx/ which contains all kind of stuff. One README file says:

> %cat README
> AdoreBSD 0.34 - Based off Linux Adore by Stealth
> Copyright (c) 2001 bind@gravitino.net
>
> Developed on FreeBSD 4.3-STABLE
>
> Installation:
> # make; make load
>
> Features:
> * hide file or directory from view
> * make processes invisible
> * hide promiscuous flag and syslog messages
> * execute as root
> * hide sysctl mib entries
> * netstat service hiding
> * authentication
> * module hiding

I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped"). "rc.conf" was modified and three lines with "/bin/xterm" added. I deleted this "xterm" program, since it was also created/modified by the worm. "rc" itself shows the date of the infection, but I don't know what was done. Anything known? Any ideas what to do? Looking forward to pointers....
Rgds,
Stefan

From owner-freebsd-security Tue Nov 13 9:22:38 2001
Date: Tue, 13 Nov 2001 09:22:33 -0800 (PST)
From: John Baldwin
To: Stefan Probst
Cc: Rob Hurle, freebsd-security@FreeBSD.ORG
Subject: RE: Adore worm
In-Reply-To: <5.1.0.14.2.20011114000437.02050a70@MailServer>

On 13-Nov-01 Stefan Probst wrote:
> Good Evening,
>
> sorry for newbie-posting, but I don't have too much time to sift through
> archives....
>
> Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> worm - or infested on purpose:

It's a rootkit, and your box has been compromised. Backup your data and
reinstall unless someone else has a better idea.

-- 

John Baldwin -- http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"
- http://www.FreeBSD.org/

From owner-freebsd-security Tue Nov 13 9:40:37 2001
Date: Tue, 13 Nov 2001 12:39:51 -0500 (EST)
From: "Andrew R. Reiter"
To: Stefan Probst
Cc: freebsd-security@FreeBSD.org, Rob Hurle
Subject: Re: Adore worm
In-Reply-To: <5.1.0.14.2.20011114000437.02050a70@MailServer>

It's not a worm; unless it's part of a larger system, it is a backdoor.
I'd reinstall.

On Wed, 14 Nov 2001, Stefan Probst wrote:

:Good Evening,
:
:sorry for newbie-posting, but I don't have too much time to sift through
:archives....
:
:Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
:worm - or infested on purpose:
:
:I found a new directory /usr/lib/.fx/
:which contains all kind of stuff.
:One README file says:
:>%cat README
:> AdoreBSD 0.34 - Based off Linux Adore by Stealth
:> Copyright (c) 2001 bind@gravitino.net
:>
:>Developed on FreeBSD 4.3-STABLE
:>
:>Installation:
:> # make; make load
:>
:>Features:
:> * hide file or directory from view
:> * make processes invisible
:> * hide promiscuous flag and syslog messages
:> * execute as root
:> * hide sysctl mib entries
:> * netstat service hiding
:> * authentication
:> * module hiding
:
:I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped").
:"rc.conf" was modified and three lines with "/bin/xterm" added. I deleted
:this "xterm" program, since it was also created/modified by the worm.
:"rc" itself shows the date of the infection, but I don't know what was done.
:
:Anything known? Any ideas what to do? Looking forward to pointers....
:Rgds,
:Stefan
:

--
Andrew R. Reiter
arr@watson.org
arr@FreeBSD.org

From owner-freebsd-security Tue Nov 13 9:55:08 2001
Date: Tue, 13 Nov 2001 18:54:52 +0100
From: Axel Scheepers
To: John Baldwin
Cc: Stefan Probst, Rob Hurle, freebsd-security@FreeBSD.ORG
Subject: Re: Adore worm
Message-ID: <20011113185452.B19098@mars.thuis>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer>
Hi,

Best thing to do is to 'pull the plug' immediately (your net connection).
Back up the machine for later inspection, then reinstall fBSD and if
you got a separate data backup put that back.
Then you might put the previously made backup on a clean machine for inspection.
Usual vulnerable things like telnet, ftp etc. are a good place to start looking
for in your logs. (In case you didn't block them)

Gr,
Axel

On Tue, Nov 13, 2001 at 09:22:33AM -0800, John Baldwin wrote:
> On 13-Nov-01 Stefan Probst wrote:
> > Good Evening,
> >
> > sorry for newbie-posting, but I don't have too much time to sift through
> > archives....
> >
> > Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> > worm - or infested on purpose:
>
> It's a rootkit, and your box has been compromised. Backup your data and
> reinstall unless someone else has a better idea.
>
> -- 
>
> John Baldwin -- http://www.FreeBSD.org/~jhb/
> "Power Users Use the Power to Serve!" - http://www.FreeBSD.org/

-- 
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
"I can't complain, but sometimes I still do."
    -- Joe Walsh
------------------------------------------

From owner-freebsd-security Tue Nov 13 10:03:31 2001
Date: Tue, 13 Nov 2001 11:03:01 -0700
From: "Don Sutter"
To: "Stefan Probst"
Subject: Re: Adore worm
Message-ID: <005a01c16c6d$6f2ade40$13fea8c0@drs>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer>

Has anyone tried looking at:
http://www.sophos.com/virusinfo/analyses/linuxadore.html?

----- Original Message -----
From: "Stefan Probst"
Cc: "Rob Hurle"
Sent: Tuesday, November 13, 2001 10:13 AM
Subject: Adore worm

> Good Evening,
>
> sorry for newbie-posting, but I don't have too much time to sift through
> archives....
>
> Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> worm - or infested on purpose:
>
> I found a new directory /usr/lib/.fx/
> which contains all kind of stuff.
> One README file says:
> >%cat README
> > AdoreBSD 0.34 - Based off Linux Adore by Stealth
> > Copyright (c) 2001 bind@gravitino.net
> >
> >Developed on FreeBSD 4.3-STABLE
> >
> >Installation:
> > # make; make load
> >
> >Features:
> > * hide file or directory from view
> > * make processes invisible
> > * hide promiscuous flag and syslog messages
> > * execute as root
> > * hide sysctl mib entries
> > * netstat service hiding
> > * authentication
> > * module hiding
>
> I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped").
> "rc.conf" was modified and three lines with "/bin/xterm" added. I deleted
> this "xterm" program, since it was also created/modified by the worm.
> "rc" itself shows the date of the infection, but I don't know what was done.
>
> Anything known? Any ideas what to do? Looking forward to pointers....
> Rgds,
> Stefan

From owner-freebsd-security Tue Nov 13 10:08:41 2001
Date: Wed, 14 Nov 2001 01:01:27 +0700
From: Stefan Probst
To: Axel Scheepers, John Baldwin
Cc: Rob Hurle, freebsd-security@FreeBSD.org
Subject: Re: Adore worm
Message-Id: <5.1.0.14.2.20011114005803.0207ed70@MailServer>
In-Reply-To: <20011113185452.B19098@mars.thuis>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer>

Thanks everybody for "encouraging" answers so far.

I am in Vietnam, and the box is a dedicated server in the US :(

There was nearly nothing installed when I got it about two months ago, and
I installed several packages - all of them downloaded from the original
sites, in order to be sure to get the latest version.

Will go to bed now and pray.....
I still can telnet to the box.
Maybe somebody finds an idea what to do...
Will see at my eMail tomorrow.

Good Night!
Stefan

At 18:54 13.11.2001 +0100, Axel Scheepers wrote:
-------------------------
>Hi,
>Best thing to do is to 'pull the plug' immediately (your net connection).
>Back up the machine for later inspection, then reinstall fBSD and if
>you got a separate data backup put that back.
>Then you might put the previously made backup on a clean machine for inspection.
>Usual vulnerable things like telnet, ftp etc. are a good place to start looking
>for in your logs. (In case you didn't block them)
>Gr,
>Axel
>
>On Tue, Nov 13, 2001 at 09:22:33AM -0800, John Baldwin wrote:
> > On 13-Nov-01 Stefan Probst wrote:
> > > Good Evening,
> > >
> > > sorry for newbie-posting, but I don't have too much time to sift through
> > > archives....
> > >
> > > Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> > > worm - or infested on purpose:
> >
> > It's a rootkit, and your box has been compromised. Backup your data and
> > reinstall unless someone else has a better idea.
> >
> > --
> >
> > John Baldwin -- http://www.FreeBSD.org/~jhb/
> > "Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
>
>--
>Axel Scheepers
>UNIX System Administrator
>
>email: axel@axel.truedestiny.net
>       ascheepers@vianetworks.nl
>http://axel.truedestiny.net/~axel
>------------------------------------------
>"I can't complain, but sometimes I still do."
>    -- Joe Walsh
>------------------------------------------

From owner-freebsd-security Tue Nov 13 10:10:58 2001
Date: Wed, 14 Nov 2001 01:05:08 +0700
From: Stefan Probst
To: "Don Sutter"
Subject: Re: Adore worm
Message-Id: <5.1.0.14.2.20011114010342.02046b00@MailServer>
In-Reply-To: <005a01c16c6d$6f2ade40$13fea8c0@drs>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer>

At 11:03 13.11.2001 -0700, Don Sutter wrote:
-------------------------
>Has anyone tried looking at:
>http://www.sophos.com/virusinfo/analyses/linuxadore.html?
It looks different on FreeBSD :(

Stefan

From owner-freebsd-security Tue Nov 13 10:15:33 2001
Date: Tue, 13 Nov 2001 13:15:12 -0500 (EST)
From: "Andrew R. Reiter"
To: Stefan Probst
Cc: Axel Scheepers, John Baldwin, Rob Hurle, freebsd-security@FreeBSD.org
Subject: Re: Adore worm
In-Reply-To: <5.1.0.14.2.20011114005803.0207ed70@MailServer>

On Wed, 14 Nov 2001, Stefan Probst wrote:
:
:Will go to bed now and pray.....
:I still can telnet to the box.
:Maybe somebody finds an idea what to do...
:Will see at my eMail tomorrow.
:

Not that it really matters, but start using SSH. Also, I believe the
version of telnetd you're running is most likely the cause of your demise.
There was an advisory released in July that states it is vulnerable and
should be updated or not used. I say not used :-)

Andrew

--
Andrew R.
Reiter
arr@watson.org
arr@FreeBSD.org

From owner-freebsd-security Tue Nov 13 10:32:32 2001
Date: Tue, 13 Nov 2001 10:32:25 -0800
From: Will Yardley
To: freebsd-security@FreeBSD.org
Subject: Re: Adore worm
Message-ID: <20011113103225.A1184@hq.newdream.net>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer> <5.1.0.14.2.20011114005803.0207ed70@MailServer>
In-Reply-To: <5.1.0.14.2.20011114005803.0207ed70@MailServer>
Organization: New Dream Network

Stefan Probst wrote:
>
> Will go to bed now and pray.....
> I still can telnet to the box.

please don't telnet to your box with the root username, the name you use
to su to root from, or a username that has root access via the 'sudo'
facility. this makes it easy for someone to sniff your unencrypted
traffic. use ssh instead. as someone mentioned, there's a telnetd exploit
as well, which is most likely how your box got rooted.

if you can POSSIBLY require your users to use ssh instead, you should do
so, as running telnetd is asking for trouble. try to run only ssh v2 as
well. if you must run telnet, make sure that users who have any sort of
high level access don't use it.

there are free ssh clients available for pretty much any platform
imaginable.... http://freessh.org/ has some good ones listed. for 'doze
i'd recommend putty or securecrt.

if the machine is dedicated and geographically far (as you say), then i
don't know what to tell you - have your provider give you a new box with
a fresh install if possible. i'm not sure if this runs any risks, but you
could try cvsupping your source tree and rebuilding your system (others
might have more insight into this, and possible risks of doing so). since
you don't know for sure what they've modified or what information is
compromised, a fresh install of some sort is really important.

w
-- 
GPG Public Key: http://infinitejazz.net/will/pgp/

From owner-freebsd-security Tue Nov 13 10:59:09 2001
Date: Tue, 13 Nov 2001 10:59:02 -0800 (PST)
From: John Baldwin
To: Stefan Probst
Cc: freebsd-security@FreeBSD.org, Rob Hurle, Axel Scheepers
Subject: Re: Adore worm
In-Reply-To: <5.1.0.14.2.20011114005803.0207ed70@MailServer>
On 13-Nov-01 Stefan Probst wrote:
> Thanks everybody for "encouraging" answers so far.
>
> I am in Vietnam, and the box is a dedicated server in the US :(
>
> There was nearly nothing installed when I got it about two months ago, and
> I installed several packages - all of them downloaded from the original
> sites, in order to be sure to get the latest version.
>
> Will go to bed now and pray.....
> I still can telnet to the box.
> Maybe somebody finds an idea what to do...
> Will see at my eMail tomorrow.
>
> Good Night!
> Stefan

Telnet is probably what killed you. There was a remote hole in telnet
that allowed root access.

-- 

John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/

From owner-freebsd-security Tue Nov 13 11:35:04 2001
Date: Tue, 13 Nov 2001 11:34:44 -0800
From: Paul Saab
To: Don Sutter
Cc: freebsd-security@freebsd.org, abuse@freebsd.org
Subject: Re: mx2.FreeBSD.org issue
Message-ID: <20011113113444.A53010@elvis.mu.org>
References: <004801c16c6c$4fc28360$13fea8c0@drs>
In-Reply-To: <004801c16c6c$4fc28360$13fea8c0@drs>

Read the header..
It was sent to freebsd-questions and mx2 just relays all mail that hub
sends it. It doesn't relay for anything else but freebsd.org machines.

Don Sutter (drs@suntreeaz.com) wrote:
> What does anyone make of the following spam and sendmail
> error message (multiple error messages) I'm getting on my
> server. Has mx2.FreeBSD.org somehow become an open relay?
> I'm new at this and would appreciate your input.
>
> The error message I'm getting on my FreeBSD 4.3 server is
> (X's are irrelevant dates, times or ID's):
>
> Nov xx xx:xx:xx sparky sendmail[xxxxx]: xxxxxxxxxxxx: SYSERR(root): collect: I/O
> error on connection from mx2.FreeBSD.org,
> from= digest-FreeBSD.ORG>: connection reset by mx2.FreeBSD.org
>
> Both issues revolve around mx2.FreeBSD.org but different
> from lines - digest vs. just owner-freebsd-questions
>
> ------------------------------------------------ Message Header ------------------------------------------------
>
> Return-Path:
> Received: from mx2.freebsd.org (mx2.FreeBSD.org [216.136.204.119])
>         by sparky.suntreeaz.com (8.11.3/8.11.3) with ESMTP id fAD1IbD11850
>         for ; Mon, 12 Nov 2001 18:18:37 -0700 (MST)
>         (envelope-from owner-freebsd-questions@FreeBSD.ORG)
> Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18])
>         by mx2.freebsd.org (Postfix) with ESMTP
>         id F3F4355D3A; Mon, 12 Nov 2001 17:18:25 -0800 (PST)
>         (envelope-from owner-freebsd-questions@FreeBSD.ORG)
> Received: by hub.freebsd.org (Postfix, from userid 538)
>         id B3E1237B416; Mon, 12 Nov 2001 17:18:23 -0800 (PST)
> Received: from localhost (localhost [127.0.0.1])
>         by hub.freebsd.org (Postfix) with SMTP
>         id 8D0FD2E8045; Mon, 12 Nov 2001 17:18:23 -0800 (PST)
> Received: by hub.freebsd.org (bulk_mailer v1.12); Mon, 12 Nov 2001 17:18:23 -0800
> Delivered-To: freebsd-questions@freebsd.org
> Received: from smtp1.mx.pitdc1.stargate.net (smtp1.mx.pitdc1.stargate.net [206.210.69.141])
>         by hub.freebsd.org (Postfix) with SMTP id 992D337B405
>         for ; Mon, 12 Nov 2001 17:18:04 -0800 (PST)
> Received: (qmail 202 invoked from network); 13 Nov 2001 01:17:56 -0000
> Received: from unknown (HELO local) (63.17.144.5)
>         by smtp1.mx.pitdc1.stargate.net with SMTP; 13 Nov 2001 01:17:56 -0000
> X-Sender: delight_labs@xmail.com
> From: Delight Labs
> To: "Customer"
> Date: Mon, 12 Nov 2001 20:20:23 -0500
> Subject: ATTRACT WOMEN FAST!! SUPERCHARGE YOUR SEX LIFE!!
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_001__93017190_73223.09"
> Message-Id: <20011113011804.992D337B405@hub.freebsd.org>
> Sender: owner-freebsd-questions@FreeBSD.ORG
> List-ID:
> List-Archive: (Web Archive)
> List-Help: (List Instructions)
> List-Subscribe:
> List-Unsubscribe:
> X-Loop: FreeBSD.ORG
> Precedence: bulk
> X-UIDL: 30[!!ZM%"!U[O!!j[O!!
>
> ------------------------------------------------ Message Content ------------------------------------------------
>
> Science has finally done it!
> 816 Elm Street, #472 > Manchester, NH 03101-2101 > > Your Shipping Information: > > Your Name_____________________________________________ > Your Address__________________________________________ > Your City_____________________________________________ > State / Zip___________________________________________ > Phone #: _____________________________________________ > (For problems with your order only. No salesmen will call.) > > Email Address________________________________________ > > Please note that mail-in orders may be delayed 2-3 weeks. > > Please check one of the following. > > [ ] I am enclosing a check or money order for $29.00 for one > bottle. > > [ ] I am enclosing a check or money order for $44.98 for two > bottles. > > [ ] I am enclosing a check or money order for $99.96 for > five bottles. > > [ ] I am mailing my credit card number and wish to purchase > ______ bottles. (Note your card will be charged for the > specified amount above) > > If paying by credit card, please fill in the information > below: > > Credit Card Number:________________________________ > Expiration Date:___________________________ > Signature:_________________________ > Date:____________________ > > *Shipping Outside USA add $3.00 > -- Paul Saab Technical Yahoo ps@mu.org - ps@yahoo-inc.com - ps@freebsd.org Do You .. uhh .. Yahoo!? 
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Nov 13 13:10:27 2001
Date: Tue, 13 Nov 2001 22:10:05 +0100
From: Axel Scheepers
To: Stefan Probst
Cc: freebsd-security@FreeBSD.org
Subject: Re: Adore worm
Message-ID: <20011113221005.C19098@mars.thuis>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer> <20011113185452.B19098@mars.thuis> <5.1.0.14.2.20011114005803.0207ed70@MailServer>
In-Reply-To: <5.1.0.14.2.20011114005803.0207ed70@MailServer>; from stefan.probst@opticom.v-nam.net on Wed, Nov 14, 2001 at 01:01:27AM +0700

Hi,

I think you should try to get someone who does a quick reinstall, since
someone clearly got in and important binaries are replaced by trojan ones.
(Imagine a make world with a dirty gcc, for example.)
After the install use ssh to log in, and disable anything you don't use in
/etc/inetd.conf. (Or use the tcpwrappers and edit /etc/hosts.allow.)
Furthermore I suggest you use a firewall like ipfw or ipfilter to block and
log unwanted traffic, but this requires a custom kernel.
(See /usr/src/i386/conf/ and the handbook.)

Gr,
Axel

On Wed, Nov 14, 2001 at 01:01:27AM +0700, Stefan Probst wrote:
> Date: Wed, 14 Nov 2001 01:01:27 +0700
> To: Axel Scheepers, John Baldwin
> From: Stefan Probst
> Subject: Re: Adore worm
> Cc: Rob Hurle, freebsd-security@FreeBSD.org
>
> Thanks everybody for "encouraging" answers so far.
>
> I am in Vietnam, and the box is a dedicated server in the US :(
>
> There was nearly nothing installed, when I got it about two months ago, and
> I installed several packages - all of them downloaded from the original
> sites, in order to be sure to get the latest version.
>
> Will go to bed now and pray.....
> I still can telnet to the box.
> Maybe somebody finds an idea what to do...
> Will see at my eMail tomorrow.
>
> Good Night!
> Stefan
>
> At 18:54 13.11.2001 +0100, Axel Scheepers wrote:
> >Hi,
> >Best thing to do is to 'pull the plug' immediately (your net connection).
> >Back up the machine for later inspection, then reinstall fBSD and if
> >you got a separate data backup put that back.
> >Then you might put the previously made backup on a clean machine for inspection.
> >Usual vulnerable things like telnet, ftp etc. are a good place to start looking
> >for in your logs. (In case you didn't block them)
> >Gr,
> >Axel
> >
> >On Tue, Nov 13, 2001 at 09:22:33AM -0800, John Baldwin wrote:
> > > Date: Tue, 13 Nov 2001 09:22:33 -0800 (PST)
> > > From: John Baldwin
> > > To: Stefan Probst
> > > Subject: RE: Adore worm
> > > Cc: Rob Hurle, freebsd-security@FreeBSD.ORG
> > >
> > > On 13-Nov-01 Stefan Probst wrote:
> > > > Good Evening,
> > > >
> > > > sorry for newbie-posting, but I don't have too much time to sift through
> > > > archives....
> > > > Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> > > > worm - or infested by purpose:
> > >
> > > It's a rootkit, and your box has been compromised. Back up your data and
> > > reinstall unless someone else has a better idea.
> > >
> > > --
> > > John Baldwin -- http://www.FreeBSD.org/~jhb/
> > > "Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
> >
> >--
> >Axel Scheepers
> >UNIX System Administrator
> >
> >email: axel@axel.truedestiny.net
> >       ascheepers@vianetworks.nl
> >http://axel.truedestiny.net/~axel
> >------------------------------------------
> >"I can't complain, but sometimes I still do."
> >                          -- Joe Walsh
> >------------------------------------------

--
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
"What is the robbing of a bank compared to the FOUNDING of a bank?"
                          -- Bertolt Brecht
------------------------------------------

From owner-freebsd-security Tue Nov 13 13:56:29 2001
From: Kirk Davis
Message-Id: <200111132156.fADLuO517143@ve6kik.bohica.net>
Subject: porting OpenSSH to 2.2.8
To: hackers@freebsd.org, freebsd-security@freebsd.org
Date: Tue, 13 Nov 2001 14:56:24 -0700 (MST)

Hi,

I have a number of older FreeBSD boxes (running 2.2.8-STABLE) and
I am not able to upgrade beyond 2.2.8 due to some custom software.
Has anyone managed to get a newer version of OpenSSH running on
a 2.2.8 box? I'm not a C programmer but I have ported some programs in
the past. I'm not having a lot of luck and was hoping that someone out
there had already invented the wheel.
---
Kirk
kirk@bohica.net

From owner-freebsd-security Tue Nov 13 15:33:28 2001
Date: Wed, 14 Nov 2001 10:31:18 +1100 (EST)
From: Rob Hurle
To: Stefan Probst
Subject: Re: Adore worm
In-Reply-To: <5.1.0.14.2.20011114000437.02050a70@MailServer>
Message-ID: <20011114100516.L432-100000@freebsd.connect-a.com.au>

Hi Stefan,

> Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
> worm - or infested by purpose:
>
> I found a new directory /usr/lib/.fx/
> which contains all kind of stuff.
> One README file says:
> >%cat README
> > AdoreBSD 0.34 - Based off Linux Adore by Stealth
> > Copyright (c) 2001 bind@gravitino.net
> >
> >Developed on FreeBSD 4.3-STABLE
> >
> >Installation:
> >....
> Anything known? Any ideas what to do? Looking forward to pointers....

This is a common one I think. I was hit by it a few weeks ago too. Not
sure if there's a safe way to undo the damage - in my case I had been
putting off the upgrade to 4.4 because of the usual laziness, and so I
just upgraded. A couple of pointers.
I had noticed (by using `last`) a few pokes at my system in the weeks
prior to the attack (from somewhere with a *.de domain name). The first
thing the attack does is to delete everything in /var/log so that you
cannot see what is going on. The `ps` that is installed works on 4.3
(obviously not on 4.2) and hides some processes from you. The /bin/xterm
is activated at startup (the call is installed in rc.conf), and a new
telnetd is installed. I'm not sure what these things do, but they may poo
over everything - the best advice is what others have said, re-install.

As for how to avoid it, I'm not sure. telnetd had a problem, and I seem to
remember there was a security advisory on inetd before 4.4. People advise
ssh, but I notice that this particular attack also has a new version of
ssh to install, so I don't know about that. I've had a brief look at ssh,
but it needs some careful configuration. Firewalls are not much help,
because it starts with a legitimate request to telnetd or inetd, and then
crashes them.

Sorry to be not of much help.
Cheers,
Rob
-----------------------------------------------------
Rob Hurle        Tel: +61 2 6247 2397
PO Box 13        Fax: +61 2 6247 2397
Ainslie          Cell phone: 0417 293 603
Australia        e-mail: rob@coombs.anu.edu.au
-----------------------------------------------------

From owner-freebsd-security Tue Nov 13 16:11:42 2001
Date: Wed, 14 Nov 2001 01:09:41 +0100
From: Rémi Guyomarch
To: FreeBSD Security List
Subject: Re: Bump-in-the-Road IPsec?
Message-ID: <20011114010941.A46471@diabolic-cow.chatgris.net>
References: <20011113033151.A56326@diabolo.ifn.fr> <20011112193144.N1819-100000@coredump.scriptkiddie.org>
In-Reply-To: <20011112193144.N1819-100000@coredump.scriptkiddie.org>; from lamont@scriptkiddie.org on Mon, Nov 12, 2001 at 07:33:25PM -0800

On Mon, Nov 12, 2001 at 07:33:25PM -0800, Lamont Granquist wrote:
>
> On Tue, 13 Nov 2001, Rémi Guyomarch wrote:
> > On Tue, Nov 13, 2001 at 03:14:38AM +0100, Rémi Guyomarch wrote:
> > ...
> > > On OpenBSD, use the gif device, along with IPSec in transport mode
> > > and the same bridge setup as described below.
> >
> > Damn! I just realised that gif(4) only handles IP frames :-(
> > Still a transparent bridge, but only suitable for IP...
> > [same thing with gre(4)]

After reading the gif(4) and brconfig(8) OpenBSD manpages, it seems gif
isn't limited to IP traffic but really handles full ethernet.

> only suitable for IP is fine by me. the thing is that i really want these
> to be two completely separate networks with real ip #s.

Yuk! I got it. Basically you're trying to do a "transparent IP router".
I think this violates nearly every routing-related RFC ever published!
It might be possible but it would require horrible hacks.

> the stuff i've
> found on the net so far suggests using gif to bridge between two remote
> networks that share the same private ip space.

Yes, a bridge only makes sense when the two segments share the same IP
address space, or you use some non-routable protocol (ex: NetBEUI,
AppleTalk).
--
Rémi

From owner-freebsd-security Tue Nov 13 17:48:19 2001
Date: Tue, 13 Nov 2001 20:48:00 -0500 (EST)
From: Robert Watson
To: Stefan Probst
Cc: Axel Scheepers, John Baldwin, Rob Hurle, freebsd-security@FreeBSD.org
Subject: Re: Adore worm
In-Reply-To: <5.1.0.14.2.20011114005803.0207ed70@MailServer>

On Wed, 14 Nov 2001, Stefan Probst wrote:

> Thanks everybody for "encouraging" answers so far.
>
> I am in Vietnam, and the box is a dedicated server in the US :(
>
> There was nearly nothing installed, when I got it about two months ago,
> and I installed several packages - all of them downloaded from the
> original sites, in order to be sure to get the latest version.
>
> Will go to bed now and pray..... I still can telnet to the box. Maybe
> somebody finds an idea what to do... Will see at my eMail tomorrow.

Well, what you really need to do is reinstall from scratch, because once
the machine has had a privileged account compromised, it will be
effectively impossible to guarantee that no backdoors remain, and that
you've successfully cleaned up. This is the big caveat, and common sense
probably dictates it is the only reasonable choice.
It's not a purely theoretical concern either :-).

However, if you're willing to assume that the attacker limited their
activities to those provided by the backdoor kit they used, then recovery
is relatively straight-forward. Your first concern is to prevent
additional access to the machine by both the current attackers, and
anybody else who turns up. I don't know anything about the rootkit in
question, but assuming its activities are limited to those described, you
should be able to make use of ipfw to lock down the host such that only
your source IP address can talk to it. You'll want to do this to prevent
misuse of the host (i.e., as a stepping off point for additional attacks),
and prevent additional intrusion. It may be you can ask your provider to
provide this service at the router; you may also need to be careful about
allowing appropriate DNS, or you may risk locking yourself out.

You then have two concerns: (1) disabling the kernel module and disabling
effects of the kit, and (2) upgrading your system so that it is no longer
vulnerable to whatever it was that let the attacker in in the first place.
(1) probably consists of studying the kit to determine how it maintains
its presence across reboots, and then disabling and rebooting, and then
(2) requires you to remotely upgrade the operating system software. For
relatively minor updates (4.2 -> 4.4), a remote upgrade is a feasible
operation--ideally, you'll have access to a serial console so you can take
care of the inevitable problem, but making use of the documented source
upgrade procedures should be sufficient. Once you know the rootkit is
disabled, mergemaster should also be an effective tool for helping you
look for any changes to system configuration files. In particular, you'll
want to look for changes to inetd.conf, password files, ssh configuration
files, etc. Also, take this opportunity to check ~/.ssh/authorized_keys,
~/.ssh/.shosts for each user, .rhosts for each user, etc.
Do not begin the upgrade until after you know the module and rootkit have
been disabled, or they may interfere with the upgrade process.

Finally, you'll need to do some more work to harden your hosts. As has
been pointed out, you need to use encrypted services to access the host,
rather than telnet. Especially in shared network environments, the risk of
using unencrypted communications is very high. SSH can provide both remote
login and file transfer services that are, in most cases, superior to the
unencrypted alternatives, making it an easy switch for most :-). You'll
want to clamp down on unnecessary services--recent versions of FreeBSD
make this a lot easier by disabling most services by default.

Finally, some words of warning: the procedure I've described above assumes
that the hacker did only the bare minimum to leave the system in the state
you've described it in. That they fairly mindlessly applied a remote
exploit, and then fairly mindlessly applied a standard kit to the system.
If they did anything more, then this procedure may not help. In fact, it
could make it worse by giving you a false sense of assurance that things
are fine :-). To recover properly, you must reinstall from trusted media,
and using a trusted interface: in particular, when reinstalling, you must
not boot from any writable media present in the system when or after the
compromise occurred, and you must not rely on anything on the writable
media during the recovery (in particular, binaries, but also many other
things).
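Robert's per-user trust-file checks and ipfw lockdown above, together with the AdoreBSD traces Rob Hurle describes earlier in the thread (/usr/lib/.fx, an xterm started from rc.conf, an emptied /var/log), as an added POSIX sh example that is not part of any message in this thread. The ROOT argument, the home-directory layout (/home, /usr/home) and the 192.0.2.x addresses are assumptions; it is meant to be run against a mounted backup copy of the disk, not the live box whose binaries can no longer be trusted.

```shell
#!/bin/sh
# Post-compromise audit helper (added example, not from the thread).
# ROOT is the tree the checks run against: point it at a mounted backup
# copy of the compromised disk (e.g. /mnt/backup) rather than at "/" on
# the live system, whose ps/ls/telnetd may be the rootkit's replacements.

# Print every file that grants remote login without a password, for the
# root home and every home directory under ROOT (Robert's per-user list).
find_trust_files() {
    root="${1%/}"
    for home in "$root/root" "$root"/home/* "$root"/usr/home/*; do
        [ -d "$home" ] || continue
        for f in .rhosts .ssh/authorized_keys .ssh/.shosts; do
            if [ -f "$home/$f" ]; then
                echo "trust-file: $home/$f"
            fi
        done
    done
    return 0
}

# Report the AdoreBSD traces described in the thread: the hidden
# /usr/lib/.fx directory, an xterm launched from rc.conf, and a /var/log
# that has been emptied out.
find_rootkit_indicators() {
    root="${1%/}"
    if [ -d "$root/usr/lib/.fx" ]; then
        echo "indicator: hidden directory $root/usr/lib/.fx"
    fi
    if [ -f "$root/etc/rc.conf" ] && grep -q xterm "$root/etc/rc.conf"; then
        echo "indicator: xterm referenced in $root/etc/rc.conf"
    fi
    if [ -d "$root/var/log" ] && [ -z "$(ls -A "$root/var/log")" ]; then
        echo "indicator: $root/var/log is empty"
    fi
    return 0
}

# Exit 0 when a config file differs from a trusted copy, e.g. inetd.conf
# on the backup image versus the one from install media (what mergemaster
# would show you for the whole /etc tree).
config_changed() {
    ! cmp -s "$1" "$2"
}

# Emit an ipfw(8) ruleset (FreeBSD 4.x syntax) that lets only the
# administrator's address reach the host, keeps the resolver reachable so
# you do not lock yourself out, and logs everything else. Load it as one
# batch from a script: typed one line at a time over the network, the
# flush alone would drop your own session.
lockdown_rules() {
    admin="$1"   # your own source address (192.0.2.10 in the test: placeholder)
    dns="$2"     # the resolver you still need to reach (placeholder)
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 allow ip from $admin to any
ipfw add 210 allow ip from any to $admin
ipfw add 300 allow udp from any to $dns 53
ipfw add 310 allow udp from $dns 53 to any
ipfw add 65000 deny log ip from any to any
EOF
}

# Stand-alone use: sh audit.sh /mnt/backup 192.0.2.10 192.0.2.53
if [ $# -eq 3 ]; then
    find_trust_files "$1"
    find_rootkit_indicators "$1"
    lockdown_rules "$2" "$3"
fi
```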
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Tue Nov 13 18:23:48 2001
Date: Wed, 14 Nov 2001 09:23:03 +0700
From: Eugene Grosbein
To: Kirk Davis
Cc: hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: porting OpenSSH to 2.2.8
Message-ID: <20011114092303.A77520@svzserv.kemerovo.su>
References: <200111132156.fADLuO517143@ve6kik.bohica.net>
In-Reply-To: <200111132156.fADLuO517143@ve6kik.bohica.net>; from kirk@bohica.net on Tue, Nov 13, 2001 at 02:56:24PM -0700

On Tue, Nov 13, 2001 at 02:56:24PM -0700, Kirk Davis wrote:

> I have a number of older FreeBSD boxes (running 2.2.8-STABLE) and
> I am not able to upgrade beyond 2.2.8 due to some custom software.
> Has anyone managed to get a newer version of OpenSSH running on
> a 2.2.8 box? I'm not a C programmer but I have ported some programs in
> the past. I'm not having a lot of luck and was hoping that someone out
> there had already invented the wheel.

I installed OpenSSH on 2.2.5 a couple of months ago.
All that you need is:

1. Only if you do not have perl5 installed: take the distfile and patches
   from the current ports tree for perl5.
   You can build and install it manually with no problems.
2. Take the distfile and patches from the current ports tree for openssl.
   You can build and install it manually with no problems, too.
3. The same with openssh-portable from ports.

Eugene Grosbein

From owner-freebsd-security Tue Nov 13 18:39:42 2001
Message-Id: <5.1.0.14.2.20011114091904.0425b660@MailServer>
Date: Wed, 14 Nov 2001 09:38:00 +0700
To: freebsd-security@FreeBSD.ORG
From: Stefan Probst
Subject: Re: Adore worm
Cc: Rob Hurle
References: <5.1.0.14.2.20011114005803.0207ed70@MailServer>

Dear All,

thanks so far for the good advice.

On my site, there is a webmail form, which is VERY rarely used. About 20
minutes before the hijack, there were three mails coming from that form,
where the sender gave addresses etc. in Romania...

Status update here:

I am right now in the background using an FTP client to back up the whole
directory structure, so that I can later browse faster and check
modification dates etc.
Will still take some time until that is finished over the slow line here.

The only "good" thing: I have access to another FreeBSD 4.2 server, which
has been patched. Problem is only that this is a custom build (virtual
hosting), so I am not too sure.

And for the time being, I assume that the intruder "just" installed the SW
and didn't do more. Means: I will try to find out what happened, and if
possible restore without going through a re-install.

My questions:

1. Any problem, if I download "ps" and the patched "telnetd" from the good
site and just replace on the corrupted site?

2. I tried to patch as written in SA-01:49, but the directory /usr/src/ is
empty, and when I run the "patch -p ..." command, I get:

>Hmm... Looks like a unified diff to me...
>The text leading up to this was:
>--------------------------
>|Index: libexec/telnetd/ext.h
>|===================================================================
>|RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v
>|retrieving revision 1.8
>|retrieving revision 1.10
>|diff -u -r1.8 -r1.10
>|--- libexec/telnetd/ext.h 2000/11/19 10:01:27 1.8
>|+++ libexec/telnetd/ext.h 2001/07/23 22:00:51 1.10
>--------------------------
>File to patch:

What should I enter here???
The documentation says nothing.
TIA,
Stefan

From owner-freebsd-security Tue Nov 13 19:03:35 2001
Message-Id: <5.1.0.14.2.20011114095526.0425eec0@MailServer>
Date: Wed, 14 Nov 2001 10:01:48 +0700
To: Mikel King
From: Stefan Probst
Subject: Re: Adore worm
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3BF157B9.EBA6AFAB@ocsinternet.com>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer>

Hello Mikel,

At 12:26 13.11.2001 -0500, you wrote:
>Suggest, that you tarball the .fx directory and make it available for
>others to crack. Quite possibly some one on the list may be able to tell
>you exactly what was done, in the very least we can look for ways to
>plug the holes...
http://team-teso.net/releases.php about the Linux original
http://packetstorm.decepticons.org/filedesc/adorebsd-0.34.tar.html to
download the FreeBSD variant of the package

The author of AdoreBSD claims to be bind@gravitino.net

Rgds,
Stefan

From owner-freebsd-security Tue Nov 13 22:02:04 2001
From: tereza@emailerotica.com
Message-Id: <200111131114.EAA03087@members4.karasxxx.com>
Date: Tue, 13 Nov 2001 04:14:12 -0700
Subject: Email Erotica Newsletter
To: freebsd-security@freebsd.org

<<< No Message Collected >>>

From owner-freebsd-security Tue Nov 13 22:16:32 2001
Date: Wed, 14 Nov 2001 07:17:55 +0100
From: Sven Giersig
To: freebsd-security
Subject: listrl0: no memory for tx
Message-ID: <20011114071755.A27911@weird.dnsalias.org>

Hello List,

since last night I have entries in my syslog like

listrl0: no memory for tx ... (repeated)

rl0 is the internal interface on a fw-machine - and should have had less
traffic at night!

does it mean
- I have to add more memory?
- my NIC is broken?
- cable?

thanks for any hints,
Sven

--
Sven Giersig                 | mailto: smg@weird.dnsalias.org
Unix Inter-Networking        | mobile: +49-172-8049514
Directory Services           | https://weird.dnsalias.org/~smg

From owner-freebsd-security Wed Nov 14 00:39:09 2001
Date: Wed, 14 Nov 2001 11:38:06 +0300
From: "Nickolay A.Kritsky"
Message-ID: <13049006858.20011114113806@internethelp.ru>
To: Stefan Probst
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: Adore worm
In-reply-To: <5.1.0.14.2.20011114091904.0425b660@MailServer>
References: <5.1.0.14.2.20011114005803.0207ed70@MailServer> <5.1.0.14.2.20011114091904.0425b660@MailServer>

Hello Stefan,

Wednesday, November 14, 2001, 5:38:00 AM, you wrote:

SP> Dear All,

SP> thanks so far for the good advice.

SP> On my site, there is a webmail form, which is VERY rarely used. About 20
SP> minutes before the hijack, there were three mails coming from that form,
SP> where the sender gave addresses etc. in Romania...

SP> Status update here:

SP> I am right now in the background using an FTP client to back up the whole
SP> directory structure, so that I can later browse faster and check
SP> modification dates etc. Will still take some time until that is finished
SP> over the slow line here.

SP> The only "good" thing: I have access to another FreeBSD 4.2 server, which
SP> has been patched. Problem is only that this is a custom build (virtual
SP> hosting), so I am not too sure.

AFAIK with CVS you can build a binary for just about any version of
FreeBSD. But I can be wrong here. Any comments are very welcome.

SP> And for the time being, I assume that the intruder "just" installed the SW
SP> and didn't do more. Means: I will try to find out what happened, and if
SP> possible restore without going through a re-install.

This is a dangerous assumption. Be very careful and do not rely on this.

SP> My questions:

SP> 1. Any problem, if I download "ps" and the patched "telnetd" from the good
SP> site and just replace on the corrupted site?
you shoud just try. download them with different names (let's say new_ps and new_telnetd) and try to run them. For new_ps just type `chmod 700 /path/to/new/ps/new_ps && /path/to/new/ps/new_ps' in shell prompt. For new_telnetd add following line to /etc/inetd.conf: 55555 stream tcp nowait root /path/to/new/telnetd/new_telnetd new_telnetd and do "kill -1 `cat /var/run/inetd.pid`". After that try to telnet localhost at port 55555 and `tail' the logs for errors. SP> 2. I tried to patch as written in SA-01:49, but the directory /usr/src/ is SP> empty, and when I run the "patch -p ..." command, I get: >>Hmm... Looks like a unified diff to me... >>The text leading up to this was: >>-------------------------- >>|Index: libexec/telnetd/ext.h >>|=================================================================== >>|RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v >>|retrieving revision 1.8 >>|retrieving revision 1.10 >>|diff -u -r1.8 -r1.10 >>|--- libexec/telnetd/ext.h 2000/11/19 10:01:27 1.8 >>|+++ libexec/telnetd/ext.h 2001/07/23 22:00:51 1.10 >>-------------------------- >>File to patch: SP> What should I enter here??? SP> The documentation says nothing. If your /usr/src directory is empty you cannot apply this patch. SP> TIA, SP> Stefan ;------------------------------------------- ; NKritsky ; SysAdmin InternetHelp.Ru ; http://www.internethelp.ru ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 14 2: 0:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from grumbler.org (g.ural.org [217.106.61.2]) by hub.freebsd.org (Postfix) with ESMTP id 973F037B417 for ; Wed, 14 Nov 2001 02:00:18 -0800 (PST) Received: from g.grumbler.pvt (g.grumbler.pvt [172.21.0.16]) by grumbler.org with ESMTP for ; Wed, 14 Nov 2001 13:01:27 +0500 (YEKT) (envelope-from g@ural.org) Date: Wed, 14 Nov 2001 13:01:26 +0500 From: stas X-Mailer: The Bat! 
(v1.34a) S/N 49AB3874 / Educational Reply-To: g@ural.org X-Priority: 3 (Normal) Message-ID: <12542.011114@ural.org> To: freebsd-security Subject: Re: listrl0: no memory for tx X-Sender: stas Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello Sven,

Wednesday, November 14, 2001, 11:17:55 AM, you wrote:

SG> Hello List,

This is not a security question; why did you write to "freebsd-security" rather than a hardware mailing list?

SG> since the last night I have entries in my syslog like
SG> listrl0: no memory for tx ... (repeated)
SG> rl0 is the internal interface on a fw-machine - and should have had less traffic at night!

This is a normal situation for the RTL81x9 chip: the NIC's input buffer is too small. This NIC is a Chinese bargain; I congratulate you on your poor purchase :).

SG> does it mean
SG> - I have to add more memory?
SG> - my NIC is broken?
SG> - cable?
Best regards,
stas
mailto:g@grumbler.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 14 2:19: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from daemon.weird.dnsalias.org (pD9518139.dip.t-dialin.net [217.81.129.57]) by hub.freebsd.org (Postfix) with ESMTP id EBB9737B416 for ; Wed, 14 Nov 2001 02:18:59 -0800 (PST) Received: (from smg@localhost) by daemon.weird.dnsalias.org (8.11.6/8.11.3) id fAEAKUx34972 for freebsd-security@FreeBSD.ORG; Wed, 14 Nov 2001 11:20:30 +0100 (CET) (envelope-from smg) Date: Wed, 14 Nov 2001 11:20:28 +0100 From: Sven Giersig To: freebsd-security Subject: Re: listrl0: no memory for tx Message-ID: <20011114112028.A34775@weird.dnsalias.org> Mail-Followup-To: Sven Giersig , freebsd-security References: <12542.011114@ural.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <12542.011114@ural.org>; from g@grumbler.org on Wed, Nov 14, 2001 at 01:01:26PM +0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Nov 14, 2001 at 01:01:26PM +0500, stas wrote:
> This is not a security question; why did you write to
> "freebsd-security" rather than a hardware mailing list?

Sorry for that! I was a little confused it seems ;)

> This is a normal situation for the RTL81x9 chip: the NIC's input buffer is too small.
> This NIC is a Chinese bargain; I congratulate you on your poor purchase :).

thanks...
regards,
Sven
--
Sven Giersig | mailto: smg@weird.dnsalias.org | Unix Inter-Networking mobile: +49-172-8049514 | Directory Services https://weird.dnsalias.org/~smg |

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 14 2:38:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from members4.karasxxx.com (members4.cavecreek.net [64.38.226.15]) by hub.freebsd.org (Postfix) with ESMTP id 0D74437B417 for ; Wed, 14 Nov 2001 02:38:36 -0800 (PST) Received: from smtp.com (localhost [127.0.0.1]) by members4.karasxxx.com (8.9.3/8.9.3) with SMTP id DAA71131 for ; Wed, 14 Nov 2001 03:51:01 -0700 (MST) (envelope-from tereza@emailerotica.com) From: tereza@emailerotica.com Message-Id: <200111141051.DAA71131@members4.karasxxx.com> Date: Wed, 14 Nov 2001 03:51:01 -0700 Subject: Email Erotica Newsletter To: freebsd-security@freebsd.org Content-Type: text/html MIME-Version: 1.0 Reply-To: support@emailerotica.com X-Bulkmail: 2.05 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 14 4: 0:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp.netnam.vn (smtp.netnam.vn [203.162.7.93]) by hub.freebsd.org (Postfix) with ESMTP id 91F8637B416 for ; Wed, 14 Nov 2001 04:00:48 -0800 (PST) Received: from mailserver ([10.9.4.34]) by smtp.netnam.vn (8.10.2/8.10.2) with ESMTP id fAEC1cm20389; Wed, 14 Nov 2001 19:01:40 +0700 (GMT) Received: from 192.168.0.29 by mailserver ([192.168.0.2] running VPOP3) with ESMTP; Wed, 14 Nov 2001 18:59:43 +0700 Message-Id: <5.1.0.14.2.20011114183520.01e71d20@MailServer> X-Sender: stefan.probst@MailServer X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 14 Nov 2001 18:56:06 +0700 To: freebsd-security@FreeBSD.ORG From: Stefan Probst Subject: Re: AdoreWorm Cc: Rob Hurle Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Server: VPOP3 V1.4.6 - Registered Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,

some hours later, lots of grey hair more, but feeling more safe now....

As it looks now, somebody in Romania most probably used the telnetd hole (because there were no other unused services running, and it would be hard to believe that somebody on a dial-up line in Romania can sniff telnet passwords, which usually go from Vietnam via Hong Kong to the East Coast) and somehow got root access. They then installed this AdoreBSD. Luckily, as it looks right now (I might be wrong), they didn't do anything else - at least nothing major.

They furthermore installed from http://www.psychoid.lam3rz.de the psyBNC, which is obviously some kind of "special" IRC relay ???

This psyBNC left a logfile, and I have their ISP now: warpnet.ro, including some IP numbers, which they used.
Not sure, what I should do with that.

This psyBNC is installed in a directory, with a single space as the name:
/root/ /bsd.tgz
/root/ /bsd/scan-a
/root/ /bsd/telnet
/root/ /bsd/statdx2.tgz
/root/ /bsd/statdx2/luckgo
/root/ /bsd/statdx2/luckscan-a
/root/ /bsd/statdx2/luckstatdx
/root/ /bsd/statdx2/wu
/root/ /psybnc/

Status as of now:
- I deleted /bin/xterm (since I saw that entry in rc.conf)
- I replaced ps with a version, which I downloaded from another server. Luckily, that worked, and I could see the processes again.
- I killed all ./cons.saver processes
- I killed all /bin/xterm processes
- I killed all ./psybnc processes
- To apply the patch as written on the FreeBSD site, didn't work, because my /usr/src/ directory was empty.
- I tried ssh (which is ok now) to make sure, that I am not locked out, in case I crash telnetd.
- I replaced telnetd with a patched version which I downloaded from the other server. Still can log on.
- I restarted inetd successfully.
- I renamed .fx/cons.saver to be sure, that this is not restarted again
- I changed the root password (not sure, whether this was necessary)
- I replaced rc (I am really lucky, that this is one of the few files, which I (nosy) downloaded some time ago, so I have a clean copy here) and rc.conf
- I renamed that /root/ / to something different - to be sure, that the files in there cannot be started by an unknown process again.

Outstanding
- find more remains.
- the /var/log/... files are still not written, i.e. size still "0". ???

Open Questions:
- I know, that
  * ps, telnetd have been replaced
  * /var/log/messages has been renamed to "menssages"
  * rc, rc.conf have been edited
  * processes were started: cons.saver, xterm, psybnc
  What more happened / needs to be re-installed/deleted/killed...?
- there is a short file "/etc/syslog.conf.lock" what is this? Delete it?
Thanks to everybody, Stefan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 14 4:19:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-168.zoominternet.net [24.154.28.168]) by hub.freebsd.org (Postfix) with ESMTP id E5D7C37B416 for ; Wed, 14 Nov 2001 04:19:17 -0800 (PST) Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id fAECJHF56198 for ; Wed, 14 Nov 2001 07:19:17 -0500 (EST) (envelope-from behanna@zbzoom.net) Date: Wed, 14 Nov 2001 07:19:12 -0500 (EST) From: Chris BeHanna Reply-To: Chris BeHanna To: Subject: Re: AdoreWorm In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer> Message-ID: <20011114071710.B56125-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 14 Nov 2001, Stefan Probst wrote: > Hi, > > some hours later, lots of grey hair more, but feeling more safe now.... > > As it looks now, somebody in Romania used most probably the telnetd hole > (because there were no other unused services running, and it would be hard > to believe, that somebody on a dial-up line in Romania can sniff telnet > passwords, which usually go from Vietnam via Hongkong to the EastCost) and > got somehow root access. They installed then this AdoreBSD. Luckily, as it > looks right now (I might be wrong), they didn't do anything else - at least > nothing major. > > They furthermore installed from http://www.psychoid.lam3rz.de the psyBNC, > which is obviously kind of an "special" IRC relay ??? > > This psyBNC left a logfile, and I have their ISP now: warpnet.ro, including > some IP numbers, which they used. 
Not sure, what I should do with that. Turn them in to the appropriate authorities. The box was in the U.S. right? That brings this under the jurisdiction of the FBI Computer Crimes Squad, which, if they have any bandwidth to spare these days, can handle the international jurisdictional issues. You still are best off reinstalling from trusted media. How you wipe the disk and do this remotely is not something I know how to do. -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net I was raised by a pack of wild corn dogs. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 14 6:16: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id CAE3E37B405 for ; Wed, 14 Nov 2001 06:16:03 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id fAEEG2400417; Wed, 14 Nov 2001 08:16:02 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id IAA10213; Wed, 14 Nov 2001 08:16:02 -0600 (CST) Message-ID: <3BF27C9E.8700B070@centtech.com> Date: Wed, 14 Nov 2001 08:15:58 -0600 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Sven Giersig Cc: freebsd-security Subject: Re: listrl0: no memory for tx References: <20011114071755.A27911@weird.dnsalias.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I have seen similar messages on an NFS server that was extremely 
overloaded. I did a few sysctl tweaks to the tcp window sizes and such, and a few other things, so the machine could keep up with the hundreds of P4's beating the crud out of it. If it's your firewall, I'd be looking at it with a fine toothed comb right now. Eric Sven Giersig wrote: > > Hello List, > since the last night I have entries in my syslog like > listrl0: no memory for tx ... (repeated) > rl0 is the internal interface on a fw-machine - and should have had less traffic at night! > > does it mean > - I have to add more memory? > - my NIC is broken? > - cable? > > thanks for any hints, > Sven > > -- > Sven Giersig | > mailto: smg@weird.dnsalias.org | Unix Inter-Networking > mobile: +49-172-8049514 | Directory Services > https://weird.dnsalias.org/~smg | > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------- Eric Anderson anderson@centtech.com Centaur Technology No single raindrop believes it is to blame for the flood. 
------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 14 6:57:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns2.esnx.net (200-161-145-69.dsl.telesp.net.br [200.161.145.69]) by hub.freebsd.org (Postfix) with SMTP id 4A2C637B405 for ; Wed, 14 Nov 2001 06:57:45 -0800 (PST) Received: (qmail 58560 invoked from network); 14 Nov 2001 14:57:49 -0000 Received: from unknown (HELO host) (10.6.49.8) by ns2.esnx.net with SMTP; 14 Nov 2001 14:57:49 -0000 From: "Marcos Martinelli" To: Subject: RE: listrl0: no memory for tx Date: Wed, 14 Nov 2001 12:57:45 -0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-reply-to: <3BF27C9E.8700B070@centtech.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This means that your network memory buffer is not enough to your network traffic. 
If you are using FreeBSD, put in your /boot/loader.conf :

kern.ipc.nmbclusters="8192"
kern.ipc.nmbufs="32768"

You can see whether this is the problem with the command: netstat -m

> [root@pituba root]# netstat -m
> 1650/2000/4096 mbufs in use (current/peak/max):
> 1469 mbufs allocated to data
> 124 mbufs allocated to packet headers
> 57 mbufs allocated to socket names and addresses
> 1024/1024/1024 mbuf clusters in use (current/peak/max)
> 2548 Kbytes allocated to network (82% of mb_map in use)
> 8436 requests for memory denied
> 71 requests for memory delayed
> 0 calls to protocol drain routines

It's nothing related to a hardware problem.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Eric Anderson
Sent: Wednesday, November 14, 2001 11:16 AM
To: Sven Giersig
Cc: freebsd-security
Subject: Re: listrl0: no memory for tx

I have seen similar messages on an NFS server that was extremely overloaded. I did a few sysctl tweaks to the tcp window sizes and such, and a few other things, so the machine could keep up with the hundreds of P4's beating the crud out of it. If it's your firewall, I'd be looking at it with a fine toothed comb right now.

Eric

Sven Giersig wrote:
>
> Hello List,
> since the last night I have entries in my syslog like
> listrl0: no memory for tx ... (repeated)
> rl0 is the internal interface on a fw-machine - and should have had less traffic at night!
>
> does it mean
> - I have to add more memory?
> - my NIC is broken?
> - cable?
> > thanks for any hints, > Sven > > -- > Sven Giersig | > mailto: smg@weird.dnsalias.org | Unix Inter-Networking > mobile: +49-172-8049514 | Directory Services > https://weird.dnsalias.org/~smg | > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------- Eric Anderson anderson@centtech.com Centaur Technology No single raindrop believes it is to blame for the flood. ------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 14 6:59:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from gramsc1.dyndns.org (h00609774e769.ne.mediaone.net [24.91.224.187]) by hub.freebsd.org (Postfix) with ESMTP id 35CDC37B417 for ; Wed, 14 Nov 2001 06:59:10 -0800 (PST) Received: from localhost (resopmok@localhost) by gramsc1.dyndns.org (8.11.6/8.11.6) with ESMTP id fAEEwip21271; Wed, 14 Nov 2001 09:58:44 -0500 (EST) (envelope-from resopmok@gramsc1.dyndns.org) Date: Wed, 14 Nov 2001 09:58:44 -0500 (EST) From: Chris Thomas To: Stefan Probst Cc: freebsd-security@FreeBSD.ORG, Rob Hurle Subject: Re: AdoreWorm In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org As other people have suggested numerous times on this list, do not use telnetd! Telnet uses plain text IP packets, meaning _anything_ you type can be read by _anyone_ sniffing packets along the route or at certain machines. 
If you manage your machine remotely, this means your root password, user account passwords and other sensitive information which can lead to this sort of attack happening again. Please, use ssh, as it encrypts your traffic so that it is unreadable to the human eye, keeping your passwords and activity hidden. Also, be sure to disable login available as root, as this is just not a good idea. In short, whether or not the version of telnetd you are using is patched, telnet is insecure, deprecated and lastly insecure. There is no reason I can think of to use it on any modern server, because ssh clients are widely and freely available for every platform. To end this message out, do not use telnetd! -chris On Wed, 14 Nov 2001, Stefan Probst wrote: > Hi, > > some hours later, lots of grey hair more, but feeling more safe now.... > > As it looks now, somebody in Romania used most probably the telnetd hole > (because there were no other unused services running, and it would be hard > to believe, that somebody on a dial-up line in Romania can sniff telnet > passwords, which usually go from Vietnam via Hongkong to the EastCost) and > got somehow root access. They installed then this AdoreBSD. Luckily, as it > looks right now (I might be wrong), they didn't do anything else - at least > nothing major. > > They furthermore installed from http://www.psychoid.lam3rz.de the psyBNC, > which is obviously kind of an "special" IRC relay ??? > > This psyBNC left a logfile, and I have their ISP now: warpnet.ro, including > some IP numbers, which they used. Not sure, what I should do with that. 
> > This psyBNC is installed in a directory, with a single space as the name: > /root/ /bsd.tgz > /root/ /bsd/scan-a > /root/ /bsd/telnet > /root/ /bsd/statdx2.tgz > /root/ /bsd/statdx2/luckgo > /root/ /bsd/statdx2/luckscan-a > /root/ /bsd/statdx2/luckstatdx > /root/ /bsd/statdx2/wu > /root/ /psybnc/ > > > Status as of now: > - I deleted /bin/xterm (since I saw that entry in rc.conf) > - I replaced ps with a version, which I downloaded from another server > Luckily, that worked, and I could see the processes again. > - I killed all ./cons.saver processes > - I killed all /bin/xterm processes > - I killed all ./psybnc processes > - To apply the patch as written on the FreeBSD site, didn't work, > because my /usr/src/ directory was empty. > - I tried ssh (which is ok now) to make sure, that I am not locked out, > in case I crash telnetd. > - I replaced telnetd with a patched version which I downloaded > from the other server. > Still can log on. > - I restarted inetd successfully. > - I renamed .fx/cons.saver to be sure, that this is not restarted again > - I changed the root password (not sure, whether this was necessary) > - I replaced rc (I am really lucky, that this is one of the few files, > which I (nosy) downloaded some time ago, so I have a clean copy here) > and rc.conf > - I renamed that /root/ / to something different - to be sure, > that the files in there cannot be started by an unknown process again. > > Outstanding > - find more remains. > - the /var/log/... files are still not written, i.e. size still "0". ??? > > Open Questions: > - I know, that > * ps, telnetd have been replaced > * /var/log/messages has been renamed to "menssages" > * rc, rc.conf have been edited > * processes were started: cons.saver, xterm, psybnc > What more happened / needs to be re-installed/deleted/killed...? > - there is a short file "/etc/syslog.conf.lock" what is this? > Delete it? 
> > Thanks to everybody,
> Stefan
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 14 7: 1:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 840B737B419 for ; Wed, 14 Nov 2001 07:01:21 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id fAEF1K401475 for ; Wed, 14 Nov 2001 09:01:20 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id JAA11306 for ; Wed, 14 Nov 2001 09:01:20 -0600 (CST) Message-ID: <3BF2873C.4E47BBFE@centtech.com> Date: Wed, 14 Nov 2001 09:01:16 -0600 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: listrl0: no memory for tx References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I actually did this, jacking those nmbclusters way up, but even then, they would top out and the box would quit responding. So in essence, I jacked those up AND tweaked other stuff, and it's been fine since. Not 100% sure what Sven's problem is, but I'm with you on the "not hardware" thing. Hardware could suck, but I think you can tweak around it.

Eric

Marcos Martinelli wrote:
>
> This means that your network memory buffer is not enough for your network
> traffic.
> > if you are using FreeBSD, put in your /boot/loader.conf : > > kern.ipc.nmbclusters="8192" > kern.ipc.nmbufs="32768" > > you can see if the problem is it with the command: netstat -m > > > [root@pituba root]# netstat -m > > 1650/2000/4096 mbufs in use (current/peak/max): > > 1469 mbufs allocated to data > > 124 mbufs allocated to packet headers > > 57 mbufs allocated to socket names and addresses > > 1024/1024/1024 mbuf clusters in use (current/peak/max) > > 2548 Kbytes allocated to network (82% of mb_map in use) > > 8436 requests for memory denied > > 71 requests for memory delayed > > 0 calls to protocol drain routines > > Its nothing related to hardware problem > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Eric Anderson > Sent: Wednesday, November 14, 2001 11:16 AM > To: Sven Giersig > Cc: freebsd-security > Subject: Re: listrl0: no memory for tx > > I have seen similar messages on an NFS server that was > extremely overloaded. I did a few sysctl tweaks to the tcp > window sizes and such, and a few other things, so the > machine could keep up with the hundreds of P4's beating the > crud out of it. If it's your firewall, I'd be looking at it > with a fine toothed comb right now. > > Eric > > Sven Giersig wrote: > > > > Hello List, > > since the last night I have entries in my syslog like > > listrl0: no memory for tx ... (repeated) > > rl0 is the internal interface on a fw-machine - and should have had less > traffic at night! > > > > does it mean > > - I have to add more memory? > > - my NIC is broken? > > - cable? 
> > > > thanks for any hints, > > Sven > > > > -- > > Sven Giersig | > > mailto: smg@weird.dnsalias.org | Unix Inter-Networking > > mobile: +49-172-8049514 | Directory Services > > https://weird.dnsalias.org/~smg | > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > ------------------------------------------------------------- > Eric Anderson anderson@centtech.com Centaur Technology > No single raindrop believes it is to blame for the flood. > ------------------------------------------------------------- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------- Eric Anderson anderson@centtech.com Centaur Technology No single raindrop believes it is to blame for the flood. 
------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 14 7:16:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from sanyu1.sanyutel.com (sanyu1.sanyutel.com [216.250.215.14]) by hub.freebsd.org (Postfix) with ESMTP id 4926837B405; Wed, 14 Nov 2001 07:16:28 -0800 (PST) Received: from localhost (ksemat@localhost) by sanyu1.sanyutel.com (8.11.3/) with ESMTP id fAEFJDx28426; Wed, 14 Nov 2001 18:19:13 +0300 X-Authentication-Warning: sanyu1.sanyutel.com: ksemat owned process doing -bs Date: Wed, 14 Nov 2001 18:19:13 +0300 (EAT) From: X-X-Sender: To: John Baldwin Cc: Stefan Probst , Rob Hurle , Subject: RE: Adore worm In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I also add my voice to the hullabaloo. Reinstall the machine, use ssh and do a cvsup to the latest stable release of freebsd. Do this regularly in order to keep on top of things. Noah. On Tue, 13 Nov 2001, John Baldwin wrote: > > On 13-Nov-01 Stefan Probst wrote: > > Good Evening, > > > > sorry for newbie-posting, but I don't have too much time to sift through > > archives.... > > > > Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a > > worm - or infested by purpose: > > It's a rootkit, and your box has been compromised. Backup your data and > reinstall unless someone else has a better idea. > > -- > > John Baldwin -- http://www.FreeBSD.org/~jhb/ > "Power Users Use the Power to Serve!" 
- http://www.FreeBSD.org/ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 14 8: 0:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp.netnam.vn (smtp.netnam.vn [203.162.7.93]) by hub.freebsd.org (Postfix) with ESMTP id 8F53C37B405 for ; Wed, 14 Nov 2001 08:00:04 -0800 (PST) Received: from mailserver ([10.9.4.34]) by smtp.netnam.vn (8.10.2/8.10.2) with ESMTP id fAEG0Fm25112; Wed, 14 Nov 2001 23:00:16 +0700 (GMT) Received: from 192.168.0.29 by mailserver ([192.168.0.2] running VPOP3) with ESMTP; Wed, 14 Nov 2001 22:17:54 +0700 Message-Id: <5.1.0.14.2.20011114215959.01e4bd90@MailServer> X-Sender: stefan.probst@MailServer X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 14 Nov 2001 22:14:31 +0700 To: Chris Thomas From: Stefan Probst Subject: Re: AdoreWorm Cc: freebsd-security@FreeBSD.ORG, Rob Hurle In-Reply-To: References: <5.1.0.14.2.20011114183520.01e71d20@MailServer> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Server: VPOP3 V1.4.6 - Registered Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Chris, At 09:58 14.11.2001 -0500, you wrote: ------------------------- >There is no reason I can think of to use >it [telnetd] on any modern server, because ssh clients are widely and freely >available for every platform. I will give you some reasons: 1. Until a few weeks ago, Vietnam was behind a nation-wide firewall, which didn't let ssh pass. I had no choice than to do everything via telnetd. 2. Encryption is until today technically illegal here. Although people use it permanently for https and ... ssh in the future.... 
But, just to clarify: On all my machines, root has neither telnet, nor ftp
access. And I am not on a cable modem (where the whole neighbourhood can
sniff packets), but dial-up to the ISP, and from there comparable direct
lines to the server in the US. "Only" provider staff should have access to
the lines, i.e. be able to sniff.

And, as somebody else has suggested: Yes, I have Putty. I tried it once
before and failed at the firewall. I used it today. And had problems to type
the "pipe" | on my non-US keyboard.... It ain't that easy...

Cheers,
Stefan

PS: Has somebody already analyzed that "AdoreBSD"?

From owner-freebsd-security Wed Nov 14 09:08:14 2001
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 67C1D37B405 for ; Wed, 14 Nov 2001 09:08:11 -0800 (PST)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id fAEH7vm69165; Wed, 14 Nov 2001 12:07:57 -0500 (EST) (envelope-from arr@FreeBSD.org)
X-Authentication-Warning: fledge.watson.org: arr owned process doing -bs
Date: Wed, 14 Nov 2001 12:07:55 -0500 (EST)
From: "Andrew R. Reiter"
X-Sender: arr@fledge.watson.org
To: Stefan Probst
Cc: freebsd-security@FreeBSD.org, Rob Hurle
Subject: Re: AdoreWorm
In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer>

: What more happened / needs to be re-installed/deleted/killed...?

Look, while it may have not been done well, the person basically backdoored
your kernel.
For basically everything you do to interact with your machine, you kinda
"trust" your kernel for valid information. With that kernel backdoored, you
pretty much can't trust anything it says.

_reinstall_

Andrew

--
Andrew R. Reiter
arr@watson.org
arr@FreeBSD.org

From owner-freebsd-security Wed Nov 14 09:20:32 2001
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id E07ED37B418 for ; Wed, 14 Nov 2001 09:20:24 -0800 (PST)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 94AB31DA7; Wed, 14 Nov 2001 18:20:16 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 0336355A2; Wed, 14 Nov 2001 18:20:15 +0100 (CET)
Date: Wed, 14 Nov 2001 18:20:15 +0100 (CET)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: Rob Hurle
Cc: Stefan Probst, freebsd-security@FreeBSD.ORG
Subject: Re: Adore worm
In-Reply-To: <20011114100516.L432-100000@freebsd.connect-a.com.au>

On Wed, 14 Nov 2001, Rob Hurle wrote:
> People advise ssh, but I notice that this particular attack also has a new
> version of ssh to install, so I don't know about that.

This may be done for two reasons:
1. To install a version of sshd that is not vulnerable to CRC attack
2. To install a trojaned version of sshd that contains a backdoor allowing
   remote root access, e.g. based on username.

The second possibility looks more probable to me.
My PLN 0.02

Regards,
Krzysztof

From owner-freebsd-security Wed Nov 14 09:47:04 2001
Received: from mail.axelero.hu (cmail.axelero.hu [195.228.240.83]) by hub.freebsd.org (Postfix) with SMTP id 8704537B405 for ; Wed, 14 Nov 2001 09:47:00 -0800 (PST)
Received: (qmail 25777 invoked from network); 14 Nov 2001 17:43:59 +0100
Received: from adsl114.230.axelero.hu (HELO Vasarely.Zahemszky.HU) (195.228.230.114) by mail.axelero.hu with SMTP; 14 Nov 2001 17:43:59 +0100
Received: (from uucp@localhost) by Vasarely.Zahemszky.HU (8.10.1/8.10.1) id fAEFjYL32207 for ; Wed, 14 Nov 2001 16:45:34 +0100 (CET)
Received: from UNKNOWN(172.16.1.1), claiming to be "Picasso.Zahemszky.HU" via SMTP by Vasarely.Zahemszky.HU, id smtpdm32678; Wed Nov 14 15:45:10 2001
Received: (from zgabor@localhost) by Picasso.Zahemszky.HU (8.11.6/8.11.6) id fAEFj9T00529 for freebsd-security@freebsd.org; Wed, 14 Nov 2001 16:45:09 +0100 (CET) (envelope-from zgabor)
Date: Wed, 14 Nov 2001 16:45:09 +0100
From: Zahemszky Gábor
To: freebsd-security@freebsd.org
Subject: Re: AdoreWorm
Message-ID: <20011114164509.D408@Picasso.Zahemszky.HU>
References: <5.1.0.14.2.20011114183520.01e71d20@MailServer> <5.1.0.14.2.20011114215959.01e4bd90@MailServer>
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.1.0.14.2.20011114215959.01e4bd90@MailServer>; from stefan.probst@opticom.v-nam.net on Wed, Nov 14, 2001 at 10:14:31PM +0700

On Wed, Nov 14, 2001 at 10:14:31PM +0700, Stefan Probst wrote:
> Hello Chris,
>
> At 09:58 14.11.2001 -0500, you wrote:
> -------------------------
> >There is no reason I can
> >think of to use
> >it [telnetd] on any modern server, because ssh clients are widely and freely
> >available for every platform.
>
> I will give you some reasons:
> 1. Until a few weeks ago, Vietnam was behind a nation-wide firewall, which
> didn't let ssh pass. I had no choice than to do everything via telnetd.

And what about /usr/ports/www/httptunnel? And an ssh in that tunnel?

ZGabor < Gabor at Zahemszky dot HU >

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Wed Nov 14 12:49:39 2001
Received: from mail1.zer0.org (klapaucius.zer0.org [204.152.186.45]) by hub.freebsd.org (Postfix) with ESMTP id D235637B405; Wed, 14 Nov 2001 12:49:32 -0800 (PST)
Received: by mail1.zer0.org (Postfix, from userid 1001) id B36F2239A05; Wed, 14 Nov 2001 12:49:32 -0800 (PST)
Date: Wed, 14 Nov 2001 12:49:32 -0800
From: Gregory Sutter
To: John Baldwin
Cc: Stefan Probst, Rob Hurle, freebsd-security@FreeBSD.ORG
Subject: Re: Adore worm
Message-ID: <20011114124932.J35048@klapaucius.zer0.org>
References: <5.1.0.14.2.20011114000437.02050a70@MailServer>
User-Agent: Mutt/1.3.22.1i
Organization: Zer0
X-Purpose: For great justice!
Mail-Copies-To: poster

On 2001-11-13 09:22 -0800, John Baldwin wrote:
>
> It's a rootkit, and your box has been compromised. Backup your data and
> reinstall unless someone else has a better idea.

I'm not sure if this is a better idea, but it does allow remote
cleanup. Tell me if I've missed anything.

1. Insert /etc/hosts.allow rules that only allow connections from
   your IP or subnet.

2. Change your password, and then change your root password.

3. pkg_delete cvsup    # and any variants: cvsup-bin, etc.
   pkg_add -r cvsup

4. /stand/sysinstall, install a 'minimal' system from an FTP server
   (to get a clean 'make', 'cc', and libs)

5. Install a fresh OS:
   rm -rf /usr/src
   cvsup /usr/share/examples/cvsup/4.x-stable-supfile
   make buildworld
   make buildkernel
   make installkernel
   make installworld
   mergemaster

6. check /etc/rc.local for hacks, and chmod a-x /usr/local/etc/rc.d/*

7. Delete all your packages.
   cd /var/db/pkg; for i in `ls`; do echo $i >> /tmp/installed-packages; \
   pkg_delete -f $i; done

8. reboot

9. log in WITH SSH

10. change your password again. change your root password again.

11. find / -perm +a+s > /tmp/setuid_files    # then audit them.

12. go through the rest of your filesystem, all of it, to ensure that
    no evil takeover scripts remain sitting anywhere. Check through
    'cron' entries.

13. reinstall all your packages.

14. go play, but be safe! read freebsd-security and don't use
    unencrypted connections!

Greg

--
Gregory S. Sutter                      The process of scientific discovery
mailto:gsutter@zer0.org                is, in effect, a continual flight
http://www.zer0.org/~gsutter/          from wonder.
                                           --Albert Einstein
hkp://wwwkeys.pgp.net/0x845DFEDD

From owner-freebsd-security Wed Nov 14 12:52:57 2001
Received: from mail12.speakeasy.net (mail12.speakeasy.net [216.254.0.212]) by hub.freebsd.org (Postfix) with ESMTP id 23D2737B418 for ; Wed, 14 Nov 2001 12:52:55 -0800 (PST)
Received: (qmail 425 invoked from network); 14 Nov 2001 20:52:53 -0000
Received: from unknown (HELO laptop.baldwin.cx) ([64.81.54.73]) (envelope-sender ) by mail12.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 14 Nov 2001 20:52:53 -0000
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
In-Reply-To: <20011114124932.J35048@klapaucius.zer0.org>
Date: Wed, 14 Nov 2001 12:52:45 -0800 (PST)
From: John Baldwin
To: Gregory Sutter
Subject: Re: Adore worm
Cc: freebsd-security@FreeBSD.ORG, Rob Hurle, Stefan Probst

On 14-Nov-01 Gregory Sutter wrote:
> On 2001-11-13 09:22 -0800, John Baldwin wrote:
>>
>> It's a rootkit, and your box has been compromised. Backup your data and
>> reinstall unless someone else has a better idea.
>
> I'm not sure if this is a better idea, but it does allow remote
> cleanup. Tell me if I've missed anything.
>
> 1. Insert /etc/hosts.allow rules that only allow connections from
>    your IP or subnet.
>
> 2. Change your password, and then change your root password.
>
> 3. pkg_delete cvsup    # and any variants: cvsup-bin, etc.
>    pkg_add -r cvsup
>
> 4. /stand/sysinstall, install a 'minimal' system from an FTP server
>    (to get a clean 'make', 'cc', and libs)

This also will clean out /etc, so you might want to back up certain bits of
etc that you restore later, like the password and group files and rc.conf.

--

John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/

From owner-freebsd-security Wed Nov 14 13:06:18 2001
Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id A4DF637B417 for ; Wed, 14 Nov 2001 13:06:16 -0800 (PST)
Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id fAEL6Es92652; Wed, 14 Nov 2001 13:06:14 -0800 (PST)
Date: Wed, 14 Nov 2001 13:06:14 -0800 (PST)
From: David Kirchner
To: Stefan Probst
Cc: Rob Hurle
Subject: Re: AdoreWorm
In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
Message-ID: <20011114130546.B44499-100000@localhost>

On Wed, 14 Nov 2001, Stefan Probst wrote:

> - I changed the root password (not sure, whether this was necessary)

This is potentially dangerous if it is done before checking that "passwd"
has not been compromised.
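David's warning above is the general problem with a rootkitted host: passwd(1), login(1) and the kernel itself may all have been replaced, so the check a practitioner wants before typing a new root password into such a box is to compare the binaries against digests taken from a known-good install on read-only media (FreeBSD's own mtree(8) can build and check a specification of this kind). The script below is an added example for this thread, not code from any of the posters or from FreeBSD: verify_manifest compares files under a suspect root against a manifest of SHA-256 digests, and make_demo builds a constructed fixture (fake passwd and ls files, a manifest written from the clean copies, then a tampered passwd) so the check can be run offline. The manifest format, the function names and the sample files are all assumptions made here.

```shell
#!/bin/sh
# Added example: verify binaries under a suspect root against a manifest of
# SHA-256 digests generated on a known-good system. Manifest format, names
# and sample files are constructed for this example.

# digest_of FILE -> prints the hex SHA-256 of FILE.
# Uses sha256sum (GNU coreutils) or sha256 (FreeBSD), whichever exists.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# verify_manifest MANIFEST ROOT
# MANIFEST lines look like:  <sha256-hex> <path relative to ROOT>
# Blank lines and lines starting with '#' are ignored.
# Prints one line per problem (MISSING, SYMLINK or MODIFIED) and returns 1
# if any listed file fails, 0 if every listed file matches. A symlink put
# in place of a binary is reported separately so it is never silently
# followed to a file that happens to match.
verify_manifest() {
    manifest=$1
    root=$2
    status=0
    while read -r expected relpath; do
        case "$expected" in ''|'#'*) continue ;; esac
        target="$root/$relpath"
        if [ ! -f "$target" ]; then
            echo "MISSING $relpath"
            status=1
            continue
        fi
        if [ -L "$target" ]; then
            echo "SYMLINK $relpath"
            status=1
            continue
        fi
        actual=$(digest_of "$target")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $relpath"
            status=1
        fi
    done < "$manifest"
    return $status
}

# make_demo DIR: constructed fixture. Creates DIR/root/usr/bin/passwd and
# DIR/root/bin/ls, writes DIR/manifest from the clean copies (plus an entry
# for bin/login that is deliberately absent from the root), then overwrites
# passwd to stand in for a replaced binary.
make_demo() {
    dir=$1
    mkdir -p "$dir/root/usr/bin" "$dir/root/bin"
    printf 'clean passwd binary\n' > "$dir/root/usr/bin/passwd"
    printf 'clean ls binary\n' > "$dir/root/bin/ls"
    {
        echo "# constructed manifest from the known-good install"
        echo "$(digest_of "$dir/root/usr/bin/passwd") usr/bin/passwd"
        echo "$(digest_of "$dir/root/bin/ls") bin/ls"
        echo "$(digest_of "$dir/root/bin/ls") bin/login"
    } > "$dir/manifest"
    # simulate the binary being replaced after the manifest was taken
    printf 'replaced passwd binary\n' > "$dir/root/usr/bin/passwd"
}

# Usage on a real host: generate the manifest on a clean install, carry it
# in on read-only media, mount the suspect disks read-only under /mnt and run
#   verify_manifest /cdrom/manifest /mnt
# Against the fixture:  d=$(mktemp -d); make_demo "$d"; verify_manifest "$d/manifest" "$d/root"
```

Anything this reports as MODIFIED or MISSING has to be treated as untrusted, and a clean report only covers the files listed: it says nothing about the kernel the check ran under, which is why the thread's advice to boot clean media before trusting anything still stands.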
From owner-freebsd-security Wed Nov 14 14:59:48 2001
Received: from www.kpi.com.au (www.kpi.com.au [203.39.132.210]) by hub.freebsd.org (Postfix) with ESMTP id 8C9AB37B419 for ; Wed, 14 Nov 2001 14:59:33 -0800 (PST)
Received: from kpi.com.au (localhost.kpi.com.au [127.0.0.1]) by www.kpi.com.au (8.9.3/8.9.3) with ESMTP id KAA65889; Thu, 15 Nov 2001 10:07:18 +1100 (EST) (envelope-from johnsa@kpi.com.au)
Message-ID: <3BF2F73A.5855391D@kpi.com.au>
Date: Thu, 15 Nov 2001 09:59:06 +1100
From: Andrew Johns
X-Mailer: Mozilla 4.7 [en-gb] (WinNT; U)
X-Accept-Language: en
To: Stefan Probst
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: AdoreWorm
References: <5.1.0.14.2.20011114183520.01e71d20@MailServer> <5.1.0.14.2.20011114215959.01e4bd90@MailServer>

Stefan Probst wrote:
>
> Hello Chris,
>
> At 09:58 14.11.2001 -0500, you wrote:
> -------------------------
> >There is no reason I can think of to use
> >it [telnetd] on any modern server, because ssh clients are widely and freely
> >available for every platform.
>
> I will give you some reasons:
> 1. Until a few weeks ago, Vietnam was behind a nation-wide firewall, which
> didn't let ssh pass. I had no choice than to do everything via telnetd.

Why can't you run sshd on port 23? Surely they don't examine connections to
determine the actual protocol running?

--
Andrew Johns
================================================================
BUGS: This utility is a prototype which lasted several years past its
expiration date and is greatly in need of death.
      - from FreeBSD sysinstall man page

From owner-freebsd-security Wed Nov 14 15:24:41 2001
Received: from rly-ip02.mx.aol.com (rly-ip02.mx.aol.com [152.163.225.160]) by hub.freebsd.org (Postfix) with ESMTP id 4681A37B405 for ; Wed, 14 Nov 2001 15:24:39 -0800 (PST)
Received: from logs-tk.proxy.aol.com (logs-tk.proxy.aol.com [152.163.206.132]) by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id SAA10236 for ; Wed, 14 Nov 2001 18:21:34 -0500 (EST)
Received: from blah (AC9E7596.ipt.aol.com [172.158.117.150]) by logs-tk.proxy.aol.com (8.10.0/8.10.0) with SMTP id fAENHii334602 for ; Wed, 14 Nov 2001 18:17:44 -0500 (EST)
Message-Id: <200111142317.fAENHii334602@logs-tk.proxy.aol.com>
Date: Wed, 14 Nov 2001 23:18:27 +0100
To: security@freebsd.org
From: eberkut
Subject: Re: NIS, rsync, and LDAP Re: sharing /etc/passwd
Organization: CNS / Minithins
X-Mailer: Opera 5.11 build 904b
X-Priority: 3 (Normal)
X-Apparently-From: SinkSuffering@aol.com

08/11/01 18:05:20, Alexey Zakirov wrote:

>On Wed, 7 Nov 2001, Jano Lukac wrote:
>
>> new implementations of the openldap 2 have connections via ssl, or you could
>> wrap the old openldap 1 through an stunnel. But a small warning: I've been
>> working about a month now trying to figure out how to allow users to change
>> passwords, without luck. I went as far as setting up an ldap v3 with
>
>something like a custom passwd(1) program would be pretty trivial.

A little late but, there is a recent nice C API called EasyLDAP which could
help in this purpose. It supports password management and SSL/TLS.
The main developer is a FreeBSD addict so it works fine :)

just my 0.02 euros

--eberkut
ex diffinientium cognitione diffiniti resultat cognitio
. Prelude : http://prelude.sf.net
. CNS : http://minithins.net

From owner-freebsd-security Wed Nov 14 15:42:20 2001
Received: from yez.hyperreal.org (gate.sp.collab.net [64.211.228.36]) by hub.freebsd.org (Postfix) with SMTP id 986A437B416 for ; Wed, 14 Nov 2001 15:42:17 -0800 (PST)
Received: (qmail 1965 invoked by uid 1000); 14 Nov 2001 23:42:47 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 14 Nov 2001 23:42:47 -0000
Date: Wed, 14 Nov 2001 15:42:47 -0800 (PST)
From: Brian Behlendorf
Subject: login: chmod(/dev/tty??): No such file or directory
Message-ID: <20011114154008.P1375-100000@localhost>

Saw this in last night's logs:

Nov 13 15:56:13 taz3 login: chmod(/dev/tty??): No such file or directory
Nov 13 15:56:13 taz3 login: chmod(/dev/tty??): No such file or directory

Seemed odd to me - I can understand why login does a chmod of the attached
tty when setting up the user's environment, but I don't know why it got
"/dev/tty??" as the tty. I'm sending this to security@ only because I figure
there's the small chance this is some sort of new compromise attempt...
anyone else seen this kind of thing?
Brian

From owner-freebsd-security Wed Nov 14 15:48:21 2001
Received: from oxmail.ox.ac.uk (oxmail2.ox.ac.uk [163.1.2.1]) by hub.freebsd.org (Postfix) with ESMTP id CBCE137B416 for ; Wed, 14 Nov 2001 15:48:18 -0800 (PST)
Received: from heraldgate2.oucs.ox.ac.uk ([163.1.2.50] helo=frontend2.herald.ox.ac.uk ident=exim) by oxmail.ox.ac.uk with esmtp (Exim 3.12 #1) id 1649lP-0006KD-02; Wed, 14 Nov 2001 23:48:15 +0000
Received: from dhcp85.wadham.ox.ac.uk ([163.1.164.212] helo=piii600.wadham.ox.ac.uk) by frontend2.herald.ox.ac.uk with esmtp (Exim 3.32 #1) id 1649lP-00020M-00; Wed, 14 Nov 2001 23:48:15 +0000
Reply-To: cperciva@sfu.ca
Message-Id: <5.0.2.1.1.20011114234332.00aefb90@popserver.sfu.ca>
X-Sender: cperciva@popserver.sfu.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Wed, 14 Nov 2001 23:48:14 +0000
To: Brian Behlendorf
From: Colin Percival
Subject: Re: login: chmod(/dev/tty??): No such file or directory
In-Reply-To: <20011114154008.P1375-100000@localhost>

At 15:42 14/11/2001 -0800, Brian Behlendorf wrote:
>Saw this in last night's logs:
>
>Nov 13 15:56:13 taz3 login: chmod(/dev/tty??): No such file or directory
>Nov 13 15:56:13 taz3 login: chmod(/dev/tty??): No such file or directory
>
>... anyone else seen this kind of thing?

This happens if login is run without being bound to a pty; the most common
example of this is using scp to a machine which has 'UseLogin yes' set in
sshd_config.
Colin Percival

From owner-freebsd-security Wed Nov 14 15:52:06 2001
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 0A05C37B405 for ; Wed, 14 Nov 2001 15:52:03 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id B253114C2E; Thu, 15 Nov 2001 00:52:01 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Stefan Probst
Cc: freebsd-security@FreeBSD.ORG, Rob Hurle
Subject: Re: AdoreWorm
References: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
From: Dag-Erling Smorgrav
Date: 15 Nov 2001 00:52:01 +0100
In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
Lines: 19
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7

Stefan Probst writes:
> What more happened / needs to be re-installed/deleted/killed...?

Everything. That system is a total write-off; not only can you not trust
anything on it after it has been compromised (they might have left a
backdoor *anywhere*), but by pointlessly trying to fix it you've stomped all
over the crime scene and most likely ruined and/or invalidated any evidence
that could have served to track down the attackers.

Take the machine off the net, back up your file systems to tape, format the
disks, reinstall the OS from trusted read-only media (e.g.
a BSDI or WindRiver CD-ROM set), then secure the machine (by turning off any
unneeded services and auditing the configuration files for those services
you do need) before bringing it back on-line.

And don't ever use telnet again.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Nov 14 16:04:19 2001
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 53A6C37B417 for ; Wed, 14 Nov 2001 16:04:16 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id 7B8B414C2E; Thu, 15 Nov 2001 01:04:14 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: cperciva@sfu.ca
Cc: Brian Behlendorf
Subject: Re: login: chmod(/dev/tty??): No such file or directory
References: <5.0.2.1.1.20011114234332.00aefb90@popserver.sfu.ca>
From: Dag-Erling Smorgrav
Date: 15 Nov 2001 01:04:14 +0100
In-Reply-To: <5.0.2.1.1.20011114234332.00aefb90@popserver.sfu.ca>
Lines: 19
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7

Colin Percival writes:
> At 15:42 14/11/2001 -0800, Brian Behlendorf wrote:
> >Saw this in last night's logs:
> >
> >Nov 13 15:56:13 taz3 login: chmod(/dev/tty??): No such file or directory
> >Nov 13 15:56:13 taz3 login: chmod(/dev/tty??): No such file or directory
> >
> >... anyone else seen this kind of thing?
> This happens if login is run without being bound to a pty; the most
> common example of this is using scp to a machine which has 'UseLogin
> yes' set in sshd_config.

This is clearly a bug in login(8) (albeit a minor one). Brian, could you
please file a PR about this and notify me when you get the PR number back
from GNATS?

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Nov 14 16:19:28 2001
Received: from lofi.dyndns.org (pD950A3D5.dip.t-dialin.net [217.80.163.213]) by hub.freebsd.org (Postfix) with ESMTP id 0026C37B418 for ; Wed, 14 Nov 2001 16:19:21 -0800 (PST)
Received: from gmx.net (lofi@kiste.localdomain [192.168.8.4]) (authenticated) by lofi.dyndns.org with ESMTP id fAF0J5s17775; Thu, 15 Nov 2001 01:19:05 +0100 (CET)
Message-ID: <3BF30A0D.9050605@gmx.net>
Date: Thu, 15 Nov 2001 01:19:25 +0100
From: Michael Nottebrock
User-Agent: Mozilla/5.0 (Windows; U; Win98; de-DE; rv:0.9.4) Gecko/20011019 Netscape6/6.2
X-Accept-Language: de-DE
To: Stefan Probst
Cc: Chris Thomas, freebsd-security@FreeBSD.ORG, Rob Hurle
Subject: Pipe & Putty (was: Re: AdoreWorm)
References: <5.1.0.14.2.20011114183520.01e71d20@MailServer> <5.1.0.14.2.20011114215959.01e4bd90@MailServer>

Stefan Probst wrote:
> [...]
>
> And, as somebody else has suggested: Yes, I have Putty. I tried it once
> before and failed at the firewall. I used it today. And had problems to
> type the "pipe" | on my non-US keyboard....
>
> [...]
Try enabling "Application and AltGr act as Compose key" in the Settings
(Terminal/Keyboard) or use the latest development snapshot.

Greetings,
Michael Nottebrock

From owner-freebsd-security Wed Nov 14 17:02:40 2001
Received: from relay03.esat.net (relay03.esat.net [192.111.39.46]) by hub.freebsd.org (Postfix) with ESMTP id E1D1837B405 for ; Wed, 14 Nov 2001 17:00:39 -0800 (PST)
Received: from (cnghotels.com) [193.120.77.171] by relay03.esat.net with esmtp id 164Asz-00021i-00; Thu, 15 Nov 2001 01:00:11 +0000
Received: from ntwork26 [10.108.225.26] by cnghotels.com [10.108.225.3] with SMTP (MDaemon.PRO.v5.0.1.R) for ; Thu, 15 Nov 2001 01:02:07 +0000
From: "Nicola"
To: "Travel Deals"
Subject: Thought you might be interested in this for the holidays!
Date: Thu, 15 Nov 2001 01:05:20 -0000
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Importance: High
X-MDRemoteIP: 10.108.225.26
X-Return-Path: nwalsh@cnghotels.com
X-MDaemon-Deliver-To: FreeBSD-security@FreeBSD.org

Travel Deals - © CNG Hotels Network

SPECIALS

LONDON
Description: GBP 24.36 pps / EUR 39 pps
London Claremont
Stay at the 2-star Claremont for just GBP 24.36 (EUR 39) per person. ClickandGoNow.com double room rate = GBP 48.72 (EUR 78)!
The Claremont Hotel places you at the heart of central London. You will be close to the city's main shopping areas and tourist attractions when you stay here. This discounted rate of GBP 24.36 (EUR 39) applies to visits made between 1 November and 31 December 2001 (subject to availability).

LONDON - Royal Cambridge (GBP 25.76 pps / EUR 41.39 pps)
Stay at the 3-star Royal Cambridge Hotel for just GBP 40.88 (EUR 65) per person. ClickandGoNow.com double room rate = GBP 51.52 (EUR 82)! Originally two town houses located in a charming Victorian Terrace, The Royal Cambridge Hotel has been thoughtfully refurbished to reflect the opulence of that period, while offering all the amenities that one would want to find in a modern first class hotel. This discounted rate of GBP 40.88 (EUR 65) applies to visits made between 1 November and 26 December 2001 (subject to availability).

EDINBURGH - Carlton Greens Hotel (GBP 23.50 pps / EUR 37.72 pps)
Stay at the 3-star Carlton Greens for just GBP 23.50 (EUR 37.47) per person. ClickandGoNow.com double room rate = GBP 47 (EUR 75)! The 3-star Carlton Greens Hotel is just a few minutes from Princes Street in the centre of the Scottish capital. Staying in this Georgian town house, you will be able to enjoy easy access to all of Edinburgh. This discounted rate of GBP 23.50 (EUR 37.47) applies to visits made between 1 November and 30 December 2001 (subject to availability).

PARIS - Hotel Paris France (USD 31.66 pps / EUR 35.50 pps)
Stay at the 2-star Paris France Hotel for just USD 31.66 (EUR 35.50) per person. ClickandGoNow.com double room rate = USD 63.32 (EUR 71)! Built in 1910 in the middle of the Belle Epoque, the 2-star Hotel Paris France is a charming hotel. It gives you a great Right Bank location from which to explore all of Paris. This discounted rate of USD 63.32 (EUR 32.50) applies to visits made between 1 November and 29 December 2001 (subject to availability).

BARCELONA - Ramblas (USD 33.51 pps / EUR 37.00 pps)
Stay at the 3-star Ramblas Hotel for just USD 57.51 (EUR 64.5) per person. ClickandGoNow.com double room rate = USD 66 (EUR 74)! The facade of the Hotel Ramblas is already enough to tempt you into this wonderful 3-star hotel. Situated on Barcelona's Ramblas, the hotel gives you perfect access to all of the city's tourist and business attractions. This discounted rate of USD 57.51 (EUR 64.5) applies to visits made between 1 December and 31 January 2002 (subject to availability - min. 3 day stay).

DUBLIN - Shaw Court Apartments (see description for room rates)
Stay at the 1 and 2 bedroom 3-star Shaw Court Apartments.
1 Bedroom apartment: Sunday - Thursday USD 82.45 (EUR 92.50); Friday - Saturday USD 127 (EUR 142.50)
2 Bedroom apartment: Sunday - Thursday USD 102 (EUR 114.5); Friday - Saturday USD 164.73 (EUR 184.8)
Just a few minutes stroll from the heart of Dublin's Village Quarter, the spacious and comfortable 3-star Shaw Court apartments provide you with real comfort. All the services of the nearby Harcourt Hotel's reception area and conference facilities are at your disposal. These discounted rates apply to visits made between 1 November and 28 Feb 2001 (subject to availability - breakfast not included).

AMSTERDAM - Ibis Stopera (USD 49.00 pps / EUR 55.00 pps)
Stay at the 3-star Stopera Hotel for just USD 49 (EUR 55) per person. ClickandGoNow.com double room rate = USD 98 (EUR 110)! The Ibis Stopera Hotel is a fine 3-star hotel in the centre of Amsterdam. You can take a train to the airport rapidly from the Centraal station. These discounted rates apply to visits made between 1 December and 28 February 2002 (subject to availability).

©CNG Hotels Network
Unsubscribe Policy: As part of the CNG Hotels Network we appreciate customer privacy and should you wish to unsubscribe from receiving the travel deals newsletter please send an email to traveldeals@cnghotels.com with Unsubscribe in the title.
You have received this mail as we came across your website recently and felt you would appreciate notification of great hotel room bargains. Let us take this opportunity to invite you to forward this mail to colleagues and friends. Happy travelling.
Countries: Australia Austria Belgium Canada Czech Rep. Denmark Finland France Germany Gibraltar Greece Holland Hungary Ireland Italy Japan Malaysia New Zealand Portugal Russia S. Africa Spain Sweden Switzerland Turkey UK Ukraine USA
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 14 19:11:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from mbm.mobias.com (mbm.mobias.com [195.22.228.130]) by hub.freebsd.org (Postfix) with ESMTP id A5E9637B419; Wed, 14 Nov 2001 19:10:27 -0800 (PST) Received: from clsmtp.edf.fr (XX-8ZBM2OJ7BWYS [209.134.35.18]) by mbm.mobias.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id V0F0Y69M; Thu, 15 Nov 2001 05:04:04 +0200 Message-ID: <000067cf4f5a$000049c7$00007829@smtp.cityweb.de> To: From: "The Mail Man" Subject: Add to your PlayStation collection for $4 per Game LRVU Date: Wed, 14 Nov 2001 19:06:09 -2000 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
COPY ANY DVD MOVIE!
With our revolutionary software you can copy virtually
any DVD Movie using your existing equipment!
Conventional DVD copying equipment can cost thousands of $$
Our DVD Wizard cost less than the price of 2 DVD Movies!

Free Live Tech Support With each Order

CLICK HERE To Learn About DVD Wizard!

CONVERT VHS INTO DVD!
Why pay for a copy of a movie on DVD that you already
own of VHS???
Not all movies on VHS are available on DVD.
So MAKE Them into a DVD yourself!! DVD Wizard Will teach you. Our Revolutionary DVD Wizard will help you create DVD's!

Copy DVD Movies And Create Your Own Personal Collection!
Convert VHS and Camcorder Movies into DVD Movies!

Free Live Tech Support With each Order

CLICK HERE To Learn About VHS Wizard!

COPY PLAYSTATION® GAMES

With our revolutionary software you can copy virtually any PlayStation® Game using your existing CD Burner!

Conventional Game Coping copying equipment can cost thousands of dollars.

The PlayStation® Wizard costs less than the price of ONE GAME!

Rent any game for less than $4 and copy it for FREE!

Save HUNDREDS of dollars copying games! For the price of just one game you can
own this software and have UNLIMITED GAMES!

This means the software pays for
itself the first time you use it!!!

Free Live Tech Support With each Order

CLICK HERE To Learn About PlayStation Wizard!

From owner-freebsd-security Wed Nov 14 19:44:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-168.zoominternet.net [24.154.28.168]) by hub.freebsd.org (Postfix) with ESMTP id 2320A37B405 for ; Wed, 14 Nov 2001 19:44:27 -0800 (PST) Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id fAF3iMF57866 for ; Wed, 14 Nov 2001 22:44:22 -0500 (EST) (envelope-from behanna@zbzoom.net) Date: Wed, 14 Nov 2001 22:44:17 -0500 (EST)
From: Chris BeHanna Reply-To: Chris BeHanna To: Subject: Re: AdoreWorm In-Reply-To: <5.1.0.14.2.20011114215959.01e4bd90@MailServer> Message-ID: <20011114224255.C57801-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 14 Nov 2001, Stefan Probst wrote:
> Hello Chris,
>
> At 09:58 14.11.2001 -0500, you wrote:
> -------------------------
> >There is no reason I can think of to use
> >it [telnetd] on any modern server, because ssh clients are widely and freely
> >available for every platform.
>
> I will give you some reasons:
> 1. Until a few weeks ago, Vietnam was behind a nation-wide firewall, which
> didn't let ssh pass. I had no choice but to do everything via telnetd.

It is possible to tunnel just about anything through a firewall if you're determined enough.

> But, just to clarify: On all my machines, root has neither telnet, nor ftp
> access. And I am not on a cable modem (where the whole neighbourhood can
> sniff packets), but dial-up to the ISP, and from there comparable direct
> lines to the server in the US. "Only" provider staff should have access to
> the lines, i.e. be able to sniff.

How many hops between your ISP and the machine? Even if the answer is "1", you are still vulnerable to such things as dsniff.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
From owner-freebsd-security Wed Nov 14 23:21:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp.netnam.vn (smtp.netnam.vn [203.162.7.93]) by hub.freebsd.org (Postfix) with ESMTP id 0EA3037B419 for ; Wed, 14 Nov 2001 23:21:40 -0800 (PST) Received: from mailserver ([10.9.4.34]) by smtp.netnam.vn (8.10.2/8.10.2) with ESMTP id fAF7MPm22889; Thu, 15 Nov 2001 14:22:28 +0700 (GMT) Received: from 192.168.0.29 by mailserver ([192.168.0.2] running VPOP3) with ESMTP; Thu, 15 Nov 2001 14:20:20 +0700 Message-Id: <5.1.0.14.2.20011115141606.04298890@MailServer> X-Sender: stefan.probst@MailServer X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 15 Nov 2001 14:17:54 +0700 To: Andrew Johns
From: Stefan Probst Subject: Re: AdoreWorm Cc: freebsd-security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Server: VPOP3 V1.4.6 - Registered Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 09:59 15.11.2001 +1100, Andrew Johns wrote:
-------------------------
>Why can't you run sshd on port 23? Surely they don't examine
>connections to determine the actual protocol running?

Previously, I didn't try too much to change ports - was not worth the time to get all that knowledge, since I had to do this not only on the machine, but also at the LAN firewall here....

And: A decent (national) firewall cannot be spoofed by just changing ports. A good one filters (also) on packet level. Not sure, whether the used one here did. In the end they had anyway to make the rules more and more relaxed, since it couldn't cope with the traffic.

Stefan

From owner-freebsd-security Thu Nov 15 0: 1: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp.netnam.vn (smtp.netnam.vn [203.162.7.93]) by hub.freebsd.org (Postfix) with ESMTP id D6E1537B405 for ; Thu, 15 Nov 2001 00:00:52 -0800 (PST) Received: from mailserver ([10.9.4.34]) by smtp.netnam.vn (8.10.2/8.10.2) with ESMTP id fAF81rm24877 for ; Thu, 15 Nov 2001 15:01:53 +0700 (GMT) Received: from 192.168.0.29 by mailserver ([192.168.0.2] running VPOP3) with ESMTP for ; Thu, 15 Nov 2001 14:40:22 +0700 Message-Id: <5.1.0.14.2.20011115143223.04264050@MailServer> X-Sender: stefan.probst@MailServer X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 15 Nov 2001 14:37:23 +0700 To: freebsd-security@FreeBSD.ORG
From: Stefan Probst Subject: Spoofing file information? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Server: VPOP3 V1.4.6 - Registered Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Dear All,

how easy/difficult would it be for an intruder to spoof file modification dates and sizes (i.e. the data which show up in an "ls -al")?

I have e.g. in my root directory:
/kernel (3258128 Nov 20 2000)
/kernel.GENERIC (3258128 Nov 20 2000)
Can I trust, that those are identical files (i.e. the kernel is still intact), even if somebody intruded?

Tnx,
Stefan

From owner-freebsd-security Thu Nov 15 0:24:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhub.unibe.ch (mailhub.unibe.ch [130.92.9.52]) by hub.freebsd.org (Postfix) with ESMTP id 8C45F37B417 for ; Thu, 15 Nov 2001 00:24:39 -0800 (PST) Received: from CONVERSION-DAEMON by mailhub.unibe.ch (PMDF V5.2-32 #42480) id <0GMU00401210RH@mailhub.unibe.ch> for freebsd-security@freebsd.org; Thu, 15 Nov 2001 09:24:37 +0100 (MET) Received: from iamexwi.unibe.ch (haegar.unibe.ch [130.92.63.4]) by mailhub.unibe.ch (PMDF V5.2-32 #42480) with ESMTP id <0GMU00GG9210AP@mailhub.unibe.ch>; Thu, 15 Nov 2001 09:24:36 +0100 (MET) Received: from roy.unibe.ch (roy [130.92.63.46]) by iamexwi.unibe.ch (8.9.3+Sun/8.8.8) with ESMTP id JAA26635; Thu, 15 Nov 2001 09:24:37 +0100 (MET) Received: (from roth@localhost) by roy.unibe.ch (8.10.2+Sun/8.10.2) id fAF8OXj09136; Thu, 15 Nov 2001 09:24:33 +0100 (MET) Date: Thu, 15 Nov 2001 09:24:33 +0100
From: Tobias Roth Subject: Re: Spoofing file information? In-reply-to: <5.1.0.14.2.20011115143223.04264050@MailServer>; from stefan.probst@opticom.v-nam.net on Thu, Nov 15, 2001 at 02:37:23PM +0700 To: Stefan Probst Cc: freebsd-security@freebsd.org Message-id: <20011115092433.A9120@roy.unibe.ch> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-disposition: inline Content-transfer-encoding: 7BIT User-Agent: Mutt/1.2.5i References: <5.1.0.14.2.20011115143223.04264050@MailServer> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

you run a generic kernel, not a customized one? ;)

no, seriously, you generally check if two files are the same by using an md5 hash or the cksum command. An intruder doesn't 'spoof' file sizes, he replaces binaries such as ls and netstat so they hide his system modifications.
As for file modification dates, man touch.

So, if you use md5 to compare files, there are those two criteria for being sure that your files haven't been tampered with:

1. the md5 binary has not been modified
2. the checksums you made and to which you are comparing haven't been modified

you can achieve this for instance by having both the binary and the checksums on a read only medium.

cheers, Tobe

On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> Dear All,
>
> how easy/difficult would it be for an intruder to spoof file modification
> dates and sizes (i.e. the data which show up in an "ls -al")?
>
> I have e.g. in my root directory:
> /kernel (3258128 Nov 20 2000)
> /kernel.GENERIC (3258128 Nov 20 2000)
> Can I trust, that those are identical files (i.e. the kernel is still
> intact), even if somebody intruded?
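The check Tobias describes (record a digest of each file, keep the digests and the hashing tool where an intruder cannot write, compare later) and the point of Stefan's question (equal size and date say nothing about content) as an added example; this is not code from the list or any poster. It uses SHA-256 rather than the md5(1) of the thread, since MD5 is no longer collision-resistant, and the file names, contents and the in-place tampering in `demo()` are constructed for the demonstration:

```python
"""Baseline-and-verify file integrity check.

Added example, not code from the FreeBSD list or any poster.  The thread
uses md5(1); SHA-256 is used here instead, but the workflow is the same:
record digests, store them read-only, compare later.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple


def digest_file(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so a multi-megabyte kernel is not read into RAM at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, Tuple[int, str]]:
    """Record (size, digest) per path.  The mtime is deliberately left out:
    as the thread notes, touch(1) makes it worthless as evidence."""
    return {p: (os.path.getsize(p), digest_file(p)) for p in paths}


def verify(baseline: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file that no longer matches the baseline."""
    findings = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif os.path.getsize(path) != size:
            findings.append((path, "size changed"))
        elif digest_file(path) != digest:
            findings.append((path, "content changed, size identical"))
    return findings


def same_content(a: str, b: str) -> bool:
    """Stefan's question: equal size and date prove nothing; compare digests."""
    return digest_file(a) == digest_file(b)


def demo() -> dict:
    """Constructed scenario: two 'kernels' of identical size; one is then patched
    in place and its timestamps restored, so ls -l shows no difference at all."""
    with tempfile.TemporaryDirectory() as d:
        kernel = os.path.join(d, "kernel")
        generic = os.path.join(d, "kernel.GENERIC")
        payload = b"\x7fELF" + b"A" * 1020          # constructed fake binary
        for p in (kernel, generic):
            with open(p, "wb") as f:
                f.write(payload)
        st = os.stat(kernel)
        baseline = build_baseline([kernel, generic])
        result = {
            "clean_before": verify(baseline) == [],
            "identical_before": same_content(kernel, generic),
        }
        # Same-length overwrite, then put the original atime/mtime back.
        with open(kernel, "r+b") as f:
            f.seek(512)
            f.write(b"B" * 16)
        os.utime(kernel, ns=(st.st_atime_ns, st.st_mtime_ns))
        after = os.stat(kernel)
        result["ls_looks_unchanged"] = (after.st_size == st.st_size
                                        and after.st_mtime_ns == st.st_mtime_ns)
        result["identical_after"] = same_content(kernel, generic)
        result["findings_after"] = [reason for _, reason in verify(baseline)]
        return result


if __name__ == "__main__":
    print(demo())
```

The two conditions Tobias lists apply unchanged: the script and its baseline are only evidence if they were stored somewhere the intruder could not write (the read-only medium he mentions, or a FreeBSD securelevel high enough that the protection holds, as he notes later in the thread). The caveat Colin adds also stands: the script reads files through the running kernel, so on a box whose kernel is already compromised the check must be run after booting from trusted media, or it can be fed the original bytes.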
From owner-freebsd-security Thu Nov 15 0:31:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.brasapen.org (www.brasapen.org [193.78.174.81]) by hub.freebsd.org (Postfix) with ESMTP id 83A3437B405 for ; Thu, 15 Nov 2001 00:31:56 -0800 (PST) Received: by www.brasapen.org (Postfix, from userid 1000) id 4FB5B1E9F; Thu, 15 Nov 2001 09:31:49 +0100 (CET) Date: Thu, 15 Nov 2001 09:31:48 +0100
From: eilko.bos@brasapen.org To: Stefan Probst Cc: freebsd-security@FreeBSD.ORG Subject: Re: Spoofing file information? Message-ID: <20011115093148.A46389@www.brasapen.org> References: <5.1.0.14.2.20011115143223.04264050@MailServer> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.1.0.14.2.20011115143223.04264050@MailServer>; from stefan.probst@opticom.v-nam.net on Thu, Nov 15, 2001 at 02:37:23PM +0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,

From the keyboard of Stefan Probst, written on Thu, Nov 15, 2001 at 02:37:23PM +0700:
> how easy/difficult would it be for an intruder to spoof file modification
> dates and sizes (i.e. the data which show up in an "ls -al")?
>
> I have e.g. in my root directory:
> /kernel (3258128 Nov 20 2000)
> /kernel.GENERIC (3258128 Nov 20 2000)
> Can I trust, that those are identical files (i.e. the kernel is still
> intact), even if somebody intruded?

touch(1) can do some spoofing for you. If you want to know more about the integrity of the file, I guess it would be a good idea to also keep a checksum of the file. On the other hand, if somebody can change the access and creation time, I guess that that somebody would also be able to change your e.g. MD5-check.

Hope this helps.

grtz,
--
Eilko.
From owner-freebsd-security Thu Nov 15 0:39:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from maild.telia.com (maild.telia.com [194.22.190.101]) by hub.freebsd.org (Postfix) with ESMTP id 889FF37B416 for ; Thu, 15 Nov 2001 00:39:29 -0800 (PST) Received: from d1o913.telia.com (d1o913.telia.com [195.252.44.241]) by maild.telia.com (8.11.6/8.11.6) with ESMTP id fAF8dSo01455 for ; Thu, 15 Nov 2001 09:39:28 +0100 (CET) Received: from ertr1013.student.uu.se (h185n2fls20o913.telia.com [212.181.163.185]) by d1o913.telia.com (8.8.8/8.8.8) with SMTP id JAA10202 for ; Thu, 15 Nov 2001 09:39:27 +0100 (CET) Received: (qmail 3515 invoked by uid 1001); 15 Nov 2001 08:39:22 -0000 Date: Thu, 15 Nov 2001 09:39:22 +0100
From: Erik Trulsson To: Stefan Probst Cc: freebsd-security@FreeBSD.ORG Subject: Re: Spoofing file information? Message-ID: <20011115093922.A99781@student.uu.se> Mail-Followup-To: Stefan Probst , freebsd-security@FreeBSD.ORG References: <5.1.0.14.2.20011115143223.04264050@MailServer> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.1.0.14.2.20011115143223.04264050@MailServer> User-Agent: Mutt/1.3.22.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> Dear All,
>
> how easy/difficult would it be for an intruder to spoof file modification
> dates and sizes (i.e. the data which show up in an "ls -al")?

It shouldn't be too difficult to modify ls(1) to show wrong data for some specific files. Changing the kernel to give wrong data for some files would be more difficult, and require a reboot to use the modified kernel, but it is not impossible.
File modification dates are trivially changed with touch(1) so those should never be trusted.

>
> I have e.g. in my root directory:
> /kernel (3258128 Nov 20 2000)
> /kernel.GENERIC (3258128 Nov 20 2000)
> Can I trust, that those are identical files (i.e. the kernel is still
> intact), even if somebody intruded?

No. Those files might well be identical, but there is nothing that says that an intruder didn't change both of them.
If an intruder has gained root access on a machine then you can't trust *anything* on that machine.

--
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-security Thu Nov 15 0:39:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from oxmail.ox.ac.uk (oxmail1.ox.ac.uk [129.67.1.2]) by hub.freebsd.org (Postfix) with ESMTP id 379AA37B405 for ; Thu, 15 Nov 2001 00:39:50 -0800 (PST) Received: from heraldgate2.oucs.ox.ac.uk ([163.1.2.50] helo=frontend2.herald.ox.ac.uk ident=exim) by oxmail.ox.ac.uk with esmtp (Exim 3.33 #3) id 164I3a-0002pF-01; Thu, 15 Nov 2001 08:39:34 +0000 Received: from dhcp85.wadham.ox.ac.uk ([163.1.164.212] helo=piii600.wadham.ox.ac.uk) by frontend2.herald.ox.ac.uk with esmtp (Exim 3.32 #1) id 164I3j-0005Vx-00; Thu, 15 Nov 2001 08:39:43 +0000 Reply-To: cperciva@sfu.ca Message-Id: <5.0.2.1.1.20011115083248.0e8cd548@popserver.sfu.ca> X-Sender: cperciva@popserver.sfu.ca X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Thu, 15 Nov 2001 08:39:41 +0000 To: Tobias Roth , Stefan Probst
From: Colin Percival Subject: Re: Spoofing file information? Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20011115092433.A9120@roy.unibe.ch> References: <5.1.0.14.2.20011115143223.04264050@MailServer> <5.1.0.14.2.20011115143223.04264050@MailServer> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 09:24 15/11/2001 +0100, Tobias Roth wrote:
>So, if you use md5 to compare files, there are those two criteria for being
>sure that your files haven't been tampered with:
>
>1. the md5 binary has not been modified
>2. the checksums you made and to which you are comparing haven't been modified

Don't forget
3. you're running a kernel which is polite enough to pass the file to md5 intact

A compromised kernel can do anything it pleases, including keeping the original copies of files around and passing them to any integrity-checking code. I remember there were some viruses (back in the MS-DOS days) which operated in this manner.

Colin Percival

From owner-freebsd-security Thu Nov 15 0:53:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from dymwsm17.mailwatch.com (dymwsm17.mailwatch.com [204.253.83.165]) by hub.freebsd.org (Postfix) with ESMTP id 75AFC37B405 for ; Thu, 15 Nov 2001 00:53:09 -0800 (PST) Received: from mwsc0210.mw4.mailwatch.com (mwsc0210.mw4.mailwatch.com [204.253.83.228]) by dymwsm17.mailwatch.com (8.11.0/8.11.0) with ESMTP id fAF8TuM24912 for ; Thu, 15 Nov 2001 03:29:56 -0500 Received: from mail pickup service by mwsc0210.mw4.mailwatch.com with Microsoft SMTPSVC; Thu, 15 Nov 2001 03:29:56 -0500 Received: from 204.253.83.39 ([204.253.83.39]) by MWSC0210 with SMTP id 0002000a4a6bfd89-c317-4531-b634-67c95d48a75c; Thu, 15 Nov 2001 03:29:56 -0500 Received: from mail.rescuegroup.com (mail.rescuegroup.com [203.103.84.226]) by dymwsm15.mailwatch.com (8.11.0/8.11.0) with ESMTP id fAF8TsW27757 for ; Thu, 15 Nov 2001 03:29:54 -0500 Received: from iDomain-MTA by mail.rescuegroup.com with Novell_GroupWise; Thu, 15 Nov 2001 16:32:02 +0800 Message-Id: X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Thu, 15 Nov 2001 16:31:49 +0800
From: "Shaun De Burgh" To: , Cc: Subject: Re: Spoofing file information? Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Content-Disposition: inline HOP-COUNT: 1 X-MAILWATCH-INSTANCEID: 0102000a4a6bfd89-c317-4531-b634-67c95d48a75c X-OriginalArrivalTime: 15 Nov 2001 08:29:56.0254 (UTC) FILETIME=[B4C41BE0:01C16DAF] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

if the intruder gained root access to your system, couldn't he remount the file systems in rw mode, and modify the binary, or does freebsd prevent that from occurring.

>>> Tobias Roth 11/15/01 04:24pm >>>
you run a generic kernel, not a customized one? ;)

no, seriously, you generally check if two files are the same by using an md5 hash or the cksum command. An intruder doesn't 'spoof' file sizes, he replaces binaries such as ls and netstat so they hide his system modifications.
As for file modification dates, man touch.

So, if you use md5 to compare files, there are those two criteria for being sure that your files haven't been tampered with:

1. the md5 binary has not been modified
2. the checksums you made and to which you are comparing haven't been modified

you can achieve this for instance by having both the binary and the checksums on a read only medium.

cheers, Tobe

On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> Dear All,
>
> how easy/difficult would it be for an intruder to spoof file modification
> dates and sizes (i.e. the data which show up in an "ls -al")?
>
> I have e.g. in my root directory:
> /kernel (3258128 Nov 20 2000)
> /kernel.GENERIC (3258128 Nov 20 2000)
> Can I trust, that those are identical files (i.e. the kernel is still
> intact), even if somebody intruded?

From owner-freebsd-security Thu Nov 15 1:29:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhub.unibe.ch (mailhub.unibe.ch [130.92.9.52]) by hub.freebsd.org (Postfix) with ESMTP id 053DC37B416 for ; Thu, 15 Nov 2001 01:29:10 -0800 (PST) Received: from CONVERSION-DAEMON by mailhub.unibe.ch (PMDF V5.2-32 #42480) id <0GMU0020150HFX@mailhub.unibe.ch> for freebsd-security@freebsd.org; Thu, 15 Nov 2001 10:29:08 +0100 (MET) Received: from iamexwi.unibe.ch (haegar.unibe.ch [130.92.63.4]) by mailhub.unibe.ch (PMDF V5.2-32 #42480) with ESMTP id <0GMU00FG850GKC@mailhub.unibe.ch>; Thu, 15 Nov 2001 10:29:05 +0100 (MET) Received: from roy.unibe.ch (roy [130.92.63.46]) by iamexwi.unibe.ch (8.9.3+Sun/8.8.8) with ESMTP id KAA27659; Thu, 15 Nov 2001 10:29:05 +0100 (MET) Received: (from roth@localhost) by roy.unibe.ch (8.10.2+Sun/8.10.2) id fAF9T1H09264; Thu, 15 Nov 2001 10:29:01 +0100 (MET) Date: Thu, 15 Nov 2001 10:29:01 +0100
From: Tobias Roth Subject: Re: Spoofing file information? In-reply-to: ; from sdeburgh@rescuegroup.com on Thu, Nov 15, 2001 at 04:31:49PM +0800 To: Shaun De Burgh Cc: freebsd-security@freebsd.org Message-id: <20011115102901.A9254@roy.unibe.ch> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-disposition: inline Content-transfer-encoding: 7BIT User-Agent: Mutt/1.2.5i References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Even root cannot remount a cd-rom in rw mode ;)

But seriously, that depends on the secure level of the system, man init for explanations.

On Thu, Nov 15, 2001 at 04:31:49PM +0800, Shaun De Burgh wrote:
> if the intruder gained root access to your system, couldn't he remount the file systems in rw mode, and modify the binary, or does freebsd prevent that from occurring.
>
> >>> Tobias Roth 11/15/01 04:24pm >>>
> you run a generic kernel, not a customized one? ;)
>
> no, seriously, you generally check if two files are the same by using an md5 hash or the cksum command. An intruder doesn't 'spoof' file sizes, he replaces binaries such as ls and netstat so they hide his system modifications.
> As for file modification dates, man touch.
>
> So, if you use md5 to compare files, there are those two criteria for being sure that your files haven't been tampered with:
>
> 1. the md5 binary has not been modified
> 2. the checksums you made and to which you are comparing haven't been modified
>
> you can achieve this for instance by having both the binary and the checksums on a read only medium.
>
> cheers, Tobe
>
>
>
> On Thu, Nov 15, 2001 at 02:37:23PM +0700, Stefan Probst wrote:
> > Dear All,
> >
> > how easy/difficult would it be for an intruder to spoof file modification
> > dates and sizes (i.e. the data which show up in an "ls -al")?
> >
> > I have e.g. in my root directory:
> > /kernel (3258128 Nov 20 2000)
> > /kernel.GENERIC (3258128 Nov 20 2000)
> > Can I trust, that those are identical files (i.e. the kernel is still
> > intact), even if somebody intruded?
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
------------------------------------------------------
Tobias Roth    Phone: +41 31 305 96 29
Buchenweg 22          +41 76 345 66 47
3012 Bern      email: caffeine@insomniac.ch

From owner-freebsd-security Thu Nov 15 3: 5:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from SRDMAIL.SINP.MSU.RU (bigking.sinp.msu.ru [213.131.9.130]) by hub.freebsd.org (Postfix) with ESMTP id E258F37B416; Thu, 15 Nov 2001 03:05:25 -0800 (PST) Received: from [194.220.213.239] (helo=sinp.msu.ru) by SRDMAIL.SINP.MSU.RU with esmtp (Exim 3.33 #3) id 164KJD-000Hwn-00; Thu, 15 Nov 2001 14:03:51 +0300 Message-ID: <3BF3A166.2090009@sinp.msu.ru> Date: Thu, 15 Nov 2001 14:05:10 +0300
From: Dmitry Mottl Organization: SINP MSU User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.4) Gecko/20011004 X-Accept-Language: ru, en MIME-Version: 1.0 To: freebsd-questions@FreeBSD.org, freebsd-security@FreeBSD.org Subject: Apache question Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi, All

I have to configure www virtual hosts under Apache and I need that all virtual hosts have NO access (through cgi execution) to each other.

Is it good to start up proxy on 80 and about 100-300 backend httpd (each under its own uid and gid), which will be paged in (from swap) if connection is requested.

Is there a better solution?

It seems that suexec apache mechanism will not help, cause I have to give hosters GID to access their files, so I can't specify properly permissions due to UNIX file security (uuugggooo). In this case I need to choose if GID=wwwguest or GID=hoster

Maybe to set up a patch to use UFS extended attributes? (www.trustedbsd.org)
I'm using FreeBSD 4.4-RELEASE

--
best regards,
Dmitry Mottl

From owner-freebsd-security Thu Nov 15 3:15:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id 50B2A37B416; Thu, 15 Nov 2001 03:15:18 -0800 (PST) Received: from contactdish (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by atkielski.com (8.11.6) id fAFBFAB54323; Thu, 15 Nov 2001 12:15:10 +0100 (CET) Message-ID: <008001c16dc6$ca418bd0$0a00000a@atkielski.com>
From: "Anthony Atkielski"
To: "Dmitry Mottl" , ,
References: <3BF3A166.2090009@sinp.msu.ru>
Subject: Re: Apache question
Date: Thu, 15 Nov 2001 12:15:03 +0100

What exactly do you mean when you say that virtual hosts must have "no
access to each other"?

----- Original Message -----
From: "Dmitry Mottl"
To: ;
Sent: Thursday, November 15, 2001 12:05
Subject: Apache question

> Hi, All
>
> I have to configure www virtual hosts under Apache
> and I need all virtual hosts to have NO access (through CGI execution) to each
> other.
>
> Is it good to start up a proxy on 80 and
> about 100-300 backend httpds (each under its own uid and gid),
> which will be paged in (from swap) when a connection is requested?
>
> Is there a better solution?
>
> It seems that the suexec Apache mechanism will not help,
> because I have to give hosters a GID to access their files,
> so I can't specify proper permissions due to UNIX file security (uuugggooo).
> In this case I need to choose between GID=wwwguest and GID=hoster.
>
> Maybe set up a patch to use UFS extended attributes? (www.trustedbsd.org)
> I'm using FreeBSD 4.4-RELEASE
>
> --
> best regards,
> Dmitry Mottl

From owner-freebsd-security Thu Nov 15 3:35:50 2001
Message-ID: <3BF3A877.90007@sinp.msu.ru>
Date: Thu, 15 Nov 2001 14:35:19 +0300
From: Dmitry Mottl
Organization: SINP MSU
To: Anthony Atkielski
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Apache question
References: <3BF3A166.2090009@sinp.msu.ru> <008001c16dc6$ca418bd0$0a00000a@atkielski.com>

Anthony Atkielski wrote:
> What exactly do you mean when you say that virtual hosts must have "no access to
> each other"?

User A can write a CGI script which can read user B's files, because a CGI
will run under wwwguest, and user B's files must be readable by wwwguest.
So, I don't want A to read B's files.

A and B are users that have RW access to their virtual hosts (through ftp).
wwwguest is the httpd sandbox.

-- 
best regards,
Dmitry Mottl

From owner-freebsd-security Thu Nov 15 4: 9:32 2001
Date: Thu, 15 Nov 2001 12:06:29 +0000 (GMT)
From: Jan Grant
To: Dmitry Mottl
Cc: freebsd-questions , freebsd-security
Subject: Re: Apache question
In-Reply-To: <3BF3A166.2090009@sinp.msu.ru>

On Thu, 15 Nov 2001, Dmitry Mottl wrote:

> Hi, All
>
> I have to configure www virtual hosts under Apache
> and I need all virtual hosts to have NO access (through CGI execution) to each
> other.
>
> Is it good to start up a proxy on 80 and
> about 100-300 backend httpds (each under its own uid and gid),
> which will be paged in (from swap) when a connection is requested?
>
> Is there a better solution?
>
> It seems that the suexec Apache mechanism will not help,
> because I have to give hosters a GID to access their files,
> so I can't specify proper permissions due to UNIX file security (uuugggooo).
> In this case I need to choose between GID=wwwguest and GID=hoster.
>
> Maybe set up a patch to use UFS extended attributes? (www.trustedbsd.org)
> I'm using FreeBSD 4.4-RELEASE

This is an interesting problem, certainly; as you point out, the httpd
process owner/group needs to be able to view files in all virtual hosts;
CGI scripts in each must not.

I'd say you should be able to do this with a combination of suExec (with a
different uid/gid for each virtual host) - although it might need tinkering
with to get the directory restrictions it needs correct - and ACLs on the
top of each virtual host's cgi-bin.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
and Nostradamus never dreamed of the Church of the Accelerated Worm

From owner-freebsd-security Thu Nov 15 4:27:18 2001
Message-Id: <200111151226.fAFCQof21790@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Mike Tancsa
Cc: anderson@centtech.com, freebsd-security@FreeBSD.ORG
Subject: Re: NAT vs Application layer proxy
In-reply-to: Your message of "Mon, 12 Nov 2001 09:22:20 EST." <5.1.0.14.0.20011112091952.06b2cb30@marble.sentex.ca>
Date: Thu, 15 Nov 2001 04:26:34 -0800

In message <5.1.0.14.0.20011112091952.06b2cb30@marble.sentex.ca>, Mike Tancsa
writes:
> At 08:24 AM 11/12/01 -0600, Eric Anderson wrote:
> >What are some of the advantages/disadvantages of an
> >application layer proxy server, versus a box running NAT
> >with packet filtering on it (like ipfilter or IPFW)?
>
> Auditing is a big one. Also, you can do neat things like block NIMDA
> infected sites with Squid.

I've been playing with SquidGuard lately to filter web traffic based
upon content, regexp matches within domainname, and network blocks.
Many people at work with children have expressed interest, given that
an old PC (who doesn't have an old PC lying around these days) running
FreeBSD + IP Filter is all that is needed, not to mention one gets a
firewall as a bonus. squidguard.org provides updates to the database.

Regards,                       Phone: (250)387-8437
Cy Schubert                    Fax:   (250)387-5766
Team Leader, Sun/Alpha Team    Email: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

From owner-freebsd-security Thu Nov 15 4:47:56 2001
From: Darren Reed
Message-Id: <200111151247.fAFCljc5025237@cairo.anu.edu.au>
Subject: Re: NAT vs Application layer proxy
To: Cy.Schubert@uumail.gov.bc.ca
Date: Thu, 15 Nov 2001 23:47:45 +1100 (Australia/NSW)
Cc: mike@sentex.net (Mike Tancsa), anderson@centtech.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <200111151226.fAFCQof21790@cwsys.cwsent.com> from "Cy Schubert - ITSD Open Systems Group" at Nov 15, 2001 04:26:34 AM

In some mail from Cy Schubert - ITSD Open Systems Group, sie said:
>
> In message <5.1.0.14.0.20011112091952.06b2cb30@marble.sentex.ca>, Mike
> Tancsa writes:
> > At 08:24 AM 11/12/01 -0600, Eric Anderson wrote:
> > >What are some of the advantages/disadvantages of an
> > >application layer proxy server, versus a box running NAT
> > >with packet filtering on it (like ipfilter or IPFW)?
> >
> > Auditing is a big one. Also, you can do neat things like block NIMDA
> > infected sites with Squid.
>
> I've been playing with SquidGuard lately to filter web traffic based
> upon content, regexp matches within domainname, and network blocks.
> Many people at work with children have expressed interest, given that
> an old PC (who doesn't have an old PC lying around these days) running
> FreeBSD + IP Filter is all that is needed, not to mention one gets a
> firewall as a bonus. squidguard.org provides updates to the database.

IPFilter forms the base for Internet Sheriff, which was originally a
hacked squid but not any more...
From owner-freebsd-security Thu Nov 15 5: 3:52 2001
Message-ID: <3BF3BD24.7060308@sinp.msu.ru>
Date: Thu, 15 Nov 2001 16:03:32 +0300
From: Dmitry Mottl
Organization: SINP MSU
To: freebsd-security@freebsd.org
Subject: ACL with UFS

Hi, All

How can I set up ACL support for UFS under FreeBSD 4.4?
I heard that UFS ACLs are included in FreeBSD-CURRENT.
Is it possible to use them with 4.4-RELEASE?

-- 
best regards,
Dmitry Mottl

From owner-freebsd-security Thu Nov 15 5:19:57 2001
Message-ID: <3BF3C14C.3000603@t-media.si>
Date: Thu, 15 Nov 2001 14:21:16 +0100
From: Tomi Malenšek
Reply-To: tomi@t-media.si
Organization: [ t ] MEDIA d.o.o.
To: freebsd-security@FreeBSD.ORG
Subject: Question about PPP built-in NAT.

Hello all.

I use a FreeBSD 4.4-RELEASE PC with our ADSL line to make the internet
available to other LAN members. I do this by enabling pppnat in
/etc/rc.conf:

----
ppp_nat="YES"   # if you want to enable nat for your local network
----

Everything works fine, but there is a little problem :)

Our ADSL provider forcibly disconnects every ADSL user at a 12 hour
interval (to prevent having a static IP), so every 12 hours my FreeBSD
box gets a new IP. But I discovered that FreeBSD remembers every IP which
the ADSL device had. After a few days of running on the ADSL connection,
ifconfig shows this for the ADSL device:

----
tun0: flags=8051 mtu 1492
        inet6 fe80::280:adff:fe84:6d7e%tun0 prefixlen 64 scopeid 0x8
        inet 213.250.63.162 --> 255.255.255.255 netmask 0xffffffff
        inet 213.250.18.154 --> 255.255.255.255 netmask 0xffffffff
        inet 213.250.63.99 --> 193.189.161.74 netmask 0xffffff00
        Opened by PID 107
----

How do I prevent FreeBSD from remembering all the IPs it has had and make
it use only the last one? Because after a while, when the ADSL device has
got at least 3 or more IPs, the internet stops working and I need to
reboot the FreeBSD box. Is there any better solution for the box to work
nonstop without rebooting?

Thank you for all answers.
From owner-freebsd-security Thu Nov 15 11:14:21 2001
Date: Thu, 15 Nov 2001 12:13:51 +0200
From: veedee@c7.campus.utcluj.ro
To: cperciva@sfu.ca
Cc: Tobias Roth , Stefan Probst , freebsd-security@FreeBSD.ORG
Subject: Re: Spoofing file information?
Message-ID: <20011115121351.A24535@c7.campus.utcluj.ro>
In-Reply-To: <5.0.2.1.1.20011115083248.0e8cd548@popserver.sfu.ca>; from colin.percival@wadham.ox.ac.uk on Thu, Nov 15, 2001 at 08:39:41AM +0000

On Thu, Nov 15, 2001 at 08:39:41AM +0000, Colin Percival wrote:
> At 09:24 15/11/2001 +0100, Tobias Roth wrote:
> >So, if you use md5 to compare files, there are those two criteria for being
> >sure that your files haven't been tampered with:
> >
> >1. the md5 binary has not been modified
> >2. the checksums you made and to which you are comparing haven't been modified
>
> Don't forget
> 3. you're running a kernel which is polite enough to pass the file to md5
> intact
>
> A compromised kernel can do anything it pleases, including keeping the
> original copies of files around and passing them to any integrity-checking
> code.
> I remember there were some viruses (back in the MS-DOS days) which
> operated in this manner.

I know, I wrote some of them ;)

I'm just taking a wild guess here, but aren't some of you guys getting a
little bit paranoid? Next thing you're gonna advise Stefan is that someone
flashed some EEPROMs from his hardware that contain some code that activates
when blahblah, or simply say "just change the whole fucking thing (eg
server)".

I know that you can never be 100% sure of something, but one should also
take into account the fact that *maybe* his servers are not that important
for a hacker, because they do not contain sensitive data *that important*
for a certain person, so he would have to write all those nasty hacks.

And Stefan, if you're really sure that those persons were from Romania, I
would take immediate action in tracerouting then e-mailing their ISPs. Some
of us are just so anxious to catch some of these mf*ckers that have nothing
better to do than play with others' lives, and who, imho, do nothing but
make our country really look bad outside our borders.

I think that what happened to you happened to some other thousand people
out there. Kids from Romania, having nothing else better to do than hang
around all day in "Internet Cafes", looking for *available* servers out
there that they can exploit and put their damn IRC scripts there. Ah, by
the way, that's what 99% of them do... just install some BNCs or other irc
scripts on the targeted machine, then leave it alone, because there's
nothing really else that they can use it for.

Best regards,
Radu Bogdan Rusu (aka veedee)
C7 Campus Network System Administrator

From owner-freebsd-security Thu Nov 15 11:14:37 2001
Date: Thu, 15 Nov 2001 20:14:14 +0100 (CET)
From: Krzysztof Zaraska
To: freebsd-security@freebsd.org
Subject: Postfix Memory Exhaustion Attack

Wietse Venema has posted information about a Postfix SMTP server memory
exhaustion attack on BUGTRAQ. You may read it at:

http://www.securityfocus.org/archive/1/240354

The patch is included.

The FreeBSD port is probably vulnerable (can someone confirm this?).

From owner-freebsd-security Thu Nov 15 11:25:17 2001
Reply-To: cperciva@sfu.ca
Message-Id: <5.0.2.1.1.20011115191853.0e8c8598@popserver.sfu.ca>
Date: Thu, 15 Nov 2001 19:24:53 +0000
To: veedee@c7.campus.utcluj.ro, cperciva@sfu.ca
From: Colin Percival
Subject: Re: Spoofing file information?
Cc: Tobias Roth , Stefan Probst , freebsd-security@FreeBSD.ORG
In-Reply-To: <20011115121351.A24535@c7.campus.utcluj.ro>

At 12:13 15/11/2001 +0200, veedee@c7.campus.utcluj.ro wrote:
> I'm just taking a wild guess here, but aren't some of you guys getting a
>little bit paranoid? Next thing you're gonna advise Stefan is that someone
>flashed some EEPROMs from his hardware that contain some code that activates
>when blahblah, or simply say "just change the whole fucking thing (eg
>server)".

If he was operating with a writeable EEPROM BIOS, I would indeed be
concerned (I note that there are also viruses which zero writeable EEPROMs,
making system recovery rather more difficult). Fortunately most
motherboards have jumpers which must be moved before the EEPROM can be
written to; I therefore would assume that his EEPROM is most likely safe.

Colin Percival

From owner-freebsd-security Thu Nov 15 11:38:46 2001
Date: Thu, 15 Nov 2001 14:38:40 -0500
From: Chris Faulhaber
To: Krzysztof Zaraska
Cc: freebsd-security@freebsd.org
Subject: Re: Postfix Memory Exhaustion Attack
Message-ID: <20011115143840.A33388@peitho.fxp.org>

On Thu, Nov 15, 2001 at 08:14:14PM +0100, Krzysztof Zaraska wrote:
> Wietse Venema has posted information about a Postfix SMTP server memory
> exhaustion attack on BUGTRAQ. You may read it at:
>
> http://www.securityfocus.org/archive/1/240354
>
> The patch is included.
>
> The FreeBSD port is probably vulnerable (can someone confirm this?).
>

...and was updated a few hours ago.

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Nov 15 12:53: 5 2001
Date: Thu, 15 Nov 2001 12:52:59 -0800
From: Kris Kennaway
To: Dmitry Mottl
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ACL with UFS
Message-ID: <20011115125259.C67849@xor.obsecurity.org>
In-Reply-To: <3BF3BD24.7060308@sinp.msu.ru>; from dima@sinp.msu.ru on Thu, Nov 15, 2001 at 04:03:32PM +0300

On Thu, Nov 15, 2001 at 04:03:32PM +0300, Dmitry Mottl wrote:
> Hi, All
>
> How can I set up ACL support for UFS under FreeBSD 4.4?
> I heard that UFS ACLs are included in FreeBSD-CURRENT.
> Is it possible to use them with 4.4-RELEASE?

I don't believe so, but check www.trustedbsd.org -- there may be some old
experimental patches for 4.x. You should probably wait for 5.0-RELEASE
though.

Kris

From owner-freebsd-security Thu Nov 15 12:53:57 2001
Date: Thu, 15 Nov 2001 12:53:45 -0800
From: Kris Kennaway
To: Tomi Malensek
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Question about PPP built-in NAT.
Message-ID: <20011115125345.D67849@xor.obsecurity.org>
In-Reply-To: <3BF3C14C.3000603@t-media.si>; from tomi@t-media.si on Thu, Nov 15, 2001 at 02:21:16PM +0100

On Thu, Nov 15, 2001 at 02:21:16PM +0100, Tomi Malensek wrote:
> Hello all.
>
> I use a FreeBSD 4.4-RELEASE PC with our ADSL line to make the internet
> available to other LAN members. I do this by enabling pppnat in
> /etc/rc.conf:

This is not a security question. Please don't abuse the mailing lists, and
ask general support questions on questions@FreeBSD.org.

Thanks,
Kris

From owner-freebsd-security Thu Nov 15 13:41:25 2001
Message-ID: <3BF4369A.3030503@gmx.de>
Date: Thu, 15 Nov 2001 22:41:46 +0100
From: Sven Wittig
Organization: Tigga.org
To: security@FreeBSD.ORG
Subject: unusual log in var/log/messages

Hi,

I recently discovered this entry in my messages logfile:

" Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"

Is this a kind of attack or what?

Cu
Sven Wittig

From owner-freebsd-security Thu Nov 15 13:45:48 2001
Date: Thu, 15 Nov 2001 15:45:43 -0600
From: Alfred Perlstein
To: Sven Wittig
Cc: security@FreeBSD.ORG
Subject: Re: unusual log in var/log/messages
Message-ID: <20011115154543.V13393@elvis.mu.org>
In-Reply-To: <3BF4369A.3030503@gmx.de>; from Sven.wittig@gmx.de on Thu, Nov 15, 2001 at 10:41:46PM +0100

* Sven Wittig [011115 15:41] wrote:
> Hi,
>
> I recently discovered this entry in my messages logfile
>
> " Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
> 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
>
> is this a kind of attack or what?

You need to tighten down your arps, otherwise they'll scatter all over
the place; a 3/8th crescent wrench and some duct tape ought to do the
trick.

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3

From owner-freebsd-security Thu Nov 15 13:48:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mcqueen.wolfsburg.de (pns.wobline.de [212.68.68.5]) by hub.freebsd.org (Postfix) with ESMTP id B187637B417 for ; Thu, 15 Nov 2001 13:48:20 -0800 (PST)
Received: from colt.ncptiddische.net (ppp-146.wobline.de [212.68.69.154]) by mcqueen.wolfsburg.de (8.11.3/8.11.3/tw-20010821) with ESMTP id fAFLmHO02253; Thu, 15 Nov 2001 22:48:17 +0100
Received: from jodie.ncptiddische.net (jodie.ncptiddische.net [192.168.0.2]) by colt.ncptiddische.net (8.11.6/8.11.6) with ESMTP id fAFLmtV30200; Thu, 15 Nov 2001 22:48:55 +0100 (CET) (envelope-from nils@tisys.org)
Received: from jodie.ncptiddische.net (jodie.ncptiddische.net [192.168.0.2]) by jodie.ncptiddische.net (8.11.6/8.11.6) with ESMTP id fAFLn2a08782; Thu, 15 Nov 2001 22:49:02 +0100 (CET) (envelope-from nils@tisys.org)
Date: Thu, 15 Nov 2001 22:49:02 +0100 (CET)
From: Nils Holland
To: Sven Wittig
Cc: security@FreeBSD.ORG
Subject: Re: unusual log in var/log/messages
In-Reply-To: <3BF4369A.3030503@gmx.de>
Message-ID: <20011115224803.Q8780-100000@jodie.ncptiddische.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 15 Nov 2001, Sven Wittig wrote:

> Hi,
>
> I recently discovered this entry in my messages-logfile
>
> " Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
> 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"

Sounds like two computers with the same IP address. Could theoretically
be an attack, but just as well a simple misconfiguration...

Greetings
Nils

Nils Holland
Ti Systems - FreeBSD in Tiddische, Germany
http://www.tisys.org * nils@tisys.org

From owner-freebsd-security Thu Nov 15 13:49:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.uniserve.com (mail2.uniserve.com [204.244.156.10]) by hub.freebsd.org (Postfix) with ESMTP id 2F4E637B418 for ; Thu, 15 Nov 2001 13:49:10 -0800 (PST)
Received: from landons.vpp-office.uniserve.ca ([216.113.198.10] helo=pirahna.uniserve.com) by mail2.uniserve.com with esmtp (Exim 3.13 #1) id 164UNf-0000K3-00; Thu, 15 Nov 2001 13:49:07 -0800
Message-Id: <5.1.0.14.0.20011115134701.02d027b0@pop.uniserve.com>
X-Sender: landons@pop.uniserve.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 15 Nov 2001 13:49:06 -0800
To: Sven Wittig , security@FreeBSD.ORG
From: Landon Stewart
Subject: Re: unusual log in var/log/messages
In-Reply-To: <3BF4369A.3030503@gmx.de>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

Probably not. Either someone changed their hardware or you are using an
ADSL connection. I've noticed that with my ADSL connection, because my
ADSL modem acts as a bridge, sometimes the arp of my gateway is the MAC of
the modem and sometimes it's the MAC of the actual gateway router.

I'm curious though too, so if anyone else knows, post it.

At 10:41 PM 11/15/2001 +0100, Sven Wittig wrote:
>Hi,
>
>I recently discovered this entry in my messages-logfile
>
>" Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
>00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
>
>is this a kind of attack or what?
>
>Cu

From owner-freebsd-security Thu Nov 15 13:50:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lazir.toya.net.pl (lazir.toya.net.pl [217.113.224.3]) by hub.freebsd.org (Postfix) with SMTP id 899F837B405 for ; Thu, 15 Nov 2001 13:50:46 -0800 (PST)
Received: (qmail 7519 invoked by uid 791); 15 Nov 2001 21:48:21 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Nov 2001 21:48:21 -0000
Date: Thu, 15 Nov 2001 22:48:21 +0100 (CET)
From:
To: Sven Wittig
Cc:
Subject: Re: unusual log in var/log/messages
In-Reply-To: <3BF4369A.3030503@gmx.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 15 Nov 2001, Sven Wittig wrote:

> Hi,
>
> I recently discovered this entry in my messages-logfile
>
> " Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
> 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
>
> is this a kind of attack or what?
>

Nope, it only means that someone changed ARP.
It could be a spoof, or simply someone changed a network card.

Regards.

airot...

From owner-freebsd-security Thu Nov 15 13:53:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.uniserve.com (mail2.uniserve.com [204.244.156.10]) by hub.freebsd.org (Postfix) with ESMTP id A22A237B41A for ; Thu, 15 Nov 2001 13:53:35 -0800 (PST)
Received: from landons.vpp-office.uniserve.ca ([216.113.198.10] helo=pirahna.uniserve.com) by mail2.uniserve.com with esmtp (Exim 3.13 #1) id 164URz-0000ds-00 for security@FreeBSD.ORG; Thu, 15 Nov 2001 13:53:35 -0800
Message-Id: <5.1.0.14.0.20011115135330.02d6fcf8@pop.uniserve.com>
X-Sender: landons@pop.uniserve.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 15 Nov 2001 13:53:34 -0800
To: security@FreeBSD.ORG
From: Landon Stewart
Subject: Re: unusual log in var/log/messages
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

Actually, isn't this typical behaviour of a host with a NIC in promiscuous
mode? Someone could be running a sniffer on 00:40:33:39:80:d1 and it
responded to a ping that was sent to 137.226.141.33.

Is this probable?

At 10:41 PM 11/15/2001 +0100, Sven Wittig wrote:
>Hi,
>
>I recently discovered this entry in my messages-logfile
>
>" Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
>00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
>
>is this a kind of attack or what?
>
>Cu

From owner-freebsd-security Thu Nov 15 14: 0:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id A784037B416 for ; Thu, 15 Nov 2001 14:00:43 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1192) id AE47881D01; Thu, 15 Nov 2001 16:00:43 -0600 (CST)
Date: Thu, 15 Nov 2001 16:00:43 -0600
From: Alfred Perlstein
To: Landon Stewart
Cc: security@FreeBSD.ORG
Subject: Re: unusual log in var/log/messages
Message-ID: <20011115160043.W13393@elvis.mu.org>
References: <5.1.0.14.0.20011115135330.02d6fcf8@pop.uniserve.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.1.0.14.0.20011115135330.02d6fcf8@pop.uniserve.com>; from landons@uniserve.com on Thu, Nov 15, 2001 at 01:53:34PM -0800

* Landon Stewart [011115 15:53] wrote:
> Actually, isn't this typical behaviour of a host with a NIC in promiscuous
> mode? Someone could be running a sniffer on 00:40:33:39:80:d1 and it
> responded to a ping that was sent to 137.226.141.33.
>
> Is this probable?

Only if the sniffer is really stupid. A sniffer is a data sink; it
should not be replying unless it's not a sniffer.

--
-Alfred Perlstein [alfred@freebsd.org]

From owner-freebsd-security Thu Nov 15 14: 1: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from relay.Boerde.DE (relay.boerde.de [193.175.28.66]) by hub.freebsd.org (Postfix) with ESMTP id B6C2937B419 for ; Thu, 15 Nov 2001 14:01:01 -0800 (PST)
Received: from localhost by relay.Boerde.DE with smtp id m164UX3-000TliC (Smail-3.2 1996-Jul-4 #2); Thu, 15 Nov 2001 22:58:49 +0100 (CET)
Date: Thu, 15 Nov 2001 22:58:49 +0100 (CET)
From: Frank Reppin
To: airot@lazir.toya.net.pl
Cc: Sven Wittig , security@FreeBSD.ORG
Subject: Re: unusual log in var/log/messages
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 15 Nov 2001 airot@lazir.toya.net.pl wrote:

>
>
> On Thu, 15 Nov 2001, Sven Wittig wrote:
>
> > Hi,
> >
> > I recently discovered this entry in my messages-logfile
> >
> > " Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
> > 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
> >
> > is this a kind of attack or what?
> >
>
> Nope it only mean that someone changed arp.
> It could be spoof, or simply someone changed network card.
>
> Regards.
>
> airot...

I also thought of someone changing the NIC where this IP originated
before. So I would ask the owner of this host if he did anything that
could result in such a message.

regards,
fr

From owner-freebsd-security Thu Nov 15 14: 3:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from axel.truedestiny.net (b76168.upc-b.chello.nl [212.83.76.168]) by hub.freebsd.org (Postfix) with ESMTP id 8C84837B419 for ; Thu, 15 Nov 2001 14:03:36 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by axel.truedestiny.net (Postfix) with ESMTP id 9086149A24; Thu, 15 Nov 2001 23:03:34 +0100 (CET)
Received: by axel.truedestiny.net (Postfix, from userid 1000) id 9178249A23; Thu, 15 Nov 2001 23:03:31 +0100 (CET)
Date: Thu, 15 Nov 2001 23:03:31 +0100
From: Axel Scheepers
To: Sven Wittig
Cc: security@FreeBSD.ORG
Subject: Re: unusual log in var/log/messages
Message-ID: <20011115230331.A74754@mars.thuis>
Reply-To: Axel Scheepers
References: <3BF4369A.3030503@gmx.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3BF4369A.3030503@gmx.de>; from Sven.wittig@gmx.de on Thu, Nov 15, 2001 at 10:41:46PM +0100
X-Virus-Scanned: by AMaViS perl-10

Hi,

As far as I know this is not an attack, but probably caused by a running
routed. I (unfortunately) don't really know the ins and outs of this
message; maybe someone can explain it in more detail?

After browsing for a while I found the following, which might be useful:

In the O'Reilly book TCP/IP Network Admin. by Craig Hunt, there is some
discussion about ARP_PROXYALL options in the basic BSD kernel config.

...on page 114

"Proxy ARP is a variant on the standard protocol in which a server answers
the ARP request for its clients. Here's how it works. Host A sends out an
ARP request for the Ethernet address of host B. The proxy ARP server, C,
hears the request and sends an ARP response back to A claiming that C's
Ethernet address is the address of host B. A then sends traffic intended
for B to C because it uses C's Ethernet address. C is therefore responsible
for forwarding the traffic on to B. The proxy ARP server is usually a
router and proxy ARP is used as a means of forwarding traffic between
systems that cannot use normal routing for that traffic"

This seems to be what's happening but again, I'm not sure.
Gr,
Axel

On Thu, Nov 15, 2001 at 10:41:46PM +0100, Sven Wittig wrote:
> Hi,
>
> I recently discovered this entry in my messages-logfile
>
> " Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
> 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
>
> is this a kind of attack or what?
>
> Cu
>
> Sven Wittig

--
Axel Scheepers
UNIX System Administrator
email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
I have great faith in fools -- self confidence my friends call it.
-- Edgar Allan Poe
------------------------------------------

From owner-freebsd-security Thu Nov 15 14: 4: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail5.doit.wisc.edu (mail5.doit.wisc.edu [144.92.9.76]) by hub.freebsd.org (Postfix) with ESMTP id 107BC37B417 for ; Thu, 15 Nov 2001 14:03:53 -0800 (PST)
Received: from [144.92.198.10] by mail5.doit.wisc.edu id QAA60120 (8.9.1/50); Thu, 15 Nov 2001 16:03:48 -0600
Received: from PEN/SpoolDir by plantpath.wisc.edu (Mercury 1.48); 15 Nov 01 16:04:18 -0600
Received: from SpoolDir by PEN (Mercury 1.48); 15 Nov 01 16:04:03 -0600
From: "Jason Haas"
Organization: University of Wisconsin
To: Sven Wittig , security@FreeBSD.ORG
Date: Thu, 15 Nov 2001 16:03:54 CST
MIME-Version: 1.0
Subject: Re: unusual log in var/log/messages
Reply-To: jjh@plantpath.wisc.edu
Message-ID: <3BF3E769.18803.340F95@localhost>
In-reply-to: <3BF4369A.3030503@gmx.de>
X-mailer: Pegasus Mail for Windows (v4.01)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body

Are you running a DHCP server? This could be happening if the server
gives out a new IP for a computer.

Jason Haas

Date sent:      Thu, 15 Nov 2001 22:41:46 +0100
From:           Sven Wittig
Organization:   Tigga.org
To:             security@FreeBSD.ORG
Subject:        unusual log in var/log/messages

> Hi,
>
> I recently discovered this entry in my messages-logfile
>
> " Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
> 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
>
> is this a kind of attack or what?
>
> Cu
>
> Sven Wittig
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 15 14:16:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from 4ka.mipt.ru (4ka.mipt.ru [194.85.80.95]) by hub.freebsd.org (Postfix) with ESMTP id 1231C37B416 for ; Thu, 15 Nov 2001 14:16:34 -0800 (PST)
Received: from deegreez (deegrez.4ka.mipt.ru [194.85.80.111]) by 4ka.mipt.ru (8.11.6/8.11.6) with ESMTP id fAFMIFe15986 for ; Fri, 16 Nov 2001 01:18:15 +0300 (MSK) (envelope-from degreez_@4ka.mipt.ru)
Date: Thu, 16 Nov 2000 01:17:42 +0300
From: "deegreez [4ka]"
X-Mailer: The Bat! (v1.49)
Reply-To: "deegreez [4ka]"
X-Priority: 3 (Normal)
Message-ID: <723061181.20001116011742@4ka.mipt.ru>
To: security@FreeBSD.org
Subject: Re: unusual log in var/log/messages
In-reply-To: <3BF4369A.3030503@gmx.de>
References: <3BF4369A.3030503@gmx.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello Sven,

Friday, November 16, 2001, 12:41:46 AM, you wrote smth like:

SW> Hi,
SW> I recently discovered this entry in my messages-logfile
SW> " Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
SW> 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
SW> is this a kind of attack or what?
SW> Cu
SW> Sven Wittig

I don't think it's a kind of attack, but it can be a kind of
man-in-the-middle sniffing realisation. Use arpwatch for more details
about the MAC/IP configuration of hosts.

--
Best regards,
deegreez mailto:degreez_@4ka.mipt.ru
and let da connect b with U!

From owner-freebsd-security Thu Nov 15 14:25:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id BC5CD37B417 for ; Thu, 15 Nov 2001 14:25:25 -0800 (PST)
Received: (qmail 21315 invoked from network); 15 Nov 2001 22:26:43 -0000
Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 15 Nov 2001 22:26:43 -0000
Message-ID: <002d01c16e24$6bd195a0$0d00a8c0@alexus>
From: "alexus"
To: "Sven Wittig" , , "Landon Stewart"
References: <5.1.0.14.0.20011115134701.02d027b0@pop.uniserve.com>
Subject: Re: unusual log in var/log/messages
Date: Thu, 15 Nov 2001 17:25:24 -0500
Organization: NexGen
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

this one is the closest to the truth

most likely this fbsd box acts as a router, and since it has two NICs it
mixes MACs and IPs

solution: create a VLAN on your switch (if it's possible) and put the
local and external ethernet on diff VLANs

you won't see this error in your life again..

----- Original Message -----
From: "Landon Stewart"
To: "Sven Wittig" ;
Sent: Thursday, November 15, 2001 4:49 PM
Subject: Re: unusual log in var/log/messages

> Probably not. Either someone changed their hardware or you are using an
> ADSL connection. I've noticed that with my ADSL connection, because my
> ADSL modem acts as a bridge, sometimes the arp of my gateway is the MAC of
> the modem and sometimes its the MAC of the actual gateway router.
>
> I'm curious though too, so if anyone else knows, post it.
>
>
> At 10:41 PM 11/15/2001 +0100, Sven Wittig wrote:
> >Hi,
> >
> >I recently discovered this entry in my messages-logfile
> >
> >" Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
> >00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
> >
> >is this a kind of attack or what?
> >
> >Cu
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Thu Nov 15 16: 4:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.tietoverkot.net (ns.nimipalvelut.net [194.100.91.5]) by hub.freebsd.org (Postfix) with ESMTP id 3D36937B419 for ; Thu, 15 Nov 2001 16:04:18 -0800 (PST)
Received: from localhost (lennu@localhost) by mail.tietoverkot.net (8.11.3/8.9.3) with ESMTP id fAG031H76261; Fri, 16 Nov 2001 02:03:01 +0200 (EET) (envelope-from lennu@tietoverkot.net)
Date: Fri, 16 Nov 2001 02:03:01 +0200 (EET)
From: Len Merikanto
To: Sven Wittig
Cc:
Subject: Re: unusual log in var/log/messages
In-Reply-To: <3BF4369A.3030503@gmx.de>
Message-ID: <20011116020109.S18296-100000@mail.tietoverkot.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 15 Nov 2001, Sven Wittig wrote:

> Date: Thu, 15 Nov 2001 22:41:46 +0100
> From: Sven Wittig
> To: security@FreeBSD.ORG
> Subject: unusual log in var/log/messages
>
> Hi,
>
> I recently discovered this entry in my messages-logfile
>
> " Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
> 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
>
> is this a kind of attack or what?
>
> Cu
>
> Sven Wittig
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

I have the same logs now and then, and I guess it comes from multiple
interfaces with different IPs on the same switch. I guess; I am not sure,
but this cheapo switch I bought somehow forgets things and it comes from
there. Never happened b4 when it was sitting in a Catalyst. Must be
something to do with switches. :)

.....................................................................
Len Merikanto
MMI Tietoverkot Oy
Munkkisaarenkatu 2, 4. krs.
FIN - 00150 Helsinki
lennu@tietoverkot.net
GSM: +358 (0)40 900 8494
TEL: +358 (0)9 6869 1950
FAX: +358 (0)9 6869 1935
.....................................................................

From owner-freebsd-security Thu Nov 15 17:54:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from blue.blueskyfrog.com (blue.blueskyfrog.com [203.185.223.22]) by hub.freebsd.org (Postfix) with ESMTP id 150B337B417 for ; Thu, 15 Nov 2001 17:54:19 -0800 (PST)
Received: from gold.internal.blueskyfrog.com ([192.168.121.34]) by blue.blueskyfrog.com with esmtp (Exim 3.12 #1 (Debian)) id 164YCv-0001LQ-00 for ; Fri, 16 Nov 2001 11:54:17 +1000
Received: from ns by gold.internal.blueskyfrog.com with local (Exim 3.12 #1 (Debian)) id 164YCv-0006Cn-00 for ; Fri, 16 Nov 2001 11:54:17 +1000
Date: Fri, 16 Nov 2001 11:54:17 +1000
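[Editor's added example for the "arp: ... moved from" thread above; this is not code from the list, from FreeBSD or from arpwatch.] The replies offer several benign and several less benign explanations for a single "moved from" line, and deegreez's advice is to let arpwatch keep the history. The script below does the offline equivalent on a syslog excerpt: it parses the kernel's "arp: IP moved from MAC to MAC on IF" lines, keeps the MAC history per address, and separates a one-off change (a replaced NIC, or DHCP handing the address to another machine, as airot and Jason suggest) from an address that keeps flipping between the same two stations (two hosts with one IP, a bridge or proxy-ARP device answering in turn, as Nils, Landon and Axel describe, or a host being impersonated), and it lists any MAC that has answered for several addresses (a proxy-ARP router, or one station claiming to be several hosts). Only the first sample line is the one from Sven's post; the other lines, the 192.0.2.0/24 addresses and the 02:00:... MACs are constructed for this example.

```python
import re
from collections import defaultdict

# Kernel message format as quoted in the thread:
#   arp: 137.226.141.33 moved from 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) moved from (?P<old>[0-9a-fA-F:]{17}) "
    r"to (?P<new>[0-9a-fA-F:]{17}) on (?P<ifname>\S+)"
)

# Constructed sample log. Only the first line is from the original post; the
# 192.0.2.0/24 addresses and 02:00:... MACs are invented for this example.
SAMPLE_LOG = [
    "Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0",
    # one address answered alternately by two stations
    "Nov 14 15:12:01 leo2 /kernel: arp: 192.0.2.10 moved from 02:00:00:00:00:aa to 02:00:00:00:00:bb on de0",
    "Nov 14 15:12:07 leo2 /kernel: arp: 192.0.2.10 moved from 02:00:00:00:00:bb to 02:00:00:00:00:aa on de0",
    "Nov 14 15:12:15 leo2 /kernel: arp: 192.0.2.10 moved from 02:00:00:00:00:aa to 02:00:00:00:00:bb on de0",
    # a second address now answered by that same station
    "Nov 14 15:13:40 leo2 /kernel: arp: 192.0.2.30 moved from 02:00:00:00:00:cc to 02:00:00:00:00:bb on de0",
    # unrelated kernel message; must be ignored
    "Nov 14 15:14:00 leo2 /kernel: de0: link state changed to UP",
]


def parse_arp_moves(lines):
    """Return (ip, old_mac, new_mac, ifname) for every 'arp: ... moved' line."""
    events = []
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            events.append((m["ip"], m["old"].lower(), m["new"].lower(), m["ifname"]))
    return events


def analyze(lines):
    """Classify the MAC history of each IP and map each MAC to the IPs it answered for.

    single-change:   one move only; consistent with a replaced NIC or DHCP handing
                     the address to another machine.
    flip-flop:       the address keeps alternating between the same two MACs:
                     two hosts configured with one IP, a bridge or proxy-ARP
                     device answering in turn, or a host being impersonated.
    multiple-owners: three or more different MACs have claimed the address.
    """
    history = defaultdict(list)          # ip -> MACs in the order they were seen
    for ip, old, new, _ in parse_arp_moves(lines):
        if not history[ip]:
            history[ip].append(old)      # the MAC the cache held before the first move
        history[ip].append(new)

    verdicts, claims = {}, defaultdict(set)
    for ip, macs in history.items():
        if len(set(macs)) >= 3:
            verdicts[ip] = "multiple-owners"
        elif len(macs) >= 3:             # >= 2 moves but only 2 MACs: A -> B -> A ...
            verdicts[ip] = "flip-flop"
        else:
            verdicts[ip] = "single-change"
        for mac in macs:
            claims[mac].add(ip)
    return verdicts, dict(claims)


def shared_macs(claims):
    """MACs that answered for more than one IP: a proxy-ARP router, or one
    station pretending to be several hosts; worth a look either way."""
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    verdicts, claims = analyze(SAMPLE_LOG)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:16} {verdict}")
    for mac, ips in sorted(shared_macs(claims).items()):
        print(f"{mac} answered for {', '.join(sorted(ips))}")
```

On the sample input the line from the post comes out as a single change, 192.0.2.10 as a flip-flop, and 02:00:00:00:00:bb as a station that has answered for two addresses; the kernel only logs the change, so which of the explanations in the thread applies still has to be settled by looking at the two stations themselves, as Frank suggests.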
From: Nick Slager
To: freebsd-security@freebsd.org
Subject: KAME IPsec <--> Cisco
Message-ID: <20011116115417.F22136@BlueSkyFrog.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Homer: Whoohooooooo!

I'm attempting to set up a VPN between a box running FreeBSD
4.4-RELEASE and a third party using a Cisco 36xx with IOS 12.2(5).
Using racoon 20011026a for key exchange.

When I ping the other end, racoon logs the following:

...
2001-11-16 11:45:03: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
2001-11-16 11:45:03: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
2001-11-16 11:45:03: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin.
2001-11-16 11:45:03: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify)
2001-11-16 11:45:03: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed.
2001-11-16 11:45:03: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
2001-11-16 11:45:03: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found.
2001-11-16 11:45:03: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.
2001-11-16 11:45:03: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).

And that's as far as we get. An SA is not established.

I'm guessing that "invalid spi_size" message is the problem; the next
line "spi=(size=0)" also seems odd.

Is anyone able to shed some light on what is going wrong?

Relevant sections of racoon.conf are below. Note that the Cisco
supports only DES/MD5.
Thanks,

Nick

remote 203.x.x.x
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        peers_identifier address;
        nonce_size 16;
        lifetime time 24 hour;          # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;            # obey, strict or claim

        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
}

sainfo address 203.x.x.x any address 203.y.y.y any
{
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm des ;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

From owner-freebsd-security Thu Nov 15 18: 9:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id 403EC37B417 for ; Thu, 15 Nov 2001 18:09:32 -0800 (PST)
Received: from localhost ([3ffe:501:41c:2000:e89c:3277:c904:dbcf]) by mine.kame.net (8.11.1/3.7W) with ESMTP id fAG24ix11781; Fri, 16 Nov 2001 11:04:44 +0900 (JST)
To: ns@BlueSkyFrog.COM
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPsec <--> Cisco
In-Reply-To: Your message of "Fri, 16 Nov 2001 11:54:17 +1000" <20011116115417.F22136@BlueSkyFrog.COM>
References: <20011116115417.F22136@BlueSkyFrog.COM>
X-Mailer: Cue version 0.6 (011026-1440/sakane)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20011116110930M.sakane@kame.net>
Date: Fri, 16 Nov 2001 11:09:30 +0900
From: Shoichi Sakane
X-Dispatcher: imput version 20000228(IM140)
Lines: 41

> I'm attempting to set up a VPN between a box running FreeBSD
> 4.4-RELEASE and a third party using a Cisco 36xx with IOS 12.2(5).
> Using racoon 20011026a for key exchange.

> When I ping the other end, racoon logs the following:

> 2001-11-16 11:45:03: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
> 2001-11-16 11:45:03: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
> 2001-11-16 11:45:03: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin.
> 2001-11-16 11:45:03: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify)
> 2001-11-16 11:45:03: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed.
> 2001-11-16 11:45:03: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
> 2001-11-16 11:45:03: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found.

it's not an error, ignore it.

> 2001-11-16 11:45:03: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.

umm, could you show me the packet that is sent by the cisco?
there is a part of the hex dump of the packet in the racoon logs.

> 2001-11-16 11:45:03: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).

the cisco complained about the proposal racoon sent. i'm not sure what
the phase was. check if phase 1 is established, and then check the
proposals, whether these are the same.

> Relevant sections of racoon.conf are below. Note that the Cisco
> supports only DES/MD5.

> sainfo address 203.x.x.x any address 203.y.y.y any
> {
>         pfs_group 1;
>         lifetime time 30 sec;
>         encryption_algorithm des ;
>         authentication_algorithm hmac_md5;
>         compression_algorithm deflate ;
> }

does the cisco support PFS ?
and can the cisco accept the lifetime of 30 seconds ?

From owner-freebsd-security Thu Nov 15 18:28:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from blue.blueskyfrog.com (blue.blueskyfrog.com [203.185.223.22]) by hub.freebsd.org (Postfix) with ESMTP id 5EA6F37B417 for ; Thu, 15 Nov 2001 18:28:31 -0800 (PST)
Received: from gold.internal.blueskyfrog.com ([192.168.121.34]) by blue.blueskyfrog.com with esmtp (Exim 3.12 #1 (Debian)) id 164Ygq-0001V1-00; Fri, 16 Nov 2001 12:25:12 +1000
Received: from ns by gold.internal.blueskyfrog.com with local (Exim 3.12 #1 (Debian)) id 164Ygq-0006Ka-00; Fri, 16 Nov 2001 12:25:12 +1000
Date: Fri, 16 Nov 2001 12:25:12 +1000
From: Nick Slager
To: Shoichi Sakane
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPsec <--> Cisco
Message-ID: <20011116122512.A24232@BlueSkyFrog.COM>
References: <20011116115417.F22136@BlueSkyFrog.COM> <20011116110930M.sakane@kame.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011116110930M.sakane@kame.net>; from sakane@kame.net on Fri, Nov 16, 2001 at 11:09:30AM +0900
X-Homer: Whoohooooooo!

Thus spake Shoichi Sakane (sakane@kame.net):

> > 2001-11-16 11:45:03: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.
>
> umm, could you show me what the packet is sent by the cisco ?
> there is a part of the hex dump of the packet in the racoon logs.

Sorry, I should have posted the entire log first time:

2001-11-16 12:13:20: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2001-11-16 12:13:20: DEBUG: pfkey.c:1519:pk_recvacquire(): suitable outbound SP found: 203.y.y.y/32[0] 203.x.x.x/32[0] proto=any dir=out.
2001-11-16 12:13:20: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbfbff8ac: 203.x.x.x/32[0] 203.y.y.y/32[0] proto=any dir=in
2001-11-16 12:13:20: DEBUG: policy.c:184:cmpspidxstrict(): db :0x80a3a08: 203.x.x.x/32[0] 203.y.y.y/32[0] proto=any dir=in
2001-11-16 12:13:20: DEBUG: pfkey.c:1535:pk_recvacquire(): suitable inbound SP found: 203.x.x.x/32[0] 203.y.y.y/32[0] proto=any dir=in.
2001-11-16 12:13:20: DEBUG: pfkey.c:1574:pk_recvacquire(): new acquire 203.y.y.y/32[0] 203.x.x.x/32[0] proto=any dir=out
2001-11-16 12:13:20: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.
2001-11-16 12:13:20: DEBUG: proposal.c:822:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2001-11-16 12:13:20: DEBUG: proposal.c:856:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
2001-11-16 12:13:20: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 203.x.x.x.
2001-11-16 12:13:20: INFO: isakmp.c:1726:isakmp_post_acquire(): IPsec-SA request for 203.x.x.x queued due to no phase1 found.
2001-11-16 12:13:20: DEBUG: isakmp.c:811:isakmp_ph1begin_i(): ===
2001-11-16 12:13:20: INFO: isakmp.c:816:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 203.y.y.y[500]<=>203.x.x.x[500]
2001-11-16 12:13:20: INFO: isakmp.c:821:isakmp_ph1begin_i(): begin Aggressive mode.
2001-11-16 12:13:20: DEBUG: isakmp.c:2038:isakmp_newcookie(): new cookie: 016acbfeb84acd55
2001-11-16 12:13:20: DEBUG: ipsec_doi.c:3181:ipsecdoi_setid1(): use ID type of IPv4_address
2001-11-16 12:13:20: DEBUG: oakley.c:250:oakley_dh_generate(): compute DH's private.
2001-11-16 12:13:20: DEBUG: plog.c:193:plogdump():
dc71c8e9 7a12697d 4ddc032b 97a9ec96 83d4bcb4 8b19294e b67e098a bb982993
cec2a674 e0508cf6 3ef1d89e de726edb 3005ef09 de8f4474 0a3e1f84 a519b0a5
bf441c6a 1061816a 95fe8269 e2eb142b 03110fd2 dde3ed7e c21b1d9f 53e3d0cf
2001-11-16 12:13:20: DEBUG: oakley.c:252:oakley_dh_generate(): compute DH's public.
2001-11-16 12:13:20: DEBUG: plog.c:193:plogdump():
b4b2ea06 c8018285 dac6da9a ceebb01f bf4f804f f77eb508 e2f81cf9 8ead353a
9af1aa03 2c0d0c12 858f7acf 59228fd4 6e8bb08c 4045596d 12233acb 7b58b3d0
624c6b73 cfba70f7 e4824152 d6dd33cd 09248853 cc9f8cd6 276c72b3 97d72bd4
2001-11-16 12:13:20: DEBUG: isakmp_agg.c:157:agg_i1send(): authmethod is pre-shared key
2001-11-16 12:13:20: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 52, next type 4
2001-11-16 12:13:20: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 96, next type 10
2001-11-16 12:13:20: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 96, next type 5
2001-11-16 12:13:20: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 8, next type 0
2001-11-16 12:13:20: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
2001-11-16 12:13:20: DEBUG: sockmisc.c:424:sendfromto(): sockname 203.y.y.y[500]
2001-11-16 12:13:20: DEBUG: sockmisc.c:426:sendfromto(): send packet from 203.y.y.y[500]
2001-11-16 12:13:20: DEBUG: sockmisc.c:428:sendfromto(): send packet to 203.x.x.x[500]
2001-11-16 12:13:20: DEBUG: isakmp.c:1462:isakmp_send(): 1 times of 296 bytes message will be sent.
2001-11-16 12:13:20: DEBUG: plog.c:193:plogdump(): 016acbfe b84acd55 00000000 00000000 01100400 00000000 00000128 04000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004 00015180 80010001 80030001 80020001 80040001 0a000064 b4b2ea06 c8018285 dac6da9a ceebb01f bf4f804f f77eb508 e2f81cf9 8ead353a 9af1aa03 2c0d0c12 858f7acf 59228fd4 6e8bb08c 4045596d 12233acb 7b58b3d0 624c6b73 cfba70f7 e4824152 d6dd33cd 09248853 cc9f8cd6 276c72b3 97d72bd4 05000064 98a8c643 cb5527b2 7a983c45 7ee0caa6 d05c4e18 a3e9e042 6a0b103d 9660092a b2bee2ad b4eda3a9 98a3a6c8 bc20b204 e6f05da6 40613a81 8b378f76 fd9144e6 315ce547 082b1f95 cb5c9f61 603f745d 336fa671 fb842610 621a6c39 0801ae49 0000000c 011101f4 cbb9df13 2001-11-16 12:13:20: DEBUG: isakmp.c:233:isakmp_handler(): === 2001-11-16 12:13:20: DEBUG: isakmp.c:234:isakmp_handler(): 96 bytes message received from 203.x.x.x[500] 2001-11-16 12:13:20: DEBUG: plog.c:193:plogdump(): 016acbfe b84acd55 19e865f5 2b05b309 0b100500 00000000 00000060 00000044 00000001 0100000e 04000038 00000001 00000001 323b59e8 00000004 00000000 6225c09c 611cf22c 00000001 00000000 612ccc00 00000000 01000000 00000000 2001-11-16 12:13:20: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin. 2001-11-16 12:13:20: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information. 2001-11-16 12:13:20: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin. 2001-11-16 12:13:20: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify) 2001-11-16 12:13:20: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed. 2001-11-16 12:13:20: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle. 2001-11-16 12:13:20: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found. 2001-11-16 12:13:20: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload. 2001-11-16 12:13:20: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0). 
2001-11-16 12:13:51: ERROR: isakmp.c:1818:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.x.x.x->203.y.y.y 2001-11-16 12:13:51: INFO: isakmp.c:1823:isakmp_chkph1there(): delete phase 2 handler. > > 2001-11-16 11:45:03: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0). > > the cisco complained about the proposal racoon sent. i'm not sure what > the phase was. check if the phase 1 established, and then the proposal > if these are same. I haven't actually seen the Cisco config, but they tell me the router is set to use DES encryption with an MD5 hash. > > sainfo address 203.x.x.x any address 203.y.y.y any > > { > > pfs_group 1; > > lifetime time 30 sec; > > encryption_algorithm des ; > > authentication_algorithm hmac_md5; > > compression_algorithm deflate ; > > } > > does the cisco support PFS ? and can the cisco accept the lifetime of > 30 seconds ? People at the other end tell me the Cisco will support pfs_group 1 or 2. I have also omitted it altogether, with the same result. Regards, Nick -- Excuse of the day: NOTICE: alloc: /dev/null: filesystem full To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 15 18:55:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from proxy2.ba.best.com (proxy2.ba.best.com [206.184.139.14]) by hub.freebsd.org (Postfix) with ESMTP id E5C9137B418 for ; Thu, 15 Nov 2001 18:55:32 -0800 (PST) Received: from renfro.org (ar05ik@sdn-ar-005casjosP115.dialsprint.net [63.180.20.75]) by proxy2.ba.best.com (8.9.3/8.9.2/best.out) with ESMTP id SAA28802; Thu, 15 Nov 2001 18:54:07 -0800 (PST) Received: (from scott@localhost) by renfro.org (8.11.4/8.11.4) id fAG2s1H74225; Thu, 15 Nov 2001 18:54:01 -0800 (PST) (envelope-from scott) Date: Thu, 15 Nov 2001 18:54:00 -0800 
From: Scott Renfro
To: Adam Laurie
Cc: Francisco Reyes , "Martin J. Muench" , FreeBSD Security List
Subject: Re: Free or Commercial crypto filesystem?
Message-ID: <20011115185359.D67294@bonsai.home.renfro.org>
References: <20011112112045.B42614-100000@zoraida.natserv.net> <3BF00B66.11A3F4AF@algroup.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3BF00B66.11A3F4AF@algroup.co.uk>; from adam@algroup.co.uk on Mon, Nov 12, 2001 at 05:48:22PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, Nov 12, 2001 at 05:48:22PM +0000, Adam Laurie wrote:
>
> incidentally, there was some talk recently about a new release on the
> netbsd crypto mailing list, but i can't remember where it ended
> up... i use cfs.1.4.0.beta2 and it works fine for me...

note that there is a serious (but simple) bug in cfs that results in (small amounts of) data loss. the patch and description can be found here:

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/30120

also, there's a pr to upgrade cfs to the 1.4.1 release, although this shouldn't have any functional changes from 1.4.0.beta2 on freebsd. that can be found here:

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/29638

I use cfs heavily every day and have a 1.5G cfs filesystem. The only issue I've had was the bug above.

cheers,
--Scott

--
Scott Renfro

From owner-freebsd-security Thu Nov 15 19:12:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from westhost32.westhost.net (westhost32.westhost.net [216.71.84.181]) by hub.freebsd.org (Postfix) with ESMTP id 72C2337B417 for ; Thu, 15 Nov 2001 19:12:25 -0800 (PST)
Received: from HFTB (cable-14-82-237-24.anchorageak.net [24.237.82.14]) by westhost32.westhost.net (8.11.6/8.11.6) with ESMTP id fAG3CMW26157 for ; Thu, 15 Nov 2001 21:12:22 -0600
Date: Thu, 15 Nov 2001 18:15:37 -0900
From: Greg Wirth
X-Mailer: The Bat! (v1.54/10) Personal
Reply-To: Greg
Organization: RapidFX.com
X-Priority: 3 (Normal)
Message-ID: <12126694534.20011115181537@rapidfx.com>
To: security@FreeBSD.ORG
Subject: Re[2]: unusual log in var/log/messages
In-Reply-To: <20011116020109.S18296-100000@mail.tietoverkot.net>
References: <20011116020109.S18296-100000@mail.tietoverkot.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello...

I also see these from time to time, and have never pinned down exactly what it means. I've never found any damage or abuse during or after these messages. I would really like to know. The times always match, and happen at random times. Versions don't seem to matter, as it has happened since 3.3.

Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from 00:40:c7:81:22:04 to 00:04:ac:1a:4e:e7 on dc0
Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from 00:04:ac:1a:4e:e7 to 00:40:c7:81:22:04 on dc0

Thursday, November 15, 2001, 3:03:01 PM, you wrote:

LM> On Thu, 15 Nov 2001, Sven Wittig wrote:
>> I recently discovered this entry in my messages-logfile
>> " Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
>> 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
>> is this a kind of attack or what?
>> Sven Wittig

LM> I have the same logs now and then and I guess it comes from
LM> multiple interfaces with different IPs on the same switch.
LM> I guess, I am not sure, but this cheapo switch I bought somehow forgets
LM> things and it comes from there.
LM> Never happened before when it was sitting in a Catalyst.
LM> Must be something to do with switches. :)
LM> .....................................................................
LM> Len Merikanto
LM> MMI Tietoverkot Oy
LM> Munkkisaarenkatu 2, 4. krs.
LM> FIN - 00150 Helsinki

--
Greg S. Wirth

From owner-freebsd-security Thu Nov 15 19:14:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id 68EA337B405 for ; Thu, 15 Nov 2001 19:14:25 -0800 (PST)
Received: from dialup-209.244.102.228.dial1.newyork1.level3.net ([209.244.102.228] helo=laptop.lambertfam.org) by albatross.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 164ZSS-0007BK-00 for security@FreeBSD.ORG; Thu, 15 Nov 2001 19:14:25 -0800
Received: by laptop.lambertfam.org (Postfix, from userid 1000) id 42FE728B09; Thu, 15 Nov 2001 22:14:21 -0500 (EST)
Date: Thu, 15 Nov 2001 22:14:21 -0500
From: Scott Lambert
To: security@FreeBSD.ORG
Subject: Re: unusual log in var/log/messages
Message-ID: <20011115221421.A42599@laptop.lambertfam.org>
Mail-Followup-To: security@FreeBSD.ORG
References: <3BF4369A.3030503@gmx.de> <20011116020109.S18296-100000@mail.tietoverkot.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011116020109.S18296-100000@mail.tietoverkot.net>; from lennu@tietoverkot.net on Fri, Nov 16, 2001 at 02:03:01AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, 15 Nov 2001, Sven Wittig wrote:
> I recently discovered this entry in my messages-logfile
>
> " Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from
> 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0"
>
> is this a kind of attack or what?

This *can* happen with a DHCP environment.

--
Scott Lambert KC5MLE Unix SysAdmin -- Looking for work.
lambert@lambertfam.org http://www.lambertfam.org/~lambert/resume.html
2.5 years Sr. SysAdmin experience with FreeBSD in small & medium size ISPs.
The last 5 months have included exposure to Solaris 7, Tru64 5, and Linux.
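The replies so far give three different readings of the same kernel message: a DHCP lease change, a switch "forgetting things", or two machines answering for one address. The log itself can tell these apart. A lease change or a swapped NIC moves the address once; two hosts both claiming it produce pairs of moves that go A -> B -> A within seconds, which is exactly what Greg Wirth's two lines above (same second, same IP, MACs swapped back) look like. The script below is an added example for this thread, not FreeBSD code and not from any poster: it parses `arp: ... moved from` lines in the /kernel syslog format shown on this page and flags addresses that return to a MAC that held them a moment ago. The 300-second window, the 2001 year (syslog timestamps carry none), and the last sample line are assumptions made for the example.

```python
"""Sort FreeBSD "arp: ... moved from" kernel messages into single moves and
contested addresses.  Added example, not FreeBSD code."""
import re
from collections import defaultdict
from datetime import datetime

ARP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: arp: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from (?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"to (?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifn>\S+)$")

# A move that hands the address back to a MAC that held it this recently is
# counted as a flap, i.e. two stations fighting over it (assumed window).
FLAP_WINDOW = 300

SAMPLE_LOG = [
    # Greg Wirth's two lines from this thread: same second, A -> B -> A.
    "Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from 00:40:c7:81:22:04 to 00:04:ac:1a:4e:e7 on dc0",
    "Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from 00:04:ac:1a:4e:e7 to 00:40:c7:81:22:04 on dc0",
    # Sven Wittig's line: a single move with nothing after it.
    "Nov 14 15:10:44 leo2 /kernel: arp: 137.226.141.33 moved from 00:40:33:39:80:d1 to 00:50:bf:7e:6e:70 on de0",
    # Constructed for this example: an unrelated kernel line the parser must skip.
    "Nov 14 15:10:45 leo2 /kernel: de0: promiscuous mode enabled",
]


def parse(line, year=2001):
    """Fields of one arp-moved line, or None for any other line.
    syslog timestamps carry no year, so the caller supplies it."""
    m = ARP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "ip": m["ip"],
            "old": m["old"], "new": m["new"], "ifn": m["ifn"]}


def classify(lines, year=2001):
    """Group moves per IP and decide whether the address changed hands once
    or is bouncing between MACs."""
    events = defaultdict(list)
    for line in lines:
        ev = parse(line, year)
        if ev:
            events[ev["ip"]].append(ev)

    report = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        last_held = {evs[0]["old"]: evs[0]["ts"]}   # MAC -> when it last owned the IP
        flaps = 0
        for e in evs:
            prev = last_held.get(e["new"])
            if prev is not None and (e["ts"] - prev).total_seconds() <= FLAP_WINDOW:
                flaps += 1                            # address went back to a recent owner
            last_held[e["old"]] = e["ts"]
            last_held[e["new"]] = e["ts"]
        # contested: two hosts answering for one IP (duplicate address or ARP spoof)
        # single move: what a DHCP lease change or a replaced NIC looks like
        verdict = "contested" if flaps else "single move"
        report[ip] = {"moves": len(evs), "flaps": flaps, "macs": sorted(last_held),
                      "interfaces": sorted({e["ifn"] for e in evs}),
                      "hosts": sorted({e["host"] for e in evs}), "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, r in classify(SAMPLE_LOG).items():
        print("%-16s %-12s moves=%d flaps=%d macs=%s"
              % (ip, r["verdict"], r["moves"], r["flaps"], ", ".join(r["macs"])))
```

A "contested" verdict means two stations were answering ARP for one address at the same moment, and the follow-up is the one Mitch suggests further down: look both MACs up in the switch's forwarding table to find the ports. A "single move" is what a DHCP reassignment looks like and is only worth chasing if the new MAC is not a host you expect. The window only catches the case where both owners keep talking; if the legitimate owner stays quiet after someone else claims its address, the victim logs one move, not a flap.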
From owner-freebsd-security Thu Nov 15 19:21:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by hub.freebsd.org (Postfix) with ESMTP id 6C37537B41A for ; Thu, 15 Nov 2001 19:21:48 -0800 (PST)
Received: from ruby.ccmr.cornell.edu (IDENT:0@ruby.ccmr.cornell.edu [128.84.231.115]) by mercury.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id WAA32400; Thu, 15 Nov 2001 22:22:46 -0500
Received: from localhost (mitch@localhost) by ruby.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id WAA21816; Thu, 15 Nov 2001 22:21:44 -0500
X-Authentication-Warning: ruby.ccmr.cornell.edu: mitch owned process doing -bs
Date: Thu, 15 Nov 2001 22:21:44 -0500 (EST)
From: Mitch Collinsworth
X-Sender: mitch@ruby.ccmr.cornell.edu
To: Greg
Cc: security@FreeBSD.ORG
Subject: Re: Re[2]: unusual log in var/log/messages
In-Reply-To: <12126694534.20011115181537@rapidfx.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, 15 Nov 2001, Greg Wirth wrote:

> I also see these from time to time, and have never pinned down
> exactly what it means. I've never found any damage or abuse
> during or after these messages. I would really like to know.
> The times always match, and happen at random times.
> Versions don't seem to matter, as it has happened since 3.3
>
> Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from
> 00:40:c7:81:22:04 to 00:04:ac:1a:4e:e7 on dc0
> Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from
> 00:04:ac:1a:4e:e7 to 00:40:c7:81:22:04 on dc0

Have you checked to find out which system(s) are involved? It has to be someone on the same subnet with you.

-Mitch

From owner-freebsd-security Thu Nov 15 19:25:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id 8100B37B405 for ; Thu, 15 Nov 2001 19:25:53 -0800 (PST)
Received: from localhost ([3ffe:501:41c:2000:e89c:3277:c904:dbcf]) by mine.kame.net (8.11.1/3.7W) with ESMTP id fAG3L8x12055; Fri, 16 Nov 2001 12:21:09 +0900 (JST)
To: ns@BlueSkyFrog.COM
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPsec <--> Cisco
In-Reply-To: Your message of "Fri, 16 Nov 2001 12:25:12 +1000" <20011116122512.A24232@BlueSkyFrog.COM>
References: <20011116122512.A24232@BlueSkyFrog.COM>
X-Mailer: Cue version 0.6 (011026-1440/sakane)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20011116122553J.sakane@kame.net>
Date: Fri, 16 Nov 2001 12:25:53 +0900
From: Shoichi Sakane
X-Dispatcher: imput version 20000228(IM140)
Lines: 23
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> 2001-11-16 12:13:20: DEBUG: isakmp.c:1462:isakmp_send(): 1 times of 296 bytes message will be sent.
  : (snip) :
> 2001-11-16 12:13:20: DEBUG: isakmp.c:234:isakmp_handler(): 96 bytes message received from 203.x.x.x[500]
> 2001-11-16 12:13:20: DEBUG: plog.c:193:plogdump():
> 016acbfe b84acd55 19e865f5 2b05b309 0b100500 00000000 00000060 00000044
> 00000001 0100000e 04000038 00000001 00000001 323b59e8 00000004 00000000
> 6225c09c 611cf22c 00000001 00000000 612ccc00 00000000 01000000 00000000
> 2001-11-16 12:13:20: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
> 2001-11-16 12:13:20: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
> 2001-11-16 12:13:20: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.

oh, it's the message for the phase 1 negotiation. and there is a bug
to check the buffer size. i've fixed it.

> 2001-11-16 12:13:20: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).

but still the peer complained about something of the phase 1.
so check the phase 1 proposal of both.
From owner-freebsd-security Thu Nov 15 20:25:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id 1E3E637B417 for ; Thu, 15 Nov 2001 20:25:36 -0800 (PST)
Received: from localhost ([3ffe:501:41c:2000:e89c:3277:c904:dbcf]) by mine.kame.net (8.11.1/3.7W) with ESMTP id fAG4Ktx12254; Fri, 16 Nov 2001 13:20:55 +0900 (JST)
To: ns@BlueSkyFrog.COM
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPsec <--> Cisco
In-Reply-To: Your message of "Fri, 16 Nov 2001 14:11:53 +1000" <20011116141153.B24232@BlueSkyFrog.COM>
References: <20011116141153.B24232@BlueSkyFrog.COM>
X-Mailer: Cue version 0.6 (011026-1440/sakane)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20011116132536K.sakane@kame.net>
Date: Fri, 16 Nov 2001 13:25:36 +0900
From: Shoichi Sakane
X-Dispatcher: imput version 20000228(IM140)
Lines: 19
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> > > 2001-11-16 12:13:20: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.
> > oh, it's the message for the phase 1 negotiation. and there is a bug
> > to check the buffer size. i've fixed it.
> Are you saying there is a bug, and that it has been corrected in a
> later racoon release? Or has it been corrected already in 20011026a?
> Should I download a later SNAP release?

i've committed the fix to the kame repository, so it will be included
in the next kame snap-shot. but, you don't need to get the new one.
the bug is not a problem in your case. i'm sorry for the ambiguity.

> > > 2001-11-16 12:13:20: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
> > but still the peer complained about something of the phase 1.
> > so check the phase 1 proposal of both.
> OK, I will double check the Cisco config.

please.

From owner-freebsd-security Thu Nov 15 20:31:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d150h247.resnet.uconn.edu (d150h247.resnet.uconn.edu [137.99.150.247]) by hub.freebsd.org (Postfix) with SMTP id 57B6B37B416 for ; Thu, 15 Nov 2001 20:31:52 -0800 (PST)
Received: (qmail 421 invoked by uid 1001); 16 Nov 2001 04:30:53 -0000
Date: Thu, 15 Nov 2001 23:30:53 -0500
From: "Peter C. Lai"
To: Mitch Collinsworth
Cc: Greg , security@FreeBSD.ORG
Subject: Re: Re[2]: unusual log in var/log/messages
Message-ID: <20011115233053.F80130@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <12126694534.20011115181537@rapidfx.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from mitch@collinsworth.info on Thu, Nov 15, 2001 at 10:21:44PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I have seen this continuously when someone is trying to spoof a router.
I have tested this by spoofing a router, but I think it can
also be generalized to any pair of hosts with the same IP and
neither wants to let it go (which is what is being done when one
spoofs a host).

On Thu, Nov 15, 2001 at 10:21:44PM -0500, Mitch Collinsworth wrote:
>
> On Thu, 15 Nov 2001, Greg Wirth wrote:
>
> > I also see these from time to time, and have never pinned down
> > exactly what it means. I've never found any damage or abuse
> > during or after these messages. I would really like to know.
> > The times always match, and happen at random times.
> > Versions don't seem to matter, as it has happened since 3.3
> >
> > Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from
> > 00:40:c7:81:22:04 to 00:04:ac:1a:4e:e7 on dc0
> > Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from
> > 00:04:ac:1a:4e:e7 to 00:40:c7:81:22:04 on dc0
>
> Have you checked to find out which system(s) are involved? It has
> to be someone on the same subnet with you.
>
> -Mitch

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542
203.206.3784

From owner-freebsd-security Thu Nov 15 20:46:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from blue.blueskyfrog.com (blue.blueskyfrog.com [203.185.223.22]) by hub.freebsd.org (Postfix) with ESMTP id C418837B405 for ; Thu, 15 Nov 2001 20:46:30 -0800 (PST)
Received: from gold.internal.blueskyfrog.com ([192.168.121.34]) by blue.blueskyfrog.com with esmtp (Exim 3.12 #1 (Debian)) id 164aM5-0002BN-00; Fri, 16 Nov 2001 14:11:53 +1000
Received: from ns by gold.internal.blueskyfrog.com with local (Exim 3.12 #1 (Debian)) id 164aM5-0006hy-00; Fri, 16 Nov 2001 14:11:53 +1000
Date: Fri, 16 Nov 2001 14:11:53 +1000
From: Nick Slager
To: Shoichi Sakane
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPsec <--> Cisco
Message-ID: <20011116141153.B24232@BlueSkyFrog.COM>
References: <20011116122512.A24232@BlueSkyFrog.COM> <20011116122553J.sakane@kame.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011116122553J.sakane@kame.net>; from sakane@kame.net on Fri, Nov 16, 2001 at 12:25:53PM +0900
X-Homer: Whoohooooooo!
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Thus spake Shoichi Sakane (sakane@kame.net):

> > 2001-11-16 12:13:20: DEBUG: isakmp.c:234:isakmp_handler(): 96 bytes message received from 203.x.x.x[500]
> > 2001-11-16 12:13:20: DEBUG: plog.c:193:plogdump():
> > 016acbfe b84acd55 19e865f5 2b05b309 0b100500 00000000 00000060 00000044
> > 00000001 0100000e 04000038 00000001 00000001 323b59e8 00000004 00000000
> > 6225c09c 611cf22c 00000001 00000000 612ccc00 00000000 01000000 00000000
> > > 2001-11-16 12:13:20: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
> > > 2001-11-16 12:13:20: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
> > > 2001-11-16 12:13:20: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.
>
> oh, it's the message for the phase 1 negotiation. and there is a bug
> to check the buffer size. i've fix it.

Shoichi-san,

Are you saying there is a bug, and that it has been corrected in a
later racoon release? Or has it been corrected already in 20011026a?
Should I download a later SNAP release?

> > 2001-11-16 12:13:20: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
>
> but still the peer complained about something of the phase 1.
> so check the phase 1 proposal of both.

OK, I will double check the Cisco config.

Thank you very much for your help,

Nick

--
Excuse of the day: NOTICE: alloc: /dev/null: filesystem full

From owner-freebsd-security Thu Nov 15 20:50:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by hub.freebsd.org (Postfix) with ESMTP id 6DA3E37B405 for ; Thu, 15 Nov 2001 20:50:30 -0800 (PST)
Received: from ruby.ccmr.cornell.edu (IDENT:0@ruby.ccmr.cornell.edu [128.84.231.115]) by mercury.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id XAA00864; Thu, 15 Nov 2001 23:51:28 -0500
Received: from localhost (mitch@localhost) by ruby.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id XAA21989; Thu, 15 Nov 2001 23:50:26 -0500
X-Authentication-Warning: ruby.ccmr.cornell.edu: mitch owned process doing -bs
Date: Thu, 15 Nov 2001 23:50:26 -0500 (EST)
From: Mitch Collinsworth
X-Sender: mitch@ruby.ccmr.cornell.edu
To: peter.lai@uconn.edu
Cc: Greg , security@FreeBSD.ORG
Subject: Re: unusual log in var/log/messages
In-Reply-To: <20011115233053.F80130@cowbert.2y.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, 15 Nov 2001, Peter C. Lai wrote:

> I have seen this continuously when someone is trying to spoof a router.
> I have tested this by spoofing a router, but I think it can
> also be generalized to any pair of hosts with the same IP and
> neither wants to let it go (which is what is being done when one
> spoofs a host).

Sure. But since it's an arp the spoofer has to be on your local subnet. You can examine the spanning tree data in your switches to find out which switch port the machine with that mac address is connected to.

-Mitch

> On Thu, Nov 15, 2001 at 10:21:44PM -0500, Mitch Collinsworth wrote:
> >
> > On Thu, 15 Nov 2001, Greg Wirth wrote:
> >
> > > I also see these from time to time, and have never pinned down
> > > exactly what it means. I've never found any damage or abuse
> > > during or after these messages. I would really like to know.
> > > The times always match, and happen at random times.
> > > Versions don't seem to matter, as it has happened since 3.3
> > >
> > > Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from
> > > 00:40:c7:81:22:04 to 00:04:ac:1a:4e:e7 on dc0
> > > Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from
> > > 00:04:ac:1a:4e:e7 to 00:40:c7:81:22:04 on dc0
> >
> > Have you checked to find out which system(s) are involved? It has
> > to be someone on the same subnet with you.
> >
> > -Mitch
>
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Residential Life | Programmer
> Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
> http://cowbert.2y.net/
> 860.427.4542
> 203.206.3784

From owner-freebsd-security Thu Nov 15 22:30:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web20904.mail.yahoo.com (web20904.mail.yahoo.com [216.136.226.226]) by hub.freebsd.org (Postfix) with SMTP id 3D04837B405 for ; Thu, 15 Nov 2001 22:30:33 -0800 (PST)
Message-ID: <20011116063032.77688.qmail@web20904.mail.yahoo.com>
Received: from [161.142.100.81] by web20904.mail.yahoo.com via HTTP; Thu, 15 Nov 2001 22:30:32 PST
Date: Thu, 15 Nov 2001 22:30:32 -0800 (PST)
From: xmen koh
Subject: How to stop DoS Attack??
To: freebsd-security@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Dear security expert,

Recently I got a DoS on my web server. Does anyone know how to stop a DoS attack and prevent it from happening again? Some help would be appreciated in explaining the TCPDump below, which I got during the attack.

Here are some of my findings during the attack...

1) There are a lot of connections from different IPs at the same time, which try to overload the system using HTTP with non-stop requests for URLs. Below is the TCPDUMP.
2) The URLs requested, as logged by the web server log, seem to be quite valid, indicating that the attacker has studied the victim web site, and many of these requests are for graphic files, indicating a planned intention to clog up the server & network.
3) Many source IPs, suspected all to be forged.
4) A very close time between each packet timestamp indicates a script is used for this attack.

TCPDump:
----------------- Cut here ---------------------------------
21:11:59.268725 218.65.139.107.1051 > universe.victim.com.http: . 855733:855733(0) ack 1145547825 win 8576 (DF) (ttl 113, id 17921)
21:11:59.435873 universe.victim.com.http > 61.138.72.193.64687: P 1141631107:1141632162(1055) ack 7558792 win 17520 (DF) (ttl 64, id 12488)
21:11:59.662313 218.65.139.107.1051 > universe.victim.com.http: . 0:0(0) ack 537 win 8576 (DF) (ttl 113, id 18177)
21:12:00.178267 172.17.7.112.bootpc > 255.255.255.255.bootps: xid:0x680e984d secs:9795 flags:0x8000 [|bootp] (ttl 128, id 47690)
21:12:00.181566 0.0.0.0.bootpc > 255.255.255.255.bootps: secs:35127 [|bootp] (ttl 255, id 51891)
21:12:00.257071 universe.victim.com.1086 > dns1.domain: 50255+ PTR? 107.139.65.218.in-addr.arpa. (45) (ttl 64, id 12489)
21:12:00.301857 61.158.24.149.2707 > universe.victim.com.http: R 7549234:7549234(0) win 0 (DF) (ttl 114, id 4495)
21:12:00.425976 universe.victim.com.http > 61.146.105.9.1029: F 1143393049:1143393049(0) ack 68266 win 16616 (DF) (ttl 64, id 12490)
21:12:00.607501 dns1.domain > universe.victim.com.1086: 50255 NXDomain* q: 107.139.65.218.in-addr.arpa. 0/1/0 (133) (ttl 64, id 26014)
21:12:00.608060 universe.victim.com.1087 > dns1.domain: 50256+ PTR? 193.72.138.61.in-addr.arpa. (44) (ttl 64, id 12491)
21:12:00.608380 dns1.domain > universe.victim.com.1087: 50256 NXDomain q: 193.72.138.61.in-addr.arpa. 0/1/0 (132) (ttl 64, id 26015)
21:12:00.608786 universe.victim.com.1088 > dns1.domain: 50257+ PTR? 112.7.17.172.in-addr.arpa. (43) (ttl 64, id 12492)
21:12:00.609048 dns1.domain > universe.victim.com.1088: 50257 NXDomain* q: 112.7.17.172.in-addr.arpa. 0/1/0 (98) (ttl 64, id 26016)
21:12:00.897316 61.146.105.9.1029 > universe.victim.com.http: . 1:1(0) ack 1 win 6432 (DF) (ttl 47, id 31744)
21:12:01.564885 61.138.72.193.64687 > universe.victim.com.http: P 1:243(242) ack 1055 win 8760 (DF) (ttl 113, id 48854)
21:12:01.565525 universe.victim.com.http > 61.138.72.193.64687: . 1055:2515(1460) ack 243 win 17520 (DF) (ttl 64, id 12493)
21:12:01.565556 universe.victim.com.http > 61.138.72.193.64687: P 2515:3746(1231) ack 243 win 17520 (DF) (ttl 64, id 12494)
21:12:01.606465 universe.victim.com.1089 > dns1.domain: 50258+ PTR? 149.24.158.61.in-addr.arpa. (44) (ttl 64, id 12495)
21:12:01.617176 202.109.240.34.38528 > universe.victim.com.http: S 8997578:8997578(0) win 8192 (DF) (ttl 114, id 19238)
21:12:01.617258 universe.victim.com.http > 202.109.240.34.38528: S 1149696038:1149696038(0) ack 8997579 win 16968 (DF) (ttl 64, id 12496)
21:12:01.785893 universe.victim.com.http > 211.93.83.21.9116: . 1147469686:1147469687(1) ack 20552574 win 17520 (DF) (ttl 64, id 12497)
21:12:01.823491 202.109.240.34.38528 > universe.victim.com.http: . 1:1(0) ack 1 win 1414 (DF) (ttl 114, id 22822)
21:12:01.839369 202.109.240.34.38528 > universe.victim.com.http: P 1:302(301) ack 1 win 8484 (DF) (ttl 114, id 23590)
21:12:01.840166 universe.victim.com.http > 202.109.240.34.38528: P 1:678(677) ack 302 win 16968 (DF) (ttl 64, id 12498)
21:12:01.978307 211.97.70.65.12656 > universe.victim.com.http: S 470548359:470548359(0) win 8192 (ttl 14, id 56864)
21:12:01.978374 universe.victim.com.http > 211.97.70.65.12656: S 1149866959:1149866959(0) ack 470548360 win 17520 (DF) (ttl 64, id 12499)
21:12:02.130537 61.143.113.18.1029 > universe.victim.com.http: S 1530859:1530859(0) win 7168 (ttl 241, id 3328)
21:12:02.130607 universe.victim.com.http > 61.143.113.18.1029: S 1149911075:1149911075(0) ack 1530860 win 16616 (DF) (ttl 64, id 12500)
21:12:02.222128 202.109.240.34.38528 > universe.victim.com.http: . 302:302(0) ack 678 win 7807 (DF) (ttl 114, id 30758)
21:12:02.343543 dns1.domain > universe.victim.com.1089: 50258 NXDomain* q: 149.24.158.61.in-addr.arpa. 0/1/0 (132) (ttl 64, id 26022)
21:12:02.343951 universe.victim.com.1090 > dns1.domain: 50259+ PTR? 9.105.146.61.in-addr.arpa. (43) (ttl 64, id 12501)
21:12:02.453250 211.97.70.65.12656 > universe.victim.com.http: . 1:1(0) ack 1 win 1460 (ttl 14, id 57376)
21:12:02.455759 211.97.70.65.12656 > universe.victim.com.http: P 1:213(212) ack 1 win 8192 (ttl 14, id 57632)
21:12:02.456752 universe.victim.com.http > 211.97.70.65.12656: P 1:461(460) ack 213 win 17520 (DF) (ttl 64, id 12502)
21:12:02.471451 211.93.83.21.9116 > universe.victim.com.http: . 1:1(0) ack 1 win 8759 (DF) (ttl 114, id 43495)
21:12:02.471491 universe.victim.com.http > 211.93.83.21.9116: P 1:1435(1434) ack 1 win 17520 (DF) (ttl 64, id 12503)
21:12:02.525194 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: S 170636440:170636440(0) win 16384 (DF) (ttl 112, id 3296)
21:12:02.525288 universe.victim.com.http > 61-217-184-228.HINET-IP.hinet.net.1205: S 1150083763:1150083763(0) ack 170636441 win 16968 (DF) (ttl 64, id 12504)
21:12:02.551978 61.143.113.18.1029 > universe.victim.com.http: . 1:1(0) ack 1 win 536 (ttl 241, id 4096)
21:12:02.659832 202.109.240.34.38528 > universe.victim.com.http: P 302:515(213) ack 678 win 7807 (DF) (ttl 114, id 34086)
21:12:02.660662 universe.victim.com.http > 202.109.240.34.38528: P 678:1141(463) ack 515 win 16968 (DF) (ttl 64, id 12505)
21:12:02.752176 61.143.113.18.1029 > universe.victim.com.http: P 1:248(247) ack 1 win 7168 (ttl 241, id 4864)
21:12:02.752877 universe.victim.com.http > 61.143.113.18.1029: . 1:537(536) ack 248 win 16616 (DF) (ttl 64, id 12506)
21:12:02.752897 universe.victim.com.http > 61.143.113.18.1029: P 537:676(139) ack 248 win 16616 (DF) (ttl 64, id 12507)
21:12:02.942761 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: . 1:1(0) ack 1 win 1414 (DF) (ttl 112, id 3305)
21:12:03.010518 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: P 1:383(382) ack 1 win 16968 (DF) (ttl 112, id 3306)
21:12:03.011245 universe.victim.com.http > 61-217-184-228.HINET-IP.hinet.net.1205: P 1:678(677) ack 383 win 16968 (DF) (ttl 64, id 12508)
21:12:03.057518 211.97.70.65.12656 > universe.victim.com.http: P 213:563(350) ack 461 win 7732 (ttl 14, id 58400)
21:12:03.058020 universe.victim.com.http > 211.97.70.65.12656: P 461:656(195) ack 563 win 17520 (DF) (ttl 64, id 12509)
21:12:03.104494 202.109.240.34.38528 > universe.victim.com.http: P 515:777(262) ack 1141 win 7344 (DF) (ttl 114, id 38182)
21:12:03.104946 universe.victim.com.http > 202.109.240.34.38528: . 1141:2555(1414) ack 777 win 16968 (DF) (ttl 64, id 12510)
21:12:03.104993 universe.victim.com.http > 202.109.240.34.38528: . 2555:3969(1414) ack 777 win 16968 (DF) (ttl 64, id 12511)
21:12:03.105039 universe.victim.com.http > 202.109.240.34.38528: . 3969:5383(1414) ack 777 win 16968 (DF) (ttl 64, id 12512)
21:12:03.105062 universe.victim.com.http > 202.109.240.34.38528: . 5383:6797(1414) ack 777 win 16968 (DF) (ttl 64, id 12513)
21:12:03.268298 61.146.105.9.1029 > universe.victim.com.http: R 68266:68266(0) win 0 (DF) (ttl 47, id 38656)
21:12:03.296292 61.143.113.18.1029 > universe.victim.com.http: . 248:248(0) ack 1 win 7168 (ttl 241, id 5888)
21:12:03.371321 61.143.113.18.1029 > universe.victim.com.http: . 248:248(0) ack 676 win 7168 (ttl 241, id 6144)
21:12:03.465925 universe.victim.com.http > 211.93.83.21.9116: P 1:1435(1434) ack 1 win 17520 (DF) (ttl 64, id 12514)
21:12:03.529481 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 3969 win 8484 (DF) (ttl 114, id 43302)
21:12:03.529527 universe.victim.com.http > 202.109.240.34.38528: . 6797:8211(1414) ack 777 win 16968 (DF) (ttl 64, id 12515)
21:12:03.529555 universe.victim.com.http > 202.109.240.34.38528: . 8211:9625(1414) ack 777 win 16968 (DF) (ttl 64, id 12516)
21:12:03.529583 universe.victim.com.http > 202.109.240.34.38528: . 9625:11039(1414) ack 777 win 16968 (DF) (ttl 64, id 12517)
21:12:03.574347 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 6797 win 8484 (DF) (ttl 114, id 43558)
21:12:03.574409 universe.victim.com.http > 202.109.240.34.38528: . 11039:12453(1414) ack 777 win 16968 (DF) (ttl 64, id 12518)
21:12:03.574435 universe.victim.com.http > 202.109.240.34.38528: . 12453:13867(1414) ack 777 win 16968 (DF) (ttl 64, id 12519)
21:12:03.574461 universe.victim.com.http > 202.109.240.34.38528: . 13867:15281(1414) ack 777 win 16968 (DF) (ttl 64, id 12520)
21:12:03.585839 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: . 383:383(0) ack 678 win 16291 (DF) (ttl 112, id 3333)
21:12:03.665926 universe.victim.com.http > 218.65.139.107.1051: . 537:1073(536) ack 0 win 16616 (DF) (ttl 64, id 12521)
21:12:03.762617 211.97.70.65.12656 > universe.victim.com.http: . 563:563(0) ack 656 win 8192 (ttl 14, id 58912)
21:12:03.895987 218.65.137.168.1622 > universe.victim.com.http: S 22586894:22586894(0) win 8192 (DF) (ttl 113, id 60204)
21:12:03.896062 universe.victim.com.http > 218.65.137.168.1622: S 1150430160:1150430160(0) ack 22586895 win 16616 (DF) (ttl 64, id 12522)
21:12:03.966719 211.93.83.21.9116 > universe.victim.com.http: . 368:368(0) ack 1435 win 7325 (DF) (ttl 114, id 47847)
21:12:04.101529 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 9625 win 8484 (DF) (ttl 114, id 45094)
21:12:04.101581 universe.victim.com.http > 202.109.240.34.38528: . 15281:16695(1414) ack 777 win 16968 (DF) (ttl 64, id 12523)
21:12:04.101607 universe.victim.com.http > 202.109.240.34.38528: . 16695:18109(1414) ack 777 win 16968 (DF) (ttl 64, id 12524)
21:12:04.223915 61.143.113.18.1029 > universe.victim.com.http: P 248:460(212) ack 676 win 7168 (ttl 241, id 6400)
21:12:04.224797 universe.victim.com.http > 61.143.113.18.1029: P 676:1154(478) ack 460 win 16616 (DF) (ttl 64, id 12525)
21:12:04.245181 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 12453 win 8484 (DF) (ttl 114, id 45350)
21:12:04.245212 universe.victim.com.http > 202.109.240.34.38528: P 18109:18550(441) ack 777 win 16968 (DF) (ttl 64, id 12526)
21:12:04.313373 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 15281 win 8484 (DF) (ttl 114, id 45862)
21:12:04.393548 218.65.139.107.1051 > universe.victim.com.http: . 0:0(0) ack 5855 win 8576 (DF) (ttl 113, id 30721)
21:12:04.466037 universe.victim.com.http > 202.109.240.34.38510: F 1145734464:1145734464(0) ack 8983358 win 16968 (DF) (ttl 64, id 12527)
21:12:04.522510 202.109.240.34.38528 > universe.victim.com.http: .
777:777(0) ack 18109 win 8484 (DF) (ttl 114, id 46118) 21:12:04.655950 universe.victim.com.http > nosgp1.x-link.za.net.dectalk: FP 1147610670:1147611210(540) ack 1307333101 win 17520 (DF) (ttl 64, id 12528) 21:12:04.768022 202.109.240.34.38528 > universe.victim.com.http: . 777:777(0) ack 18550 win 8043 (DF) (ttl 114, id 46630) 21:12:04.812669 202.109.240.34.38510 > universe.victim.com.http: . 1:1(0) ack 1 win 8484 (DF) (ttl 114, id 46886) 21:12:05.029121 61.143.113.18.1029 > universe.victim.com.http: . 460:460(0) ack 1154 win 6690 (ttl 241, id 8448) 21:12:05.087460 61.143.113.18.1029 > universe.victim.com.http: P 460:719(259) ack 1154 win 6690 (ttl 241, id 8960) 21:12:05.087862 universe.victim.com.http > 61.143.113.18.1029: . 1154:1690(536) ack 719 win 16616 (DF) (ttl 64, id 12529) 21:12:05.087882 universe.victim.com.http > 61.143.113.18.1029: . 1690:2226(536) ack 719 win 16616 (DF) (ttl 64, id 12530) 21:12:05.087900 universe.victim.com.http > 61.143.113.18.1029: . 2226:2762(536) ack 719 win 16616 (DF) (ttl 64, id 12531) 21:12:05.087941 universe.victim.com.http > 61.143.113.18.1029: . 2762:3298(536) ack 719 win 16616 (DF) (ttl 64, id 12532) 21:12:05.197093 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: P 383:601(218) ack 678 win 16291 (DF) (ttl 112, id 3391) 21:12:05.197955 universe.victim.com.http > 61-217-184-228.HINET-IP.hinet.net.1205: P 678:1141(463) ack 601 win 16968 (DF) (ttl 64, id 12534) 21:12:05.406911 211.97.70.65.12656 > universe.victim.com.http: R 470548922:470548922(0) win 0 (ttl 14, id 59424) 21:12:05.771962 61-217-184-228.HINET-IP.hinet.net.1205 > universe.victim.com.http: . 601:601(0) ack 1141 win 15828 (DF) (ttl 112, id 3427) 21:12:05.852457 61.143.113.18.1029 > universe.victim.com.http: . 719:719(0) ack 2226 win 7168 (ttl 241, id 10752) 21:12:05.852505 universe.victim.com.http > 61.143.113.18.1029: . 3298:3834(536) ack 719 win 16616 (DF) (ttl 64, id 12535) 21:12:05.852525 universe.victim.com.http > 61.143.113.18.1029: . 
---------------------- Cut Here ----------------------------

Any help will be much appreciated, and Thanks in advance...

xmenkoh.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 16 7:12:27 2001
Date: Fri, 16 Nov 2001 18:13:29 +0300
From: Andrey Shirshov
Organization: SAnet
Message-ID: <44113060352.20011116181329@angelsk.ru>
To: security@freebsd.org

subscribe FreeBSD-security

From owner-freebsd-security Fri Nov 16 9:42:41 2001
Date: Fri, 16 Nov 2001 23:46:18 -0500 (EST)
From: PaZt
To: xmen koh
Subject: Re: How to stop DoS Attack??
In-Reply-To: <20011116063032.77688.qmail@web20904.mail.yahoo.com>

On Thu, 15 Nov 2001, xmen koh wrote:

> Dear security expert,
>
> Recently I got a DoS on my web server. Does anyone know how to
> stop a DoS attack and prevent it from happening again? Some help
> will be appreciated to explain the below TCPDump which I got
> during the attack.
>
> Here are some of my findings during the attack...
>
> 1) There are a lot of connections from different IPs at the same
>    time, which try to overload the system using HTTP by non-stop
>    requests of URLs. Below is the TCPDUMP.
>
> 2) The URLs requested as logged by the web server log seem to
>    be quite valid, indicating that the attacker has studied the
>    victim web site and many of these requests are for graphic
>    files, indicating a planned intention to clog up the server
>    & network.
>
> 3) Many source IPs, suspected all to be forged.
>
> 4) A very close time between each packet timestamp indicates a
>    script is used for this attack.
>

Well, a small DDoS could be stopped by a simple firewall, yet a complex
or very big DDoS attack is rather hard to stop, maybe even impossible.
If the DDoS isn't all too wisely set up, snort (/usr/ports/security/snort)
could find the ips where the dos is coming from, which would make you
able to send abuse mails or whatever.
That's about all I can think of right now,

Grtz,
PaZt

From owner-freebsd-security Sat Nov 17 3:56:41 2001
Message-ID: <3BF65250.6E0B8F2E@softnet.ro>
Date: Sat, 17 Nov 2001 14:04:32 +0200
From: Florin MANAILA
Organization: SoftNet Services
To: FreeBSD
Subject: IP Masquerade

Hi all,
how do I make IP Masquerade on a FreeBSD with ipfw for 192.168.1.0/24
to be able to communicate with the global Internet ?

Best regards,
Florin

From owner-freebsd-security Sat Nov 17 4:32:43 2001
Date: Sat, 17 Nov 2001 13:32:37 +0100
From: Bart Matthaei
To: Florin MANAILA
Cc: security@freebsd.org
Subject: Re: IP Masquerade
Message-ID: <20011117133237.A15176@heresy.dreamflow.nl>
In-Reply-To: <3BF65250.6E0B8F2E@softnet.ro>

On Sat, Nov 17, 2001 at 02:04:32PM +0200, Florin MANAILA wrote:
> Hi all,
> how do I make IP Masquerade on a FreeBSD with ipfw for
> 192.168.1.0/24 to be able to communicate with the global
> Internet ?

This is not a security related issue. But there are good HOWTO's on
the net. Look for freebsd + nat.

Regards,

B.

--
Bart Matthaei                       bart@dreamflow.nl

/* Welcome to my world..
   You just live in it */

From owner-freebsd-security Sat Nov 17 9:35:29 2001
Message-ID: <001701c16f8e$4b02d300$0300a8c0@weird>
From: "Matiss Elsbergs"
To: "Florin MANAILA"
References: <3BF65250.6E0B8F2E@softnet.ro>
Subject: Re: IP Masquerade
Date: Sat, 17 Nov 2001 19:35:47 +0200

man natd

----- Original Message -----
From: "Florin MANAILA"
To: "FreeBSD"
Sent: Saturday, November 17, 2001 2:04 PM
Subject: IP Masquerade

> Hi all,
> how do I make IP Masquerade on a FreeBSD with ipfw for
> 192.168.1.0/24 to be able to communicate with the global
> Internet ?
>
> Best regards,
> Florin

From owner-freebsd-security Sat Nov 17 12:44:39 2001
Message-ID: <3BF48BDA.A8593D3D@phocion.com>
Date: Thu, 15 Nov 2001 19:45:30 -0800
From: Oleg Samarin
Reply-To: oysamarin@yahoo.com
To: freebsd-security@FreeBSD.ORG
Subject: unsubscribe

unsubscribe

From owner-freebsd-security Sat Nov 17 13:44:49 2001
Date: Sat, 17 Nov 2001 13:44:14 -0800
From: "Crist J. Clark"
To: audit@freebsd.org, security@freebsd.org
Subject: periodic(8)-ifying Daily Security Check
Message-ID: <20011117134414.A66323@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
X-URL: http://people.freebsd.org/~cjc/

I've gone through the /etc/security script and converted it into a
bunch of smaller scripts to be run by periodic(8). I think this is one
of those things someone has always meant to do, but never gotten
around to.

The approach was pretty straightforward. The actions actually taken
by /etc/security have not been changed or upgraded, just broken into
pieces. Continuing to improve the daily security checks can take place
once the new format is in place.

Attached is a modified shell archive. Save it to a file and,

  # sh

To install the new periodic(8)-ified daily security checks. It will
patch /etc/defaults/periodic.conf and
/etc/periodic/daily/450.status-security. It will then add the new
scripts in /etc/periodic/security.

Note that the patch process will leave a 450.status-security.orig in
the daily scripts, and _both_ 450.status-security and
450.status-security.orig will be executed by periodic(8). For now, I
consider this a debugging feature. Please make sure that the output of
the two is the same. If you wish to disable the .orig file, change its
permissions so it is not executable.

Also note that /etc/security (and any customizations you may have
there) is not touched at all.

I would really appreciate if a few people would take the time to
install these and let them run a few days to make sure they actually
work on systems besides mine. The patches and scripts are meant for
-CURRENT, but extrapolation to -STABLE is straightforward.
If anyone wants -STABLE patches and scripts to test, just say the word.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Sat Nov 17 13:48:33 2001
Date: Sat, 17 Nov 2001 13:46:57 -0800
From: "Crist J. Clark"
To: audit@freebsd.org, security@freebsd.org
Subject: periodic(8)-ifying Daily Security Check (with attachment)
Message-ID: <20011117134657.C63067@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
X-URL: http://people.freebsd.org/~cjc/

[Let's try this again with the attachment this time.]

I've gone through the /etc/security script and converted it into a
bunch of smaller scripts to be run by periodic(8). I think this is one
of those things someone has always meant to do, but never gotten
around to.

The approach was pretty straightforward. The actions actually taken
by /etc/security have not been changed or upgraded, just broken into
pieces. Continuing to improve the daily security checks can take place
once the new format is in place.

Attached is a modified shell archive. Save it to a file and,

  # sh

To install the new periodic(8)-ified daily security checks. It will
patch /etc/defaults/periodic.conf and
/etc/periodic/daily/450.status-security. It will then add the new
scripts in /etc/periodic/security.

Note that the patch process will leave a 450.status-security.orig in
the daily scripts, and _both_ 450.status-security and
450.status-security.orig will be executed by periodic(8). For now, I
consider this a debugging feature. Please make sure that the output of
the two is the same. If you wish to disable the .orig file, change its
permissions so it is not executable.

Also note that /etc/security (and any customizations you may have
there) is not touched at all.
I would really appreciate if a few people would take the time to
install these and let them run a few days to make sure they actually
work on systems besides mine. The patches and scripts are meant for
-CURRENT, but extrapolation to -STABLE is straightforward. If anyone
wants -STABLE patches and scripts to test, just say the word.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

Content-Type: application/x-shar
Content-Disposition: attachment; filename="periodic_security.shar"

cd /
(sed 's/^X//' | patch) << 'END-periodic_security.patch'
XIndex: etc/defaults/periodic.conf X=================================================================== XRCS file: /export/ncvs/src/etc/defaults/periodic.conf,v Xretrieving revision 1.17 Xdiff -u -r1.17 periodic.conf X--- etc/defaults/periodic.conf 25 Oct 2001 11:27:55 -0000 1.17 X+++ etc/defaults/periodic.conf 17 Nov 2001 20:58:21 -0000 X@@ -105,9 +105,7 @@ X X # 450.status-security X daily_status_security_enable="YES" # Security check X-daily_status_security_inline="NO" # Run inline ? X-daily_status_security_output="root" # user or /file X-daily_status_security_noamd="NO" # Don't check amd mounts X+# See "Security options" below for more options X X # 460.status-mail-rejects X daily_status_mail_rejects_enable="YES" # Check mail rejects X@@ -122,6 +120,51 @@ X X # 999.local X daily_local="/etc/daily.local" # Local scripts X+ X+ X+# Security options X+ X+# These options are used by the security periodic(8) scripts spawned in X+# 450.status-security above. X+daily_status_security_inline="NO" # Run inline ?
X+daily_status_security_output="root" # user or /file X+daily_status_security_noamd="NO" # Don't check amd mounts X+daily_status_security_logdir="/var/log" # Directory for logs X+ X+# 100.chksetuid X+daily_status_security_chksetuid_enable="YES" X+ X+# 200.chkmounts X+daily_status_security_chkmounts_enable="YES" X+#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching X+ # FS types X+ X+# 300.chkuid0 X+daily_status_security_chkuid0_enable="YES" X+ X+# 400.passwdless X+daily_status_security_passwdless_enable="YES" X+ X+# 500.ipfwdenied X+daily_status_security_ipfwdenied_enable="YES" X+ X+# 550.ipfwlimit X+daily_status_security_ipfwlimit_enable="YES" X+ X+# 600.ip6fwdenied X+daily_status_security_ip6fwdenied_enable="YES" X+ X+# 650.ip6fwlimit X+daily_status_security_ip6fwlimit_enable="YES" X+ X+# 700.kernelmsg X+daily_status_security_kernelmsg_enable="YES" X+ X+# 800.loginfail X+daily_status_security_loginfail_enable="YES" X+ X+# 900.tcpwrap X+daily_status_security_tcpwrap_enable="YES" X X X # Weekly options XIndex: etc/periodic/daily/450.status-security X=================================================================== XRCS file: /export/ncvs/src/etc/periodic/daily/450.status-security,v Xretrieving revision 1.7 Xdiff -u -r1.7 450.status-security X--- etc/periodic/daily/450.status-security 1 Jun 2001 10:07:16 -0000 1.7 X+++ etc/periodic/daily/450.status-security 17 Nov 2001 20:57:13 -0000 X@@ -16,30 +16,23 @@ X echo "" X echo "Security check:" X X- case "$daily_status_security_noamd" in X- [Yy][Ee][Ss]) X- args=-a;; X- *) X- args=;; X- esac X- X case "$daily_status_security_inline" in X [Yy][Ee][Ss]) X- sh /etc/security -s $args X- rc=$?;; X- X+ export security_output="";; X *) X- case "${daily_status_security_output:=root}" in X+ export security_output="${daily_status_security_output}" X+ case "${daily_status_security_output}" in X+ "") X+ ;; X /*) X- echo " (output logged separately)" X- sh /etc/security -s $args \ X- >$daily_status_security_output 
2>&1;; X+ echo " (output logged separately)";; X *) X- echo " (output mailed separately)" X- sh /etc/security $args 2>&1 | X- sendmail $daily_status_security_output;; X+ echo " (output mailed separately)";; X esac;; X- esac;; X+ esac X+ X+ periodic /etc/periodic/security X+ rc=$?;; X X *) rc=0;; X esac
END-periodic_security.patch
mkdir -p etc/periodic/security
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	etc/periodic/security/100.chksetuid
#	etc/periodic/security/200.chkmounts
#	etc/periodic/security/300.chkuid0
#	etc/periodic/security/400.passwdless
#	etc/periodic/security/500.ipfwdenied
#	etc/periodic/security/550.ipfwlimit
#	etc/periodic/security/600.ip6fwdenied
#	etc/periodic/security/650.ip6fwlimit
#	etc/periodic/security/700.kernelmsg
#	etc/periodic/security/800.loginfail
#	etc/periodic/security/900.tcpwrap
#
echo x - etc/periodic/security/100.chksetuid
sed 's/^X//' >etc/periodic/security/100.chksetuid << 'END-of-etc/periodic/security/100.chksetuid'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
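Review bot: in the periodic.conf hunk @@ -122,6 +120,51 @@, daily_status_security_noamd="NO" is carried over next to the new, commented-out daily_status_security_chkmounts_ignore="^amd:", so two knobs now express the same exclusion of amd mounts; either mark noamd in its comment as a backward-compatibility alias that is folded into chkmounts_ignore, or drop it, and say which setting wins when both are given.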
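Review bot: in the 450.status-security hunk @@ -16,30 +16,23 @@ the /*) and *) branches now only echo "(output logged separately)" / "(output mailed separately)"; the redirect `>$daily_status_security_output 2>&1` and the `| sendmail $daily_status_security_output` pipe are removed and the new `periodic /etc/periodic/security` call routes its output nowhere. The exported security_output variable therefore only has an effect if periodic(8) itself was changed to consume it, and no such change is in this shar; include that change or state in the posting that a matching periodic(8) is required, otherwise the checks' output lands in the daily report regardless of the setting.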
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_chksetuid_enable" in
X    [Yy][Ee][Ss])
X	echo ""
X	echo 'Checking setuid files and devices:'
X	# XXX Note that there is the possibility of overrunning the args to ls
X	MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
X	set ${MP}
X	while [ $# -ge 1 ]; do
X	    mount=$1
X	    shift
X	    find $mount -xdev -type f \
X		\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
X		\( -perm -u+s -or -perm -g+s \) -print0
X	done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
X
X	if [ ! -f ${LOG}/setuid.today ]; then
X	    [ $rc -lt 1 ] && rc=1
X	    echo "No ${LOG}/setuid.today"
X	    cp ${TMP} ${LOG}/setuid.today || rc=3
X	fi
X
X	if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
X	then
X	    [ $rc -lt 1 ] && rc=1
X	    echo "${host} setuid diffs:"
X	    diff -w ${LOG}/setuid.today ${TMP}
X	    mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
X	    mv ${TMP} ${LOG}/setuid.today || rc=3
X	fi
X	rm -f ${TMP};;
X    *)  rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/100.chksetuid
echo x - etc/periodic/security/200.chkmounts
sed 's/^X//' >etc/periodic/security/200.chkmounts << 'END-of-etc/periodic/security/200.chkmounts'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show changes in the way filesystems are mounted
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xignore="${daily_status_security_chkmounts_ignore}"
Xrc=0
X
Xcase "$daily_status_security_chkmounts_enable" in
X    [Yy][Ee][Ss])
X	# The old noamd knob is honoured by appending amd mounts to the
X	# egrep(1) exclusion pattern; the leading "|" is stripped below.
X	case "$daily_status_security_noamd" in
X	    [Yy][Ee][Ss])
X		ignore="${ignore}|^amd:"
X	esac
X	[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
X	if mount -p | ${cmd} > ${TMP}; then
X	    if [ ! -f ${LOG}/mount.today ]; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo "No ${LOG}/mount.today"
X		cp ${TMP} ${LOG}/mount.today || rc=3
X	    fi
X	    if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo "${host} changes in mounted filesystems:"
X		diff -b ${LOG}/mount.today ${TMP}
X		mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
X		mv ${TMP} ${LOG}/mount.today || rc=3
X	    fi
X	fi
X	rm -f ${TMP};;
X    *)  rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/200.chkmounts
echo x - etc/periodic/security/300.chkuid0
sed 's/^X//' >etc/periodic/security/300.chkuid0 << 'END-of-etc/periodic/security/300.chkuid0'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
Xrc=0
X
Xcase "$daily_status_security_chkuid0_enable" in
X    [Yy][Ee][Ss])
X	echo ""
X	echo 'Checking for uids of 0:'
X	# Every uid-0 entry is shown; only root and toor are expected,
X	# so anything left after filtering them out raises the exit code.
X	n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
X	    tee /dev/stderr |
X	    sed -e '/^root 0$/d' -e '/^toor 0$/d' |
X	    wc -l)
X	[ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *)  rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/300.chkuid0
echo x - etc/periodic/security/400.passwdless
sed 's/^X//' >etc/periodic/security/400.passwdless << 'END-of-etc/periodic/security/400.passwdless'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X# X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE X# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF X# SUCH DAMAGE. X# X# $FreeBSD:$ X# X X# If there is a global system configuration file, suck it in. X# Xif [ -r /etc/defaults/periodic.conf ] Xthen X . /etc/defaults/periodic.conf X source_periodic_confs Xfi X Xrc=0 X Xcase "$daily_status_security_passwdless_enable" in X [Yy][Ee][Ss]) X echo "" X echo 'Checking for passwordless accounts:' X n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | X tee /dev/stderr | wc -l) X [ $n -gt 0 -a $rc -lt 1 ] && rc=1;; X *) rc=0;; Xesac X Xexit "$rc" END-of-etc/periodic/security/400.passwdless echo x - etc/periodic/security/500.ipfwdenied sed 's/^X//' >etc/periodic/security/500.ipfwdenied << 'END-of-etc/periodic/security/500.ipfwdenied' X#!/bin/sh - X# X# Copyright (c) 2001 The FreeBSD Project X# All rights reserved. X# X# Redistribution and use in source and binary forms, with or without X# modification, are permitted provided that the following conditions X# are met: X# 1. Redistributions of source code must retain the above copyright X# notice, this list of conditions and the following disclaimer. X# 2. 
Redistributions in binary form must reproduce the above copyright X# notice, this list of conditions and the following disclaimer in the X# documentation and/or other materials provided with the distribution. X# X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE X# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF X# SUCH DAMAGE. X# X# $FreeBSD:$ X# X X# Show denied packets X# X X X# If there is a global system configuration file, suck it in. X# Xif [ -r /etc/defaults/periodic.conf ] Xthen X . /etc/defaults/periodic.conf X source_periodic_confs Xfi X XTMP=/var/run/_secure.$$ XLOG="${daily_status_security_logdir}" Xrc=0 X Xcase "$daily_status_security_ipfwdenied_enable" in X [Yy][Ee][Ss]) X if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then X if [ ! -f ${LOG}/ipfw.today ]; then X [ $rc -lt 1 ] && rc=1 X echo "" X echo "No ${LOG}/ipfw.today" X cp ${TMP} ${LOG}/ipfw.today || rc=3 X fi X X if ! 
cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then X [ $rc -lt 1 ] && rc=1 X echo "" X echo "${host} denied packets:" X diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>" X mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3 X mv ${TMP} ${LOG}/ipfw.today || rc=3 X fi X fi X rm -f ${TMP};; X *) rc=0;; Xesac X Xexit $rc END-of-etc/periodic/security/500.ipfwdenied echo x - etc/periodic/security/550.ipfwlimit sed 's/^X//' >etc/periodic/security/550.ipfwlimit << 'END-of-etc/periodic/security/550.ipfwlimit' X#!/bin/sh - X# X# Copyright (c) 2001 The FreeBSD Project X# All rights reserved. X# X# Redistribution and use in source and binary forms, with or without X# modification, are permitted provided that the following conditions X# are met: X# 1. Redistributions of source code must retain the above copyright X# notice, this list of conditions and the following disclaimer. X# 2. Redistributions in binary form must reproduce the above copyright X# notice, this list of conditions and the following disclaimer in the X# documentation and/or other materials provided with the distribution. X# X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE X# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF X# SUCH DAMAGE. X# X# $FreeBSD:$ X# X X# Show ipfw rules which have reached the log limit X# X X# If there is a global system configuration file, suck it in. 
X# Xif [ -r /etc/defaults/periodic.conf ] Xthen X . /etc/defaults/periodic.conf X source_periodic_confs Xfi X XTMP=/var/run/_secure.$$ Xrc=0 X Xcase "$daily_status_security_ipfwlimit_enable" in X [Yy][Ee][Ss]) X IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` X if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then X ipfw -a l | grep " log " | perl -n -e \ X '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP} X if [ -s "${TMP}" ]; then X [ $rc -lt 1 ] && rc=1 X echo "" X echo 'ipfw log limit reached:' X cat ${TMP} X fi X fi X rm -f ${TMP};; X *) rc=0;; Xesac X Xexit $rc END-of-etc/periodic/security/550.ipfwlimit echo x - etc/periodic/security/600.ip6fwdenied sed 's/^X//' >etc/periodic/security/600.ip6fwdenied << 'END-of-etc/periodic/security/600.ip6fwdenied' X#!/bin/sh - X# X# Copyright (c) 2001 The FreeBSD Project X# All rights reserved. X# X# Redistribution and use in source and binary forms, with or without X# modification, are permitted provided that the following conditions X# are met: X# 1. Redistributions of source code must retain the above copyright X# notice, this list of conditions and the following disclaimer. X# 2. Redistributions in binary form must reproduce the above copyright X# notice, this list of conditions and the following disclaimer in the X# documentation and/or other materials provided with the distribution. X# X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE X# ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF X# SUCH DAMAGE. X# X# $FreeBSD:$ X# X X# Show IPv6 denied packets X# X X# If there is a global system configuration file, suck it in. X# Xif [ -r /etc/defaults/periodic.conf ] Xthen X . /etc/defaults/periodic.conf X source_periodic_confs Xfi X XTMP=/var/run/_secure.$$ XLOG="${daily_status_security_logdir}" Xrc=0 X Xcase "$daily_status_security_ip6fwdenied_enable" in X [Yy][Ee][Ss]) X if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then X if [ ! -f ${LOG}/ip6fw.today ]; then X [ $rc -lt 1 ] && rc=1 X echo "" X echo "No ${LOG}/ip6fw.today" X cp ${TMP} ${LOG}/ip6fw.today || rc=3 X fi X X if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then X [ $rc -lt 1 ] && rc=1 X echo "" X echo "${host} IPv6 denied packets:" X diff -b ${LOG}/ip6fw.today ${TMP} | X egrep "^>" X mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3 X mv ${TMP} ${LOG}/ip6fw.today || rc=3 X fi X fi X rm -f ${TMP};; X *) rc=0;; Xesac X Xexit $rc END-of-etc/periodic/security/600.ip6fwdenied echo x - etc/periodic/security/650.ip6fwlimit sed 's/^X//' >etc/periodic/security/650.ip6fwlimit << 'END-of-etc/periodic/security/650.ip6fwlimit' X#!/bin/sh - X# X# Copyright (c) 2001 The FreeBSD Project X# All rights reserved. X# X# Redistribution and use in source and binary forms, with or without X# modification, are permitted provided that the following conditions X# are met: X# 1. 
Redistributions of source code must retain the above copyright X# notice, this list of conditions and the following disclaimer. X# 2. Redistributions in binary form must reproduce the above copyright X# notice, this list of conditions and the following disclaimer in the X# documentation and/or other materials provided with the distribution. X# X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE X# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF X# SUCH DAMAGE. X# X# $FreeBSD:$ X# X X# Show ip6fw rules which have reached the log limit X# X X# If there is a global system configuration file, suck it in. X# Xif [ -r /etc/defaults/periodic.conf ] Xthen X . /etc/defaults/periodic.conf X source_periodic_confs Xfi X XTMP=/var/run/_secure.$$ Xrc=0 X Xcase "$daily_status_security_ip6fwlimit_enable" in X [Yy][Ee][Ss]) X IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null` X if [ $? 
-eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then X ip6fw -a l | grep " log " | perl -n -e \ X '/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP} X if [ -s "${TMP}" ]; then X [ $rc -lt 1 ] && rc=1 X echo "" X echo 'ip6fw log limit reached:' X cat ${TMP} X fi X fi X rm -f ${TMP};; X *) rc=0;; Xesac X Xexit $rc END-of-etc/periodic/security/650.ip6fwlimit echo x - etc/periodic/security/700.kernelmsg sed 's/^X//' >etc/periodic/security/700.kernelmsg << 'END-of-etc/periodic/security/700.kernelmsg' X#!/bin/sh - X# X# Copyright (c) 2001 The FreeBSD Project X# All rights reserved. X# X# Redistribution and use in source and binary forms, with or without X# modification, are permitted provided that the following conditions X# are met: X# 1. Redistributions of source code must retain the above copyright X# notice, this list of conditions and the following disclaimer. X# 2. Redistributions in binary form must reproduce the above copyright X# notice, this list of conditions and the following disclaimer in the X# documentation and/or other materials provided with the distribution. X# X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE X# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF X# SUCH DAMAGE. X# X# $FreeBSD:$ X# X X# Show kernel log messages X# X X# If there is a global system configuration file, suck it in. 
X# Xif [ -r /etc/defaults/periodic.conf ] Xthen X . /etc/defaults/periodic.conf X source_periodic_confs Xfi X XTMP=/var/run/_secure.$$ XLOG="${daily_status_security_logdir}" Xrc=0 X Xcase "$daily_status_security_kernelmsg_enable" in X [Yy][Ee][Ss]) X if dmesg -a 2>/dev/null > ${TMP}; then X if [ ! -f ${LOG}/dmesg.today ]; then X [ $rc -lt 1 ] && rc=1 X echo "" X echo "No ${LOG}/dmesg.today" X cp ${TMP} ${LOG}/dmesg.today || rc=3 X fi X X if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then X [ $rc -lt 1 ] && rc=1 X echo "" X echo "${host} kernel log messages:" X diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>" X mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3 X mv ${TMP} ${LOG}/dmesg.today || rc=3 X fi X fi X rm -f ${TMP};; X *) rc=0;; Xesac X Xexit $rc END-of-etc/periodic/security/700.kernelmsg echo x - etc/periodic/security/800.loginfail sed 's/^X//' >etc/periodic/security/800.loginfail << 'END-of-etc/periodic/security/800.loginfail' X#!/bin/sh - X# X# Copyright (c) 2001 The FreeBSD Project X# All rights reserved. X# X# Redistribution and use in source and binary forms, with or without X# modification, are permitted provided that the following conditions X# are met: X# 1. Redistributions of source code must retain the above copyright X# notice, this list of conditions and the following disclaimer. X# 2. Redistributions in binary form must reproduce the above copyright X# notice, this list of conditions and the following disclaimer in the X# documentation and/or other materials provided with the distribution. X# X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE X# ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF X# SUCH DAMAGE. X# X# $FreeBSD:$ X# X X# Show login failures X# X X# If there is a global system configuration file, suck it in. X# Xif [ -r /etc/defaults/periodic.conf ] Xthen X . /etc/defaults/periodic.conf X source_periodic_confs Xfi X XLOG="${daily_status_security_logdir}" Xrc=0 X Xcatmsgs() { X find ${LOG} -name 'messages.*' -mtime -2 | X sort -t. -r -n +1 -2 | X xargs zcat -f X [ -f ${LOG}/messages ] && cat $LOG/messages X} X Xcase "$daily_status_security_loginfail_enable" in X [Yy][Ee][Ss]) X echo "" X echo "${host} login failures:" X n=$(catmsgs | grep -ia "^$yesterday.*login failure" | X tee /dev/stderr | wc -l) X [ $n -gt 0 -a $rc -lt 1 ] && rc=1;; X *) rc=0;; Xesac X Xexit $rc END-of-etc/periodic/security/800.loginfail echo x - etc/periodic/security/900.tcpwrap sed 's/^X//' >etc/periodic/security/900.tcpwrap << 'END-of-etc/periodic/security/900.tcpwrap' X#!/bin/sh - X# X# Copyright (c) 2001 The FreeBSD Project X# All rights reserved. X# X# Redistribution and use in source and binary forms, with or without X# modification, are permitted provided that the following conditions X# are met: X# 1. Redistributions of source code must retain the above copyright X# notice, this list of conditions and the following disclaimer. X# 2. Redistributions in binary form must reproduce the above copyright X# notice, this list of conditions and the following disclaimer in the X# documentation and/or other materials provided with the distribution. 
X# X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE X# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF X# SUCH DAMAGE. X# X# $FreeBSD:$ X# X X# Show tcp_wrapper warning messages X# X X# If there is a global system configuration file, suck it in. X# Xif [ -r /etc/defaults/periodic.conf ] Xthen X . /etc/defaults/periodic.conf X source_periodic_confs Xfi X XLOG="${daily_status_security_logdir}" Xrc=0 X Xcatmsgs() { X find ${LOG} -name 'messages.*' -mtime -2 | X sort -t. 
-r -n +1 -2 | X xargs zcat -f X [ -f ${LOG}/messages ] && cat $LOG/messages X} X Xcase "$daily_status_security_tcpwrap_enable" in X [Yy][Ee][Ss]) X echo "" X echo "${host} refused connections:" X n=$(catmsgs | grep -i "^$yesterday.*refused connect" | X tee /dev/stderr | wc -l) X [ $n -gt 0 -a $rc -lt 1 ] && rc=1;; X *) rc=0;; Xesac X Xexit $rc END-of-etc/periodic/security/900.tcpwrap for F in etc/periodic/security/100.chksetuid \ etc/periodic/security/200.chkmounts \ etc/periodic/security/300.chkuid0 \ etc/periodic/security/400.passwdless \ etc/periodic/security/500.ipfwdenied \ etc/periodic/security/550.ipfwlimit \ etc/periodic/security/600.ip6fwdenied \ etc/periodic/security/650.ip6fwlimit \ etc/periodic/security/700.kernelmsg \ etc/periodic/security/800.loginfail \ etc/periodic/security/900.tcpwrap; do chmod 755 $F done exit --HcAYCG3uE/tztfnV-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
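The following is an added example, not part of the posted shar and not FreeBSD's own code. It lifts the two account-check predicates from 300.chkuid0 and 400.passwdless into functions, adds the snapshot/compare/rotate step that 200.chkmounts, 500.ipfwdenied and 700.kernelmsg all share, and runs them against a constructed master.passwd sample and two constructed mount listings so the behaviour can be checked offline. The function names, the sample file, its placeholder hashes and the scratch directory are my own assumptions; the awk predicates are the ones used in the scripts above.

```shell
#!/bin/sh
# Added example (not part of the posted shar): the uid-0 and passwordless
# predicates from 300.chkuid0 / 400.passwdless as functions, plus the
# snapshot/compare/rotate step shared by 200.chkmounts, 500.ipfwdenied and
# 700.kernelmsg, all exercised on constructed input.

# Constructed master.passwd sample (not from any real system); the hashes are
# placeholders.  It contains the cases the predicates have to handle: a comment
# line, root and toor (legitimate uid 0), an extra uid-0 account with an empty
# password field, an ordinary passwordless user, and a NIS '+' entry whose
# fields are all empty.
SAMPLE_PASSWD=$(mktemp -t secex.XXXXXX)
cat > "$SAMPLE_PASSWD" <<'EOF'
# constructed sample, not a real master.passwd
root:$1$placeholder$aaaaaaaaaaaaaaaaaaaaaa:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
svcadmin::0:0::0:0:constructed uid-0 account with no password:/tmp:/bin/sh
guest::1001:1001::0:0:constructed passwordless user:/home/guest:/bin/sh
alice:$1$placeholder$bbbbbbbbbbbbbbbbbbbbbb:1002:1002::0:0:Alice:/home/alice:/bin/sh
+@nisusers:::::::::
EOF

# Same predicate as 300.chkuid0: every uid-0 entry except root and toor.
# Prints the count; the periodic script also tees the matching lines to
# stderr, which is omitted here.  $3 of the NIS line is "", a string, so the
# numeric comparison $3==0 does not match it.
count_uid0() {
    awk -F: '/^#/ {next} $3==0 {print $1,$3}' "$1" |
        sed -e '/^root 0$/d' -e '/^toor 0$/d' |
        wc -l | tr -d ' '
}

# Same predicate as 400.passwdless: a line with more than one field, not a
# comment and not a NIS +/- entry, whose password field is empty.  The NIS
# exclusion is what keeps '+@nisusers:::::::::' from being counted.
count_passwdless() {
    awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' "$1" |
        wc -l | tr -d ' '
}

# Snapshot/compare/rotate as in 200.chkmounts: keep <name>.today in the log
# directory, rotate it to <name>.yesterday when the fresh listing differs and
# print the diff ('>' lines are the new entries).  Returns 1 when there is
# something to report (first run, or a change) and 0 when nothing changed;
# the periodic scripts fold that into their rc.
snapshot_changed() {   # $1 = log dir, $2 = name, $3 = file with fresh listing
    logdir=$1; name=$2; fresh=$3
    if [ ! -f "$logdir/$name.today" ]; then
        echo "No $logdir/$name.today"
        cp "$fresh" "$logdir/$name.today"
        return 1
    fi
    if cmp "$logdir/$name.today" "$fresh" >/dev/null 2>&1; then
        return 0
    fi
    echo "changes in $name:"
    diff -b "$logdir/$name.today" "$fresh" || :
    mv "$logdir/$name.today" "$logdir/$name.yesterday"
    cp "$fresh" "$logdir/$name.today"
    return 1
}

# Demonstration run in a scratch directory (removed on exit).
WORK=$(mktemp -d -t secex.XXXXXX)
trap 'rm -rf "$WORK" "$SAMPLE_PASSWD"' EXIT
echo "uid-0 accounts other than root/toor: $(count_uid0 "$SAMPLE_PASSWD")"
echo "passwordless accounts: $(count_passwdless "$SAMPLE_PASSWD")"

# Constructed 'mount -p' style listings for two consecutive days.
printf '/dev/ad0s1a / ufs rw 1 1\n' > "$WORK/day1"
printf '/dev/ad0s1a / ufs rw 1 1\n/dev/ad0s1e /usr ufs rw 2 2\n' > "$WORK/day2"
for day in day1 day1 day2; do       # first run, unchanged, changed
    if snapshot_changed "$WORK" mount "$WORK/$day"; then
        echo "$day: nothing to report (rc=0)"
    else
        echo "$day: report to the daily mail (rc=1)"
    fi
done
```

Running it prints 1 uid-0 account besides root/toor and 2 passwordless accounts, then "No .../mount.today" for the first day, nothing for the repeated day, and the added /usr line prefixed with ">" on the day the mount table changed, with mount.yesterday holding the previous listing.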