From owner-freebsd-security Sun Feb 27 5:42:48 2000
Date: Sun, 27 Feb 2000 16:42:30 +0300
From: Igor Vinokurov
To: Keith Stevenson
Cc: Kris Kennaway, freebsd-security@FreeBSD.org
Subject: Re: pw && umask
Message-ID: <20000227164230.A947@shogun.rtsnet.ru>
References: <20000219200142.A605@shogun.rtsnet.ru> <20000219215109.A46191@osaka.louisville.edu>
In-Reply-To: <20000219215109.A46191@osaka.louisville.edu>; from Keith Stevenson on Sat, Feb 19, 2000 at 09:51:09PM -0500

On Sat, Feb 19, 2000 at 21:51 -0500, Keith Stevenson wrote:
> On Sat, Feb 19, 2000 at 03:01:46PM -0800, Kris Kennaway wrote:
> > On Sat, 19 Feb 2000, Igor Vinokurov wrote:
> >
> > > May be it is necessary to add support umask?
> >
> > This should be a trivial amount of hacking (i.e. add another option to
> > specify the umask and then use it instead of the hardcoded 0755). Anyone
> > up for it?
>
> Patch attached.

Whether committing it in -STABLE is possible?

> I used -U as the umask option and tried to follow the style of the original
> code as closely as possible. It's a bit, um, interesting. Umask code stolen
> from /bin/sh.
>
> Patch has been moderately tested.
>
> Regards,
> --Keith Stevenson--
>
> --
> Keith Stevenson
> System Programmer - Data Center Services - University of Louisville
> k.stevenson@louisville.edu
> PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

> Index: pw.8 > =================================================================== > RCS file: /opt/ncvs/src/usr.sbin/pw/pw.8,v > retrieving revision 1.17 > diff -u -r1.17 pw.8 > --- pw.8 1999/08/28 01:19:18 1.17 > +++ pw.8 2000/02/20 02:41:11 > @@ -41,6 +41,7 @@ > .Op Fl u Ar uid > .Op Fl c Ar comment > .Op Fl d Ar dir > +.Op Fl U Ar umask > .Op Fl e Ar date > .Op Fl p Ar date > .Op Fl g Ar group
> @@ -346,6 +347,8 @@ > - normally > .Pa /home > with the account name as a subdirectory. > +.It Fl U Ar umask > +Set the umask to be used when creating the account's home directory and skeleton files. Default is parent process umask. > .It Fl e Ar date > Set the account's expiration date. > Format of the date is either a UNIX time in decimal, or a date in > Index: pw.c > =================================================================== > RCS file: /opt/ncvs/src/usr.sbin/pw/pw.c,v > retrieving revision 1.18 > diff -u -r1.18 pw.c > --- pw.c 2000/01/15 00:20:20 1.18 > +++ pw.c 2000/02/20 02:41:12 > @@ -29,6 +29,7 @@ > "$FreeBSD: src/usr.sbin/pw/pw.c,v 1.18 2000/01/15 00:20:20 davidn Exp $"; > #endif /* not lint */ > > +#include > #include > #include > #include > @@ -89,6 +90,8 @@ > > static struct cargs arglist; > > +static int mask; > + > static int getindex(const char *words[], const char *word); > static void cmdhelp(int mode, int which); > > @@ -105,13 +108,13 @@ > static const char *opts[W_NUM][M_NUM] = > { > { /* user */ > - "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:Db:NPy:Y", > - "V:C:qn:u:rY", > - "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:FNPY", > - "V:C:qn:u:FPa7", > - "V:C:q", > - "V:C:q", > - "V:C:q" > + "V:C:U:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:Db:NPy:Y", > + "V:C:U:qn:u:rY", > + "V:C:U:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:FNPY", > + "V:C:U:qn:u:FPa7", > + "V:C:U:q", > + "V:C:U:q", > + "V:C:U:q" > }, > { /* grp */ > "V:C:qn:g:h:M:pNPY", > @@ -128,7 +131,6 @@ > pw_group > }; > > - umask(0); /* We wish to handle this manually */ > LIST_INIT(&arglist); > > /* 
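Review bot: removing umask(0) from main() in the last pw.c hunk above changes the default case, not only the -U case. Without -U, everything pw creates now takes the invoking shell's umask, where the old code cleared it and passed explicit modes (the deleted comment says so). Combined with the 0777 modes in the pw_user.c hunks, a root shell running with umask 0 or 002 produces world- or group-writable home directories. Suggest replacing the call with a fixed default such as umask(022) that -U then overrides, so behaviour without -U stays at the old 0755, and changing the "Default is parent process umask" sentence in pw.8 to match.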
> @@ -221,6 +223,30 @@ > setgrdir(etcpath); > } > } > + > + /* > + * Set the umask if specified on the command line > + */ > + > + if (getarg(&arglist, 'U') != NULL) { > + char * um = getarg(&arglist, 'U')-> val; > + if (um != NULL) { > + if (isdigit(*um)) { > + mask = 0; > + do { > + if (*um >= '8' || *um < '0') { > + fprintf(stderr, "Illegal umask: %s\n", um); > + exit(EX_USAGE); > + } > + mask = (mask << 3) + (*um - '0'); > + } while (*++um != '\0'); > + umask(mask); > + } else { > + fprintf(stderr, "Illegal umask: %s\n", um); > + exit(EX_USAGE); > + } > + } > + } > > /* > * Now, let's do the common initialisation > @@ -301,6 +327,7 @@ > "\t-u uid user id\n" > "\t-c comment user name/comment\n" > "\t-d directory home directory\n" > + "\t-U umask Directory/file creation mask\n" > "\t-e date account expiry date\n" > "\t-p date password expiry date\n" > "\t-g grp initial group\n" > Index: pw_user.c > =================================================================== > RCS file: /opt/ncvs/src/usr.sbin/pw/pw_user.c,v > retrieving revision 1.34 > diff -u -r1.34 pw_user.c > --- pw_user.c 2000/01/15 00:20:21 1.34 > +++ pw_user.c 2000/02/20 02:41:16 > @@ -179,7 +179,7 @@ > if (strchr(cnf->home+1, '/') == NULL) { > strcpy(dbuf, "/usr"); > strncat(dbuf, cnf->home, MAXPATHLEN-5); > - if (mkdir(dbuf, 0755) != -1 || errno == EEXIST) { > + if (mkdir(dbuf, 0777) != -1 || errno == EEXIST) { > chown(dbuf, 0, 0); > symlink(dbuf, cnf->home); > } > @@ -191,7 +191,7 @@ > while ((p = strchr(++p, '/')) != NULL) { > *p = '\0'; > if (stat(dbuf, &st) == -1) { > - if (mkdir(dbuf, 0755) == -1) > + if (mkdir(dbuf, 0777) == -1) > goto direrr; > chown(dbuf, 0, 0); > } else if (!S_ISDIR(st.st_mode)) > @@ -200,7 +200,7 @@ > } > } > if (stat(dbuf, &st) == -1) { > - if (mkdir(dbuf, 0755) == -1) { > + if (mkdir(dbuf, 0777) == -1) { > direrr: err(EX_OSFILE, "mkdir '%s'", dbuf); > } > chown(dbuf, 0, 0); 
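Review bot: the three mkdir(dbuf, 0777) calls in the pw_user.c hunks above create the home base directory built from cnf->home and its parent components, each followed by chown(dbuf, 0, 0), so the mask intended for the account's own home is also applied to shared directories owned by uid 0. With -U 077 a newly created base directory ends up 0700 and no user can traverse into a home beneath it; with a mask of 0 it ends up world-writable. Suggest keeping 0755 for these three, set explicitly so the umask cannot alter it, and applying the -U mask only in the copymkdir() call for the home itself.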
> @@ -734,7 +734,7 @@ > * existing files will *not* be overwritten. > */ > if (!PWALTDIR() && getarg(args, 'm') != NULL && pwd->pw_dir && *pwd->pw_dir == '/' && pwd->pw_dir[1]) { > - copymkdir(pwd->pw_dir, cnf->dotdir, 0755, pwd->pw_uid, pwd->pw_gid); > + copymkdir(pwd->pw_dir, cnf->dotdir, 0777, pwd->pw_uid, pwd->pw_gid); > pw_log(cnf, mode, W_USER, "%s(%ld) home %s made", > pwd->pw_name, (long) pwd->pw_uid, pwd->pw_dir); > }

--
Igor Vinokurov

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 27 13: 4:52 2000
Date: Sun, 27 Feb 2000 13:04:48 -0800 (PST)
From: Kris Kennaway
To: Igor Vinokurov
Cc: Keith Stevenson, freebsd-security@FreeBSD.org
Subject: Re: pw && umask
In-Reply-To: <20000227164230.A947@shogun.rtsnet.ru>

On Sun, 27 Feb 2000, Igor Vinokurov wrote:

> On Sat, Feb 19, 2000 at 21:51 -0500, Keith Stevenson wrote:
> > On Sat, Feb 19, 2000 at 03:01:46PM -0800, Kris Kennaway wrote:
> > > On Sat, 19 Feb 2000, Igor Vinokurov wrote:
> > >
> > > > May be it is necessary to add support umask?
> > >
> > > This should be a trivial amount of hacking (i.e. add another option to
> > > specify the umask and then use it instead of the hardcoded 0755). Anyone
> > > up for it?
> >
> > Patch attached.
>
> Whether committing it in -STABLE is possible?

Probably not for a few weeks. 4.0 is in code freeze for release, but once
it's opened up again I can commit it there for testing, and then merge it
back to -stable once it's known to work.

Kris

From owner-freebsd-security Sun Feb 27 18:48:19 2000
Message-ID: <38B691E1.90566A88@dit.hcmut.edu.vn>
Date: Fri, 25 Feb 2000 21:29:53 +0700
From: Nguyen Manh Tho
Organization: Database Group - Department of Information Technology
To: FreeBSD Questions, freeBSD Security, manhtho@yahoo.com
Subject: What's the purpose of file dhcpdb.bind

Dear All FreeBSD members,

I need your help with this problem. When my FreeBSD has problems (while
running), my friend advised me that if I delete the file dhcpdb.bind then
it will become better. I found in this file some data such as MAC address,
IP address and maybe the date and time of access of the clients. I do not
know what the purpose of this file is, so I would like to know more about
it. I would also like to know why, when I delete it, my system becomes
better, and where I could find documents on DHCP Server.

If anyone knows about dhcpdb.bind, please instruct me in as much detail as
possible. The only way I could reach these documents (if they exist) is
through the Internet, and I cannot find any books on FreeBSD here in
Vietnam.

I very much appreciate all your help.

Nguyen Manh Tho.

++++++++++++++++++++++++++++++++++++
Engineer, Assistant Lecturer,
Database Group,
Department of Information Technology,
Hochiminh City University of Technology,
Block A3, 268 Ly Thuong Kiet Street, Ward 12, District 10,
Hochiminh City, Vietnam.
Email: nmtho@dit.hcmut.edu.vn
URL: http://www.hcmut.edu.vn
++++++++++++++++++++++++++++++++++++

From owner-freebsd-security Sun Feb 27 20:44: 1 2000
Date: Sun, 27 Feb 2000 23:43:57 -0500 (EST)
From: Eric Wayte
To: Youlgok
Cc: freebsd-security@freebsd.org
Subject: Re: [Q] comparison of sshes
In-Reply-To: <38B7E56B.8B2201C@attglobal.net>

According to the OpenSSH page (http://www.openssh.org/), support of SSH
2.0 is in progress. This will be a Good Thing as SSH 2.0 is currently
supported only in an expensive commercial product. More details here:

http://www.openssh.org/history.html

On Sat, 26 Feb 2000, Youlgok wrote:

> Date: Sat, 26 Feb 2000 09:38:36 -0500
> From: Youlgok
> To: freebsd-security@freebsd.org
> Subject: [Q] comparison of sshes
>
> What are the major differences in OpenSSH-1.2.2, SSH-1.2.27 and
> SSH2-2.0.13? As I understand, OpenSSH is interoperable with SSH, but
> SSH2. Which one is more secure: OpenSSH or SSH and SSH2?
>
> I just installed OpenSSH-1.2.2 and from Windows machine it can be
> connected by ssh, but ssh2.

From owner-freebsd-security Mon Feb 28 12:15:40 2000
Message-ID: <307D63ED6749CF11AAE9005004461A5B196F40@FREYA>
From: tcreed@staff.circle.net
To: freebsd-security@freebsd.org
Subject: SUBSCRIBE
Date: Mon, 28 Feb 2000 15:19:05 -0500

From owner-freebsd-security Mon Feb 28 14:35:31 2000
Date: Mon, 28 Feb 2000 23:14:20 +0100
From: Ollivier Robert
To: freebsd-security@freebsd.org
Subject: Re: [Q] comparison of sshes
Message-ID: <20000228231420.A15195@keltia.freenix.fr>
Mail-Followup-To: freebsd-security@freebsd.org
References: <38B7E56B.8B2201C@attglobal.net>
In-Reply-To: ; from ewayte@pegasus.cc.ucf.edu on Sun, Feb 27, 2000 at 11:43:57PM -0500

According to Eric Wayte:
> According to the OpenSSH page (http://www.openssh.org/), support of SSH
> 2.0 is in progress. This will be a Good Thing as SSH 2.0 is currently
> supported only in an expensive commercial product. More details here:
> http://www.openssh.org/history.html

That's not right. You must have missed the announce of LSH:

From: nisse@lysator.liu.se (Niels Möller)
Newsgroups: comp.security.ssh
Subject: ANNOUNCE: LSH-0.9
Date: 20 Feb 2000 22:12:45 +0100

I'd like to announce a new version of LSH, the GNU implementation of
the secure shell protocols. LSH includes a client, a server, and a few
scripts and utility programs.

FEATURES

Some of the LSH-0.9 features are

  o Strong encryption and data authentication.
  o Strong host authentication using public key techniques.
  o Spawning of remote shells, including pseudo tty support.
  o Forwarding of TCP connections, in both directions.
  o User authentication by either ordinary UN*X passwords or public
    key techniques.
  o Zlib compression.
  o A draft manual.

COMPATIBILITY AND PORTABILITY

LSH implements the secsh protocol as defined by the latest drafts from
the IETF secsh working group. It is also bug-compatible with
Datafellow's SSH2 products.

Note that LSH is *not* compatible with SSH1, although the lshd daemon
can fall back to an SSH1 implementation (e.g. OpenSSH or Datafellow's)
when an ssh1 client connects.

LSH is reported to have worked at least once on GNU/Linux on Sparc and
Intel, FreeBSD, Solaris and IRIX. There may well be portability
problems left, please report them to me.

QUALITY

However, LSH does *NOT* try to provide any security on systems that
lack a good /dev/random.

LSH-0.9 should be considered a beta release; use on production systems
is not recommended. LSH is provided AS IS, ABSOLUTELY no GUARANTEES,
etc. Please report any bugs you find.

PLANNED FEATURES

Some features that are planned but not yet implemented are

  o Execution of remote commands (like rsh).
  o A "gateway" interface, to let external programs access an LSH
    connection easily and securely.
  o Forwarding of X, ssh-agent, UDP.
  o Support for SPKI certificates, for both authorization and host
    authentication.
  o Support for the Secure Remote Password (SRP) protocol.
  o Kerberos authentication.
  o A file transfer service.
  o IPv6 support.

COPYRIGHT

LSH is distributed under the terms and conditions of the GNU General
Public License. Unlike other secsh implementations, you can use LSH
freely for any purpose.

AVAILABILITY AND FURTHER INFORMATION

The main LSH archive is located at
ftp://ftp.lysator.liu.se/pub/security/lsh

Discussions about LSH take place on the psst mailing list. See the
psst home page, http://www.net.lut.ac.uk/psst, for details.

Happy hacking,
/Niels Möller

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #77: Thu Dec 30 12:49:51 CET 1999

From owner-freebsd-security Mon Feb 28 14:46:37 2000
Date: Tue, 29 Feb 2000 01:46:53 +0300
From: Lev Serebryakov
Message-ID: <1774.000229@imc.macro.ru>
To: All
Subject: ipfw log accounting

Hi, All!

Are there some tools to analyze the output of a "deny log ip from any to
any" ipfw rule and find dangerous activity, like portscans and others?
I want to analyze the log every hour, and reset the log counters after it.
I don't want to receive messages about every single dropped packet.

And one more question:
How could I write a rule which skips all broadcast traffic? My
computer is on a big provider's net, and here there is more than one
broadcast address (many subnets on one wire)...

Lev Serebryakov, 2:5030/661.0

From owner-freebsd-security Mon Feb 28 15:13:11 2000
Date: Mon, 28 Feb 2000 15:13:07 -0800 (PST)
From: Kris Kennaway
To: Ollivier Robert
Cc: freebsd-security@freebsd.org
Subject: Re: [Q] comparison of sshes
In-Reply-To: <20000228231420.A15195@keltia.freenix.fr>

On Mon, 28 Feb 2000, Ollivier Robert wrote:

> According to Eric Wayte:
> > According to the OpenSSH page (http://www.openssh.org/), support of SSH
> > 2.0 is in progress. This will be a Good Thing as SSH 2.0 is currently
> > supported only in an expensive commercial product. More details here:
> > http://www.openssh.org/history.html
>
> That's not right. You must have missed the announce of LSH:

Port? :)

Kris

From owner-freebsd-security Mon Feb 28 15:46:19 2000
Date: Mon, 28 Feb 2000 17:46:19 -0600
From: Dave McKay
To: Lev Serebryakov
Cc: All
Subject: Re: ipfw log accounting
Message-ID: <20000228174619.A71978@elvis.mu.org>
References: <1774.000229@imc.macro.ru>
In-Reply-To: <1774.000229@imc.macro.ru>

Lev Serebryakov (lev@imc.macro.ru) wrote:
> Hi, All!
>
> Are there some tools to analyze output of "deny log ip from any to
> any" ipfw rule and find dangerous activity, like portscans and other?
> I want to analyze log every hour, and reset log counters after it.
> I don't want to receive messages about every single dropped packet.
>
> And one more question:
> How could I write rule, which skip all broadcast traffic? My
> computer is on big provider's net, and here is more than one
> broadcast address (many subnets on one wire)...
>

A tool such as you are asking would be easily written in perl. Just have
your ipfw log to a file through syslogd or ipfw itself. Then write a tool
to check and analyse the data and send you mail on it every hour.

--
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@google.com
I'm feeling lucky...

From owner-freebsd-security Mon Feb 28 18:54:34 2000
Date: Mon, 28 Feb 2000 21:59:04 -0500
From: "Crist J. Clark"
To: Lev Serebryakov
Cc: All
Subject: Re: ipfw log accounting
Message-ID: <20000228215904.B31743@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <1774.000229@imc.macro.ru>
In-Reply-To: <1774.000229@imc.macro.ru>; from lev@imc.macro.ru on Tue, Feb 29, 2000 at 01:46:53AM +0300

On Tue, Feb 29, 2000 at 01:46:53AM +0300, Lev Serebryakov wrote:

[snip]

> And one more question:
> How could I write rule, which skip all broadcast traffic? My
> computer is on big provider's net, and here is more than one
> broadcast address (many subnets on one wire)...

Never tried this and haven't glanced at the source to see if it has a
chance of working, but _theoretically_ is there a reason that,

  deny ip from 0.0.0.255:0.0.0.255 to any

A "reversed" netmask won't work?
--
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Mon Feb 28 19:44: 8 2000
Message-Id: <200002290343.TAA07654@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: cjclark@home.com
Cc: Lev Serebryakov, All
Subject: Re: ipfw log accounting
In-reply-to: Your message of "Mon, 28 Feb 2000 21:59:04 EST." <20000228215904.B31743@cc942873-a.ewndsr1.nj.home.com>
Date: Mon, 28 Feb 2000 19:42:42 -0800

In message <20000228215904.B31743@cc942873-a.ewndsr1.nj.home.com>, "Crist J. Clark" writes:
> On Tue, Feb 29, 2000 at 01:46:53AM +0300, Lev Serebryakov wrote:
> [snip]
> > And one more question:
> > How could I write rule, which skip all broadcast traffic? My
> > computer is on big provider's net, and here is more than one
> > broadcast address (many subnets on one wire)...
>
> Never tried this and haven't glanced at the source to see if it has a
> chance of working, but _theoretically_ is there a reason that,
>
> deny ip from 0.0.0.255:0.0.0.255 to any
>
> A "reversed" netmask won't work?

Been there done that. This works using either IPFW or IP Filter,
however you'll want to code it as the following, as the destination is
the broadcast address:

  deny ip from any to 0.0.0.255:0.0.0.255

Or if you use IP Filter,

  block in on xl0 from any to 0.0.0.255:0.0.0.255

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC

"COBOL IS A WASTE OF CARDS."
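
Both of Lev's questions in one added example (not code from any poster in this thread, and in Python rather than the Perl Dave suggests): it reads ipfw deny-log lines, drops packets whose destination matches the 0.0.0.255:0.0.0.255 mask discussed above, and reports one line per source with likely port scans flagged. The syslog line layout, the threshold of 5 distinct ports and all sample addresses are assumptions.

```python
"""Summarise ipfw deny-log lines per source instead of per packet."""
import ipaddress
import re
import sys
from collections import defaultdict

# Assumed syslog layout written by an ipfw "log" rule:
#   <date> <host> /kernel: ipfw: <rule> Deny <PROTO> <src>[:port] <dst>[:port] in|out via <if>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>[A-Za-z]+)(?::\S+)? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?:in|out) via \S+"
)


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def mask_match(addr, spec="0.0.0.255:0.0.0.255"):
    """ipfw 'base:mask' test: true when (addr & mask) == (base & mask).

    With the spec from the thread this means "last octet is 255". It knows
    nothing about real subnet sizes: the broadcast address of a /25
    (x.x.x.127) is missed, and in a /23 the host x.x.0.255 is caught.
    """
    base, mask = (_ip(part) for part in spec.split(":"))
    return (_ip(addr) & mask) == (base & mask)


def summarize(lines, port_threshold=5, broadcast_spec="0.0.0.255:0.0.0.255"):
    """Return {src: {"packets", "hosts", "ports", "scan"}} for denied packets."""
    seen = defaultdict(lambda: {"packets": 0, "hosts": set(), "ports": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # not an ipfw deny record
        try:
            _ip(m["src"])                 # reject malformed source addresses
            if mask_match(m["dst"], broadcast_spec):
                continue                  # broadcast noise, not reported
        except ValueError:
            continue                      # malformed address in the log
        entry = seen[m["src"]]
        entry["packets"] += 1
        entry["hosts"].add(m["dst"])
        if m["dport"]:
            entry["ports"].add((m["proto"], int(m["dport"])))
    for entry in seen.values():
        # Many distinct destination ports from one source within one
        # reporting window is the usual port-scan signature.
        entry["scan"] = len(entry["ports"]) >= port_threshold
    return dict(seen)


def report(summary):
    """One line per source, busiest first; suspected scanners are flagged."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["packets"], kv[0]))
    return [
        "%-15s %4d pkts %3d ports %2d hosts%s" % (
            src, e["packets"], len(e["ports"]), len(e["hosts"]),
            "  <-- possible port scan" if e["scan"] else "")
        for src, e in rows
    ]


# Constructed sample input (documentation addresses), not real traffic.
_FMT = "Feb 28 14:%02d:01 gw /kernel: ipfw: 65000 Deny %s %s %s in via xl0"
SAMPLE = [_FMT % (i, "TCP", "203.0.113.7:4000", "192.0.2.10:%d" % p)
          for i, p in enumerate((21, 22, 23, 25, 80, 110))] + [
    _FMT % (10, "TCP", "198.51.100.20:1029", "192.0.2.10:139"),
    _FMT % (11, "TCP", "198.51.100.20:1030", "192.0.2.10:139"),
    _FMT % (12, "UDP", "192.0.2.33:138", "192.0.2.255:138"),   # /24 broadcast
    _FMT % (13, "UDP", "192.0.2.40:137", "192.0.2.127:137"),   # /25 broadcast
    _FMT % (14, "ICMP:8.0", "198.51.100.9", "192.0.2.10"),
    "Feb 28 14:15:00 gw sshd[311]: unrelated syslog line",
]

if __name__ == "__main__":
    # Hourly use: pipe the last hour of the log to stdin, e.g. from cron.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    print("\n".join(report(summarize(source))))
```

In the sample, the packet to 192.0.2.127 is still reported because the mask only recognises addresses ending in .255; on a wire carrying subnets smaller than a /24, list each broadcast address explicitly.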

From owner-freebsd-security Mon Feb 28 20:53:47 2000
Date: Mon, 28 Feb 2000 23:46:04 -0500 (EST)
From: Peter Philipp
To: Eric Wayte
Cc: Youlgok, freebsd-security@freebsd.org
Subject: Re: [Q] comparison of sshes

On Sun, 27 Feb 2000, Eric Wayte wrote:

> According to the OpenSSH page (http://www.openssh.org/), support of SSH
> 2.0 is in progress. This will be a Good Thing as SSH 2.0 is currently
> supported only in an expensive commercial product. More details here:
> http://www.openssh.org/history.html

Just because this is after all a security mailing list I'd like to
correct you on that URL. openssh.org is not officially registered by the
OpenBSD folks and AFAIK only redirects for them.

--- openssh.org is not the official openssh site

Open SSH Project (OPENSSH2-DOM)
   Zaanstraat 250
   AMSTERDAM, NL-1013 RZ
   NL
...
   NS1.KYARITSU.COM     194.109.9.44
   NS2.KYARITSU.COM     192.87.30.19
---

--- openssh.com is the official openssh site ---

Registrant
Todd T. Fries (template COCO-21730)
   OpenBSD, the REAL open group
   1523 North Pierson Apt F
   W. Peoria, IL 61604 USA
...
   zeus.theos.com       199.185.137.1
   cvs.openbsd.org      199.185.137.3
   ns0.fries.net        209.251.96.130
---

Sincerely,
Peter Philipp (PP2441)
Daemonic Networks

"We will survive our loss and we will remember" - RFC 2468

From owner-freebsd-security Mon Feb 28 21:26:53 2000
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:05.mysql322-server
Reply-To: security-officer@freebsd.org
Message-Id: <20000229052646.6291337BA3B@hub.freebsd.org>
Date: Mon, 28 Feb 2000 21:26:46 -0800 (PST)

=============================================================================
FreeBSD-SA-00:05                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          MySQL allows bypassing of password authentication

Category:       ports
Module:         mysql322-server
Announced:      2000-02-28
Affects:        Ports collection before the correction date.
Corrected:      2000-02-15
FreeBSD only:   NO

I.   Background

MySQL is a popular SQL database client/server distributed as part of
the FreeBSD ports collection.

II.  Problem Description

The MySQL database server (versions prior to 3.22.32) has a flaw in the
password authentication mechanism which allows anyone who can connect
to the server to access databases without requiring a password, given
a valid username on the database - in other words, the normal password
authentication mechanism can be completely bypassed.

MySQL is not installed by default, nor is it "part of FreeBSD" as such:
it is part of the FreeBSD ports collection, which contains over 3100
third-party applications in a ready-to-install format.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

The successful attacker will have all of the access rights of that
database user and may be able to read, add or modify records.

If you have not chosen to install the mysql322-server port/package,
then your system is not vulnerable.

IV.  Workaround

Use appropriate access-control lists to limit which hosts can initiate
connections to MySQL databases - see:

http://www.mysql.com/Manual_chapter/manual_Privilege_system.html

for more information.

If unrestricted remote access to the database is not required, consider
using ipfw(8) or ipf(8), or your network perimeter firewall, to prevent
remote access to the database from untrusted machines (MySQL uses TCP
port 3306 for network communication). Note that users who have access to
machines which are allowed to initiate database connections (e.g. local
users) can still exploit the security hole.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the mysql322-server
port.

2) Reinstall a new package obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mysql-server-3.22.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/databases/mysql-server-3.22.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/databases/mysql-server-3.22.32.tgz

3) download a new port skeleton for the mysql322-server port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOLtYEVUuHi5z0oilAQHtbwP/TF0hNZwrO/wAuBjYF8Eff5aDU1KtnA9D
u0bcUakDgF/nODVxgOFZ1MfaK95PAhRqdYvtwssTqTXwlRB+PU0vtwjdt3p3l8d3
SixfhxT+Ys/v222jK+o6lJdxfKOC4chNDseboSRoCSLEESNl2NDGkBKezKSzzlng
vzxtva695bI=
=KYqf
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 0:16: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from aurora.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id AB05637BA4C for ; Tue, 29 Feb 2000 00:15:59 -0800 (PST) (envelope-from andrew@scoop.co.nz)
Received: from localhost (localhost [127.0.0.1]) by aurora.scoop.co.nz (8.9.3/8.9.3) with SMTP id VAA28296; Tue, 29 Feb 2000 21:13:58 +1300 (NZDT)
Date: Tue, 29 Feb 2000 21:13:58 +1300 (NZDT)
From: Andrew McNaughton
X-Sender: andrew@aurora.scoop.co.nz
Reply-To: andrew@scoop.co.nz
To: cjclark@home.com
Cc: Lev Serebryakov, All
Subject: Re: ipfw log accounting
In-Reply-To: <20000228215904.B31743@cc942873-a.ewndsr1.nj.home.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 28 Feb 2000, Crist J. Clark wrote:

> On Tue, Feb 29, 2000 at 01:46:53AM +0300, Lev Serebryakov wrote:
> [snip]
> > And one more question:
> > How could I write rule, which skip all broadcast traffic? My
> > computer is on big provider's net, and here is more than one
> > broadcast address (many subnets on one wire)...
>
> Never tried this and haven't glanced at the source to see if it has a
> chance of working, but _theoretically_ is there a reason that,
>
>   deny ip from 0.0.0.255:0.0.0.255 to any
>
> A "reversed" netmask won't work?

I use this. It works just fine.

--
Andrew McNaughton
andrew@scoop.co.nz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 0:17:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 986F637BA91 for ; Tue, 29 Feb 2000 00:17:44 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id AAA81399; Tue, 29 Feb 2000 00:14:45 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200002290814.AAA81399@gndrsh.dnsmgr.net>
Subject: Re: ipfw log accounting
In-Reply-To: <200002290343.TAA07654@cwsys.cwsent.com> from Cy Schubert - ITSD Open Systems Group at "Feb 28, 2000 07:42:42 pm"
To: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group)
Date: Tue, 29 Feb 2000 00:14:44 -0800 (PST)
Cc: cjclark@home.com, lev@imc.macro.ru (Lev Serebryakov), freebsd-security@FreeBSD.ORG (All)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In message <20000228215904.B31743@cc942873-a.ewndsr1.nj.home.com>,
> "Crist J. Clark" writes:
> > On Tue, Feb 29, 2000 at 01:46:53AM +0300, Lev Serebryakov wrote:
> > [snip]
> > > And one more question:
> > > How could I write rule, which skip all broadcast traffic? My
> > > computer is on big provider's net, and here is more than one
> > > broadcast address (many subnets on one wire)...
> >
> > Never tried this and haven't glanced at the source to see if it has a
> > chance of working, but _theoretically_ is there a reason that,
> >
> >   deny ip from 0.0.0.255:0.0.0.255 to any
> >
> > A "reversed" netmask won't work?
>
> Been there done that. This works using either IPFW or IP Filter,
> however you'll want to code it as the following, as the destination is
> the broadcast address:

Actually you need to be a bit selective, your host is going to have
a real hard time doing arp's if you block all broadcast packets. Make
sure you have a directly connected network specific ``allow'' of broadcast
destinations.

Also you really do want to block source broadcast address packets too,
they are often abused by attacks. Ping with src address = bcast and watch
all the icmp fly when the echo reply goes back to the bcast address
(need broken host that will do this on the network) :-(.
>
>   deny ip from any to 0.0.0.255:0.0.0.255
>
> Or if you use IP Filter,
>
>   block in on xl0 from any to 0.0.0.255:0.0.0.255

And do add:

  deny ip from 0.0.0.255:0.0.0.255 to any

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 2:45:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from scylla.sovam.com (scylla.sovam.com [194.67.2.97]) by hub.freebsd.org (Postfix) with SMTP id 7BC0A37BABC for ; Tue, 29 Feb 2000 02:45:27 -0800 (PST) (envelope-from sergey@GLB.NET)
Received: from SPARC.GLB.NET (glb.net) by scylla.sovam.com with SMTP id AA23260 (5.67b8s3p1/IDA-1.5); Tue, 29 Feb 2000 13:48:37 +0300
Received: GLOBALNET_ISP from sergey@GLB.NET (dima.glb.net [192.168.0.1]) by GLB.NET INTERNET SERVER 2000(GLOBALNET-ISP) with ESMTP id PAA24806; Tue, 29 Feb 2000 15:39:51 +0500 (UZT) (envelope-from sergey@GLB.NET)
Date: Tue, 29 Feb 2000 15:39:51 +0500 (UZT)
From: "Sergey V. Kart"
To: "Rodney W. Grimes"
Cc: Cy Schubert - ITSD Open Systems Group, cjclark@home.com, Lev Serebryakov, All
Subject: Re: ipfw log accounting
In-Reply-To: <200002290814.AAA81399@gndrsh.dnsmgr.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 29 Feb 2000, Rodney W. Grimes wrote:

> > In message <20000228215904.B31743@cc942873-a.ewndsr1.nj.home.com>,
> > "Crist J. Clark" writes:
> > > On Tue, Feb 29, 2000 at 01:46:53AM +0300, Lev Serebryakov wrote:
> > > [snip]
> > > > And one more question:
> > > > How could I write rule, which skip all broadcast traffic? My
> > > > computer is on big provider's net, and here is more than one
> > > > broadcast address (many subnets on one wire)...
> > >
> > > Never tried this and haven't glanced at the source to see if it has a
> > > chance of working, but _theoretically_ is there a reason that,
> > >
> > >   deny ip from 0.0.0.255:0.0.0.255 to any
> > >
> > > A "reversed" netmask won't work?
> >
> > Been there done that. This works using either IPFW or IP Filter,
> > however you'll want to code it as the following, as the destination is
> > the broadcast address:
>
> Actually you need to be a bit selective, your host is going to have
> a real hard time doing arp's if you block all broadcast packets. Make
> sure you have a directly connected network specific ``allow'' of broadcast
> destinations.

Actually ARP works at 2 Layer of OSI ... If you'll block all broadcast
packets ARP will be working properly !

Signed.
====================================================================
Sergey Kart | GLB.NET ISP
Hub Administrator/Telecom Specialist

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 3:55:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay.wplus.net (relay.wplus.net [195.131.52.179]) by hub.freebsd.org (Postfix) with ESMTP id C9D7637B78F for ; Tue, 29 Feb 2000 03:55:29 -0800 (PST) (envelope-from lev@imc.macro.ru)
Received: from kernigan.wplus.net (kernigan.wplus.net [195.131.52.178]) by relay.wplus.net (8.9.1/8.9.1/wplus.2) with ESMTP id OAA06495 for ; Tue, 29 Feb 2000 14:54:27 +0300 (MSK)
X-Real-To:
Received: from lev.sereb.net (ip-122.dialup.wplus.net [195.131.1.122]) by kernigan.wplus.net (8.9.1/8.9.1/wplus.2) with ESMTP id OAA10469 for ; Tue, 29 Feb 2000 14:54:24 +0300 (GMT+0300)
Date: Tue, 29 Feb 2000 14:54:29 +0300
From: Lev Serebryakov
X-Mailer: The Bat! (v1.36) S/N F29DEE5D / Educational
X-Priority: 3 (Normal)
Message-ID: <8621.000229@imc.macro.ru>
To: Dave McKay
Subject: Re[2]: ipfw log accounting
In-reply-To: <20000228174619.A71978@elvis.mu.org>
References: <20000228174619.A71978@elvis.mu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi, Dave!

Tuesday, February 29, 2000, 2:46:19 AM, you wrote:

>> Are there some tools to analyze output of "deny log ip from any to
>> any" ipfw rule and find dangerous activity, like portscans and other?
>> I want to analyze log every hour, and reset log counters after it.
>> I don't want to receive messages about every single dropped packet.

DM> A tool such as you are asking would be easily written in perl.
DM> Just have your ipfw log to a file through syslogd or ipfw
How could I filter all ipfw messages to separate file with syslogd?
There is no special facility for it :(

DM> itself. Then write a tool to check and analyse the data and
DM> send you mail on it every hour.
It is not a problem to analyze, when you know what is attack and what
is not. I wonder, is there some conditions (developed by security
specialists) to distinguish attacks and mistakes...

Lev Serebryakov, 2:5030/661.0

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 5:50:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 1610C37BB5F for ; Tue, 29 Feb 2000 05:50:17 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id IAA33663; Tue, 29 Feb 2000 08:51:45 -0500 (EST) (envelope-from cjc)
Date: Tue, 29 Feb 2000 08:51:45 -0500
From: "Crist J. Clark"
To: "Rodney W. Grimes"
Cc: Cy Schubert - ITSD Open Systems Group, cjclark@home.com, Lev Serebryakov, All
Subject: Re: ipfw log accounting
Message-ID: <20000229085144.A33597@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <200002290343.TAA07654@cwsys.cwsent.com> <200002290814.AAA81399@gndrsh.dnsmgr.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200002290814.AAA81399@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Tue, Feb 29, 2000 at 12:14:44AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Feb 29, 2000 at 12:14:44AM -0800, Rodney W. Grimes wrote:
> > In message <20000228215904.B31743@cc942873-a.ewndsr1.nj.home.com>,
> > "Crist J. Clark" writes:
> > > On Tue, Feb 29, 2000 at 01:46:53AM +0300, Lev Serebryakov wrote:
> > > [snip]
> > > > And one more question:
> > > > How could I write rule, which skip all broadcast traffic? My
> > > > computer is on big provider's net, and here is more than one
> > > > broadcast address (many subnets on one wire)...
> > >
> > > Never tried this and haven't glanced at the source to see if it has a
> > > chance of working, but _theoretically_ is there a reason that,
> > >
> > >   deny ip from 0.0.0.255:0.0.0.255 to any
> > >
> > > A "reversed" netmask won't work?
> >
> > Been there done that. This works using either IPFW or IP Filter,
> > however you'll want to code it as the following, as the destination is
> > the broadcast address:
>
> Actually you need to be a bit selective, your host is going to have
> a real hard time doing arp's if you block all broadcast packets. Make
> sure you have a directly connected network specific ``allow'' of broadcast
> destinations.

The above only would block broadcast _IP_ packets (and as was pointed
out in the reply with the lost attribution, you would want to block
the broadcast _destination_ not source).
ARP is not an IP protocol so they are not affected by the rule. In fact
IIRC, since ARP packets do not even have source or destination IPs
(they use the MAC addresses and the MAC broadcast, ff:ff:ff:ff:ff:ff),
the only ipfw rule that can catch them is ' all from any to any'.

--
Crist J. Clark
cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 9:52:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 0C8D437BCA6 for ; Tue, 29 Feb 2000 09:52:45 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id JAA82610; Tue, 29 Feb 2000 09:50:56 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200002291750.JAA82610@gndrsh.dnsmgr.net>
Subject: Re: ipfw log accounting
In-Reply-To: from "Sergey V. Kart" at "Feb 29, 2000 03:39:51 pm"
To: sergey@GLB.NET (Sergey V. Kart)
Date: Tue, 29 Feb 2000 09:50:56 -0800 (PST)
Cc: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), cjclark@home.com, lev@imc.macro.ru (Lev Serebryakov), freebsd-security@FreeBSD.ORG (All)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Actually you need to be a bit selective, your host is going to have
> > a real hard time doing arp's if you block all broadcast packets. Make
> > sure you have a directly connected network specific ``allow'' of broadcast
> > destinations.
> Actually ARP works at 2 Layer of OSI ... If you'll block all broadcast
> packets ARP will be working properly !

Perhaps ARP will work, but you're going to have problems if you block
all broadcast traffic, unless you have a very rare installation that
does not need broadcast packets to work on the directly attached network.
(RIP will definitely not work)

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 10:10: 7 2000
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 48E1937B82C for ; Tue, 29 Feb 2000 10:10:03 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id NAA57250; Tue, 29 Feb 2000 13:09:55 -0500 (EST) (envelope-from wollman)
Date: Tue, 29 Feb 2000 13:09:55 -0500 (EST)
From: Garrett Wollman
Message-Id: <200002291809.NAA57250@khavrinen.lcs.mit.edu>
To: "Rodney W. Grimes"
Cc: freebsd-security@FreeBSD.ORG (All)
Subject: Re: ipfw log accounting
In-Reply-To: <200002291750.JAA82610@gndrsh.dnsmgr.net>
References: <200002291750.JAA82610@gndrsh.dnsmgr.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> all broadcast traffic, unless you have a very rare installation that
> does not need broadcast packets to work on the directly attached network.

Not rare at all -- you've just described every network in the world
which has not been inflicted with either RIP or YP/NIS. (This *is*
the security list, after all!)

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 10:28:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.79.126]) by hub.freebsd.org (Postfix) with ESMTP id 1D07837BC4C for ; Tue, 29 Feb 2000 10:28:47 -0800 (PST) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.79.115]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id LAA25648; Tue, 29 Feb 2000 11:28:27 -0700 (MST) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id LAA26051; Tue, 29 Feb 2000 11:28:26 -0700 (MST) (envelope-from nate)
Date: Tue, 29 Feb 2000 11:28:26 -0700 (MST)
Message-Id: <200002291828.LAA26051@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Garrett Wollman
Cc: "Rodney W. Grimes", freebsd-security@FreeBSD.ORG (All)
Subject: Re: ipfw log accounting
In-Reply-To: <200002291809.NAA57250@khavrinen.lcs.mit.edu>
References: <200002291750.JAA82610@gndrsh.dnsmgr.net> <200002291809.NAA57250@khavrinen.lcs.mit.edu>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> < said:
>
> > all broadcast traffic, unless you have a very rare installation that
> > does not need broadcast packets to work on the directly attached network.
>
> Not rare at all -- you've just described every network in the world
> which has not been inflicted with either RIP or YP/NIS. (This *is*
> the security list, after all!)

Or DHCP, or BOOTP, or NetBEUI, or some forms of NTP, etc...

I agree that broadcast protocols are to be avoided, but sometimes they
are the best (most efficient as well as most effective) ways of skinning
a cat. Sometimes they can't be avoided....

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 10:46:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gate.webclub.ru (gate.web2000.ru [195.58.61.2]) by hub.freebsd.org (Postfix) with ESMTP id 9662337BC6C for ; Tue, 29 Feb 2000 10:46:46 -0800 (PST) (envelope-from scriber@webclub.ru)
Received: from novikov.web2000.ru ([195.58.61.36]) by gate.webclub.ru with smtp (Exim 3.02 #1) id 12Pre3-0000cc-00 for freebsd-security@freebsd.org; Tue, 29 Feb 2000 21:45:19 +0300
From: Andrey Novikov
Organization: WebClub
To: freebsd-security@freebsd.org
Subject: schg flag
Date: Tue, 29 Feb 2000 21:40:00 +0300
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain
MIME-Version: 1.0
Message-Id: <00022921443000.05868@novikov.web2000.ru>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

It seems to me that it will be more secure for my
public server to say at least:

chflags schg /bin/*
chflags schg /sbin/*
chflags schg /usr/bin/*
chflags schg /usr/sbin/*
chflags schg /usr/local/bin/*
chflags schg /usr/local/sbin/*

to prevent any trojans in my system binaries, am I wrong?
Would it confuse future makeworlds on that system?

------------------------------------------------------------
Program source is just a special case of a patch
Andrey Novikov NAG-RIPN
Web2000 Ltd.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 11:44:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id BC6DF37BDAA for ; Tue, 29 Feb 2000 11:44:23 -0800 (PST) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id NAA25753; Tue, 29 Feb 2000 13:43:43 -0600 (CST) (envelope-from jeff-ml@mountin.net)
Received: from dial-103.max1.wa.cyberlynk.net(207.227.118.103) by peak.mountin.net via smap (V1.3) id sma025751; Tue Feb 29 13:43:36 2000
Message-Id: <3.0.3.32.20000229134214.00804590@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 29 Feb 2000 13:42:14 -0600
To: Andrey Novikov, freebsd-security@FreeBSD.ORG
From: "Jeffrey J. Mountin"
Subject: Re: schg flag
In-Reply-To: <00022921443000.05868@novikov.web2000.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:40 PM 2/29/00 +0300, Andrey Novikov wrote:
>Hello,
>
>It seems to me that it will be more secure for my
>public server to say at least:
>
>chflags schg /bin/*
>chflags schg /sbin/*
>chflags schg /usr/bin/*
>chflags schg /usr/sbin/*
>chflags schg /usr/local/bin/*
>chflags schg /usr/local/sbin/*
>
>to prevent any trojans in my system binaries, am I wrong?
>Would it confuse future makeworlds on that system?

Prevent trojans, depends. Makeworld, no. Installworld, yes.

Without getting into an often discussed topic, you forgot some dirs and
should consider "ro" flags for mounting /usr and a higher securelevel.
Also moving services to other servers that do not allow telnet/ssh.

Many paths. Read up and choose one.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 11:58:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 5AABF37BDB6 for ; Tue, 29 Feb 2000 11:58:24 -0800 (PST) (envelope-from dave@elvis.mu.org)
Received: (from dave@localhost) by elvis.mu.org (8.9.1/8.9.1) id NAA96233; Tue, 29 Feb 2000 13:58:33 -0600 (CST) (envelope-from dave)
Date: Tue, 29 Feb 2000 13:58:33 -0600
From: Dave McKay
To: Lev Serebryakov
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw log accounting
Message-ID: <20000229135833.A95841@elvis.mu.org>
References: <20000228174619.A71978@elvis.mu.org> <8621.000229@imc.macro.ru>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="pWyiEgJYm5f9v55/"; micalg=pgp-md5; protocol="application/pgp-signature"
X-Mailer: Mutt 0.95.7i
In-Reply-To: <8621.000229@imc.macro.ru>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--pWyiEgJYm5f9v55/
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Lev Serebryakov (lev@imc.macro.ru) wrote:
> Hi, Dave!
>
> Tuesday, February 29, 2000, 2:46:19 AM, you wrote:
>
> >> Are there some tools to analyze output of "deny log ip from any to
> >> any" ipfw rule and find dangerous activity, like portscans and other?
> >> I want to analyze log every hour, and reset log counters after it.
> >> I don't want to receive messages about every single dropped packet.
>
> DM> A tool such as you are asking would be easily written in perl.
> DM> Just have your ipfw log to a file through syslogd or ipfw
> How could I filter all ipfw messages to separate file with syslogd?
> There is no special facility for it :(

An entry like this in your syslog.conf file should do it.

!ipfw
*.*     /var/log/ipfw.log

And of course you will have to HUP syslogd and touch the ipfw.log
file before it takes effect. Also in the man pages there are the
sysctl variables for ipfw, some deal with logging.

> DM> itself. Then write a tool to check and analyse the data and
> DM> send you mail on it every hour.
> It is not a problem to analyze, when you know what is attack and what
> is not. I wonder, is there some conditions (developed by security
> specialists) to distinguish attacks and mistakes...

Yes there are some good measures. Fyodor http://www.insecure.org
has written some good papers on remote OS guessing and portscanning.
Also, reading through the ipfw man pages shows examples of useful
setups.

--
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@google.com
I'm feeling lucky...

--pWyiEgJYm5f9v55/
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia

iQCVAwUBOLwk6XY8vP7IQ1TlAQGW8AQAtXXSFb2Yknidb+bXp2UjF1HghHclDC8I
EHLqmFyI8EThm36PAglHOL13wi91Mz7QIryItI8JdWPw2Xs9MBms+Qjnq6a1ZuPi
T8Kewkj9B7KVLiN8I8e4k8nL899LBKiq3dzt/3S1itRzsm0Q0hGVT6xBzlaPFOZS
kTiKOQi3Dog=
=LW19
-----END PGP SIGNATURE-----

--pWyiEgJYm5f9v55/--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 13:40:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dfw-smtpout4.email.verio.net (dfw-smtpout4.email.verio.net [129.250.36.44]) by hub.freebsd.org (Postfix) with ESMTP id 98FDC37B953 for ; Tue, 29 Feb 2000 13:40:15 -0800 (PST) (envelope-from bokr@accessone.com)
Received: from [129.250.38.61] (helo=dfw-mmp1.email.verio.net) by dfw-smtpout4.email.verio.net with esmtp (Exim 3.12 #7) id 12PuNF-0006Rx-00; Tue, 29 Feb 2000 21:40:09 +0000
Received: from [204.250.68.168] (helo=gazelle) by dfw-mmp1.email.verio.net with smtp (Exim 3.12 #7) id 12PuN5-0002bH-00; Tue, 29 Feb 2000 21:39:59 +0000
Message-Id: <3.0.5.32.20000229134219.008f9100@mail.accessone.com>
X-Sender: bokr@mail.accessone.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Tue, 29 Feb 2000 13:42:19 -0800
To: Peter Philipp
From: Bengt Richter
Subject: Re: [Q] comparison of sshes
Cc: freebsd-security@freebsd.org
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 23:46 2000-02-28 -0500, you wrote:
>On Sun, 27 Feb 2000, Eric Wayte wrote:
>
>> According to the OpenSSH page (http://www.openssh.org/), support of SSH
>> 2.0 is in progress. This will be a Good Thing as SSH 2.0 is currently
>> supported only in an expensive commercial product. More details here:
>> http://www.openssh.org/history.html
>
>Just because this is after all a security mailing list I'd like to
>correct you on that URL. openssh.org is not officially registered by the
>OpenBSD folks and AFAIK only redirects for them.
>
>--- openssh.org is not the official openssh site
>Open SSH Project (OPENSSH2-DOM)
>   Zaanstraat 250
>   AMSTERDAM, NL-1013 RZ
>   NL
>...
>   NS1.KYARITSU.COM 194.109.9.44
>   NS2.KYARITSU.COM 192.87.30.19
>---
>
>--- openssh.com is the official openssh site ---
>Registrant Todd T. Fries (template COCO-21730)
>   OpenBSD, the REAL open group
>   1523 North Pierson Apt F
>   W. Peoria, IL 61604 USA
>...
>   zeus.theos.com 199.185.137.1
>   cvs.openbsd.org 199.185.137.3
>   ns0.fries.net 209.251.96.130
>---
>
>
>Sincerely,
>
>Peter Philipp (PP2441)
>Daemonic Networks
>"We will survive our loss and we will remember" - RFC 2468

I get the following (irrelevant lines deleted):
----
[12:28] D:\>ping openssh.org
Pinging openssh.org [192.87.30.19] with 32 bytes of data:

[12:29] D:\>ping -a 192.87.30.19
Pinging tux.securetux.com [192.87.30.19] with 32 bytes of data:

[12:29] D:\>ping openssh.com
Pinging openssh.com [199.185.137.4] with 32 bytes of data:

[12:29] D:\>ping -a 199.185.137.4
Pinging cvs.openssh.com [199.185.137.4] with 32 bytes of data:
----
But also:
    http://alpha.terena.nl/ == http://192.87.30.19/
and
    http://tux.securetux.com => http://www.DeJoode.com/ != http://192.87.30.19/

Just a few added bits, FWIW ...

Regards,
Bengt Richter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 29 18:38:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235]) by hub.freebsd.org (Postfix) with ESMTP id 79D7B37BD4E for ; Tue, 29 Feb 2000 18:38:32 -0800 (PST) (envelope-from jedgar@fxp.org)
Received: by pawn.primelocation.net (Postfix, from userid 1003) id B889A9B17; Tue, 29 Feb 2000 21:38:29 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by pawn.primelocation.net (Postfix) with ESMTP id B029FBA1D for ; Tue, 29 Feb 2000 21:38:29 -0500 (EST)
Date: Tue, 29 Feb 2000 21:38:29 -0500 (EST)
From: "Chris D. Faulhaber"
X-Sender: jedgar@pawn.primelocation.net
To: security@FreeBSD.org
Subject: scores permissions
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

After looking at many games ports, I've found that quite a few install
their scores files with permissive permissions (666). Do we have a
standard, say 664, group = games, and the user should be in the games
group, or perhaps a warning that these files are world-writable?

Understandably, I wouldn't suggest we make many of these games sgid (no
telling what holes lurk)...

-----
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 1 8:33:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 10DED37C2FB for ; Wed, 1 Mar 2000 08:33:24 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id LAA37687 for freebsd-security@freebsd.org; Wed, 1 Mar 2000 11:38:47 -0500 (EST) (envelope-from cjc)
Date: Wed, 1 Mar 2000 11:38:47 -0500
From: "Crist J. Clark"
To: freebsd-security@freebsd.org
Subject: @Home Server Scanner?
Message-ID: <20000301113847.B37590@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I appear to be scanned regularly by an @Home host,

  Name: ops-scan.home.net
  Address: 24.0.94.130

It has been scanning my NNTP (119) port several times a day since the
beginning of February. Previous to that, it liked to check my HTTP
port (80) several times a day. That behavior dates to when I started
logging on the firewall in January.

Anyone know anything about that host? Any other @Home users seeing
this too? My assumption is that it is @Home scanning for "illegal"
servers on their network.

This machine has earned a,

  deny log ip from 24.0.94.130 to any

In my firewall for now.
--
Crist J. Clark
cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 1 9:13:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pebkac.owp.csus.edu (pebkac.owp.csus.edu [130.86.232.245]) by hub.freebsd.org (Postfix) with ESMTP id 9A16537C261 for ; Wed, 1 Mar 2000 09:13:09 -0800 (PST) (envelope-from joseph.scott@owp.csus.edu)
Received: from owp.csus.edu (mothra.ecs.csus.edu [130.86.76.220]) by pebkac.owp.csus.edu (8.9.3/8.9.3) with ESMTP id JAA25463; Wed, 1 Mar 2000 09:12:59 -0800 (PST) (envelope-from joseph.scott@owp.csus.edu)
Message-ID: <38BD4F98.D6AB5887@owp.csus.edu>
Date: Wed, 01 Mar 2000 09:12:56 -0800
From: Joseph Scott X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.0.36 i386) X-Accept-Language: en,pdf MIME-Version: 1.0 To: cjclark@home.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: @Home Server Scanner? References: <20000301113847.B37590@cc942873-a.ewndsr1.nj.home.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Crist J. Clark" wrote:
>
> I appear to be scanned regularly by an @Home host,
>
> Name: ops-scan.home.net
> Address: 24.0.94.130
>
> It has been scanning my NNTP (119) port several times a day since the
> beginning of February. Previous to that, it liked to check my HTTP
> port (80) several times a day. That behavior dates to when I started
> logging on the firewall in January.

A while back ( month or two? ) @HOME was getting some serious heat to do something about the amount of spam their network was generating on the news groups. They promised to take action and be better about it. They said most of the problem was people running poorly configured NNTP servers connected to @HOME.

My cable service is apparently going to be using @HOME when they start offering cable net access, I don't really like the idea of them not allowing me to run a web server or such ( assuming it's properly configured ), but it is in their terms & conditions I believe.

>
> Anyone know anything about that host? Any other @Home users seeing
> this too? My assumption is that it is @Home scanning for "illegal"
> servers on their network.
>
> This machine has earned a,
>
> deny log ip from 24.0.94.130 to any
>
> In my firewall for now.
-- Joseph Scott joseph.scott@owp.csus.edu Office Of Water Programs - CSU Sacramento To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 1 9:26:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.workofstone.net (w121.z208177130.sjc-ca.dsl.cnc.net [208.177.130.121]) by hub.freebsd.org (Postfix) with ESMTP id D27A937C3A1 for ; Wed, 1 Mar 2000 09:26:18 -0800 (PST) (envelope-from schluntz@timberwolf.workofstone.net) Received: from timberwolf (c956029-a.haywd2.sfba.home.com [24.0.78.216]) by mail.workofstone.net (8.9.3/8.9.3) with ESMTP id JAA15558; Wed, 1 Mar 2000 09:26:10 -0800 (PST) Message-Id: <200003011726.JAA15558@mail.workofstone.net> To: Joseph Scott Cc: freebsd-security@FreeBSD.ORG Subject: Re: @Home Server Scanner? Reply-To: "Sean J. Schluntz" In-Reply-To: Your message of "Wed, 01 Mar 2000 09:12:56 PST." <38BD4F98.D6AB5887@owp.csus.edu> Date: Wed, 01 Mar 2000 09:24:04 -0800 
From: schluntz@timberwolf.workofstone.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> My cable service is apparently going to be using @HOME when they
>start offering cable net access, I don't really like the idea of them
>not allowing me to run a web server or such ( assuming it's properly
>configured ), but it is in their terms & conditions I believe.

It's an ok service, nice pipe usually. I use it for my personal work. But yes, they do scan you to make sure you are not running a 'service' but you can put up a small web page for your own use (ftp site as well) as long as they don't see your outbound usage spike. (They mail send you an eMail about the web server, and you just need to reply "Personal reference site, etc." and they won't mind.

The only reason I posted this back to the list is because I do suggest marking off any of their ops servers in the no-log of your firewall so it won't bug you too much.

-Sean

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 1 10:15: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from orthanc.ab.ca (orthanc.ab.ca [207.167.3.130]) by hub.freebsd.org (Postfix) with ESMTP id 6D97137BFDE for ; Wed, 1 Mar 2000 10:14:56 -0800 (PST) (envelope-from lyndon@orthanc.ab.ca) Received: from orthanc.ab.ca (localhost [127.0.0.1]) by orthanc.ab.ca (8.10.0.Beta11/8.10.0.Beta6) with ESMTP id e21IEIx03695; Wed, 1 Mar 2000 11:14:18 -0700 (MST) Message-Id: <200003011814.e21IEIx03695@orthanc.ab.ca> To: "Sean J. Schluntz" Cc: Joseph Scott , freebsd-security@FreeBSD.ORG Subject: Re: @Home Server Scanner? In-reply-to: Your message of "Wed, 01 Mar 2000 09:24:04 PST." <200003011726.JAA15558@mail.workofstone.net> Date: Wed, 01 Mar 2000 11:14:14 -0700
From: Lyndon Nerenberg Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>>>>> "schluntz" == schluntz writes:

schluntz> The only reason I posted this back to the list is
schluntz> because I do suggest marking off any of their ops
schluntz> servers in the no-log of your firewall so it won't bug
schluntz> you too much.

My solution was:

  ipfw add unreach port tcp from scanner.cable.co to myhost any

Or you can put up fake services and really mess with their heads ;-)

--lyndon (a very EX-cable modem customer)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 1 11:17: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 8E25537B920; Wed, 1 Mar 2000 11:17:05 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 8BA342E8157; Wed, 1 Mar 2000 11:17:05 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Wed, 1 Mar 2000 11:17:05 -0800 (PST)
From: Kris Kennaway To: cjclark@home.com Cc: freebsd-security@freebsd.org Subject: Re: @Home Server Scanner? In-Reply-To: <20000301113847.B37590@cc942873-a.ewndsr1.nj.home.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 1 Mar 2000, Crist J. Clark wrote:

> Anyone know anything about that host? Any other @Home users seeing
> this too? My assumption is that it is @Home scanning for "illegal"
> servers on their network.
>
> This machine has earned a,
>
> deny log ip from 24.0.94.130 to any
>
> In my firewall for now.

Personally I'd never run my machine without a default-to-deny firewall policy with explicit gaps for the traffic I need. With ipfw being stateful these days you can quite easily make it so NO unwanted packets get through from the outside.

Running something like snort from ports is also very handy for knowing when someone from the outside world decides to pay you some attention.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 1 11:20:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id AFD2C37BD88 for ; Wed, 1 Mar 2000 11:20:06 -0800 (PST) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (2366 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Wed, 1 Mar 2000 13:16:32 -0600 (CST) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7) Date: Wed, 1 Mar 2000 13:16:32 -0600 (CST)
From: James Wyatt To: cjclark@home.com Cc: freebsd-security@freebsd.org Subject: Re: @Home Server Scanner? In-Reply-To: <20000301113847.B37590@cc942873-a.ewndsr1.nj.home.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You aren't the only one who's swearing at it. 8{) @Home had so many folks (users and cable companies) with security holes installed (esp broken default WinGate settings!) that it reached critical mass. When threatened with a UDP (UseNet Death Penalty where their news peers would disconnect from them), they suddenly had a scanner working and were cleaning up shop with a *big* mop. A lot of local cable companies had NNTP proxies that were wide open - meaning zero-admin for them, but open relays for spamming. Various other holes have been exploited for DDoS purposes. Think of all those Windows/Linux/etc machines out there with security holes, constant decent connection, and eternal power as a Matrix for running a DDoS simulation or DES keyspace carve-up-and-crack... I've gotta watch that movie again... (^_^) I applaud their efforts to tighten their affiliates' infrastructures and the great numbers of client machines. Now if we can get the DSL ISPs to check once in a while or look for attacks, we'll all be better off. - Jy@ On Wed, 1 Mar 2000, Crist J. Clark wrote: > I appear to be scanned regularly by an @Home host, > > Name: ops-scan.home.net > Address: 24.0.94.130 > > It has been scanning my NNTP (119) port several times a day since the > beginning of February. Previous to that, it liked to check my HTTP > port (80) several times a day. That behavior dates to when I started > logging on the firewall in January. > > Anyone know anything about that host? Any other @Home users seeing > this too? My assumption is that it is @Home scanning for "illegal" > servers on their network. 
> > This machine has earned a, > > deny log ip from 24.0.94.130 to any > > In my firewall for now. > -- > Crist J. Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 1 11:26:37 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 9550037C2BB; Wed, 1 Mar 2000 11:26:26 -0800 (PST) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:06.htdig Reply-To: security-officer@freebsd.org 
From: FreeBSD Security Officer Message-Id: <20000301192626.9550037C2BB@hub.freebsd.org> Date: Wed, 1 Mar 2000 11:26:26 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-00:06                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          htdig port allows remote reading of files
Category:       ports
Module:         htdig
Announced:      2000-03-01
Affects:        Ports collection before the correction date.
Corrected:      2000-02-28
FreeBSD only:   NO

I. Background

The ht://Dig system is a complete world wide web indexing and searching system for a small domain or intranet.

II. Problem Description

There is a security hole in the htsearch cgi-bin program for versions of htdig prior to 3.1.5, which allows remote users to read any file on the local system that is accessible to the user ID running htsearch (usually the user ID running the webserver process, user 'nobody' in the default installation of apache).

Note that the htdig utility is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

If you have not chosen to install the htdig port/package, then your system is not vulnerable. If you have, then local or remote users who can connect to a web server which contains the htsearch cgi-bin executable can read any file on your system which is accessible to the user running the htsearch process (typically user nobody).

It is not currently believed that an attacker can exploit this hole to modify or delete files, but they may be able to use the ability to read files to mount a further attack based on other security holes they discover.

IV. Workaround

Remove the /usr/local/share/apache/cgi-bin/htsearch file, if you do not make use of it.

V. Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the htdig port.

2) Reinstall a new package obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/textproc/htdig-3.1.5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/textproc/htdig-3.1.5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/textproc/htdig-3.1.5.tgz

(Note: it may be several days before the new packages appear on the FTP site)

3) download a new port skeleton for the htdig port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/devel/portcheckout-2.0.tgz

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 1 12: 2:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 8C0F837C4E4 for ; Wed, 1 Mar 2000 12:01:40 -0800 (PST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id NAA33977; Wed, 1 Mar 2000
13:01:33 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id NAA96951; Wed, 1 Mar 2000 13:01:24 -0700 (MST) Message-Id: <200003012001.NAA96951@harmony.village.org> To: Andrey Novikov Subject: Re: schg flag Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Tue, 29 Feb 2000 21:40:00 +0300." <00022921443000.05868@novikov.web2000.ru> References: <00022921443000.05868@novikov.web2000.ru> Date: Wed, 01 Mar 2000 13:01:24 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <00022921443000.05868@novikov.web2000.ru> Andrey Novikov writes:
: Hello,
:
: It seems to me that it will be more secure for my
: public server to say at least:
:
: chflags schg /bin/*
: chflags schg /sbin/*
: chflags schg /usr/bin/*
: chflags schg /usr/sbin/*
: chflags schg /usr/local/bin/*
: chflags schg /usr/local/sbin/*
:
: to prevent any trojans in my system binaries, am I wrong?

It will make the much less likely to happen, but you've forgotten all the /etc/rc* scripts, which can be used to drive a trojan truck through the secure level stuff.

: Would it confuse future makeworlds on that system?

Don't know.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 1 18: 1:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 9C14137BEC8 for ; Wed, 1 Mar 2000 18:01:19 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id VAA54198; Wed, 1 Mar 2000 21:02:09 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Wed, 1 Mar 2000 21:02:09 -0500 (EST)
From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Andrey Novikov Cc: freebsd-security@freebsd.org Subject: Re: schg flag In-Reply-To: <00022921443000.05868@novikov.web2000.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hmm.

mocking:/tmp# mkdir bin
mocking:/tmp# cp /bin/* bin/
mocking:/tmp# chflags schg bin/*
mocking:/tmp# mv bin binold
mocking:/tmp# mkdir bin
mocking:/tmp# cp trojan bin/ls

Nope. :-) Looks like you really need to protect your hierarchy also :-).

mocking:/tmp# cp /bin/* bin
mocking:/tmp# chflags schg bin/* bin
mocking:/tmp# mv bin binold
mv: rename bin to binold/bin: Operation not permitted
mocking:/tmp#

I.e., other than /, each directory leading to the files that need to be protected. Without doing this, the directories may easily be replaced by rearranging the dir tree, leaving your schg'd binaries safely unmodified, but with users (boot sequence, etc) using the replacements.

Robert

On Tue, 29 Feb 2000, Andrey Novikov wrote:

> Hello,
>
> It seems to me that it will be more secure for my
> public server to say at least:
>
> chflags schg /bin/*
> chflags schg /sbin/*
> chflags schg /usr/bin/*
> chflags schg /usr/sbin/*
> chflags schg /usr/local/bin/*
> chflags schg /usr/local/sbin/*
>
> to prevent any trojans in my system binaries, am I wrong?
> Would it confuse future makeworlds on that system?
>
> ------------------------------------------------------------
> Program source is just a special case of a patch
>
> Andrey Novikov NAG-RIPN
> Web2000 Ltd.
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 1 18: 6:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id C186E37BEC8 for ; Wed, 1 Mar 2000 18:06:24 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id VAA54217; Wed, 1 Mar 2000 21:07:21 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Wed, 1 Mar 2000 21:07:21 -0500 (EST) 
From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Warner Losh Cc: Andrey Novikov , freebsd-security@FreeBSD.ORG Subject: Re: schg flag In-Reply-To: <200003012001.NAA96951@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 1 Mar 2000, Warner Losh wrote:

> In message <00022921443000.05868@novikov.web2000.ru> Andrey Novikov writes:
> : Hello,
> :
> : It seems to me that it will be more secure for my
> : public server to say at least:
> :
> : chflags schg /bin/*
> : chflags schg /sbin/*
> : chflags schg /usr/bin/*
> : chflags schg /usr/sbin/*
> : chflags schg /usr/local/bin/*
> : chflags schg /usr/local/sbin/*
> :
> : to prevent any trojans in my system binaries, am I wrong?
>
> It will make the much less likely to happen, but you've forgotten all
> the /etc/rc* scripts, which can be used to drive a trojan truck
> through the secure level stuff.

As well as /boot, /modules, etc. Today's system is really not intended to survive root compromise. The best bet is to use 4.0, and stuff all your nasty-users in jail(). Optionally with all but a writable component of the jail mounted from a read-only file system. Ideally, once we have mandatory access control, integrity-based MAC could be used to protect in the event of compromise.

(I'm just waiting for us to allow multiple mounts of a read-only file system in multiple places, currently unsupported...)
Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 1 20:11:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id 4EAE637B8A6 for ; Wed, 1 Mar 2000 20:11:13 -0800 (PST) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id FAA16616 for freebsd-security@freebsd.org; Thu, 2 Mar 2000 05:11:11 +0100 (CET) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (Postfix, from userid 101) id 044D18864; Thu, 2 Mar 2000 00:27:31 +0100 (CET) Date: Thu, 2 Mar 2000 00:27:31 +0100 
From: Ollivier Robert To: freebsd-security@freebsd.org Subject: Re: @Home Server Scanner? Message-ID: <20000302002731.A33222@keltia.freenix.fr> Mail-Followup-To: freebsd-security@freebsd.org References: <20000301113847.B37590@cc942873-a.ewndsr1.nj.home.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20000301113847.B37590@cc942873-a.ewndsr1.nj.home.com>; from cjc@cc942873-a.ewndsr1.nj.home.com on Wed, Mar 01, 2000 at 11:38:47AM -0500 X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Crist J. Clark: > It has been scanning my NNTP (119) port several times a day since the > beginning of February. Previous to that, it liked to check my HTTP It is part of the agreement that was reached with @Home when they were threatened with a UDP (Usenet Death Penalty). They agreed to scan for open NNTP servers/proxies and close them. It was a close call for them... -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! 
-=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 4.0-CURRENT #77: Thu Dec 30 12:49:51 CET 1999 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 2 7:41:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id D5FA137C2AF for ; Thu, 2 Mar 2000 07:41:08 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA06372; Thu, 2 Mar 2000 07:41:03 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda06370; Thu Mar 2 07:40:50 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id HAA55605; Thu, 2 Mar 2000 07:40:49 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdW55603; Thu Mar 2 07:40:16 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA04284; Thu, 2 Mar 2000 07:40:16 -0800 (PST) Message-Id: <200003021540.HAA04284@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdbk4272; Thu Mar 2 07:39:29 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.4-RELEASE X-Sender: cy To: cjclark@home.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: @Home Server Scanner? In-reply-to: Your message of "Wed, 01 Mar 2000 11:38:47 EST." <20000301113847.B37590@cc942873-a.ewndsr1.nj.home.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 02 Mar 2000 07:39:29 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20000301113847.B37590@cc942873-a.ewndsr1.nj.home.com>, "Crist J. Cl ark" writes: > I appear to be scanned regularly by an @Home host, > > Name: ops-scan.home.net > Address: 24.0.94.130 > > It has been scanning my NNTP (119) port several times a day since the > beginning of February. Previous to that, it liked to check my HTTP > port (80) several times a day. That behavior dates to when I started > logging on the firewall in January. They were scanning SMTP (port 25) a week or two ago as well. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC "COBOL IS A WASTE OF CARDS." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 2 16:38: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from yoonax.net (c3213-a.tcma1.wa.home.com [24.5.78.155]) by hub.freebsd.org (Postfix) with ESMTP id 6F05C37B5BB for ; Thu, 2 Mar 2000 16:38:03 -0800 (PST) (envelope-from cpm@yoonax.net) Received: from xterminus (host12.yoonax.net [10.0.0.12] (may be forged)) by yoonax.net (8.9.3/8.9.3) with SMTP id QAA57576 for ; Thu, 2 Mar 2000 16:38:02 -0800 (PST) (envelope-from cpm@yoonax.net) 
From: "Charles Mauch" To: Subject: RE: @Home Server Scanner? Date: Thu, 2 Mar 2000 16:37:28 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <200003021540.HAA04284@cwsys.cwsent.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> >
> > It has been scanning my NNTP (119) port several times a day since the
> > beginning of February. Previous to that, it liked to check my HTTP
> > port (80) several times a day. That behavior dates to when I started
> > logging on the firewall in January.
>
> They were scanning SMTP (port 25) a week or two ago as well.
>
>
> Regards, Phone: (250)387-8437
> Cy Schubert Fax: (250)387-5766

I notice that they tried relaying email through here as well. If you don't have any of sendmail's anti-spam features enabled, now might be a good time to look into it. You can find out all about controlling relaying at http://www.sendmail.org/m4/anti-spam.html

Charles / cpm@yoonax.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Mar 3 13: 5:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 2179F37B667; Fri, 3 Mar 2000 13:05:18 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id QAA44752; Fri, 3 Mar 2000 16:10:43 -0500 (EST) (envelope-from cjc) Date: Fri, 3 Mar 2000 16:10:43 -0500 (EST)
From: "Crist J. Clark" Message-Id: <200003032110.QAA44752@cc942873-a.ewndsr1.nj.home.com> To: FreeBSD-gnats-submit@freebsd.org Subject: Reply-To: cjc@cc942873-a.ewndsr1.nj.home.com Cc: freebsd-security@freebsd.org X-send-pr-version: 3.2 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>Submitter-Id: current-users
>Originator: Crist J. Clark
>Organization:
>Confidential: no
>Synopsis: Add mount(8) check to /etc/security
>Severity: non-critical
>Priority: low
>Category: misc
>Release: FreeBSD 3.4-STABLE i386
>Class: change-request
>Environment:

FreeBSD 3.4-STABLE, distributed /etc/security file.

>Description:

The other day I had to change the way a filesystem was mounted to do some administrative tasks (specifically, I turned off the nosuid option). I guess I became distracted because I never re-enabled it until just noticing it recently. I was surprised and a little bit peeved that my /etc/security script would not notice a change in the way filesystems were mounted. Rather than just complain, I modified my own /etc/security's accordingly and decided the modification was something that no one could really argue against, so I'm submitting it here.

>How-To-Repeat:

Do anything to your filesystem mounts. /etc/security won't notice.

>Fix:

The structure of the added commands parallels the existing 'dmesg' check currently in place. Frankly, it's almost exactly the same, just different filenames and another command generating the initial output. The only thing I am unsure of is which is more aesthetically pleasing, using 'mount -p' output or taking 'mount' output and running it through a quick sed script to clean out the "writes:" information. At this point, I prefer the more verbose mount-sed combo. Both patches are included. Any constructive comments or criticisms appreciated.

The mount-sed combo,

--- /usr/src/etc/security Tue Dec 21 04:46:02 1999 +++ security Fri Mar 3 15:56:52 2000
@@ -48,6 +48,21 @@ mv $TMP $LOG/setuid.today fi +if mount | sed 's/, writes: [^\)]*//' > $TMP; then + if [ ! -f $LOG/mount.today ]; then + separator + echo "no $LOG/mount.today" + cp $TMP $LOG/mount.today + fi + if cmp $LOG/mount.today $TMP >/dev/null 2>&1; then :; else + separator + echo "$host changes in mounted filesystems:" + diff -b $LOG/mount.today $TMP + mv $LOG/mount.today $LOG/mount.yesterday + mv $TMP $LOG/mount.today + fi +fi + separator echo "checking for uids of 0:" awk -F: '$3==0 {print $1,$3}' /etc/master.passwd Now for the mount-p version, --- /usr/src/etc/security Tue Dec 21 04:46:02 1999 +++ security Fri Mar 3 15:57:52 2000 @@ -48,6 +48,21 @@ mv $TMP $LOG/setuid.today fi +if mount -p > $TMP; then + if [ ! -f $LOG/mount.today ]; then + separator + echo "no $LOG/mount.today" + cp $TMP $LOG/mount.today + fi + if cmp $LOG/mount.today $TMP >/dev/null 2>&1; then :; else + separator + echo "$host changes in mounted filesystems:" + diff -b $LOG/mount.today $TMP + mv $LOG/mount.today $LOG/mount.yesterday + mv $TMP $LOG/mount.today + fi +fi + separator echo "checking for uids of 0:" awk -F: '$3==0 {print $1,$3}' /etc/master.passwd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
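Review bot: In the mount-sed variant, `if mount | sed 's/, writes: [^\)]*//' > $TMP; then` tests the exit status of sed, not of mount, so a mount that fails still enters the block, and an empty or truncated listing is diffed against $LOG/mount.today and then moved into place as the new baseline. Run mount into the temporary file first, test that result, and filter afterwards. In the same line the backslash inside the bracket expression `[^\)]` is taken literally, so `[^)]*` states the intent more exactly.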
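Review bot: In the mount -p variant, the two `mv` lines at the end of the `else` branch replace $LOG/mount.today with the changed listing in the same run that reports it, so a filesystem left without nosuid (the case given in the Description) is reported once and accepted silently from the next run on. Keep reporting until the listing matches a reference the administrator maintains; `mount -p` prints in fstab(5) format, so /etc/fstab is a candidate for that reference. The same point applies to the mount-sed variant.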

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 4 8:51: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id 4170C37B77B for ; Sat, 4 Mar 2000 08:51:04 -0800 (PST) (envelope-from mike@sentex.net) Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id LAA13249 for ; Sat, 4 Mar 2000 11:51:02 -0500 (EST) (envelope-from mike@sentex.net) Received: from chimp (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.8/8.6.9) with ESMTP id LAA24215 for ; Sat, 4 Mar 2000 11:51:02 -0500 (EST) Message-Id: <4.2.2.20000304114458.03c48b48@mail.sentex.net> X-Sender: mdtancsa@mail.sentex.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Sat, 04 Mar 2000 11:49:37 -0500 To: freebsd-security@freebsd.org From: Mike Tancsa Subject: work around for local DoS ? (kern 17152) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I regularly catch and kill accounts that try lamo things like fork bombs, so these sorts of things worry me. Is there any way to protect against the bug mentioned in PR 17152 (kernel panic:aio_write) Current seems to survive just fine, but STABLE panics?
---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 4 9:28:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id 4DABD37B73C for ; Sat, 4 Mar 2000 09:28:46 -0800 (PST) (envelope-from mike@sentex.net) Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id MAA14261 for ; Sat, 4 Mar 2000 12:28:42 -0500 (EST) (envelope-from mike@sentex.net) Received: from chimp (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.8/8.6.9) with ESMTP id MAA01009; Sat, 4 Mar 2000 12:28:40 -0500 (EST) Message-Id: <4.2.2.20000304122608.03c1cb08@mail.sentex.net> X-Sender: mdtancsa@mail.sentex.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Sat, 04 Mar 2000 12:27:16 -0500 To: Jonathan Fortin From: Mike Tancsa Subject: Re: work around for local DoS ? (kern 17152) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: <4.2.2.20000304114458.03c48b48@mail.sentex.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:21 PM 3/4/2000 -0500, Jonathan Fortin wrote: >ulimit In what way? The bug does not appear to be a resource issue ---Mike >On Sat, 4 Mar 2000, Mike Tancsa wrote: > > > > > I regular catch and kill accounts that try lamo things like fork bombs, so > > these sorts of things worry me. Is there any way to protect against the > > bug mentioned in PR 17152 (kernel panic:aio_write) Current seems to > survive > > just fine, but STABLE panics ? 
> > > > ---Mike > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 4 10:30: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id E2F0937B594 for ; Sat, 4 Mar 2000 10:29:59 -0800 (PST) (envelope-from bright@fw.wintelcom.net) Received: (from bright@localhost) by fw.wintelcom.net (8.9.3/8.9.3) id LAA18582; Sat, 4 Mar 2000 11:00:55 -0800 (PST) Date: Sat, 4 Mar 2000 11:00:55 -0800 From: Alfred Perlstein To: Mike Tancsa Cc: Jonathan Fortin , freebsd-security@FreeBSD.ORG Subject: Re: work around for local DoS ? (kern 17152) Message-ID: <20000304110055.B14279@fw.wintelcom.net> References: <4.2.2.20000304114458.03c48b48@mail.sentex.net> <4.2.2.20000304122608.03c1cb08@mail.sentex.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <4.2.2.20000304122608.03c1cb08@mail.sentex.net>; from mike@sentex.net on Sat, Mar 04, 2000 at 12:27:16PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Mike Tancsa [000304 10:01] wrote: > At 12:21 PM 3/4/2000 -0500, Jonathan Fortin wrote: > >ulimit > > In what way? The bug does not appear to be a resource issue patch your kernel to make all aio calls return ENOSYS. If it hasn't been backported in a bit I think I'll take a look at having it disabled in -stable by default.
-Alfred To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 4 14:42:33 2000 Delivered-To: freebsd-security@freebsd.org Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id 9F83037B6FA for ; Sat, 4 Mar 2000 14:42:23 -0800 (PST) (envelope-from mike@sentex.net) Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id RAA24133; Sat, 4 Mar 2000 17:42:22 -0500 (EST) (envelope-from mike@sentex.net) Received: from chimp (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.8/8.6.9) with ESMTP id RAA24439; Sat, 4 Mar 2000 17:42:21 -0500 (EST) Message-Id: <4.2.2.20000304173354.03cbf5d8@mail.sentex.net> X-Sender: mdtancsa@mail.sentex.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Sat, 04 Mar 2000 17:40:57 -0500 To: Alfred Perlstein From: Mike Tancsa Subject: Re: work around for local DoS ? (kern 17152) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20000304110055.B14279@fw.wintelcom.net> References: <4.2.2.20000304122608.03c1cb08@mail.sentex.net> <4.2.2.20000304114458.03c48b48@mail.sentex.net> <4.2.2.20000304122608.03c1cb08@mail.sentex.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 11:00 AM 3/4/2000 -0800, Alfred Perlstein wrote: >* Mike Tancsa [000304 10:01] wrote: > > At 12:21 PM 3/4/2000 -0500, Jonathan Fortin wrote: > > >ulimit > > > > In what way? The bug does not appear to be a resource issue > >patch your kernel to make all aio calls return ENOSYS. If it hasn't >been backported in a bit I think i'll take a look at having it disabled >in -stable by default. Thanks. Is there a page somewhere that tells how to do this ? 
I had a look through the archives and didn't see any reference to this, other than http://x26.deja.com/[ST_rn=ps]/getdoc.xp?AN=588743685&CONTEXT=952209393.1125 318658&hitnum=13 and that is for CURRENT only it seems. ---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message