From owner-freebsd-security Sun Nov 14 3:41:39 1999
Date: Sun, 14 Nov 1999 14:36:44 +0300
From: Vladimir Dubrovin (Sandy Info)
To: "Mark D. Anderson", freebsd-security@FreeBSD.ORG
Subject: Re: SYN flood and freebsd?
Message-ID: <7608.991114@sandy.ru>
In-reply-To: <1923120592.942520958@MDAXKE>

Hello Mark D. Anderson,

14.11.99 6:22, you wrote: SYN flood and freebsd?

M> i've searched around deja and freebsd.org and come up wanting
M> (email archives rarely show resolutions...).
M> what is the current status in stable and latest regarding
M> defense against SYN flood, and how is it implemented?

I'm interested in this question too. I don't know how it's realised inside. From "outside", FreeBSD's reaction to a SYN flood looks like FreeBSD has a limitation (by default) to allow only 100 SYNs to come in ~2 seconds:

1. The first 100 SYNs are accepted and replied to.
2. If these SYNs came in a short time, FreeBSD 3.x pauses for approx. 2-3 seconds before answering the next 100 SYNs.

It seems that SYNs which come during the pause are queued and are dropped when the max queue length is exceeded. I didn't test the situation when all SYNs come from different IPs and didn't test for queue length.

Am I right? Can someone explain how it works exactly? And how can I configure this behavior?

+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|
| Sandy Info, ISP |
+=-=-=-=-=-=-=-=-=+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 14 3:43:12 1999
Date: Sun, 14 Nov 1999 01:52:46 +0100
From: "H. Eckert"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Status of Passwords/etc in FreeBSD-stable
Message-ID: <19991114015245.A58093@server.nostromo.in-berlin.de>
References: <19991112002328.B81323@server.nostromo.in-berlin.de>
In-Reply-To: message from Kris Kennaway on Fri, Nov 12, 1999 at 04:15:09PM -0800

Quoting Kris Kennaway (kris@hub.freebsd.org):

> Probably you switched from DES to MD5 passwords when you upgraded.

I didn't upgrade; it was a completely fresh installation. Apparently MD5 hashes are the default method with 3.x.

> Having said that, your netatalk example shows there's at least some need
> for it - it would be a fairly simple matter to copy the minpasswordlen
> code. If you submit the patch I'll try and get it committed.

Sorry, that's completely out of scope for me.

Greetings,
Ripley
-- 
H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
"(Technobabble)" (Jetrel) - "Do we really have to listen to this nonsense?" (Neelix)

From owner-freebsd-security Sun Nov 14 5:25:54 1999
Date: Sun, 14 Nov 1999 15:25:06 +0200
From: Matthew West
To: David Gilbert
Cc: security@FreeBSD.ORG
Subject: Re: sandboxed bind.
Message-ID: <19991114152506.A36773@apotheosis.za.org>
In-Reply-To: <14382.11991.536272.989358@trooper.velocet.net>

On Sat, Nov 13, 1999 at 10:39:03PM -0500, David Gilbert wrote:
> I went through the motions to sandbox bind. My only real complaint was that
> named-xfer was dynamically loaded (greatly increasing the cruft that had to
> be in the sandbox).

I found it much easier (and neater) to compile "named-xfer" as a static binary. This is described briefly at http://www.antisocial.net/~modred/papers/named.html

> Is there an easy way to determine exactly what libraries are required by an
> executable, BTW?

"ldd"

-- 
mwest@uct.ac.za

From owner-freebsd-security Sun Nov 14 7:33:57 1999
Date: Sun, 14 Nov 1999 08:54:13 -0500 (EST)
From: Barrett Richardson
To: Brett Glass
Cc: Peter Wemm, Bill Fumerola, Cy Schubert - ITSD Open Systems Group, security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-Reply-To: <4.2.0.58.19991112102519.045cf510@localhost>

On Fri, 12 Nov 1999, Brett Glass wrote:

> It'd be a shame if a PPP dial-up server couldn't sandbox BIND,
> since it's a good idea to keep a DNS server as close to the
> dial-ups as possible. Any ideas about how one might work around
> this, short of going to a capabilities-based security model?
>
> --Brett

I run bind on my box I dial an ISP with; I just use a directive like

listen-on port 53 {
    127.0.0.1;
};

For a dial-up server you should be able to add a routable ip to the loopback and listen on that.

-
Barrett

From owner-freebsd-security Sun Nov 14 8:03:23 1999
Date: Sun, 14 Nov 1999 11:03:47 -0500 (EST)
From: Barrett Richardson
To: Brett Glass
Cc: Peter Wemm, Bill Fumerola, Cy Schubert - ITSD Open Systems Group, security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?

Hmm, I got a bounce from hub on this message but here it is in the list, curious. Oh well, I'll add a couple of things.

On Sun, 14 Nov 1999, Barrett Richardson wrote:

> On Fri, 12 Nov 1999, Brett Glass wrote:
>
> > It'd be a shame if a PPP dial-up server couldn't sandbox BIND,
> > since it's a good idea to keep a DNS server as close to the
> > dial-ups as possible. Any ideas about how one might work around
> > this, short of going to a capabilities-based security model?
> >
> > --Brett
>
> I run bind on my box I dial an ISP with, I just use a directive like

I failed to mention I have it sandboxed with "-u bind -g bind". I get a dynamic ip assignment on dial-up and it works ok.

> listen-on port 53 {
>     127.0.0.1;
> };
>
> For a dial up server you should be able to add a routable ip to the
> loopback and listen on that.

After a little more thought, this is unnecessary; you could add the listen-on directive for any ip on an interface which is not subject to change, like an ethernet.

-
Barrett (again)

From owner-freebsd-security Sun Nov 14 8:37:26 1999
Date: Sun, 14 Nov 1999 08:37:24 -0800 (PST)
From: "Jonathan M. Bresler"
To: barrett@phoenix.aye.net
Cc: brett@lariat.org, peter@netplex.com.au, billf@chc-chimes.com, Cy.Schubert@uumail.gov.bc.ca, security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
Message-Id: <19991114163724.071E614C93@hub.freebsd.org>
In-reply-to: message from Barrett Richardson on Sun, 14 Nov 1999 11:03:47 -0500 (EST)

> Hmm, I got a bounce from hub on this message but here it is in the
> list, curious. Oh well I'll add a couple of things.

the bounce may have been some site's misconfigured mail system sending the bounce to you rather than to the list owner--freebsd-security-owner@freebsd.org. when that happens, please send me a copy with all the headers.

jmb
-- 
Jonathan M. Bresler    FreeBSD Core Team, Postmaster    jmb@FreeBSD.ORG
FreeBSD--The Power to Serve    JMB193    http://www.freebsd.org/
PGP 2.6.2 Fingerprint: 31 57 41 56 06 C1 40 13 C5 1C E3 E5 DC 62 0E FB

From owner-freebsd-security Sun Nov 14 10:41:20 1999
Date: Sun, 14 Nov 1999 13:40:51 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
In-Reply-To: <4.1.19991114000355.04d7f230@granite.sentex.ca>

I've started switching my machines to OpenSSH -- however, our port specifically disables K4 and AFS support :-). If I have time over the next few days (unlikely, traveling to Albuquerque for a DARPA conference), I'll mail in some patches to get K4 working. Otherwise, the OpenSSH port seemed to work out of the box for me -- the one other change I made was to enable X forwarding in the ssh server. My feeling is disabling it in the client is far more useful, as it's the client giving out access to its display, not the server :-).

So, when the RSA patent runs out, will we be disabling the US_RESIDENT in /etc/make.conf making use of RSAREF? I'm told RSAREF is substantially slower than the OpenSSL implementation, but haven't checked.

On Sun, 14 Nov 1999, Mike Tancsa wrote:

> Is there a patch to this? Or is openssh the way to go?
>
> ---Mike
>
> >There appears to be a serious vulnerability in ssh 1.2.27. I will let the
> >folks who worked on this issue describe. There was brief discussion on
> >vuln-dev on the politics of ssh 1 vs. ssh 2, etc... you may or may not
> >want to play that out on Bugtraq. One of the key points of the SSH 1 vs.
> >SSH 2 debate is regarding licensing. Basically, because of a less strict
> >license on SSH 1, more folks are likely to be running that version. (This
> >is all referring to the Datafellows implementation that everyone uses,
> >rather than standards and protocols, I presume.)
> >
> >As usual, check the vuln-dev archives if you want the full story. This
> >isn't necessarily a dead topic there yet, but this issue should get out
> >there sooner rather than later.
> >
> > BB
> >
> >-------------------------------------------------------------------
> >
> >To: Exploit-Dev
> >Subject: ssh-1.2.27 remote buffer overflow - exploitable
> >Date: Mon Nov 08 1999 16:48:53
> >Author: Frank
> >Message-ID: <19991109014853.3239.qmail@securityfocus.com>
> >
> >This is submitted to the FreeBSD bug tracking system, although there are
> >doubtless other vendors who leave this package, despite the existence of
> >the ssh-2.X. While Debian appears to be immune, I was able to crash my
> >ssh daemon (much to my dismay), and there appears the potential to execute
> >arbitrary code, as long as you encrypt it first...
> >
> >Here is the freebsd report.. it describes the method to crash a remote ssh
> >daemon (let's hope you ran sshd from your xinetd, etc).
> >
> >http://www.freebsd.org/cgi/query-pr.cgi?pr=14749
> >
> >-------------------------------------------------------------------
> >
> >To: Exploit-Dev
> >Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
> >Date: Mon Nov 08 1999 21:04:19
> >Author: Daniel Jacobowitz
> >Message-ID: <19991109110419.A29502@drow.res.cmu.edu>
> >
> >Debian is immune for the (somewhat messy) reason that they do not link
> >ssh to rsaref, last time that I checked.
> >
> >-------------------------------------------------------------------
> >
> >To: Exploit-Dev
> >Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
> >Date: Mon Nov 08 1999 21:24:17
> >Author: Daniel Jacobowitz
> >Message-ID: <19991109112417.A30046@drow.res.cmu.edu>
> >
> >And here's a patch. Not tested, as I don't use the rsaref glue on any
> >machine here.
> >
> >Ed: Patch can be found at:
> >
> >http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-08&msg=19991109112417.A30046@drow.res.cmu.edu
> >
> >-------------------------------------------------------------------
> >
> >To: Exploit-Dev
> >Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
> >Date: Tue Nov 09 1999 04:42:16
> >Author: Jochen Bauer
> >Message-ID: <19991109124216.A28812@luna.theo2.physik.uni-stuttgart.de>
> >
> >I've taken a closer look at the problem. Here's my analysis:
> >
> >In sshd.c, around line 1513 the client-generated session key,
> >that has been encrypted with the server and host public keys,
> >is received from the client as a multiple precision integer.
> >
> >  /* Get the encrypted integer. */
> >  mpz_init(&session_key_int);
> >  packet_get_mp_int(&session_key_int);
> >
> >The encrypted session key is then (around line 1525) passed
> >to rsa_private_decrypt to do the first part of the decryption,
> >which is either decryption using the server private key or
> >decryption using the host private key, depending on which key
> >has the larger modulus.
> >
> >  rsa_private_decrypt(&session_key_int, &session_key_int,
> >                      &sensitive_data.private_key);
> >
> >If RSAREF is used (i.e. RSAREF is defined in the code), the
> >rsa_private_decrypt function in rsaglue.c (around line 162)
> >looks like:
> >
> >void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key)
> >{
> >  unsigned char input_data[MAX_RSA_MODULUS_LEN];
> >  unsigned char output_data[MAX_RSA_MODULUS_LEN];
> >  unsigned int input_len, output_len, input_bits;
> >  [...]
> >  input_bits = mpz_sizeinbase(input, 2);
> >  input_len = (input_bits + 7) / 8;
> >  gmp_to_rsaref(input_data, input_len, input);
> >  [...]
> >}
> >
> >The trouble spot is the fixed length buffer
> >input_data[MAX_RSA_MODULUS_LEN]. A pointer to this buffer is
> >passed to the conversion function gmp_to_rsaref along with a
> >pointer to the encrypted session key and the length (input_len)
> >of the encrypted session key, which may be greater than
> >MAX_RSA_MODULUS_LEN. gmp_to_rsaref (located around line 79 of
> >rsaglue.c) simply calls mp_linearize_msb_first(buf, len, value).
> >
> >void gmp_to_rsaref(unsigned char *buf, unsigned int len, MP_INT *value)
> >{
> >  mp_linearize_msb_first(buf, len, value);
> >}
> >
> >mp_linearize_msb_first is contained in mpaux.c around line 41.
> >The function looks like:
> >
> >void mp_linearize_msb_first(unsigned char *buf, unsigned int len,
> >                            MP_INT *value)
> >{
> >  unsigned int i;
> >  MP_INT aux;
> >  mpz_init_set(&aux, value);
> >  for (i = len; i >= 4; i -= 4)                <-------
> >    {
> >      unsigned long limb = mpz_get_ui(&aux);
> >      PUT_32BIT(buf + i - 4, limb);            <-------
> >      mpz_div_2exp(&aux, &aux, 32);
> >    }
> >  [...]
> >}
> >
> >There's the overflow! len is the length of the encrypted session
> >key, while buf is a pointer to the fixed length buffer
> >input_data[MAX_RSA_MODULUS_LEN] and no check whether len is
> >greater than MAX_RSA_MODULUS_LEN is performed. The fix should be
> >obvious!
> >
> >About the possible exploit:
> >
> >In this particular overflow, the encrypted, client generated session
> >key has to be taken as the exploit buffer. I.e. the shellcode, NOPs
> >and jump address have to be sent to the server instead of the encrypted
> >session key. To make that clear: The shellcode, NOPs and jump address
> >don't have to be encrypted as they are taken as the ENCRYPTED session
> >key.
> >
> >However, the data that is finally written into the buffer are the
> >limbs of the multiple precision integer that session_key_int is
> >assumed to be. The exploit buffer code therefore must be converted
> >into a multiple precision integer, which upon extraction of the limbs
> >into the buffer yields the correct exploit buffer code. The best way
> >would probably be to start from the exploit buffer as it should finally
> >be to overflow the target buffer and use the functions of the GNU
> >multiple precision integer library to reverse the procedure happening
> >to the encrypted session key in the sshd code step by step, leading to
> >the exploit buffer that has to be sent instead of the encrypted session
> >key.
> >
> >That may be difficult, but I think it's possible.
>
> **********************************************************************
> Mike Tancsa, Network Admin          *  mike@sentex.net
> Sentex Communications Corp,         *  http://www.sentex.net/mike
> Cambridge, Ontario                  *  01.519.651.3400
> Canada                              *

Robert N M Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Sun Nov 14 11:15:37 1999
Date: Sun, 14 Nov 1999 14:13:46 -0500 (EST)
From: Brian Fundakowski Feldman
To: Robert Watson
Cc: Mike Tancsa, freebsd-security@freebsd.org
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)

On Sun, 14 Nov 1999, Robert Watson wrote:

> I've started switching my machines to OpenSSH -- however, our port
> specifically disables K4 and AFS support :-). If I have time over the
> next few days (unlikely, traveling to Albuquerque for a DARPA conference),
> I'll mail in some patches to get K4 working. Otherwise, OpenSSH port
> seemed to work out of the box for me -- the one other change I made was to
> enable X forwarding in the ssh server. My feeling is disabling it in the
> client is far more useful, as it's the client giving out access to its
> display, not the server :-).

I have AFS and K4 ?= NO there because I don't have a way to test them, and they rely on other sources not in the base (lots to download if you're not going to use them, so it would be senseless to make them mandatory.) S/KEY I haven't enabled yet because, frankly, I've never used it. The port doesn't actually DISABLE them, it just doesn't have the hooks to enable them from the port framework yet. I'll commit your patches as long as they do exactly what they should, bar cleanups.

> so, when the RSA patent runs out, will we be disabling the US_RESIDENT in
> /etc/make.conf making use of RSAREF? I'm told RSAREF is substantially
> slower than the OpenSSL implementation, but haven't checked.

I don't see any reason not to :) When the patent runs out, I'll be happy.

> On Sun, 14 Nov 1999, Mike Tancsa wrote:
>
> > Is there a patch to this ? Or is openssh the way to go ?
> >
> > ---Mike
> >
> > >There appears to be a serious vulnerability in ssh 1.2.27. I will let the
> > >folks who worked on this issue describe.
> > >[...]

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

From owner-freebsd-security Sun Nov 14 12:45:14 1999
Message-Id: <4.1.19991114153939.046249a0@granite.sentex.ca>
Date: Sun, 14 Nov 1999 15:46:00 -0500
To: Robert Watson
From: Mike Tancsa Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Cc: freebsd-security@freebsd.org, torstenb@freebsd.org In-Reply-To: References: <4.1.19991114000355.04d7f230@granite.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:40 PM 11/14/99 , Robert Watson wrote: > >I've started switching my machines to OpenSSH -- however, our port >specifically disables K4 and AFS support :-). If I have time over the >next few days (unlikely, traveling to Albuquerque for a DARPA conference), >I'll mail in some patches to get K4 working. Otherwise, OpenSSH port >seemed to work out of the box for me -- the one other change I made was to >enable X forwarding in the ssh server. My feeling is disabling it in the >client is far more useful, as it's the client giving out access to its >display, not the server :-). I am not so worried at this point about kerb integration, as I dont use it. What I am worried about is remote root exploitation.... Or am I missing something in the bugtraq post ? The poster indicates remote root exploitation is difficult, but possible in http://www.freebsd.org/cgi/query-pr.cgi?pr=14749 I have cc'd the official maintainer. Perhaps he could comment ? 
---Mike
**********************************************************************
Mike Tancsa, Network Admin * mike@sentex.net
Sentex Communications Corp, * http://www.sentex.net/mike
Cambridge, Ontario * 01.519.651.3400
Canada *

From owner-freebsd-security Sun Nov 14 13:56:53 1999
Date: Sun, 14 Nov 1999 16:56:49 -0500
From: Keith Stevenson
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
Message-ID: <19991114165649.A95613@osaka.louisville.edu>
In-Reply-To: <4.1.19991114153939.046249a0@granite.sentex.ca>

On Sun, Nov 14, 1999 at 03:46:00PM -0500, Mike Tancsa wrote:
>
> I am not so worried at this point about kerb integration, as I don't use it.
> What I am worried about is remote root exploitation.... Or am I missing
> something in the bugtraq post? The poster indicates remote root
> exploitation is difficult, but possible in
> http://www.freebsd.org/cgi/query-pr.cgi?pr=14749
> I have cc'd the official maintainer. Perhaps he could comment?

I get the impression from the Bugtraq post that only SSH linked against
RSAREF is vulnerable. Pity that those of us in the US are required to use
the buggy code.
Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

From owner-freebsd-security Sun Nov 14 13:59:46 1999
Date: Sun, 14 Nov 1999 16:59:43 -0500
From: Keith Stevenson
To: freebsd-security@freebsd.org
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
Message-ID: <19991114165943.B95613@osaka.louisville.edu>
In-Reply-To: <19991114165649.A95613@osaka.louisville.edu>

On Sun, Nov 14, 1999 at 04:56:49PM -0500, Keith Stevenson wrote:
>
> I get the impression from the Bugtraq post that only SSH linked against
> RSAREF is vulnerable. Pity that those of us in the US are required to use
> the buggy code.

(Replying to myself)

Oops. I think I gave the wrong impression. As I understand it the bug is
in the interaction between SSH 1.2.27 and the library call to RSAREF. The
combination is buggy, not RSAREF.

From owner-freebsd-security Sun Nov 14 14: 5:53 1999
Message-Id: <4.1.19991114170427.0480a7b0@granite.sentex.ca>
Date: Sun, 14 Nov 1999 17:06:41 -0500
To: Keith Stevenson, freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
In-Reply-To: <19991114165943.B95613@osaka.louisville.edu>

At 04:59 PM 11/14/99, Keith Stevenson wrote:
>On Sun, Nov 14, 1999 at 04:56:49PM -0500, Keith Stevenson wrote:
>>
>> I get the impression from the Bugtraq post that only SSH linked against
>> RSAREF is vulnerable. Pity that those of us in the US are required to use
>> the buggy code.
>
>(Replying to myself)
>
>Oops. I think I gave the wrong impression. As I understand it the bug is
>in the interaction between SSH 1.2.27 and the library call to RSAREF. The
>combination is buggy, not RSAREF.

For Canada and the USA, this is the default install combination, no?
I guess a lot of sites will need to be patched out there :-(

---Mike

From owner-freebsd-security Sun Nov 14 14:10:39 1999
Message-Id: <4.1.19991114170852.04805b00@granite.sentex.ca>
Date: Sun, 14 Nov 1999 17:11:33 -0500
To: freebsd-security@FreeBSD.org
From: Mike Tancsa
Subject: More BIND bugs (Patch level 5)

Hello All,

Looks like another series of bug fixes to BIND.... From their web page at
http://www.isc.org/products/BIND/docs/bind8.2_highlights.html

  Bug in named-xfer (from patchlevel 4).
  Portability to IPv6 versions of FreeBSD, OpenBSD, NetBSD.
  Portability improvements (A/UX, AIX, IRIX, NetBSD, SCO, MPE/IX).
  "also-notify" option could cause memory allocation errors.
  IXFR improvements (though client-side is still disabled).
  Contributed software upgraded (including TIS's "dns_signer").
  Several latent denial-of-service bugs fixed (from audits, not abuse).
  New "make noesw" top-level target for removing encumbered components.

The second last point seems to imply other bug fixes not present in the
previous patch.

---Mike

From owner-freebsd-security Sun Nov 14 17:22:11 1999
Date: Sun, 14 Nov 1999 17:22:08 -0800 (PST)
From: Kris Kennaway
To: "H. Eckert"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Status of Passwords/etc in FreeBSD-stable
In-Reply-To: <19991114015245.A58093@server.nostromo.in-berlin.de>

On Sun, 14 Nov 1999, H. Eckert wrote:

> Quoting Kris Kennaway (kris@hub.freebsd.org):
> > Probably you switched from DES to MD5 passwords when you upgraded.
>
> I didn't upgrade; it was a completely fresh installation.
> Apparently MD5 hashes are the default method with 3.x

Yes, if you don't select to install the DES libraries.

> > Having said that, your netatalk example shows there's at least some need
> > for it - it would be a fairly simple matter to copy the minpasswordlen
> > code. If you submit the patch I'll try and get it committed.
>
> Sorry, that's completely out of scope for me.

Fair enough (although it would be really trivial, just copy-n-paste from
the minpasswordlen source, almost). I might get to it one day..

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of
two evils..

From owner-freebsd-security Sun Nov 14 17:35:36 1999
Date: Sun, 14 Nov 1999 20:34:03 -0500 (EST)
From: "Justin M. Seger"
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.org
Subject: Re: More BIND bugs (Patch level 5)
In-Reply-To: <4.1.19991114170852.04805b00@granite.sentex.ca>

Port is now at patch level 5.

Justin Seger

From owner-freebsd-security Sun Nov 14 17:59:21 1999
Date: Sun, 14 Nov 1999 20:59:06 -0500 (EST)
From: Garrett Wollman
Message-Id: <199911150159.UAA03774@khavrinen.lcs.mit.edu>
To: Mark Murray
Cc: Kris Kennaway, "Jordan K. Hubbard", security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: OpenSSH patches
In-Reply-To: <199911101818.UAA10615@gratis.grondar.za>

Mark Murray said:

>> No objections from me! We will of course need to import OpenSSL as well,
>> but I can see only good things coming from that.

> Only the libcrypto part of it, as far as I can see.

Ummm... guys.... the RSA patent doesn't expire until *next* year.

-GAWollman

From owner-freebsd-security Sun Nov 14 18:27:41 1999
Date: Sun, 14 Nov 1999 21:27:35 -0500 (EST)
From: Garrett Wollman
Message-Id: <199911150227.VAA03816@khavrinen.lcs.mit.edu>
To: Pierre Beyssac
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: patch for bind8 port (was: BIND NXT Bug Vulnerability)
In-Reply-To: <19991112165545.A18571@fasterix.frmug.org>
References: <45563.942403323@verdi.nethelp.no> <19991112165545.A18571@fasterix.frmug.org>

Pierre Beyssac said:

> Actually, the zone is not completely rejected: the secondaries
> fetch an up-to-date copy and serve it, but they disable the AA flag
> in the replies. It is much better than not serving the zone at all.

Well, not really, since this means many people can't send mail to
addresses covered by that zone. (Think sendmail.cf `O ResolverOptions=+AAONLY',
or MMDF which doesn't even give you an option. This bites me periodically
when our primary goes lame for some reason -- it's also our main mail
relay, and it runs MMDF.)

-GAWollman

--
Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

From owner-freebsd-security Sun Nov 14 18:30:41 1999
Date: Sun, 14 Nov 1999 18:30:39 -0800 (PST)
From: Kris Kennaway
To: Garrett Wollman
Cc: Mark Murray, "Jordan K. Hubbard", security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: OpenSSH patches
In-Reply-To: <199911150159.UAA03774@khavrinen.lcs.mit.edu>

On Sun, 14 Nov 1999, Garrett Wollman wrote:

> Mark Murray said:
>
> >> No objections from me! We will of course need to import OpenSSL as well,
> >> but I can see only good things coming from that.
>
> > Only the libcrypto part of it, as far as I can see.
>
> Ummm... guys.... the RSA patent doesn't expire until *next* year.

True.. we'd have to split it so that US people import a RSA-less openssl
(i.e. just openssl with the rsa directory missing), and the international
folks can import the RSA parts as well. The former could go into the
existing crypto cvsup collection, and an additional crypto-intl cvsup
collection could hold the latter.

On the other hand, is it illegal to _have_ RSA sources, as long as you
don't compile them? i.e. we can just build openssl with NO_RSA conditional
on USA_RESIDENT=YES.

Kris

From owner-freebsd-security Sun Nov 14 19:10: 7 1999
Date: Sun, 14 Nov 1999 22:09:53 -0500 (EST)
From: Garrett Wollman
Message-Id: <199911150309.WAA04040@khavrinen.lcs.mit.edu>
To: Mark Murray
Cc: security@FreeBSD.ORG
Subject: Re: OpenSSH patches
In-Reply-To: <199911101824.UAA10746@gratis.grondar.za>

Mark Murray said:

> How would folk feel about the International CVS Repo holding "better"
> crypto than the WC one (until the relevant patents expire)?

Putting on my hat as the operator of freebsd.lcs.mit.edu...

It would make me feel a lot better. If the main source tree contained an
unlicensed RSA implementation, MIT's Technology Licensing Office would
require me to shut down the mirror.

-GAWollman

From owner-freebsd-security Sun Nov 14 19:42:21 1999
Date: Sun, 14 Nov 1999 22:42:15 -0500 (EST)
From: Garrett Wollman
Message-Id: <199911150342.WAA04215@khavrinen.lcs.mit.edu>
To: Kris Kennaway
Cc: security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: OpenSSH patches
In-Reply-To: <199911150159.UAA03774@khavrinen.lcs.mit.edu>

Kris Kennaway said:

> On the other hand, is it illegal to _have_ RSA sources, as long as you
> don't compile them?

Illegal to *have*? No. However, *distributing* them may constitute
``contributory infringement'' (similar to ``accessory'' charges in
criminal law).

-GAWollman

From owner-freebsd-security Sun Nov 14 19:55:47 1999
Message-Id: <4.1.19991114225545.04626d60@granite.sentex.ca>
Date: Sun, 14 Nov 1999 22:56:40 -0500
To: freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: ssh-1.2.27 remote buffer overflow - work around ??
In-Reply-To: <19991114165649.A95613@osaka.louisville.edu>

At 04:56 PM 11/14/99, Keith Stevenson wrote:
>On Sun, Nov 14, 1999 at 03:46:00PM -0500, Mike Tancsa wrote:
>>
>> I am not so worried at this point about kerb integration, as I don't use it.
>> What I am worried about is remote root exploitation.... Or am I missing
>> something in the bugtraq post? The poster indicates remote root
>> exploitation is difficult, but possible in
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=14749
>> I have cc'd the official maintainer. Perhaps he could comment?
>
>I get the impression from the Bugtraq post that only SSH linked against
>RSAREF is vulnerable. Pity that those of us in the US are required to use
>the buggy code.

Actually, in this case, will USA_RESIDENT=NO in the make file then get
around this problem?
---Mike

From owner-freebsd-security Sun Nov 14 20:12:46 1999
Date: Sun, 14 Nov 1999 23:12:19 -0500 (EST)
From: Brian Fundakowski Feldman
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh-1.2.27 remote buffer overflow - work around ??
In-Reply-To: <4.1.19991114225545.04626d60@granite.sentex.ca>

On Sun, 14 Nov 1999, Mike Tancsa wrote:

>
> Actually, in this case, will USA_RESIDENT=NO in the make file then get
> around this problem ?

Yes, but it would also be against the patents of our wonderful RSA.
Then again, the patent runs out next year; and right now, it's still
pretty much "honor system" unless the RSA wants to sue you for some
reason. I can't condone this technically illegal action. The better
question is why aren't you using OpenSSH?

> ---Mike
From owner-freebsd-security Sun Nov 14 20:28:30 1999
Message-Id: <4.1.19991114231613.048044c0@granite.sentex.ca>
Date: Sun, 14 Nov 1999 23:29:25 -0500
To: Brian Fundakowski Feldman
From: Mike Tancsa
Subject: Re: ssh-1.2.27 remote buffer overflow - work around ??
Cc: freebsd-security@FreeBSD.org
References: <4.1.19991114225545.04626d60@granite.sentex.ca>

At 11:12 PM 11/14/99, Brian Fundakowski Feldman wrote:
>On Sun, 14 Nov 1999, Mike Tancsa wrote:
>
>>
>> Actually, in this case, will USA_RESIDENT=NO in the make file then get
>> around this problem ?
>
>Yes, but it would also be against the patents of our wonderful RSA.
>Then again, the patent runs out next year; and right now, it's still
>pretty much "honor system" unless the RSA wants to sue you for some
>reason. I can't condone this technically illegal action. The better
>question is why aren't you using OpenSSH?

Hi,

Thanks for the information. I am not using OpenSSH yet mainly because I
have about 30 servers which are affected by this bug, ranging from
2.2-STABLE up to 3.x-STABLE and everything in between -- some mine, some
customers. I don't know how OpenSSH will fare on all of them, and I would
like to make the upgrade a little more transitioned... i.e. try out OpenSSH
on a few machines and make sure everything is there that I need (off the
top of my head things like denying ssh access by GID). All my machines are
in Canada, but I think our crypto export/import laws were harmonized in the
past couple of years.... (Sometime soon after I bought Netscape version 0.9,
whenever that was, when I got dinged with a 100% munitions import tax!!)

Ideally a patch to the relevant ports would be best.
If I had the skills to do so, I would do it, but I don't :-(

---Mike

From owner-freebsd-security Sun Nov 14 20:40:39 1999
Date: Sun, 14 Nov 1999 23:40:30 -0500 (EST)
From: Garrett Wollman
Message-Id: <199911150440.XAA04463@khavrinen.lcs.mit.edu>
To: Brian Fundakowski Feldman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh-1.2.27 remote buffer overflow - work around ??
References: <4.1.19991114225545.04626d60@granite.sentex.ca>

Brian Fundakowski Feldman said:

> Yes, but it would also be against the patents of our wonderful RSA.

You missed an important point:

>> Sentex Communications Corp, * http://www.sentex.net/mike
>> Cambridge, Ontario * 01.519.651.3400

So Mike is located in Canada, and thus the patent may not apply to him
(at least not the US patent).

A better question is: why does Mike want people to make operator-assisted
calls to Peru when trying to reach him?

-GAWollman

From owner-freebsd-security Sun Nov 14 21:45: 2 1999
Message-Id: <199911150544.HAA31988@gratis.grondar.za>
To: Garrett Wollman
Cc: Kris Kennaway, "Jordan K. Hubbard", security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: OpenSSH patches
Date: Mon, 15 Nov 1999 07:44:38 +0200
From: Mark Murray

> > Only the libcrypto part of it, as far as I can see.
>
> Ummm... guys.... the RSA patent doesn't expire until *next* year.

Sure - that was why I made my _other_ proposal of importing that into
only the International repository.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Sun Nov 14 22: 2:48 1999
From: John Hay
Message-Id: <199911150602.IAA13567@zibbi.mikom.csir.co.za>
Subject: Re: ssh-1.2.27 remote buffer overflow - work around ??
In-Reply-To: from Brian Fundakowski Feldman at "Nov 14, 1999 11:12:19 pm"
To: green@FreeBSD.ORG (Brian Fundakowski Feldman)
Date: Mon, 15 Nov 1999 08:02:38 +0200 (SAT)
Cc: freebsd-security@FreeBSD.ORG

> reason. I can't condone this technically illegal action. The better
> question is why aren't you using OpenSSH?
>

Well, is there a way of not using rsh to fetch it? Our firewall doesn't
allow incoming tcp connections and rsh needs one.

John
--
John Hay -- John.Hay@mikom.csir.co.za

From owner-freebsd-security Sun Nov 14 22:22:43 1999
Date: Mon, 15 Nov 1999 01:22:20 -0500 (EST)
From: Brian Fundakowski Feldman
To: John Hay
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh-1.2.27 remote buffer overflow - work around ??
In-Reply-To: <199911150602.IAA13567@zibbi.mikom.csir.co.za>

On Mon, 15 Nov 1999, John Hay wrote:

> Well, is there a way of not using rsh to fetch it? Our firewall don't
> allow incoming tcp connections and rsh needs one.

The two best ways would be to use ssh itself (should work) as CVS_RSH, or
download it from somewhere outside the firewall and transfer it (by
FTP/HTTP/etc) into the firewall. Know your export laws, of course...

> John
> --
> John Hay -- John.Hay@mikom.csir.co.za

From owner-freebsd-security Mon Nov 15 3:42:40 1999
Message-Id: <199911151140.GAA50607@sanson.reyes.somos.net>
From: "Francisco Reyes"
To: "freebsd-security@FreeBSD.ORG"
Cc: "Brian Somers"
Date: Mon, 15 Nov 1999 06:38:13 -0500
Reply-To: "Francisco Reyes"
X-Mailer: PMMail 98 Professional (2.01.1600) For Windows 98 (4.10.1998)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Is this an attack? ICMP packets coming from my own IP
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Some days back I ran a news server, Leafnode++, for 2 days. The server got
Hijacked because I failed to secure it. Ever since I have been paying close
attention to my logs.

I have ICMP packets enabled, but I log them. Last night I noticed numerous
ICMP packets, but the ones that worried me the most were some coming from
an IP which is the IP I use on that box: 207.240.212.43

Is this some form of attack?

ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0

How can they forge my own IP? Should I mention this to my ISP?

From owner-freebsd-security Mon Nov 15 4: 8:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id D277C14C89 for ; Mon, 15 Nov 1999 04:08:08 -0800 (PST) (envelope-from vlad@sandy.ru)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.12]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id PAA64035; Mon, 15 Nov 1999 15:03:18 +0300 (MSK)
Date: Mon, 15 Nov 1999 15:03:22 +0300
From: Vladimir Dubrovin
X-Mailer: The Bat! (v1.34) S/N D33CD428
Reply-To: Vladimir Dubrovin
Organization: Sandy Info
X-Priority: 3 (Normal)
Message-ID: <19627.991115@sandy.ru>
To: "Francisco Reyes"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Is this an attack? ICMP packets coming from my own IP
In-reply-To: <199911151140.GAA50607@sanson.reyes.somos.net>
References: <199911151140.GAA50607@sanson.reyes.somos.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Francisco Reyes,

15.11.99 14:38, you wrote: Is this an attack? ICMP packets coming from my own IP;

F> Some days back I ran a news server, Leafnode++, for 2 days. The server got Hijacked because I failed to
F> secure it. Ever since I have been paying close attention to my logs.

F> I have ICMP packets enabled, but I log them. Last night I noticed numerous ICMP packets, but the ones
F> that worried me the most were some coming from an IP which is the IP I use on that box: 207.240.212.43

F> Is this some form of attack?

It's your ping of your own machine. icmp:0.0 is ping request icmp:0.8
is ping reply. As you can see every packet is both in and out.

F> ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
F> ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0
F> ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 out via tun0
F> ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 in via tun0
F> ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
F> ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0

F> How can they forge my own IP? Should I mention this to my ISP?
+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|
| Sandy Info, ISP |
+=-=-=-=-=-=-=-=-=+

From owner-freebsd-security Mon Nov 15 5:32:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sanson.reyes.somos.net (freyes.static.inch.com [207.240.212.43]) by hub.freebsd.org (Postfix) with ESMTP id BE92914DA4 for ; Mon, 15 Nov 1999 05:32:10 -0800 (PST) (envelope-from fran@reyes.somos.net)
Received: from tomasa (tomasa.reyes.somos.net [10.0.0.11]) by sanson.reyes.somos.net (8.9.3/8.9.3) with SMTP id IAA75221; Mon, 15 Nov 1999 08:29:30 -0500 (EST) (envelope-from fran@reyes.somos.net)
Message-Id: <199911151329.IAA75221@sanson.reyes.somos.net>
From: "Francisco Reyes"
To: "Vladimir Dubrovin"
Cc: "freebsd-security@FreeBSD.ORG"
Date: Mon, 15 Nov 1999 08:26:51 -0500
Reply-To: "Francisco Reyes"
X-Mailer: PMMail 98 Professional (2.01.1600) For Windows 98 (4.10.1998)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: Is this an attack? ICMP packets coming from my own IP
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 15 Nov 1999 15:03:22 +0300, Vladimir Dubrovin wrote:

>F> Is this some form of attack?
>
>It's your ping of your own machine. icmp:0.0 is ping request icmp:0.8
>is ping reply. As you can see every packet is both in and out.

I don't remember pinging myself, but I guess I could have. Besides ping,
what else goes over ICMP?

The reason I was looking at this is that in the log there were numerous
ICMP packets from last night and early morning. They also don't match the
0.0 and 0.8 you described from ping.

ipfw: 3100 Accept ICMP:0.0 204.71.200.245 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 216.145.30.3 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.13 155.232.17.2 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 16.1.0.18 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 204.123.2.18 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 209.192.217.104 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.1 144.232.9.142 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 207.240.212.43 207.240.140.102 out via tun0

Any place I could read about ICMP packets? A search in google found mostly
info from a list archive. I will go over those messages tonight..
From owner-freebsd-security Mon Nov 15 6:30:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id 1D4DA14C83; Mon, 15 Nov 1999 06:30:34 -0800 (PST) (envelope-from mike@sentex.net)
Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id JAA14565; Mon, 15 Nov 1999 09:30:31 -0500 (EST) (envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id JAA14467; Mon, 15 Nov 1999 09:30:31 -0500 (EST)
Message-Id: <3.0.5.32.19991115092856.0214a100@staff.sentex.ca>
X-Sender: mdtpop@staff.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Mon, 15 Nov 1999 09:28:56 -0500
To: Brian Fundakowski Feldman
From: Mike Tancsa
Subject: Re: ssh-1.2.27 remote buffer overflow - work around ??
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
References: <4.1.19991114225545.04626d60@granite.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:12 PM 11/14/99 -0500, Brian Fundakowski Feldman wrote:
>Yes, but it would also be against the patents of our wonderful RSA.
>Then again, the patent runs out next year; and right now, it's still
>pretty much "honor system" unless the RSA wants to sue you for some
>reason. I can't condone this technically illegal action. The better
>question is why aren't you using OpenSSH?

Where is the best place to read about / follow OpenSSH ? I just tried
OpenSSH and it does not seem to work with the version of SecureCRT that I
am using. I get past the authentication phase, but then disconnected with
the message on the client side saying

"Sever does not support Max Packet Size. Continuing" and then nothing.
---Mike

------------------------------------------------------------------------
Mike Tancsa, tel 01.519.651.3400          Network Administrator, mike@sentex.net
Sentex Communications www.sentex.net      Cambridge, Ontario Canada

From owner-freebsd-security Mon Nov 15 7:40:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id 981A514DCD; Mon, 15 Nov 1999 07:40:39 -0800 (PST) (envelope-from mike@sentex.net)
Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id KAA24702; Mon, 15 Nov 1999 10:40:36 -0500 (EST) (envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id KAA09746; Mon, 15 Nov 1999 10:40:36 -0500 (EST)
Message-Id: <3.0.5.32.19991115103901.00cfcd10@staff.sentex.ca>
X-Sender: mdtpop@staff.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Mon, 15 Nov 1999 10:39:01 -0500
To: Brian Fundakowski Feldman
From: Mike Tancsa
Subject: Re: ssh-1.2.27 remote buffer overflow - work around ??
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3.0.5.32.19991115092856.0214a100@staff.sentex.ca>
References: <4.1.19991114225545.04626d60@granite.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:28 AM 11/15/99 -0500, Mike Tancsa wrote:
>"Sever does not support Max Packet Size. Continuing" and then nothing.

Just to follow up on my own post about OpenSSHD and the windows ssh client
scrt, the above bug is encountered by scrt 2.3.2. I upgraded my client to
2.4, and the problem went away. Version 3.0 also works fine, but eats up
4 times as much RAM on the client as 2.4 does.

---Mike

------------------------------------------------------------------------
Mike Tancsa, tel 01.519.651.3400          Network Administrator, mike@sentex.net
Sentex Communications www.sentex.net      Cambridge, Ontario Canada

From owner-freebsd-security Mon Nov 15 8: 1:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235]) by hub.freebsd.org (Postfix) with ESMTP id 7F20014EB8; Mon, 15 Nov 1999 08:00:54 -0800 (PST) (envelope-from cdf.lists@fxp.org)
Received: by pawn.primelocation.net (Postfix, from userid 1016) id 9D7809B25; Mon, 15 Nov 1999 11:00:51 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by pawn.primelocation.net (Postfix) with ESMTP id 90B00BA1D; Mon, 15 Nov 1999 11:00:51 -0500 (EST)
Date: Mon, 15 Nov 1999 11:00:51 -0500 (EST)
From: "Chris D. Faulhaber"
X-Sender: cdf.lists@pawn.primelocation.net
To: Mike Tancsa
Cc: Brian Fundakowski Feldman , freebsd-security@FreeBSD.ORG
Subject: Re: ssh-1.2.27 remote buffer overflow - work around ??
In-Reply-To: <3.0.5.32.19991115092856.0214a100@staff.sentex.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 15 Nov 1999, Mike Tancsa wrote:

> At 11:12 PM 11/14/99 -0500, Brian Fundakowski Feldman wrote:
> >Yes, but it would also be against the patents of our wonderful RSA.
> >Then again, the patent runs out next year; and right now, it's still
> >pretty much "honor system" unless the RSA wants to sue you for some
> >reason. I can't condone this technically illegal action. The better
> >question is why aren't you using OpenSSH?
>
> Where is the best place to read about / follow OpenSSH ? I just tried
> OpenSSH and it does not seem to work with the version of SecureCRT that I
> am using. I get past the authentication phase, but then disconnected with
> the message on the client side saying
>
> "Sever does not support Max Packet Size. Continuing" and then nothing.
>

We have the same problem using SecureCRT v2.3.2, however, v3.0 works just
fine.

-----
Chris D. Faulhaber               | All the true gurus I've met never
System/Network Administrator,    | claimed they were one, and always
Reality Check Information, Inc.  | pointed to someone better.
From owner-freebsd-security Mon Nov 15 8:58: 1 1999
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id DDC8714BDD for ; Mon, 15 Nov 1999 08:57:56 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA23485; Mon, 15 Nov 1999 08:57:50 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda23481; Mon Nov 15 08:57:33 1999
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id IAA61664; Mon, 15 Nov 1999 08:57:25 -0800 (PST)
Message-Id: <199911151657.IAA61664@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdi61660; Mon Nov 15 08:56:46 1999
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.3-RELEASE
X-Sender: cschuber
To: Peter Wemm
Cc: Bill Fumerola , Brett Glass , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-reply-to: Your message of "Fri, 12 Nov 1999 23:45:59 +0800." <19991112154559.DAC251C6D@overcee.netplex.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 15 Nov 1999 08:56:46 -0800
From: Cy Schubert
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19991112154559.DAC251C6D@overcee.netplex.com.au>, Peter Wemm writes:
> Bill Fumerola wrote:
> > On Thu, 11 Nov 1999, Brett Glass wrote:
> >
> > > I assume you mean rc.conf, not named.conf.
> > >
> > > In any case, maybe there should be a "sandbox BIND" flag in rc.conf
> > > that selects a sandboxed configuration and is on by default.
> > > Also, it'd be nice to have the user "named" already in /etc/passwd
> > > and ready to go.
> >
> > bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
> >
> > You mean like that in src/etc/master.passwd?
>
> *Beware* - do not do this if you have dynamic interface configuration, eg
> if you run ppp[d] or anything. Bind depends on being able to bind to port
> 53 if the interface configuration changes. This is why it's not on by
> default.

I use the following at home to restart named when I dial into work or my
friend's ISP. It passes all arguments to named.
/*
 * Compile with,
 *   cc -O2 -o named8_mom named8_mom.c
 *   strip named8_mom
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>

#define NAMED_PATH "/usr/local/sbin/named"
#define MAX_ARGS   60

void kill_named(int sig);
void exit_named_mom(int sig);

int restart_named = 1;
pid_t pid;

int
main(int argc, char **argv)
{
	int status;
	int prio;

	/* Detach: the parent exits, the child carries on as the monitor. */
	if ((pid = fork()) < 0) {
		perror("daemon error");
		exit(1);
	} else if (pid > 0) {
		exit(0);
	}
	/* In the child fork() returned 0, so this puts the monitor in its own group. */
	if (setpgid(0, 0) == -1) {
		perror("setpgid");
		exit(1);
	}
	/* SIGHUP (e.g. from a ppp link-up script) kills named; the loop restarts it. */
	if (signal(SIGHUP, kill_named) == SIG_ERR) {
		perror("error setting SIGHUP");
		exit(1);
	}
	if (signal(SIGTERM, exit_named_mom) == SIG_ERR) {
		perror("error setting SIGTERM");
		exit(1);
	}
	if (signal(SIGINT, exit_named_mom) == SIG_ERR) {
		perror("error setting SIGINT");
		exit(1);
	}
	/* Run the monitor at top priority so it can always restart named;
	 * the child is put back to the original priority before the exec. */
	prio = getpriority(PRIO_PROCESS, 0);
	if (setpriority(PRIO_PROCESS, 0, -20) != 0) {
		perror("main setpriority error");
		exit(1);
	}

	while (restart_named) {
		/* fork() rather than vfork(): the child calls setpriority(), perror()
		 * and sleep() before exec, which vfork() does not allow. */
		if ((pid = fork()) == 0) {
			int i;
			char *args[MAX_ARGS];

			if (setpriority(PRIO_PROCESS, 0, prio) != 0) {
				perror("child setpriority error");
				sleep(10);
				_exit(1);
			}
			/* Pass our arguments through, then add -f so named stays in
			 * the foreground and wait() below sees it exit. */
			args[0] = NAMED_PATH;
			for (i = 1; i < argc && i < MAX_ARGS - 2; i++)
				args[i] = argv[i];
			args[i++] = "-f";
			args[i] = NULL;
			execv(NAMED_PATH, args);
			perror("execv failed");
			sleep(10);
			_exit(1);
		} else if (pid > 0) {
			/* Retry if a signal (SIGHUP from kill_named) interrupts the wait. */
			status = 0;
			while (wait(&status) == -1) {
				if (errno == EINTR)
					continue;
				perror("wait error");
				break;
			}
			/* Anything other than a clean exit 0 is treated as fatal. */
			if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
				fprintf(stderr, "nonzero return code from named\n");
				exit(1);
			}
		} else {
			perror("fork failed");
			exit(1);
		}
	}
	exit(0);
}

/* SIGHUP handler: stop the running named so the main loop starts a new one. */
void
kill_named(int sig)
{
	(void)sig;
	if (kill(pid, SIGTERM) != 0) {
		perror("named kill failed");
		restart_named = 0;
		exit(1);
	}
}

/* SIGTERM/SIGINT handler: stop named and do not restart it. */
void
exit_named_mom(int sig)
{
	kill_named(sig);
	restart_named = 0;
}

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

From
owner-freebsd-security Mon Nov 15 9:19:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wall.pdv.de (ns.pdv.de [194.139.111.2]) by hub.freebsd.org (Postfix) with ESMTP id CAB26150C6 for ; Mon, 15 Nov 1999 09:18:43 -0800 (PST) (envelope-from Dirk.Nerling@pdv.de)
Received: (from mail@localhost) by wall.pdv.de (8.9.1a/8.9.1) id SAA09494 for ; Mon, 15 Nov 1999 18:18:33 +0100 (CET)
X-Authentication-Warning: wall.pdv.de: mail set sender to using -f
Received: from khk.pdv.de(192.168.12.37) by wall via smap (V2.1+anti-relay+anti-spam) id xma009492; Mon, 15 Nov 99 18:18:11 +0100
Received: from pc-dirk1.pdv.de by khk.pdv.de with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1460.8) id TT2P2R3D; Mon, 15 Nov 1999 18:22:28 +0100
Reply-To:
From: "nerle"
To: "'FreeBSD Security (Mlist) (E-Mail)'"
Subject: what are these ICMP logs ???
Date: Mon, 15 Nov 1999 18:18:16 +0100
Message-ID: <000001bf2f8d$67938ac0$350ca8c0@pdv.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

where could I find a description of the 3.13 and 3.3 ICMP packets?

This is an outside one:

Nov 15 14:16:29 wall /kernel: ipfw: 500 Accept ICMP:3.13 188.1.x.x 194.139.111.2 in via de1

One from my own IP address:

Nov 15 14:18:26 wall /kernel: ipfw: 500 Accept ICMP:3.3 194.139.111.2 194.139.111.2 out via lo0
Nov 15 14:18:26 wall /kernel: ipfw: 500 Accept ICMP:3.3 194.139.111.2 194.139.111.2 in via lo0

and last but not least a localhost one:

Nov 15 17:45:00 wall /kernel: ipfw: 500 Accept ICMP:3.3 127.0.0.1 127.0.0.1 in via lo0

Something I have to worry about???

best regards
Dirk

From owner-freebsd-security Mon Nov 15 9:57:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from secure.smtp.email.msn.com (cpimssmtpu07.email.msn.com [207.46.181.28]) by hub.freebsd.org (Postfix) with ESMTP id AE62F14A1F for ; Mon, 15 Nov 1999 09:57:21 -0800 (PST) (envelope-from JHowie@msn.com)
Received: from x86nts4 - 216.103.48.12 by email.msn.com with Microsoft SMTPSVC; Mon, 15 Nov 1999 09:57:16 -0800
Message-ID: <001f01bf2f93$ce326390$fd01a8c0@pacbell.net>
From: "John Howie"
To: "Francisco Reyes" , "Vladimir Dubrovin"
Cc:
References: <199911151329.IAA75221@sanson.reyes.somos.net>
Subject: Re: Is this an attack? ICMP packets coming from my own IP
Date: Mon, 15 Nov 1999 10:04:05 -0800
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6000
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Francisco,

----- Original Message -----
From: "Francisco Reyes"
To: "Vladimir Dubrovin"
Cc:
Sent: Monday, November 15, 1999 5:26 AM
Subject: Re: Is this an attack? ICMP packets coming from my own IP

[STUFF DELETED]

>
> ipfw: 3100 Accept ICMP:0.0 204.71.200.245 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 216.145.30.3 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.13 155.232.17.2 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 16.1.0.18 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 204.123.2.18 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 209.192.217.104 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.1 144.232.9.142 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 207.240.212.43 207.240.140.102 out via tun0
>

ICMP Type 3 packets are sent by a remote host to inform the local system
that the destination is unreachable. The Code field elaborates:

0 = Network Unreachable
1 = Host Unreachable
2 = Protocol Unreachable
3 = Port Unreachable
...
...
13 = Communication administratively prohibited by filtering.

If you have a lot of users trying to telnet, ftp, rsh, rexec, rlogin, etc...
remote machines then these messages are quite common. If you have a lot of
3.3's from a single host, it is a good indication that someone is running a
portscanner on your machine against that host.

Your entries look *fairly* benign. Without timestamps and details of the
processes attempting communications that resulted in these messages, you
can never be sure.

> Any place I could read about ICMP packets? A search in google found mostly info from a list archive. I
> will go over those messages tonight..

Try the ICMP RFC - 792, available from www.ietf.org

Cheers,

john...
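Decoding lines like the ones quoted above mechanically, as an added example that is not code from this thread or from FreeBSD: the script parses the ipfw ICMP log format shown in these messages, names each type.code pair following RFC 792 and the ICMP_UNREACH_* codes in /usr/include/netinet/ip_icmp.h, marks echo request/reply lines whose source and destination are the same address as the machine pinging itself (the explanation given earlier in the thread), and counts inbound port-unreachable (3.3) replies per remote host, which is the indicator John describes. The sample log is the set of lines quoted in this thread plus one constructed non-ICMP line to show that other rules are skipped; the function and variable names are this example's own.

```python
"""Decode ipfw ICMP log lines of the kind quoted in this thread.

Added example, not code from the thread or from FreeBSD. Type and code
names follow RFC 792 and the ICMP_UNREACH_* list in
/usr/include/netinet/ip_icmp.h.
"""
import re
from collections import Counter

# ICMP types seen in the logs above (RFC 792 names).
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    8: "echo request",
    11: "time exceeded",
}

# Codes for type 3, in the order ip_icmp.h lists them.
UNREACH_CODES = {
    0: "net", 1: "host", 2: "protocol", 3: "port",
    4: "fragmentation needed", 5: "source route failed",
    6: "net unknown", 7: "host unknown", 8: "source host isolated",
    9: "net prohibited", 10: "host prohibited",
    11: "bad TOS for net", 12: "bad TOS for host",
    13: "administratively prohibited (filter)",
    14: "host precedence violation", 15: "precedence cutoff",
}

# "ipfw: <rule> <action> ICMP:<type>.<code> <src> <dst> <in|out> via <iface>"
# (search, not match, so a syslog prefix such as "Nov 15 14:16:29 wall /kernel:" is fine)
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return a dict for an ipfw ICMP log line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "type", "code"):
        rec[key] = int(rec[key])
    return rec


def describe(icmp_type, code):
    """Human-readable name for a type.code pair, e.g. 3.13."""
    name = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    if icmp_type == 3:
        return "%s: %s" % (name, UNREACH_CODES.get(code, "code %d" % code))
    return name


def is_local_ping(rec):
    """Echo request/reply with identical source and destination: the box
    pinging its own address and logging the packet both out and in."""
    return rec["type"] in (0, 8) and rec["src"] == rec["dst"]


def port_unreachable_by_source(records):
    """Inbound 3.3 (port unreachable) replies per remote host. Many from one
    host means something on this machine kept hitting closed ports there."""
    counts = Counter()
    for rec in records:
        if rec["type"] == 3 and rec["code"] == 3 and rec["direction"] == "in":
            counts[rec["src"]] += 1
    return counts


def hosts_at_or_above(counts, threshold):
    """Hosts whose count reaches the threshold, busiest first."""
    return [host for host, n in counts.most_common() if n >= threshold]


def summarize(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "parsed": len(records),
        "local_ping": sum(1 for r in records if is_local_ping(r)),
        "by_kind": Counter(describe(r["type"], r["code"]) for r in records),
        "port_unreach_by_src": port_unreachable_by_source(records),
    }


# Sample input: the lines quoted in this thread, plus one constructed
# non-ICMP line to show that other rules are skipped.
SAMPLE_LOG = """\
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:0.0 204.71.200.245 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 216.145.30.3 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.13 155.232.17.2 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.1 144.232.9.142 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 207.240.212.43 207.240.140.102 out via tun0
ipfw: 3100 Accept TCP 10.0.0.11:1234 207.240.212.43:22 in via tun0
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for kind, n in summary["by_kind"].most_common():
        print("%-50s %d" % (kind, n))
    print("self-addressed echo packets:", summary["local_ping"])
    print("inbound port-unreachable by host:", dict(summary["port_unreach_by_src"]))
```

Run against a real /var/log/security the threshold for hosts_at_or_above is the thing to tune: a single 3.3 per host is normal traceroute or closed-port noise, while dozens from one host within a short window is what John's portscan remark is about.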
From owner-freebsd-security Mon Nov 15 10:31:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id 23E5A14A01 for ; Mon, 15 Nov 1999 10:31:50 -0800 (PST) (envelope-from mike@sentex.net)
Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id NAA47939; Mon, 15 Nov 1999 13:31:50 -0500 (EST) (envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id NAA08746; Mon, 15 Nov 1999 13:31:50 -0500 (EST)
Message-Id: <3.0.5.32.19991115133015.016537e0@staff.sentex.ca>
X-Sender: mdtpop@staff.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Mon, 15 Nov 1999 13:30:15 -0500
To: , "'FreeBSD Security (Mlist) (E-Mail)'"
From: Mike Tancsa
Subject: Re: what are these ICMP logs ???
In-Reply-To: <000001bf2f8d$67938ac0$350ca8c0@pdv.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:18 PM 11/15/99 +0100, nerle wrote:
>Hello,
>
>where could I find a description of the 3.13 and 3.3 ICMP packets?

I usually look at /usr/include/netinet/ip_icmp.h for a quick reference
e.g.

#define ICMP_UNREACH            3               /* dest unreachable, codes: */
#define ICMP_UNREACH_NET                0       /* bad net */
#define ICMP_UNREACH_HOST               1       /* bad host */
#define ICMP_UNREACH_PROTOCOL           2       /* bad protocol */
#define ICMP_UNREACH_PORT               3       /* bad port */
#define ICMP_UNREACH_NEEDFRAG           4       /* IP_DF caused drop */
#define ICMP_UNREACH_SRCFAIL            5       /* src route failed */
#define ICMP_UNREACH_NET_UNKNOWN        6       /* unknown net */
#define ICMP_UNREACH_HOST_UNKNOWN       7       /* unknown host */
#define ICMP_UNREACH_ISOLATED           8       /* src host isolated */
#define ICMP_UNREACH_NET_PROHIB         9       /* prohibited access */
#define ICMP_UNREACH_HOST_PROHIB        10      /* ditto */
#define ICMP_UNREACH_TOSNET             11      /* bad tos for net */
#define ICMP_UNREACH_TOSHOST            12      /* bad tos for host */
#define ICMP_UNREACH_FILTER_PROHIB      13      /* admin prohib */
#define ICMP_UNREACH_HOST_PRECEDENCE    14      /* host prec vio. */
#define ICMP_UNREACH_PRECEDENCE_CUTOFF  15      /* prec cutoff */

For a complete description, I imagine the relevant RFC or some of the
TCP/IP Illustrated books for more info.
---Mike

------------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400          Network Administrator, mike@sentex.net
Sentex Communications www.sentex.net      Cambridge, Ontario Canada

From owner-freebsd-security Mon Nov 15 11: 0: 8 1999
Delivered-To: freebsd-security@freebsd.org
Received: from super-g.com (super-g.com [207.240.140.161]) by hub.freebsd.org (Postfix) with ESMTP id CFD1B14D21; Mon, 15 Nov 1999 10:59:56 -0800 (PST) (envelope-from spork@super-g.com)
Received: by super-g.com (Postfix, from userid 1000) id 64FA4BA67; Mon, 15 Nov 1999 13:59:55 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by super-g.com (Postfix) with SMTP id 4A5B0BA66; Mon, 15 Nov 1999 13:59:55 -0500 (EST)
Date: Mon, 15 Nov 1999 13:59:55 -0500 (EST)
From: spork
To: Darren Reed
Cc: Thomas Stromberg , freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, peter@FreeBSD.ORG
Subject: Re: ipfilter no longer in -CURRENT, whats the direction? (off to ipfw?)
In-Reply-To: <199910131302.XAA05892@cheops.anu.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I noticed that ipfilter is still gone... Was there any resolution here,
or is ipfilter gone for good?

All other concerns/features aside, I find the stateful inspection stuff
much easier to set up than the ipfw filtering... I only touch my firewall
once in a blue moon, and just about everything except for streaming
quicktime "just works". It would be a shame to see such a useful piece of
software go away.

My $0.02,

Charles

On Wed, 13 Oct 1999, Darren Reed wrote:

> Well, if someone had answered my question (to cvs-committers)
> about getting an account fixed up on freefall(?) so I could use
> cvs again, it might not have been forgotten about for quite so
> long. Maybe I sent the question to the "wrong place", but I
> received no answer to even indicate that! hmpf!
>
> On a conspiratorial note, I think there are numerous ipfw advocates
> within freebsd who hate that ipfilter is better >;-) Both NetBSD and
> OpenBSD ship with it, and if you're serious about security, maybe
> you should be using OpenBSD anyway, rather than FreeBSD.
>
> Darren
>
> In some mail from Thomas Stromberg, sie said:
> >
> > http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/ipnat/Attic/Makefile
> > ------------------------------------------------------------------------
> > 1.2 Sun Oct 10 15:08:35 1999 UTC by peter
> > CVS Tags: HEAD
> > Diffs to 1.1
> > FILE REMOVED
> >
> > Nuke the old antique copy of ipfilter from the tree. This is old enough
> > to be dangerous. It will better serve us as a port building a KLD,
> > ala SKIP.
> > ------------------------------------------------------------------------
> >
> > Although a heads up in -CURRENT or -security about this would have been
> > nice, ye old ipfilter is gone. I definitely cannot disagree with the
> > fact that it is an antique copy, and it's a shame that no one seems to
> > be taking care of it in the tree. At least in the past, ipfilter was for
> > many a much better option than ipfw. Has ipfw improved to the point
> > where it functions better as a company firewall than ipfilter? (Okay, so
> > the group & user firewalling is neat, but not really applicable for a
> > corporate border firewall)
> >
> > ipfilter's website: http://coombs.anu.edu.au/~avalon/ip-filter.html
> >
> > For why I feel ipfilter is better than ipfw (this post was written back
> > in December '98, ipfw may have changed greatly since):
> >
> > http://www.freebsd.org/cgi/getmsg.cgi?fetch=117538+122112+/usr/local/www/db/text/1998/freebsd-current/19981227.freebsd-current
> > (the big 'wanton atticizing discussion')
> >
> > A summary of it being:
> >
> > - Multiplatform. Runs on IRIX, Solaris, Linux. Comes shipped with
> > FreeBSD, OpenBSD, and NetBSD. Keeps us in sync with the other BSDs.
> > - Better logging than ipfw (has ipfw improved? That's why I switched to
> > ipfilter in the first place)
> >
> > It's a shame that no one seems to want to maintain ipfilter in our tree.
> > As far as a 'port building kld', I think this may not be the 'smartest'
> > way, seeing as anyone who is running a serious firewall would disable
> > kld's immediately anyhow.
> >
> > So my question is, what's the direction we're taking here?
> >
> > --
> > =======================================================================
> > Thomas Stromberg, Assistant IS Manager / Systems Guru
> > smtp://tstromberg@rtci.com Research Triangle Commerce, Inc.
> > pots://919.380.9771 x3210
> > =======================================================================

From owner-freebsd-security Mon Nov 15 11:26:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id E4D7A14D21; Mon, 15 Nov 1999 11:26:43 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id D263E1CD43D; Mon, 15 Nov 1999 11:26:43 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Mon, 15 Nov 1999 11:26:43 -0800 (PST)
From: Kris Kennaway
To: spork
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfilter no longer in -CURRENT, whats the direction? (off to ipfw?)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 15 Nov 1999, spork wrote:

> I noticed that ipfilter is still gone... Was there any resolution here,
> or is ipfilter gone for good?

Surely you read the rest of the thread wherein it was stated it's being
worked on by Guido van Rooij?

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils..

From owner-freebsd-security Mon Nov 15 15:16:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id A861C1519B; Mon, 15 Nov 1999 15:16:10 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 91FEF1CD43D; Mon, 15 Nov 1999 15:16:10 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Mon, 15 Nov 1999 15:16:10 -0800 (PST)
From: Kris Kennaway
To: John Hay
Cc: Brian Fundakowski Feldman , freebsd-security@FreeBSD.ORG
Subject: Re: ssh-1.2.27 remote buffer overflow - work around ??
In-Reply-To: <199911150602.IAA13567@zibbi.mikom.csir.co.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 15 Nov 1999, John Hay wrote:

> > reason. I can't condone this technically illegal action. The better
> > question is why aren't you using OpenSSH?
>
> Well, is there a way of not using rsh to fetch it? Our firewall doesn't
> allow incoming tcp connections and rsh needs one.

Ahh yes, remote cvs uses rsh :-(

Short of using the real SSH to fetch openSSH (which won't be useful if
you're trying to fetch openssh because you can't legally use SSH in your
situation in the first place) I can't think of another way to get it via
CVS. Perhaps we'll have to fall back to tarring up the source on a non-US
ftp server..this is probably a problem for a lot of people :-(

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils..
From owner-freebsd-security Mon Nov 15 16: 0:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from awfulhak.org (dynamic-69.max4-du-ws.dialnetwork.pavilion.co.uk [212.74.9.197]) by hub.freebsd.org (Postfix) with ESMTP id 47DE214BD0 for ; Mon, 15 Nov 1999 16:00:05 -0800 (PST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id SAA02547; Mon, 15 Nov 1999 18:42:51 GMT (envelope-from brian@lan.awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost.lan.Awfulhak.org [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id SAA01919; Mon, 15 Nov 1999 18:47:08 GMT (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <199911151847.SAA01919@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.0 09/18/1999
To: "Francisco Reyes"
Cc: "freebsd-security@FreeBSD.ORG" , "Brian Somers" , brian@hak.lan.Awfulhak.org
Subject: Re: Is this an attack? ICMP packets coming from my own IP
In-Reply-To: Message from "Francisco Reyes" of "Mon, 15 Nov 1999 06:38:13 EST." <199911151140.GAA50607@sanson.reyes.somos.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 15 Nov 1999 18:47:08 +0000
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Some days back I ran a news server, Leafnode++, for 2 days. The server got
> hijacked because I failed to secure it. Ever since I have been paying close
> attention to my logs.
>
> I have ICMP packets enabled, but I log them. Last night I noticed numerous
> ICMP packets, but the ones that worried me the most were some coming from
> an IP which is the IP I use on that box: 207.240.212.43
>
> Is this some form of attack?
>
> ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
> ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 out via tun0
> ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
> ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0
>
> How can they forge my own IP? Should I mention this to my ISP?

I suspect this is the result of pinging 207.240.212.43 from 207.240.212.43
itself. ppp turns the packets 'round so that they come straight back (see
``enable loopback'' - on by default).

--
Brian

Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Mon Nov 15 16: 6:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 735FC14F09; Mon, 15 Nov 1999 16:06:14 -0800 (PST) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id BAA07277; Tue, 16 Nov 1999 01:06:14 +0100 (CET)
Message-ID: <19991116010614.C6673@foobar.franken.de>
Date: Tue, 16 Nov 1999 01:06:14 +0100
From: Harold Gutch
To: Kris Kennaway , John Hay
Cc: Brian Fundakowski Feldman , freebsd-security@FreeBSD.ORG
Subject: Re: ssh-1.2.27 remote buffer overflow - work around ??
References: <199911150602.IAA13567@zibbi.mikom.csir.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Kris Kennaway on Mon, Nov 15, 1999 at 03:16:10PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Nov 15, 1999 at 03:16:10PM -0800, Kris Kennaway wrote:
> Short of using the real SSH to fetch openSSH (which won't be useful if
> you're trying to fetch openssh because you can't legally use SSH in your
> situation in the first place) I can't think of another way to get it via
> CVS.
>
> Perhaps we'll have to fall back to tarring up the source on a non-US ftp
> server..this is probably a problem for a lot of people :-(

I just put OpenSSH on
http://www.regensburg.franken.de/~logix/OpenSSH-991116.tgz

This simply is a tarball of the ssh-directory I got via "cvs get" from an
OpenBSD CVS-mirror. I haven't even checked whether it compiles or whether
your patches apply cleanly to it, Kris. Feel free to use it as MASTER_SITE
in a port etc.

bye,
Harold

--
Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet

From owner-freebsd-security Mon Nov 15 19:57:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 23ECB14C9C; Mon, 15 Nov 1999 19:57:48 -0800 (PST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA01172; Mon, 15 Nov 1999 20:57:44 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA01885; Mon, 15 Nov 1999 20:57:40 -0700 (MST)
Message-Id: <199911160357.UAA01885@harmony.village.org>
To: Mike Tancsa
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
Cc: freebsd-security@freebsd.org, security-officer@freebsd.org
In-reply-to: Your message of "Sun, 14 Nov 1999 00:08:12 EST." <4.1.19991114000355.04d7f230@granite.sentex.ca>
References: <4.1.19991114000355.04d7f230@granite.sentex.ca>
Date: Mon, 15 Nov 1999 20:57:39 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <4.1.19991114000355.04d7f230@granite.sentex.ca> Mike Tancsa writes:
: Is there a patch to this ? Or is openssh the way to go ?

Damn. I had a patch before taking off for the weekend, but didn't have
time to commit it. I'll commit it in a little bit if no one has done so
already.

Warner

From owner-freebsd-security Tue Nov 16 1:37:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from voland.donin.com (voland.donin.com [195.206.224.36]) by hub.freebsd.org (Postfix) with ESMTP id 286CC14D09 for ; Tue, 16 Nov 1999 01:37:33 -0800 (PST) (envelope-from bob@donin.com)
Received: from hyppo.anet.donetsk.ua (hyppo.donin.com [195.206.224.33]) by voland.donin.com (8.9.3/8.9.1) with ESMTP id LAA37977 for ; Tue, 16 Nov 1999 11:37:29 +0200 (EET) (envelope-from bob@donin.com)
Received: from azazello (azazello.donin.com [195.206.224.38]) by hyppo.anet.donetsk.ua (8.9.1/8.9.1) with SMTP id LAA14350 for ; Tue, 16 Nov 1999 11:33:53 +0200 (EET) (envelope-from bob@donin.com)
Message-Id: <199911160933.LAA14350@hyppo.anet.donetsk.ua>
Reply-To: "Vladimir A. Pokatilov"
From: "Vladimir A. Pokatilov"
Subject: named = BIND8 by ISC ?
Date: Tue, 16 Nov 1999 11:39:45 +0300
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

Do I need to do something, if I use original named of FreeBSD 3.0-Release ?
Are named and bind8 different daemons ?

Regards
--------------------------------------------------------
Vladimir A. Pokatilov
e-mail: bob@donin.com
nic-hdl: VP426-RIPE
ICQ: 17301477
--------------------------------------------------------

From owner-freebsd-security Tue Nov 16 1:44:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.interact.se (smtp1.interact.se [193.15.98.9]) by hub.freebsd.org (Postfix) with ESMTP id 91EF1151C6 for ; Tue, 16 Nov 1999 01:44:27 -0800 (PST) (envelope-from je@interact.se)
Received: from wolfie.interact.se (wolfie.interact.se [193.15.98.202]) by smtp.interact.se (InterACT Mailer) with ESMTP id KAA04316; Tue, 16 Nov 1999 10:45:30 +0100 (CET)
Date: Tue, 16 Nov 1999 10:44:11 +0100 (CET)
From: Jonas Eriksson
To: "Vladimir A. Pokatilov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: named = BIND8 by ISC ?
In-Reply-To: <199911160933.LAA14350@hyppo.anet.donetsk.ua>
X-Mascot: Homer Simpson
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You _should_ use the latest bind from ISC:
ftp://ftp.isc.org/isc/bind/src/8.2.2-P5/bind-src.tar.gz

(Or else some script kiddie will own you)

--
Jonas Eriksson

On Tue, 16 Nov 1999, Vladimir A. Pokatilov wrote:

> Hi,
> Do I need to do something, if I use original named of FreeBSD 3.0-Release ?
> Are named and bind8 different daemons ?
>

From owner-freebsd-security Tue Nov 16 8:27:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from frosty.purefusion.com (core.fedz.org [216.94.188.115]) by hub.freebsd.org (Postfix) with ESMTP id 19B3314E11 for ; Tue, 16 Nov 1999 08:27:15 -0800 (PST) (envelope-from relapz@purefusion.com)
Received: from localhost (relapz@localhost) by frosty.purefusion.com (8.9.3/8.9.3) with ESMTP id LAA01307 for ; Tue, 16 Nov 1999 11:27:12 -0500 (EST)
Date: Tue, 16 Nov 1999 11:27:11 -0500 (EST)
From: relapz
To: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
In-Reply-To: <199911160357.UAA01885@harmony.village.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Seeing as we are on the OpenSSH/ssh front, I've decided to ditch ssh in
favour of OpenSSH.

However, I seem to be getting some odd errors when someone connects to the
new OpenSSH server daemon:

Nov 16 11:18:35 <4.4> frosty sshd[1146]: set class 'default' resource limit datasize: Operation not permitted
Nov 16 11:18:35 <4.4> frosty sshd[1146]: set class 'default' resource limit stacksize: Operation not permitted
Nov 16 11:18:35 <4.4> frosty sshd[1146]: set class 'default' resource limit maxproc: Operation not permitted
Nov 16 11:18:35 <4.4> frosty sshd[1146]: set class 'default' resource limit openfiles: Operation not permitted

Can someone shed some light on what exactly causes these? Should I be
worried about a misconfig or is this normal?

thanx,
DJM:>

On Mon, 15 Nov 1999, Warner Losh wrote:

> In message <4.1.19991114000355.04d7f230@granite.sentex.ca> Mike Tancsa writes:
> : Is there a patch to this ? Or is openssh the way to go ?
>
> Damn. I had a patch before taking off for the weekend, but didn't
> have time to commit it. I'll commit it in a little bit if no one has
> done so already.
>
> Warner
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Tue Nov 16 12:14:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from super-g.com (super-g.com [207.240.140.161]) by hub.freebsd.org (Postfix) with ESMTP id 5CE8814BD4 for ; Tue, 16 Nov 1999 12:14:31 -0800 (PST) (envelope-from spork@super-g.com)
Received: by super-g.com (Postfix, from userid 1000) id DE441BADA; Tue, 16 Nov 1999 15:14:29 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by super-g.com (Postfix) with SMTP id C603EBAD8; Tue, 16 Nov 1999 15:14:29 -0500 (EST)
Date: Tue, 16 Nov 1999 15:14:29 -0500 (EST)
From: spork
To: relapz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Also, has anyone been able to get openssh to compile on a 2.2 system? The
openssl port fails due to a flag to ld which does not exist back in 2.2
land, but grabbing the source and compiling from scratch works. However
openssh fails as shown below... If anyone has patches for 2.2, please
post them.

Thanks,

Charles

/usr/ports/security/openssh/work/ssh/lib/../channels.c: In function `channel_free':
/usr/ports/security/openssh/work/ssh/lib/../channels.c:175: `SHUT_RDWR' undeclared (first use this function)
/usr/ports/security/openssh/work/ssh/lib/../channels.c:175: (Each undeclared identifier is reported only once
/usr/ports/security/openssh/work/ssh/lib/../channels.c:175: for each function it appears in.)
/usr/ports/security/openssh/work/ssh/lib/../channels.c: In function `channel_request_local_forwarding':
/usr/ports/security/openssh/work/ssh/lib/../channels.c:879: `INADDR_LOOPBACK' undeclared (first use this function)
/usr/ports/security/openssh/work/ssh/lib/../channels.c: In function `x11_create_display_inet':
/usr/ports/security/openssh/work/ssh/lib/../channels.c:1086: warning: type mismatch with previous external decl
/usr/ports/security/openssh/work/ssh/lib/../channels.c:863: warning: previous external decl of `options'
/usr/ports/security/openssh/work/ssh/lib/../channels.c:1110: `SHUT_RDWR' undeclared (first use this function)
*** Error code 1

---
Charles Sprickman
spork@super-g.com
---
"...there's no idea that's so good you can't ruin it with a few well-placed idiots."

On Tue, 16 Nov 1999, relapz wrote:

> seeing as we are on the OpenSSH/ssh front, i've decided to ditch ssh in
> favour of OpenSSH.
>
> However, I seem to be getting some odd errors when someone connects to the
> new OpenSSH server daemon:
>
> Nov 16 11:18:35 <4.4> frosty sshd[1146]: set class 'default' resource
> limit datasize: Operation not permitted
> Nov 16 11:18:35 <4.4> frosty sshd[1146]: set class 'default' resource
> limit stacksize: Operation not permitted
> Nov 16 11:18:35 <4.4> frosty sshd[1146]: set class 'default' resource
> limit maxproc: Operation not permitted
> Nov 16 11:18:35 <4.4> frosty sshd[1146]: set class 'default' resource
> limit openfiles: Operation not permitted
>
> Can someone shed some light on what exactly causes these? Should i be
> worried about a misconfig or is this normal. thanx,
>
> DJM:>
>
> On Mon, 15 Nov 1999, Warner Losh wrote:
>
> > In message <4.1.19991114000355.04d7f230@granite.sentex.ca> Mike Tancsa writes:
> > : Is there a patch to this ? Or is openssh the way to go ?
> >
> > Damn. I had a patch before taking off for the weekend, but didn't
> > have time to commit it. I'll commit it in a little bit if no one has
> > done so already.
> >
> > Warner
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Tue Nov 16 12:22:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id 42017152A5 for ; Tue, 16 Nov 1999 12:22:52 -0800 (PST) (envelope-from mike@sentex.net)
Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id PAA99775; Tue, 16 Nov 1999 15:22:51 -0500 (EST) (envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id PAA14011; Tue, 16 Nov 1999 15:22:51 -0500 (EST)
Message-Id: <3.0.5.32.19991116152108.0170f850@staff.sentex.ca>
X-Sender: mdtpop@staff.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Tue, 16 Nov 1999 15:21:08 -0500
To: spork
From: Mike Tancsa
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
Cc: freebsd-security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:14 PM 11/16/99 -0500, spork wrote:
>Also, has anyone been able to get openssh to compile on a 2.2 system? The
>openssl port fails due to a flag to ld which does not exist back in 2.2
>land, but grabbing the source and compiling from scratch works. However
>openssh fails as shown below... If anyone has patches for 2.2, please
>post them.

I can't help you with OpenSSH, but the patches for sshd have been committed
to fix the exploit in question.

---Mike
------------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administrator, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada

From owner-freebsd-security Tue Nov 16 13:13:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from super-g.com (super-g.com [207.240.140.161]) by hub.freebsd.org (Postfix) with ESMTP id 9DD7615246 for ; Tue, 16 Nov 1999 13:13:36 -0800 (PST) (envelope-from spork@super-g.com)
Received: by super-g.com (Postfix, from userid 1000) id 07E82BAE1; Tue, 16 Nov 1999 16:13:34 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by super-g.com (Postfix) with SMTP id E7D8FBADF; Tue, 16 Nov 1999 16:13:34 -0500 (EST)
Date: Tue, 16 Nov 1999 16:13:34 -0500 (EST)
From: spork
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
In-Reply-To: <3.0.5.32.19991116152108.0170f850@staff.sentex.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 16 Nov 1999, Mike Tancsa wrote:

> I can't help you with OpenSSH, but the patches for sshd have been committed
> to fix the exploit in question.

It seems www.ssh.fi has removed one of the patches necessary to compile
the port (fetch: patch-ssh-1.2.27-bsd.tty.chown: www.ssh.fi: HTTP server
returned error code 404). Anyone have a copy of this that could be put up
on ftp.freebsd.org under distfiles?

Charles

> ---Mike
> ------------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Network Administrator, mike@sentex.net
> Sentex Communications www.sentex.net
> Cambridge, Ontario Canada
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Tue Nov 16 13:38:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by hub.freebsd.org (Postfix) with ESMTP id 74F1B14BED for ; Tue, 16 Nov 1999 13:37:54 -0800 (PST) (envelope-from ust@cert.siemens.de)
X-Envelope-Sender-Is: ust@cert.siemens.de (at relayer david.siemens.de)
Received: from mail2.siemens.de (mail2.siemens.de [139.25.208.11]) by david.siemens.de (8.9.3/8.9.3) with ESMTP id WAA08829; Tue, 16 Nov 1999 22:37:51 +0100 (MET)
Received: from mars.cert.siemens.de (ust.mchp.siemens.de [139.23.201.17]) by mail2.siemens.de (8.9.3/8.9.3) with ESMTP id WAA04885; Tue, 16 Nov 1999 22:37:51 +0100 (MET)
Received: from alaska.cert.siemens.de (alaska.cert.siemens.de [139.23.202.134]) by mars.cert.siemens.de (8.9.3/8.9.3/Siemens CERT [ $Revision: 1.9 ]) with ESMTP id WAA29096; Tue, 16 Nov 1999 22:37:50 +0100 (CET)
Received: (from ust@localhost) by alaska.cert.siemens.de (8.9.3/8.9.3/alaska [ $Revision: 1.2 ]) id VAA02292; Tue, 16 Nov 1999 21:37:50 GMT (envelope-from ust)
Date: Tue, 16 Nov 1999 22:37:50 +0100
From: Udo Schweigert
To: spork
Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
Message-ID: <19991116223750.A2271@alaska.cert.siemens.de>
References: <3.0.5.32.19991116152108.0170f850@staff.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from spork@super-g.com on Tue, Nov 16, 1999 at 04:13:34PM -0500
X-Operating-System: FreeBSD 3.3-STABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Nov 16, 1999 at 04:13:34PM -0500, spork wrote:
> On Tue, 16 Nov 1999, Mike Tancsa wrote:
>
> > I can't help you with OpenSSH, but the patches for sshd have been committed
> > to fix the exploit in question.
>
> It seems www.ssh.fi has removed one of the patches necessary to compile
> the port (fetch: patch-ssh-1.2.27-bsd.tty.chown: www.ssh.fi: HTTP server
> returned error code 404). Anyone have a copy of this that could be put up
> on ftp.freebsd.org under distfiles?
>

I have it here. Whom should I mail it?

Regards.
-------------------------------------------------------------------------------
Udo Schweigert || Voice : +49 89 636 42170
Siemens AG, Siemens CERT || Fax : +49 89 636 41166
ZT IK 3 || email : Udo.Schweigert@mchp.siemens.de
D-81730 Muenchen / Germany || : ust@cert.siemens.de
PGP fingerprint || 2A 53 F6 A6 30 59 64 02 6B C4 E0 73 B2 C9 6C E7
-------------------------------------------------------------------------------

From owner-freebsd-security Tue Nov 16 13:41:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from nethead.com (nethead.com [207.246.130.2]) by hub.freebsd.org (Postfix) with ESMTP id BC36314CCB for ; Tue, 16 Nov 1999 13:41:38 -0800 (PST) (envelope-from myc@nethead.com)
Received: from localhost (myc@localhost) by nethead.com (8.8.5/8.8.3) with SMTP id NAA26079; Tue, 16 Nov 1999 13:40:18 -0800
Date: Tue, 16 Nov 1999 13:40:17 -0800 (PST)
From: Mychal McGrew
To: Udo Schweigert
Cc: spork , Mike Tancsa , freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
In-Reply-To: <19991116223750.A2271@alaska.cert.siemens.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Udo,

You could send it to me. Thanks. :-)

Mychal L. McGrew
UNIX Systems Administrator
Flying Crocodile, Inc.
myc@nethead.com

On Tue, 16 Nov 1999, Udo Schweigert wrote:

> On Tue, Nov 16, 1999 at 04:13:34PM -0500, spork wrote:
> > On Tue, 16 Nov 1999, Mike Tancsa wrote:
> >
> > > I can't help you with OpenSSH, but the patches for sshd have been committed
> > > to fix the exploit in question.
> >
> > It seems www.ssh.fi has removed one of the patches necessary to compile
> > the port (fetch: patch-ssh-1.2.27-bsd.tty.chown: www.ssh.fi: HTTP server
> > returned error code 404). Anyone have a copy of this that could be put up
> > on ftp.freebsd.org under distfiles?
> >
>
> I have it here. Whom should I mail it?
>
> Regards.
> -------------------------------------------------------------------------------
> Udo Schweigert || Voice : +49 89 636 42170
> Siemens AG, Siemens CERT || Fax : +49 89 636 41166
> ZT IK 3 || email : Udo.Schweigert@mchp.siemens.de
> D-81730 Muenchen / Germany || : ust@cert.siemens.de
> PGP fingerprint || 2A 53 F6 A6 30 59 64 02 6B C4 E0 73 B2 C9 6C E7
> -------------------------------------------------------------------------------
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Tue Nov 16 14:40:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from super-g.com (super-g.com [207.240.140.161]) by hub.freebsd.org (Postfix) with ESMTP id CDE91151CA for ; Tue, 16 Nov 1999 14:40:19 -0800 (PST) (envelope-from spork@super-g.com)
Received: by super-g.com (Postfix, from userid 1000) id E00E0BAF0; Tue, 16 Nov 1999 17:40:17 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by super-g.com (Postfix) with SMTP id CCCBCBAEF; Tue, 16 Nov 1999 17:40:17 -0500 (EST)
Date: Tue, 16 Nov 1999 17:40:17 -0500 (EST)
From: spork
To: Udo Schweigert
Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
In-Reply-To: <19991116223750.A2271@alaska.cert.siemens.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'll take it, and I can post it to our anon ftp server if that's any help...

charles

On Tue, 16 Nov 1999, Udo Schweigert wrote:

> >
> I have it here. Whom should I mail it?
>
> Regards.
> -------------------------------------------------------------------------------
> Udo Schweigert || Voice : +49 89 636 42170
> Siemens AG, Siemens CERT || Fax : +49 89 636 41166
> ZT IK 3 || email : Udo.Schweigert@mchp.siemens.de
> D-81730 Muenchen / Germany || : ust@cert.siemens.de
> PGP fingerprint || 2A 53 F6 A6 30 59 64 02 6B C4 E0 73 B2 C9 6C E7
> -------------------------------------------------------------------------------
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Tue Nov 16 18:51:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2.snfc21.pbi.net (mta2.snfc21.pbi.net [206.13.28.123]) by hub.freebsd.org (Postfix) with ESMTP id D6F8A14E13 for ; Tue, 16 Nov 1999 18:51:46 -0800 (PST) (envelope-from madscientist@thegrid.net)
Received: from remus ([63.193.246.169]) by mta2.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8) with SMTP id <0FLB007GZMIZJ3@mta2.snfc21.pbi.net> for freebsd-security@freebsd.org; Tue, 16 Nov 1999 18:49:49 -0800 (PST)
Date: Tue, 16 Nov 1999 18:47:49 -0800
From: The Mad Scientist
Subject: Tracing Spoofed Packets
X-Sender: i289861@mail.thegrid.net
To: freebsd-security@freebsd.org
Message-id: <4.1.19991116182120.0094d280@mail.thegrid.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Content-type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I doubt it, but is there ANY way to trace spoofed packets coming in from
the Internet? I've been getting these packets showing up at my border
router pretty regularly for the past few days now:

Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100 pps
Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
Nov 15 19:57:37 wormhole last message repeated 36 times
Nov 15 19:59:38 wormhole last message repeated 175 times
Nov 15 20:00:53 wormhole last message repeated 96 times

This goes on for about two hours. The logs don't show anything else
abnormal from what I can discern. I don't see any performance hit or
bandwidth drop, so it doesn't really bother me. I'd just like to figure
out what's going on.

Thanks in advance,

-Dean

From owner-freebsd-security Tue Nov 16 19: 9:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sand2.sentex.ca (sand2.sentex.ca [209.167.248.3]) by hub.freebsd.org (Postfix) with ESMTP id 9BF2F14C85 for ; Tue, 16 Nov 1999 19:09:19 -0800 (PST) (envelope-from mike@sentex.net)
Received: from gravel (ospf-mdt.sentex.net [205.211.164.81]) by sand2.sentex.ca (8.8.8/8.8.8) with SMTP id WAA20029; Tue, 16 Nov 1999 22:09:09 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <4.1.19991116215418.03da5a60@granite.sentex.ca>
X-Sender: mdtancsa@granite.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Tue, 16 Nov 1999 22:09:27 -0500
To: The Mad Scientist , freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: Tracing Spoofed Packets
In-Reply-To: <4.1.19991116182120.0094d280@mail.thegrid.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:47 PM 11/16/99 , The Mad Scientist wrote:
>I doubt it, but is there ANY way to trace spoofed packets coming in from
>the Internet? I've been getting these packets showing up at my border
>router pretty regularly for the past few days now:

Not really... You would probably have to get on the phone with each of your
upstreams, and they in turn with their upstreams and so on and so on until
you found where the cruft was coming from. How regular is it? It might
not be your case, but lately, I have seen SPAM coming from rogue sites that
have reserved addresses for MX records and such, or are pointing the
domains back to various core routers. If a mailer on your system wants to
bounce back the message to them, and your upstream is actually routing
those reserved IPs, you might get ICMP messages about them other than host
unreachables... Or if it's pointed to a router somewhere, and you have a
lot in your queue, you will see a whack of 3.3 ICMP unreachable messages...

>Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100
>pps
>Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6
>10.0.1.2 in
>via ed0

Is this your ipfw rule blocking the incoming icmp packet? Or your ipfw
rule saying block said ip packets from 10.1.6.6? If so, what is 10.1.6.6
sending you? Try something like

ipfw add 398 count log ip from 10.0.0.0/12 to any
ipfw add 399 count log icmp from 10.0.0.0/12 to any

and then your

ipfw add 400 deny log ip from 10.0.0.0/12 ....
---Mike
**********************************************************************
Mike Tancsa, Network Admin * mike@sentex.net
Sentex Communications Corp, * http://www.sentex.net/mike
Cambridge, Ontario * 519 651 3400
Canada *

From owner-freebsd-security Tue Nov 16 20: 8:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id F18CF14FBE for ; Tue, 16 Nov 1999 20:08:48 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id UAA20089; Tue, 16 Nov 1999 20:08:38 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199911170408.UAA20089@gndrsh.dnsmgr.net>
Subject: Re: Tracing Spoofed Packets
In-Reply-To: <4.1.19991116182120.0094d280@mail.thegrid.net> from The Mad Scientist at "Nov 16, 1999 06:47:49 pm"
To: madscientist@thegrid.net (The Mad Scientist)
Date: Tue, 16 Nov 1999 20:08:37 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I doubt it, but is there ANY way to trace spoofed packets coming in from
> the Internet? I've been getting these packets showing up at my border
> router pretty regularly for the past few days now:

First step is to complain to your peering ISP on this border router; they
should be dropping all RFC1918 src or dst addressed packets at their
border. They probably have an internal leak, or one of their customers
does.

The only way of tracking these down is getting good cooperation from the
technical people you are connected to on this link and having them search
their borders for the source, then instituting correct AS policy and
dropping these things like they already should be.

Many people have long used a poor filter list for this, simply filtering
for dst only; current best practice is to filter on either src or dst
being in RFC1918 space (and a few others too, like unless you support
mcast peering with your adjacent AS's you should drop src or dst 224/12 as
well, and don't forget to filter 127/8, etc, etc... :-)

>
> Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100
> pps
> Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6
> 10.0.1.2 in
> via ed0
> Nov 15 19:57:37 wormhole last message repeated 36 times
> Nov 15 19:59:38 wormhole last message repeated 175 times
> Nov 15 20:00:53 wormhole last message repeated 96 times
>
> This goes on for about two hours.
> The logs don't show anything else abnormal from what I can discern. I
> don't see any performance hit or bandwidth drop, so it doesn't really
> bother me. I'd just like to figure out what's going on.
> Thanks in advance,
> -Dean

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Tue Nov 16 20:13:06 1999
From: "Rodney W. Grimes"
Message-Id: <199911170412.UAA20102@gndrsh.dnsmgr.net>
Subject: Re: Tracing Spoofed Packets
In-Reply-To: <4.1.19991116215418.03da5a60@granite.sentex.ca> from Mike Tancsa at "Nov 16, 1999 10:09:27 pm"
To: mike@sentex.net (Mike Tancsa)
Date: Tue, 16 Nov 1999 20:12:44 -0800 (PST)
Cc: madscientist@thegrid.net (The Mad Scientist), freebsd-security@FreeBSD.ORG

> At 09:47 PM 11/16/99 , The Mad Scientist wrote:
> >I doubt it, but is there ANY way to trace spoofed packets coming in from
> >the Internet? I've been getting these packets showing up at my border
> >router pretty regularly for the past few days now:
>
> Not really... You would probably have to get on the phone with each of your
> upstreams, and they in turn with their upstreams and so on and so on until
> you found where the cruft was coming from. How regular is it? It might
> not be your case, but lately, I have seen SPAM coming from rogue sites that
> have reserved addresses for MX records and such, or are pointing the
> domains back to various core routers. If a mailer on your system wants to

That reminds me of a hack I started working on that someone really should
do. In gated for routing we have the ``martians list'' of IP addresses
that it won't listen to nobody nohow about routing for; well, it would
be really sweet if bind/named could also have this, so that these bogus
NS records with RFC1918 addresses in them (mostly due to misconfigured
internal nameservers leaking info to the internet) could be easily ignored
by those of us who know how to do it correctly.
Just to see how bad it is, go do an ndc dump on a nameserver handling any
large mailing list and search for RFC1918 addresses, or turn on filter
logging to RFC1918 space and watch how often your mail server hits on them...

> bounce back the message to them, and your upstream is actually routing
> those reserved IPs, you might get ICMP messages about them other than host
> unreachables... Or if it's pointed to a router somewhere, and you have a lot
> in your queue, you will see a whack of 3.3 ICMP unreachable messages...
>
> >Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100 pps
> >Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
>
> Is this your ipfw rule blocking the incoming icmp packet? Or your ipfw
> rule saying block said ip packets from 10.1.6.6? If so, what is 10.1.6.6
> sending you? Try something like
>
>   ipfw add 398 count log ip from 10.0.0.0/12 to any
>   ipfw add 399 count log icmp from 10.0.0.0/12 to any
>
> and then your
>
>   ipfw add 400 deny log ip from 10.0.0.0/12 ....
> ---Mike

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Tue Nov 16 20:25:12 1999
Date: Tue, 16 Nov 1999 20:20:46 -0800
From: The Mad Scientist
Subject: Re: Tracing Spoofed Packets
In-reply-to: <199911170408.UAA20089@gndrsh.dnsmgr.net>
To: freebsd-security@freebsd.org
Message-id: <4.1.19991116201529.00962920@mail.thegrid.net>
References: <4.1.19991116182120.0094d280@mail.thegrid.net>

At 08:08 PM 11/16/99 -0800, you wrote:
>> I doubt it, but is there ANY way to trace spoofed packets coming in from
>> the Internet? I've been getting these packets showing up at my border
>> router pretty regularly for the past few days now:
>
>First step is to complain to your peering ISP on this border router,
>they should be dropping all RFC1918 src or dst addressed packets at
>their border. They probably have an internal leak, or one of their
>customers does.

I'll give that a try. I'm just a Pac Bell DSL customer so I'm not
expecting too much from them.

>The only way of tracking these down is getting good cooperation from the
>technical people you are connected to on this link and having them search
>their borders for the source, then instituting correct AS policy and
>dropping these things like they already should be.
>
>Many people have long used a poor filter list for this, simply filtering
>for dst only, current best practice is to filter on either src or dst
>being in RFC1918 space (and a few others too, like unless you support
>mcast peering with your adjacent AS's you should drop src or dst 224/12
>as well, and don't forget to filter 127/8, etc, etc... :-)

All taken care of at the border. :-) Even filtering for dest only, this
one should have been dropped (dest was 10.0.1.2).... I'm not running any
routing protocols, so I have no idea how my ISP's router got the idea that
it should send me packets for 10.0.1.2.
>> Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100 pps
>> Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
>> Nov 15 19:57:37 wormhole last message repeated 36 times
>> Nov 15 19:59:38 wormhole last message repeated 175 times
>> Nov 15 20:00:53 wormhole last message repeated 96 times
>>
>> This goes on for about two hours. The logs don't show anything else
>> abnormal from what I can discern. I don't see any performance hit or
>> bandwidth drop, so it doesn't really bother me. I'd just like to figure
>> out what's going on.
>> Thanks in advance,
>> -Dean
>
>--
>Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Tue Nov 16 20:25:16 1999
Date: Tue, 16 Nov 1999 20:15:03 -0800
From: The Mad Scientist
Subject: Re: Tracing Spoofed Packets
In-reply-to: <4.1.19991116215418.03da5a60@granite.sentex.ca>
To: freebsd-security@freebsd.org
Message-id: <4.1.19991116200004.0094ded0@mail.thegrid.net>
References: <4.1.19991116182120.0094d280@mail.thegrid.net>

At 10:09 PM 11/16/99 -0500, you wrote:
>At 09:47 PM 11/16/99 , The Mad Scientist wrote:
>>I doubt it, but is there ANY way to trace spoofed packets coming in from
>>the Internet? I've been getting these packets showing up at my border
>>router pretty regularly for the past few days now:
>
>Not really... You would probably have to get on the phone with each of your
>upstreams, and they in turn with their upstreams and so on and so on until
>you found where the cruft was coming from. How regular is it?

That's what I was afraid of. My most immediate upstream is Pac Bell and
their oh-so-intelligent customer service department, so I'm not even going
to try.... Maybe I'll send an email complaining that they should be
dropping these sorts of packets.

>It might
>not be your case, but lately, I have seen SPAM coming from rogue sites that
>have reserved addresses for MX records and such, or are pointing the
>domains back to various core routers. If a mailer on your system wants to
>bounce back the message to them, and your upstream is actually routing
>those reserved IPs, you might get ICMP messages about them other than host
>unreachables... Or if it's pointed to a router somewhere, and you have a lot
>in your queue, you will see a whack of 3.3 ICMP unreachable messages...

Very clever. I get my incoming mail from my ISP's pop server and block
smtp connections at the borders, so it doesn't sound like that. I wonder
if one of my applications is trying to connect to some reserved IP.
>>Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100 pps
>>Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
>
>Is this your ipfw rule blocking the incoming icmp packet? Or your ipfw
>rule saying block said ip packets from 10.1.6.6? If so, what is 10.1.6.6
>sending you? Try something like

This is my border filter reporting that it dropped a packet from 10.1.6.6
destined for 10.0.1.2 of type 3.13. I don't use 10.1.6.6 in my internal
networks, but 10.0.1.2 is one of my workstations. If I notice the packets
again, I'll set up a sniffer and dump the packets.

>  ipfw add 398 count log ip from 10.0.0.0/12 to any
>  ipfw add 399 count log icmp from 10.0.0.0/12 to any
>and then your
>  ipfw add 400 deny log ip from 10.0.0.0/12 ....
>
> ---Mike

From owner-freebsd-security Tue Nov 16 20:34:21 1999
Message-Id: <4.1.19991116232931.047e6220@granite.sentex.ca>
Date: Tue, 16 Nov 1999 23:34:03 -0500
To: The Mad Scientist
From: Mike Tancsa
Subject: Re: Tracing Spoofed Packets
Cc: freebsd-security@freebsd.org
In-Reply-To: <4.1.19991116201529.00962920@mail.thegrid.net>
References: <199911170408.UAA20089@gndrsh.dnsmgr.net> <4.1.19991116182120.0094d280@mail.thegrid.net>

At 11:20 PM 11/16/99 , The Mad Scientist wrote:
>I'll give that a try. I'm just a Pac Bell dsl customer so I'm not
>expecting too much from them.

dsl... Hmmm.. It could very well be something in the redback units leaking
cruft out. Hard to say, but it might be something innocent like that.

---Mike

From owner-freebsd-security Tue Nov 16 20:41:13 1999
To: phk@critter.freebsd.dk
Cc: beyssac@enst.fr
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-Reply-To: <19991110025853X.shin@nd.net.fujitsu.co.jp>
References: <19991110022852N.shin@nd.net.fujitsu.co.jp> <24337.942169052@critter.freebsd.dk> <19991110025853X.shin@nd.net.fujitsu.co.jp> <19991110013913.A5181@enst.fr>
Message-Id: <19991117134132S.shin@nd.net.fujitsu.co.jp>
Date: Wed, 17 Nov 1999 13:41:32 +0900
From: Yoshinobu Inoue

> > I'm not against adding IPv6 functionality to jail(2), my point is
> > merely that until somebody who has sufficient time & ability to
> > fiddle with it does it, it's not going to happen.
> >
> > The usual rule applies:
> >
> > "Great idea, why don't you send me patches which does this ?"
>
> OK, then I'll try making patches and send you.
> My current Idea is that adding a new member, a pointer to
> sockaddr to the jail structure, and leave current ip_number
> member for backward compatibility.
> (Also with associated changes in kernel and the jail command)

> There's been a discussion a few weeks ago on freebsd-security on
> this very matter. See attached mail below.
>
> The conclusion was that jail(2) should be fixed to use a sockaddr
> instead of a 32 bit int to specify the address.
>
> That seems to be the first logical step, even before making jail(2)
> IPv6-compliant.

In implementing the jail sockaddr extension trial, I found some problems,
and now have a possible solution.

problems:

-Any process in a jail might want to use several protocol families at
 the same time. So jail(2) needs to specify every address of those
 possible address families (AF_INET, AF_INET6, AF_IPX, AF_APPLETALK,
 and so on). To do this, the jail structure needs to have not only a
 sockaddr but a list of several sockaddrs, and they are specified via
 jail(2). But I don't like such an extension, because,

 -It is complicated. Error checking will be difficult.

 -The user interface will also become complicated, and difficult to use.

 -As already commented, checking those addresses which are already
  specified by other jail'ed processes is necessary.

solution:

 Don't specify addresses via jail(2), and let the kernel select
 any non-bound address. Loop over the in_ifaddr list and try
 in_pcblookup_hash() for each of the addresses, just as in_pcbbind
 does it to search for a non-bound port.
A weak point of this solution is that processes in the same jail won't
necessarily be bound to the same address, but does it matter?

Yoshinobu Inoue

From owner-freebsd-security Tue Nov 16 21:58:53 1999
To: Yoshinobu Inoue
Cc: beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-reply-to: Your message of "Wed, 17 Nov 1999 13:41:32 +0900." <19991117134132S.shin@nd.net.fujitsu.co.jp>
Date: Wed, 17 Nov 1999 06:58:16 +0100
Message-ID: <28858.942818296@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <19991117134132S.shin@nd.net.fujitsu.co.jp>, Yoshinobu Inoue writes:
>solution:
> Don't specify addresses via jail(2), and let the kernel select
> any non-bound address.

No, that doesn't work. People want to run servers so they want
to know their IP for DNS.

>A weak point of this solution is that processes in the same jail
>won't necessarily be bound to the same address, but does it
>matter?

Yes, that also matters; this is an administrative facility.

--
Poul-Henning Kamp FreeBSD coreteam member
phk@FreeBSD.ORG "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Tue Nov 16 22:12:37 1999
To: phk@critter.freebsd.dk
Cc: beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-Reply-To: <28858.942818296@critter.freebsd.dk>
References: <19991117134132S.shin@nd.net.fujitsu.co.jp> <28858.942818296@critter.freebsd.dk>
Message-Id: <19991117151309T.shin@nd.net.fujitsu.co.jp>
Date: Wed, 17 Nov 1999 15:13:09 +0900
From: Yoshinobu Inoue

> >solution:
> > Don't specify addresses via jail(2), and let the kernel select
> > any non-bound address.
>
> No, that doesn't work. People want to run servers so they want
> to know their IP for DNS.

Hmmm, I wish I could just let jail(2) pass a DNS name into the kernel,
but the implementation in the kernel won't be easy nor clean....

Yoshinobu Inoue

From owner-freebsd-security Tue Nov 16 22:30:56 1999
To: phk@critter.freebsd.dk
Cc: beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-Reply-To: <19991117151309T.shin@nd.net.fujitsu.co.jp>
References: <19991117134132S.shin@nd.net.fujitsu.co.jp> <28858.942818296@critter.freebsd.dk> <19991117151309T.shin@nd.net.fujitsu.co.jp>
Message-Id: <19991117153126C.shin@nd.net.fujitsu.co.jp>
Date: Wed, 17 Nov 1999 15:31:26 +0900
From: Yoshinobu Inoue

> > > Don't specify addresses via jail(2), and let the kernel select
> > > any non-bound address.
> > No, that doesn't work. People want to run servers so they want
> > to know their IP for DNS.
> Hmmm, I wish I could just let jail(2) pass a DNS name into
> the kernel, but the implementation in the kernel won't be easy
> nor clean....

Then I have a new proposal which might not be so clean, but I think it
is somewhat practical.

-Only think about inet and inet6. Forget about other protocol
 families and sockaddr. (Just as the current jail only thinks about inet.)

-Just add an in6_addr structure (IPv6 address) member "ip6_number"
 into the jail structure.

-Jail(2) specifies "ip_number" and/or "ip6_number" into the kernel.

-The kernel treats "ip6_number" as just the same kind of extension
 for IPv6 as "ip_number" is for IPv4.

-The jail(8) command can also accept a DNS name, and then it resolves
 the name internally and,
  if an A record is obtained, specifies its address into "ip_number";
  if an AAAA record is obtained, also specifies its address into "ip6_number".

Yoshinobu Inoue

From owner-freebsd-security Tue Nov 16 22:35:35 1999
To: freebsd@gndrsh.dnsmgr.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Tracing Spoofed Packets
From: sthaug@nethelp.no
In-Reply-To: Your message of "Tue, 16 Nov 1999 20:12:44 -0800 (PST)"
References: <199911170412.UAA20102@gndrsh.dnsmgr.net>
Date: Wed, 17 Nov 1999 07:35:29 +0100
Message-ID: <87189.942820529@verdi.nethelp.no>

> That reminds me of a hack I started working on that someone really should
> do. In gated for routing we have the ``martians list'' of ip addresses
> that it won't listen to nobody nohow about routing for, well, it would
> be really sweet if bind/named could also have this, so that these bogus
> NS records with RFC1918 addresses in them (mostly due to misconfigured
> internal nameservers leaking info to the internet) could be easily ignored
> by those of us who know how to do it correctly.

BIND already does a similar thing for 0.0.0.0, 127.0.0.1 etc. See the
code from BIND 8.2.2-P3 src/bin/named/ns_forw.c included below. It
should be easy enough to extend this list - but it would be even better
if the list was configurable, of course.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
        if (ina_hlong(ina_get(dp->d_data)) == INADDR_ANY) {
                static const char *complaint =
                        "Bogus (0.0.0.0) A RR";
                nslookupComplain(sysloginfo, syslogdname,
                                 complaint, dname, dp, nsdp);
                continue;
        }
#ifdef INADDR_LOOPBACK
        if (ina_hlong(ina_get(dp->d_data))==INADDR_LOOPBACK) {
                static const char *complaint =
                        "Bogus LOOPBACK A RR";
                nslookupComplain(sysloginfo, syslogdname,
                                 complaint, dname, dp, nsdp);
                continue;
        }
#endif
#ifdef INADDR_BROADCAST
        if (ina_hlong(ina_get(dp->d_data))==INADDR_BROADCAST){
                static const char *complaint =
                        "Bogus BROADCAST A RR";
                nslookupComplain(sysloginfo, syslogdname,
                                 complaint, dname, dp, nsdp);
                continue;
        }
#endif
#ifdef IN_MULTICAST
        if (IN_MULTICAST(ina_hlong(ina_get(dp->d_data)))) {
                static const char *complaint =
                        "Bogus MULTICAST A RR";
                nslookupComplain(sysloginfo, syslogdname,
                                 complaint, dname, dp, nsdp);
                continue;
        }
#endif

From owner-freebsd-security Tue Nov 16 23:37:08 1999
From: "Rodney W. Grimes"
Message-Id: <199911170736.XAA20577@gndrsh.dnsmgr.net>
Subject: Re: Tracing Spoofed Packets
In-Reply-To: <87189.942820529@verdi.nethelp.no> from "sthaug@nethelp.no" at "Nov 17, 1999 07:35:29 am"
To: sthaug@nethelp.no
Date: Tue, 16 Nov 1999 23:36:46 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG

> > That reminds me of a hack I started working on that someone really should
> > do. In gated for routing we have the ``martians list'' of ip addresses
> > that it won't listen to nobody nohow about routing for, well, it would
> > be really sweet if bind/named could also have this, so that these bogus
> > NS records with RFC1918 addresses in them (mostly due to misconfigured
> > internal nameservers leaking info to the internet) could be easily ignored
> > by those of us who know how to do it correctly.
>
> BIND already does a similar thing for 0.0.0.0, 127.0.0.1 etc. See the
> code from BIND 8.2.2-P3 src/bin/named/ns_forw.c included below. It
> should be easy enough to extend this list - but it would be even better
> if the list was configurable, of course.

Yea... there is the code that needs hacked^H^H^H^Hfixed to take a config
list of addresses. Hard coding this in the source was a mistake; it also
leaves out lots of potential ``Bogus''. And, for some of us, refuses some
data that is actually valid to us:

netstat -rn
...
OSPF-ALL.MCAST.NET localhost UH 1 607 lo0
OSPF-DSIG.MCAST.NE localhost UH 1 4 lo0

I can't do a forward lookup on OSPF-ALL.MCAST.NET due to the code below,
something that I would like to do (okay, so I already hacked my named not
to reject this one, and hacked it to reject a lot of others, but it is
just that, a bunch of hacks!!)
Someone with some time on their hands please de-hardcode these addresses,
add a configuration item (I like the gated name of ``martians'') and
submit it to Vixie for the next release...) or maybe even ask Paul about
doing it...

> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
> ----------------------------------------------------------------------
>         if (ina_hlong(ina_get(dp->d_data)) == INADDR_ANY) {
>                 static const char *complaint =
>                         "Bogus (0.0.0.0) A RR";
>                 nslookupComplain(sysloginfo, syslogdname,
>                                  complaint, dname, dp, nsdp);
>                 continue;
>         }
> #ifdef INADDR_LOOPBACK
>         if (ina_hlong(ina_get(dp->d_data))==INADDR_LOOPBACK) {
>                 static const char *complaint =
>                         "Bogus LOOPBACK A RR";
>                 nslookupComplain(sysloginfo, syslogdname,
>                                  complaint, dname, dp, nsdp);
>                 continue;
>         }
> #endif
> #ifdef INADDR_BROADCAST
>         if (ina_hlong(ina_get(dp->d_data))==INADDR_BROADCAST){
>                 static const char *complaint =
>                         "Bogus BROADCAST A RR";
>                 nslookupComplain(sysloginfo, syslogdname,
>                                  complaint, dname, dp, nsdp);
>                 continue;
>         }
> #endif
> #ifdef IN_MULTICAST
>         if (IN_MULTICAST(ina_hlong(ina_get(dp->d_data)))) {
>                 static const char *complaint =
>                         "Bogus MULTICAST A RR";
>                 nslookupComplain(sysloginfo, syslogdname,
>                                  complaint, dname, dp, nsdp);
>                 continue;
>         }
> #endif

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Wed Nov 17 00:27:46 1999
Date: Wed, 17 Nov 1999 09:27:40 +0100
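As an added illustration of the configurable list Rod Grimes asks for above, and of the hard-coded ns_forw.c checks Steinar Haug quoted, here is a small C sketch of my own; it is not BIND's code, not FreeBSD's, and not anything either poster wrote. The names struct martian, martian_match(), martian_check_in() and martian_check() are hypothetical, the table is constructed for the example, and its RFC1918 entries go beyond the four cases the quoted BIND 8.2.2-P3 code rejects:

```c
/*
 * Added example (not BIND's or FreeBSD's code): the ns_forw.c checks
 * quoted above, de-hardcoded into a table a nameserver could load from
 * its configuration, the way gated loads its "martians" list.
 * struct martian, martian_match() and the table are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

struct martian {
    const char *prefix;     /* dotted-quad network address */
    int plen;               /* prefix length in bits, 0..32 */
    const char *complaint;  /* text to log when an A RR matches */
};

/*
 * Constructed default list.  Multicast is deliberately last so a site that
 * needs to resolve names like OSPF-ALL.MCAST.NET (224.0.0.5) can pass the
 * list with one fewer entry instead of patching the source.
 */
static const struct martian default_martians[] = {
    { "0.0.0.0",         32, "Bogus (0.0.0.0) A RR" },
    { "127.0.0.0",        8, "Bogus LOOPBACK A RR" },
    { "255.255.255.255", 32, "Bogus BROADCAST A RR" },
    { "10.0.0.0",         8, "Bogus RFC1918 A RR" },
    { "172.16.0.0",      12, "Bogus RFC1918 A RR" },
    { "192.168.0.0",     16, "Bogus RFC1918 A RR" },
    { "224.0.0.0",        4, "Bogus MULTICAST A RR" },
};
#define NMARTIANS (sizeof default_martians / sizeof default_martians[0])

/* Network-byte-order mask for a prefix length; plen 0 matches everything. */
static uint32_t prefix_mask(int plen) {
    if (plen <= 0) return 0;
    if (plen >= 32) return 0xffffffffu;
    return htonl(0xffffffffu << (32 - plen));
}

/*
 * Return the complaint for the first matching entry, or NULL if addr is
 * not a martian.  addr is in network byte order, as in struct in_addr, so
 * a record's rdata can be compared without conversion.
 */
const char *martian_match(const struct martian *list, size_t n, struct in_addr addr) {
    for (size_t i = 0; i < n; i++) {
        struct in_addr net;
        if (inet_pton(AF_INET, list[i].prefix, &net) != 1)
            continue;  /* malformed config entry: skip it, never match everything */
        uint32_t m = prefix_mask(list[i].plen);
        if ((addr.s_addr & m) == (net.s_addr & m))
            return list[i].complaint;
    }
    return NULL;
}

/* Same check from dotted-quad text against an arbitrary list. */
const char *martian_check_in(const struct martian *list, size_t n, const char *dotted) {
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return "unparseable address";
    return martian_match(list, n, a);
}

/* Check against the default list. */
const char *martian_check(const char *dotted) {
    return martian_check_in(default_martians, NMARTIANS, dotted);
}

int main(void) {
    /* Constructed sample rdata, including the 10.1.6.6 from the ipfw logs above. */
    const char *samples[] = { "10.1.6.6", "224.0.0.5", "198.145.92.4", "0.0.0.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *c = martian_check(samples[i]);
        printf("%-16s %s\n", samples[i], c ? c : "ok");
    }
    return 0;
}
```

A real implementation would read the table from named.conf and log through the same nslookupComplain() path the quoted code uses; keeping the matcher table-driven also means an operator who, like Rod, needs 224.0.0.5 to resolve removes one line of configuration rather than carrying a local patch.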
From: Guido van Rooij
To: spork
Cc: Darren Reed , Thomas Stromberg , freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, peter@FreeBSD.ORG
Subject: Re: ipfilter no longer in -CURRENT, whats the direction? (off to ipfw?)
Message-ID: <19991117092740.A19785@gvr.gvr.org>
References: <199910131302.XAA05892@cheops.anu.edu.au>
In-Reply-To: ; from spork on Mon, Nov 15, 1999 at 01:59:55PM -0500

On Mon, Nov 15, 1999 at 01:59:55PM -0500, spork wrote:
> I noticed that ipfilter is still gone... Was there any resolution here,
> or is ipfilter gone for good?
>
> All other concerns/features aside, I find the stateful inspection stuff
> much easier to setup than the ipfw filtering... I only touch my firewall
> once in a blue moon, and just about everything except for streaming
> quicktime "just works". It would be a shame to see such a useful piece of
> software go away.

I am in the process of getting it in again. Due to the CVS meister being
swamped at this moment things are a bit delayed. The plan is to revive it
in the same way it was before, with the addition of a KLD.

-Guido

From owner-freebsd-security Wed Nov 17 06:50:52 1999
Message-ID: <012101bf310c$20c911c0$fd01a8c0@pacbell.net>
From: "John Howie"
To: "The Mad Scientist" , "Mike Tancsa"
Cc:
References: <199911170408.UAA20089@gndrsh.dnsmgr.net> <4.1.19991116182120.0094d280@mail.thegrid.net> <4.1.19991116232931.047e6220@granite.sentex.ca>
Subject: Re: Tracing Spoofed Packets
Date: Wed, 17 Nov 1999 06:57:54 -0800

If you have the Alcatel DSL ANT box (the standard with PacBell DSL) it
uses an IP address of 10.0.0.138 for its internal Web Server. You can
connect to the ANT using a standard browser and carry out administration
tasks. It may be that someone's ANT is broken or they have (badly)
reconfigured it. From a security standpoint, this would be potentially
serious as you could then hack their ANT.

john...

----- Original Message -----
From: "Mike Tancsa" To: "The Mad Scientist" Cc: Sent: Tuesday, November 16, 1999 8:34 PM Subject: Re: Tracing Spoofed Packets > At 11:20 PM 11/16/99 , The Mad Scientist wrote: > >I'll give that a try. I'm just a Pac Bell dsl customer so I'm not > >expecting too much from them. > > dsl... Hmmm.. It could very well be something in the redback units leaking > cruft out. Hard to say, but it might be something innocent like that. > > ---Mike > > ********************************************************************** > Mike Tancsa, Network Admin * mike@sentex.net > Sentex Communications Corp, * http://www.sentex.net/mike > Cambridge, Ontario * 519 651 3400 > Canada * > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 7:36:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 44CE214E09; Wed, 17 Nov 1999 07:36:41 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id IAA00291; Wed, 17 Nov 1999 08:59:04 +0100 (CET) (envelope-from phk@critter.freebsd.dk) To: Yoshinobu Inoue Cc: beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Should jail treat ip-number? In-reply-to: Your message of "Wed, 17 Nov 1999 15:31:26 +0900." <19991117153126C.shin@nd.net.fujitsu.co.jp> Date: Wed, 17 Nov 1999 08:59:03 +0100 Message-ID: <289.942825543@critter.freebsd.dk> 
From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <19991117153126C.shin@nd.net.fujitsu.co.jp>, Yoshinobu Inoue writes: >-Only think about inet and inet6. Forget about other protocol > families and sockaddr. > (Just as the current jail only thinks about inet.) This has basically been the policy until now: Don't worry about a protocol until somebody needs it. >-Just add an in6_addr structure (IPv6 address) member > "ip6_number" into the jail structure. > >-Jail(2) specifies "ip_number" and/or "ip6_number" into the kernel. Well, I guess we want it to be "and", right ? Will people want to bind both an IPv4 and an IPv6 address (does it make sense to do so ?) or will people only need to bind one of them ? >-Kernel treats "ip6_number" as just the same kind of extension > for IPv6 as "ip_number" for IPv4. I'm not against them being sockaddr's. >-Jail(8) command can also accept a DNS name, and then it resolves > the name internally and, > if an A record is obtained, specifies its address into "ip_number". > if an AAAA record is obtained, also specifies its address into "ip6_number". Sure, this is trivial to do. -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 7:49:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from above.net (lowfat.above.net [207.126.96.177]) by hub.freebsd.org (Postfix) with ESMTP id BBDE014EFB for ; Wed, 17 Nov 1999 07:49:19 -0800 (PST) (envelope-from pperreault@above.net) Received: from pete (host-179.above.net [207.126.96.179]) by above.net (8.9.1/8.8.5) with SMTP id HAA03780 for ; Wed, 17 Nov 1999 07:49:18 -0800 (PST) Reply-To:
From: "Pete Perreault" To: Subject: MD5/DES passwords Date: Wed, 17 Nov 1999 07:41:32 -0800 Message-ID: <003401bf3112$39165340$c6e211ac@above.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It appears that the encrypted passwords within master.passwd file use the MD5 algorithm. Is there a way to change this to DES? Alternatively, is there a way to create DES encrypted passwords? thanks for the help. Pete To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 7:54:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from trinity.euromedia.pl (trinity.euromedia.pl [212.160.118.18]) by hub.freebsd.org (Postfix) with ESMTP id 06E92152EF for ; Wed, 17 Nov 1999 07:53:53 -0800 (PST) (envelope-from rafal@euromedia.pl) Received: from pc4.euromedia.pl ([212.160.118.24]:5638 "HELO pc4" ident: "NO-IDENT-SERVICE[2]" smtp-auth: TLS-CIPHER: TLS-CCERT: ) by trinity.euromedia.pl with SMTP id ; Wed, 17 Nov 1999 16:55:40 +0100 Message-ID: <00ba01bf3113$ef7c3ea0$1876a0d4@euromedia.pl> 
From: "Rafal Banaszkiewicz" To: , References: <003401bf3112$39165340$c6e211ac@above.net> Subject: Odp: MD5/DES passwords Date: Wed, 17 Nov 1999 16:53:37 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2417.2000 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > It appears that the encrypted passwords within master.passwd file use the > MD5 algorithm. Is there a way to change this to DES? Alternatively, is > there a way to create DES encrypted passwords? > You must change some symlinks in the /usr/lib directory. It's described in the Handbook :) > thanks for the help. > > Pete > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 9: 0:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from super-g.com (super-g.com [207.240.140.161]) by hub.freebsd.org (Postfix) with ESMTP id BBF6314A01 for ; Wed, 17 Nov 1999 09:00:06 -0800 (PST) (envelope-from spork@super-g.com) Received: by super-g.com (Postfix, from userid 1000) id 5532DBB4E; Wed, 17 Nov 1999 12:00:02 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by super-g.com (Postfix) with SMTP id 2A72EBB4D; Wed, 17 Nov 1999 12:00:02 -0500 (EST) Date: Wed, 17 Nov 1999 12:00:02 -0500 (EST)
From: spork To: Udo Schweigert Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org OK, I've put the patch here: ftp://ftp2.inch.com/pub/FreeBSD/patch-ssh-1.2.27-bsd.tty.chown Charles On Tue, 16 Nov 1999, spork wrote: > I'll take it, and I can post it to our anon ftp server if that's any > help... > > charles > > On Tue, 16 Nov 1999, Udo Schweigert wrote: > > > > > I have it here. Whom should I mail it? > > > > Regards. > > ------------------------------------------------------------------------------- > > Udo Schweigert || Voice : +49 89 636 42170 > > Siemens AG, Siemens CERT || Fax : +49 89 636 41166 > > ZT IK 3 || email : Udo.Schweigert@mchp.siemens.de > > D-81730 Muenchen / Germany || : ust@cert.siemens.de > > PGP fingerprint || 2A 53 F6 A6 30 59 64 02 6B C4 E0 73 B2 C9 6C E7 > > ------------------------------------------------------------------------------- > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 9: 1:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from kronos.alcnet.com (kronos.alcnet.com [63.69.28.22]) by hub.freebsd.org (Postfix) with ESMTP id 538F414A21 for ; Wed, 17 Nov 1999 09:01:44 -0800 (PST) (envelope-from kbyanc@posi.net) X-Provider: ALC Communications, Inc. 
http://www.alcnet.com/ Received: from localhost (kbyanc@localhost) by kronos.alcnet.com (8.9.3/8.9.3/antispam) with ESMTP id MAA08461 for ; Wed, 17 Nov 1999 12:01:40 -0500 (EST) Date: Wed, 17 Nov 1999 12:01:40 -0500 (EST) From: Kelly Yancey X-Sender: kbyanc@kronos.alcnet.com To: freebsd-security@freebsd.org Subject: kernel stack contents visible from userland Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Is there any security concern with a portion of the kernel's stack being visible from userland? The reason I ask is that while investigating another issue, I noticed that the stat family of calls (and probably others) leak kernel stack contents into userland via spare struct stat fields (I imagine other structures have similar behavior with regards to the padding between fields for alignment). The attached (simple) patch, applied in /sys/kern, fixes it for stat and family. That is, assuming that this is something that needs fixing :) -- Kelly Yancey - kbyanc@posi.net - Richmond, VA Director of Technical Services, ALC Communications http://www.alcnet.com/ Maintainer, BSD Driver Database http://www.posi.net/freebsd/drivers/ Coordinator, Team FreeBSD http://www.posi.net/freebsd/Team-FreeBSD/
--- kern_descrip.c.orig Mon Nov 15 22:11:57 1999 +++ kern_descrip.c Mon Nov 15 22:27:43 1999 @@ -548,9 +548,11 @@ panic("ofstat"); /*NOTREACHED*/ } - cvtstat(&ub, &oub); - if (error == 0) + if (error == 0) { + bzero(&oub, sizeof (oub)); + cvtstat(&ub, &oub); error = copyout((caddr_t)&oub, (caddr_t)uap->sb, sizeof (oub)); + } return (error); } #endif /* COMPAT_43 || COMPAT_SUNOS */ @@ -578,6 +580,7 @@ if ((unsigned)uap->fd >= fdp->fd_nfiles || (fp = fdp->fd_ofiles[uap->fd]) == NULL) return (EBADF); + bzero(&ub, sizeof (ub)); switch (fp->f_type) { case DTYPE_FIFO:
@@ -646,6 +649,7 @@ /*NOTREACHED*/ } if (error == 0) { + bzero(&nub, sizeof (nub)); cvtnstat(&ub, &nub); error = copyout((caddr_t)&nub, (caddr_t)uap->sb, sizeof (nub)); } --- vfs_syscalls.c.orig Mon Nov 15 23:25:48 1999 +++ vfs_syscalls.c Mon Nov 15 23:29:08 1999 @@ -1514,6 +1514,7 @@ vput(nd.ni_vp); if (error) return (error); + bzero(&osb, sizeof (osb)); cvtstat(&sb, &osb); error = copyout((caddr_t)&osb, (caddr_t)SCARG(uap, ub), sizeof (osb)); return (error); @@ -1552,6 +1553,7 @@ vput(vp); if (error) return (error); + bzero(&osb, sizeof (osb)); cvtstat(&sb, &osb); error = copyout((caddr_t)&osb, (caddr_t)SCARG(uap, ub), sizeof (osb)); return (error); @@ -1613,6 +1615,7 @@ SCARG(uap, path), p); if (error = namei(&nd)) return (error); + bzero(&sb, sizeof (sb)); error = vn_stat(nd.ni_vp, &sb, p); vput(nd.ni_vp); if (error) @@ -1648,6 +1651,7 @@ SCARG(uap, path), p); if (error = namei(&nd)) return (error); + bzero(&sb, sizeof (sb)); vp = nd.ni_vp; error = vn_stat(vp, &sb, p); vput(vp); @@ -1707,6 +1711,7 @@ vput(nd.ni_vp); if (error) return (error); + bzero(&nsb, sizeof (nsb)); cvtnstat(&sb, &nsb); error = copyout((caddr_t)&nsb, (caddr_t)SCARG(uap, ub), sizeof (nsb)); return (error); 
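Review bot: in the @@ -548,9 +548,11 @@ hunk (ofstat), moving `cvtstat(&ub, &oub);` under `if (error == 0) {` is a control-flow change on top of the zeroing: before the patch cvtstat() ran even when the preceding switch had left `error` set and `ub` unfilled. That is the right thing to do (no conversion of an unfilled struct on the error path), but the covering mail only talks about clearing spare fields, so state the flow change explicitly when this is submitted. The `bzero(&oub, sizeof (oub));` before cvtstat() covers alignment padding in struct ostat as well as its spare fields, which is why it has to be the whole object and not just the spare members.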
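Review bot: in the @@ -578,6 +580,7 @@ hunk (fstat), `bzero(&ub, sizeof (ub));` sits before `switch (fp->f_type)`, so the full struct stat is cleared on every fstat() call regardless of which per-type case fills it. That is what makes the copyout safe for padding bytes, which clearing only st_lspare and st_qspare in cvtstat() would not achieve; the cost is a full-struct bzero on a hot path, so it is worth a quick measurement, and a one-line comment above the bzero saying it exists for padding and spare fields would stop it being removed as "redundant" later.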
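Review bot: the @@ -1514,6 +1514,7 @@ hunk (ostat) adds the same `bzero(&osb, sizeof (osb)); cvtstat(&sb, &osb);` pair that the -1552 hunk (olstat) and the kern_descrip.c -548 hunk also add, and the nstat hunks repeat it around cvtnstat(). Moving the bzero into cvtstat() and cvtnstat() themselves would fix every caller in one place and remove the chance that a future caller of either converter forgets it; if the bzero stays at the call sites, at least keep the two-line pattern identical everywhere so it is greppable.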
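Review bot: in the @@ -1648,6 +1651,7 @@ hunk (lstat) the `bzero(&sb, sizeof (sb));` is inserted before `vp = nd.ni_vp;`, whereas the -1613 hunk (stat) places it immediately before the `vn_stat()` call; pick one placement for both so the two functions read the same. Clearing before vn_stat() rather than after it is the correct order, since vn_stat() only assigns the fields it knows about, and the `if (error)` check that follows vn_stat() in both hunks already keeps an unfilled struct from reaching copyout.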
@@ -1745,6 +1750,7 @@ vput(vp); if (error) return (error); + bzero(&nsb, sizeof (nsb)); cvtnstat(&sb, &nsb); error = copyout((caddr_t)&nsb, (caddr_t)SCARG(uap, ub), sizeof (nsb)); return (error); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 9:28: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 8977B14C59 for ; Wed, 17 Nov 1999 09:27:46 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id JAA64140; Wed, 17 Nov 1999 09:27:42 -0800 (PST) (envelope-from dillon) Date: Wed, 17 Nov 1999 09:27:42 -0800 (PST) 
From: Matthew Dillon Message-Id: <199911171727.JAA64140@apollo.backplane.com> To: Kelly Yancey Cc: freebsd-security@FreeBSD.ORG Subject: Re: kernel stack contents visible from userland References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org : : Is there any security concern with a portion of the kernel's stack being :visible from userland? The reason I ask is that while investigating :another issue, I noticed that the stat family of calls (and probably others) :leak kernel stack contents into userland via spare struct stat fields (I :imagine other structures have similar behavior with regards to the padding :between fields for alignment). : : The attached (simple) patch, applied in /sys/kern fixes it for stat and :family. That is, assuming that this is something that needs fixing :) : :-- :Kelly Yancey - kbyanc@posi.net - Richmond, VA Since the kernel stack is per-process, I don't think there is any security concern. But you've definitely uncovered an undesired trait so I think your patch is a good one. -Matt Matthew Dillon :Director of Technical Services, ALC Communications http://www.alcnet.com/ :Maintainer, BSD Driver Database http://www.posi.net/freebsd/drivers/ :Coordinator, Team FreeBSD http://www.posi.net/freebsd/Team-FreeBSD/ : :--- kern_descrip.c.orig Mon Nov 15 22:11:57 1999 :+++ kern_descrip.c Mon Nov 15 22:27:43 1999 :@@ -548,9 +548,11 @@ : panic("ofstat"); : /*NOTREACHED*/ : } :- cvtstat(&ub, &oub); :...
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 9:38:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id A4D231533F for ; Wed, 17 Nov 1999 09:38:00 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id SAA01856; Wed, 17 Nov 1999 18:37:26 +0100 (CET) (envelope-from phk@critter.freebsd.dk) To: Kelly Yancey Cc: freebsd-security@FreeBSD.ORG Subject: Re: kernel stack contents visible from userland In-reply-to: Your message of "Wed, 17 Nov 1999 12:01:40 EST." Date: Wed, 17 Nov 1999 18:37:26 +0100 Message-ID: <1854.942860246@critter.freebsd.dk> 
From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , Kelly Yancey writes: > > Is there any security concern with a portion of the kernel's stack being >visible from userland? Not as far as I can tell. The kernel stack is per process, and the kernel generally doesn't muck with data structures until it has checked permissions, so there doesn't seem to be much reason to take the performance overhead of zeroing out stuff. -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 10:31:30 1999 Delivered-To: freebsd-security@freebsd.org Received: from peach.ocn.ne.jp (peach.ocn.ne.jp [210.145.254.87]) by hub.freebsd.org (Postfix) with ESMTP id 883F815047; Wed, 17 Nov 1999 10:31:23 -0800 (PST) (envelope-from dcs@newsguy.com) Received: from newsguy.com ([210.163.200.123]) by peach.ocn.ne.jp (8.9.1a/OCN) with ESMTP id DAA24919; Thu, 18 Nov 1999 03:30:48 +0900 (JST) Message-ID: <3832F11A.6D206BEC@newsguy.com> Date: Thu, 18 Nov 1999 03:16:58 +0900
From: "Daniel C. Sobral" X-Mailer: Mozilla 4.7 [en] (Win98; I) X-Accept-Language: en,pt-BR,ja MIME-Version: 1.0 To: Yoshinobu Inoue Cc: phk@critter.freebsd.dk, beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Should jail treat ip-number? References: <19991110022852N.shin@nd.net.fujitsu.co.jp> <24337.942169052@critter.freebsd.dk> <19991110025853X.shin@nd.net.fujitsu.co.jp> <19991110013913.A5181@enst.fr> <19991117134132S.shin@nd.net.fujitsu.co.jp> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Yoshinobu Inoue wrote: > > -As already commented, checking those addresses which > are already specified by other jail'ed processes is necessary. I disagree. The address is specified by the admin of the machine. Letting him shoot himself in the foot is not particularly bad, and the test can be performed by the userland tools used to manage the machine. > solution: > Don't specify addresses via jail(2), and let the kernel select > any unbound address. > Loop over the in_ifaddr list and try in_pcblookup_hash() for each > of the addresses, just as in_pcbbind does it to search for an > unbound port. > > A weak point of this solution is that processes in the same jail > won't necessarily be bound to the same address, but does it > matter? Ok, question: I "buy" a virtual server on the machine to run an internet daemon of mine. I need the IP to that server to access the daemon. How does the admin of the machine ensure that _my_ jail will always have the fixed IP assigned to me with your solution? -- Daniel C. Sobral (8-DCS) dcs@newsguy.com dcs@freebsd.org "Then again maybe not going to heaven would be a blessing. Relkin liked a certain amount of peace and harmony, since there'd been a pronounced shortage of them in his own life; however, nothing but peace and harmony, forever and forever? He wasn't sure about that. And no beer? Very dubious proposition."
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 13: 1:45 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 78B7614E05; Wed, 17 Nov 1999 13:01:44 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 6595B1CD43A; Wed, 17 Nov 1999 13:01:44 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Wed, 17 Nov 1999 13:01:44 -0800 (PST) From: Kris Kennaway To: peterp@above.net Cc: freebsd-security@freebsd.org Subject: Re: MD5/DES passwords In-Reply-To: <003401bf3112$39165340$c6e211ac@above.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 17 Nov 1999, Pete Perreault wrote: > It appears that the encrypted passwords within master.passwd file use the > MD5 algorithm. Is there a way to change this to DES? Alternatively, is > there a way to create DES encrypted passwords? Check the archives. This comes up approx. every 2 weeks. Kris ---- Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils.. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 13:12:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from green.myip.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 42CA414EC7 for ; Wed, 17 Nov 1999 13:12:14 -0800 (PST) (envelope-from green@FreeBSD.org) Received: from localhost ([127.0.0.1] ident=green) by green.myip.org with esmtp (Exim 3.02 #1) id 11oCIN-000Iyf-00; Wed, 17 Nov 1999 16:07:16 -0500 Date: Wed, 17 Nov 1999 16:07:14 -0500 (EST) 
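An added example for the MD5/DES question above; it is not from the thread or from FreeBSD's own tools. The replies say the hash family libcrypt produces is chosen through the /usr/lib symlinks documented in the Handbook, and before flipping those it helps to know which format the entries already in master.passwd use. The program below classifies each password field by its on-disk shape: `$1$` + salt + `$` + 22 characters for MD5 crypt, exactly 13 characters from the crypt alphabet for traditional DES crypt, `*` or `!` for accounts with no password login. The master.passwd lines and the hash strings in them are constructed for the demo and are not digests of any real password.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum hash_kind { HASH_NONE, HASH_LOCKED, HASH_DES, HASH_MD5, HASH_UNKNOWN };

/* Constructed master.passwd excerpt: the hashes have the right shape but
 * are not derived from any password. */
const char *const SAMPLE_MASTER_PASSWD =
    "root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:0:0::0:0:Charlie &:/root:/bin/csh\n"
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin\n"
    "pete:ab/CDEFGHIJ.K:1001:1001::0:0:Pete Perreault:/home/pete:/bin/sh\n"
    "bogus:notahash:1002:1002::0:0:Bad entry:/home/bogus:/bin/sh\n";

/* crypt(3) writes salts and hashes using this 64-character alphabet. */
static int is_crypt_char(char c)
{
    return c == '.' || c == '/' || isalnum((unsigned char)c);
}

static int all_crypt_chars(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!is_crypt_char(s[i]))
            return 0;
    return 1;
}

/* Classify one password field by shape. Traditional DES crypt: exactly 13
 * alphabet chars (2 salt + 11 hash). MD5 crypt: "$1$", 1-8 salt chars,
 * "$", 22 hash chars. A leading '*' or '!' means no password login. */
enum hash_kind classify_hash(const char *field)
{
    size_t len = strlen(field);
    if (len == 0)
        return HASH_NONE;
    if (field[0] == '*' || field[0] == '!')
        return HASH_LOCKED;
    if (strncmp(field, "$1$", 3) == 0) {
        const char *salt = field + 3;
        const char *sep = strchr(salt, '$');
        if (sep == NULL || sep == salt || sep - salt > 8)
            return HASH_UNKNOWN;
        const char *hash = sep + 1;
        if (strlen(hash) != 22 || !all_crypt_chars(salt, (size_t)(sep - salt))
            || !all_crypt_chars(hash, 22))
            return HASH_UNKNOWN;
        return HASH_MD5;
    }
    if (len == 13 && all_crypt_chars(field, 13))
        return HASH_DES;
    return HASH_UNKNOWN;
}

/* Copy the second colon-separated field (the password) of one line. */
int passwd_field(const char *line, size_t linelen, char *out, size_t outlen)
{
    const char *end = line + linelen;
    const char *p = memchr(line, ':', linelen);
    if (p == NULL)
        return -1;
    p++;
    const char *q = memchr(p, ':', (size_t)(end - p));
    if (q == NULL || (size_t)(q - p) >= outlen)
        return -1;
    memcpy(out, p, (size_t)(q - p));
    out[q - p] = '\0';
    return 0;
}

/* Walk a master.passwd-style text and count entries whose hash is `kind`. */
int count_accounts(const char *text, enum hash_kind kind)
{
    int n = 0;
    const char *line = text;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char field[256];
        if (passwd_field(line, len, field, sizeof field) == 0
            && classify_hash(field) == kind)
            n++;
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return n;
}

int main(void)
{
    printf("DES: %d  MD5: %d  locked: %d  unknown: %d\n",
           count_accounts(SAMPLE_MASTER_PASSWD, HASH_DES),
           count_accounts(SAMPLE_MASTER_PASSWD, HASH_MD5),
           count_accounts(SAMPLE_MASTER_PASSWD, HASH_LOCKED),
           count_accounts(SAMPLE_MASTER_PASSWD, HASH_UNKNOWN));
    return 0;
}
```

Run it against a copy of /etc/master.passwd (read as root; the file is mode 600) to see how many accounts would be affected by changing the libcrypt symlinks: an entry whose hash was produced by one algorithm keeps working only while the matching library is the one linked, so the audit tells you which users need a password reset after the switch.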
From: Brian Fundakowski Feldman X-Sender: green@green.myip.org To: Matthew Dillon Cc: Kelly Yancey , freebsd-security@FreeBSD.ORG Subject: Re: kernel stack contents visible from userland In-Reply-To: <199911171727.JAA64140@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Since the kernel stack is per-process, I don't think there is any > security concern. But you've definitely uncovered an undesired > trait so I think your patch is a good one. > > -Matt > Matthew Dillon > I'd be more inclined to, in any case, zero the memory. If you return a struct, you should be able to know exactly whether or not X data-field is valid. You can't do this if parts contain "random" memory. -- Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! / green@FreeBSD.org `------------------------------' To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 14:21:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 8ED9B14D02 for ; Wed, 17 Nov 1999 14:21:27 -0800 (PST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id PAA08508; Wed, 17 Nov 1999 15:21:25 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA19404; Wed, 17 Nov 1999 15:21:42 -0700 (MST) Message-Id: <199911172221.PAA19404@harmony.village.org> To: Kelly Yancey Subject: Re: kernel stack contents visible from userland Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Wed, 17 Nov 1999 12:01:40 EST." References: Date: Wed, 17 Nov 1999 15:21:42 -0700 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Kelly Yancey writes: : Is there any security concern with a portion of the kernel's stack being : visible from userland? The reason I ask is that while investigating : another issue, I noticed that the stat family of calls (and probably others) : leak kernel stack contents into userland via spare struct stat fields (I : imagine other structures have similar behavior with regards to the padding : between fields for alignment). These patches look good. I wonder if there might be an easier way to accomplish this. I don't see anything here that is a security risk, per se, since most of the stat struct is always filled in before the copyout. Which fields in stat are not explicitly used? I would have expected them all to be filled in in all cases. It would likely be faster to just wonk on st_lspare and st_qspare[2] in cvtstat... Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 14:26:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 2951F14D00 for ; Wed, 17 Nov 1999 14:26:15 -0800 (PST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id PAA08564; Wed, 17 Nov 1999 15:26:12 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA19501; Wed, 17 Nov 1999 15:26:27 -0700 (MST) Message-Id: <199911172226.PAA19501@harmony.village.org> To: Jonas Eriksson Subject: Re: named = BIND8 by ISC ? Cc: "Vladimir A. Pokatilov" , freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Tue, 16 Nov 1999 10:44:11 +0100."
References: Date: Wed, 17 Nov 1999 15:26:27 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Jonas Eriksson writes: : You _should_ use the latest bind from ISC: : : ftp://ftp.isc.org/isc/bind/src/8.2.2-P5/bind-src.tar.gz : : (Or else some script kiddie will own you) Are you *SURE* about the owning part? 8.1.2 doesn't have a remote root exploit in it. It does have some DoS in it which need to be corrected.... Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 14:26:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id BCAE415355 for ; Wed, 17 Nov 1999 14:26:44 -0800 (PST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id PAA08574; Wed, 17 Nov 1999 15:26:42 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA19535; Wed, 17 Nov 1999 15:26:59 -0700 (MST) Message-Id: <199911172226.PAA19535@harmony.village.org> To: "Vladimir A. Pokatilov" Subject: Re: named = BIND8 by ISC ? Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Tue, 16 Nov 1999 11:39:45 +0300." <199911160933.LAA14350@hyppo.anet.donetsk.ua> References: <199911160933.LAA14350@hyppo.anet.donetsk.ua> Date: Wed, 17 Nov 1999 15:26:59 -0700 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199911160933.LAA14350@hyppo.anet.donetsk.ua> "Vladimir A. Pokatilov" writes: : Do I need to do something, if I use the original named of FreeBSD 3.0-Release ? If you are using FreeBSD 3.0 RELEASE you have bigger problems to worry about than just bind... Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 14:42:35 1999 Delivered-To: freebsd-security@freebsd.org Received: from kronos.alcnet.com (kronos.alcnet.com [63.69.28.22]) by hub.freebsd.org (Postfix) with ESMTP id A0C6514A1D for ; Wed, 17 Nov 1999 14:42:29 -0800 (PST) (envelope-from kbyanc@alcnet.com) X-Provider: ALC Communications, Inc. http://www.alcnet.com/ Received: from kbyanc (ws-41.alcnet.com [63.69.28.41]) by kronos.alcnet.com (8.9.3/8.9.3/antispam) with SMTP id RAA15573; Wed, 17 Nov 1999 17:42:23 -0500 (EST)
From: "Kelly Yancey" To: "'Warner Losh'" , "'Kelly Yancey'" Cc: Subject: RE: kernel stack contents visible from userland Date: Wed, 17 Nov 1999 17:42:22 -0500 Message-ID: <000801bf314d$03fe3f20$291c453f@kbyanc.alcnet.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 In-reply-to: <199911172221.PAA19404@harmony.village.org> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > These patches look good. I wonder if there might be an easier way to > accomplish this. I don't see anything here that is a security risk, > per se, since most of the stat struct is always filled in before the > copyout. Which fields in stat are not explicitly used? I would have > expected them all to be filled in in all cases. It would likely be > faster to just wonk on st_lspare and st_qspare[2] in cvtstat... > > Warner > Those are the culprits: the 2 spare fields. In the case of the application I was developing when I noticed this, alignment padding was also an issue; that's why I chose bzero().
I'd be glad to make a new patch set tonight when I get home, assuming someone doesn't beat me to it :) Kelly -- Kelly Yancey - kbyanc@posi.net - Richmond, VA Director of Technical Services, ALC Communications http://www.alcnet.com/ Maintainer, BSD Driver Database http://www.posi.net/freebsd/drivers/ Coordinator, Team FreeBSD http://www.posi.net/freebsd/Team-FreeBSD/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 15:26:55 1999 Delivered-To: freebsd-security@freebsd.org Received: from schuimpje.snt.utwente.nl (schuimpje.snt.utwente.nl [130.89.238.4]) by hub.freebsd.org (Postfix) with ESMTP id 1C1D414C1D; Wed, 17 Nov 1999 15:26:50 -0800 (PST) (envelope-from jeroen@vangelderen.org) Received: from vangelderen.org (wit395301.student.utwente.nl [130.89.235.121]) by schuimpje.snt.utwente.nl (Postfix) with ESMTP id D806628B2; Thu, 18 Nov 1999 00:26:49 +0100 (CET) Message-ID: <38333989.9C4A0383@vangelderen.org> Date: Thu, 18 Nov 1999 00:26:01 +0100
From: "Jeroen C. van Gelderen" X-Mailer: Mozilla 4.61 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Poul-Henning Kamp Cc: Yoshinobu Inoue , beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Should jail treat ip-number? References: <289.942825543@critter.freebsd.dk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Poul-Henning Kamp wrote: > >-Jail(2) specify "ip_number" and/or "ip6_number" into the kernel. > > Well, I guess we want it to be "and", right ? Will people want to > bind both a IPv4 and IPv6 address (does it make sense to do so ?) > or will people only need to bind one of them ? What about multiple IPv6 or IPv4 addresses per jail? It might be a good idea while Inoue-san is at it. Or is this an incredibly stupid question? Cheers, Jeroen -- Jeroen C. van Gelderen - jeroen@vangelderen.org Interesting read: http://www.vcnet.com/bms/ JLF To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 15:43:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id DB49B1523B; Wed, 17 Nov 1999 15:43:12 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id PAA23345; Wed, 17 Nov 1999 15:40:49 -0800 (PST) (envelope-from freebsd) 
From: "Rodney W. Grimes" Message-Id: <199911172340.PAA23345@gndrsh.dnsmgr.net> Subject: Re: Should jail treat ip-number? In-Reply-To: <38333989.9C4A0383@vangelderen.org> from "Jeroen C. van Gelderen" at "Nov 18, 1999 00:26:01 am" To: jeroen@vangelderen.org (Jeroen C. van Gelderen) Date: Wed, 17 Nov 1999 15:40:49 -0800 (PST) Cc: phk@critter.freebsd.dk (Poul-Henning Kamp), shin@nd.net.fujitsu.co.jp (Yoshinobu Inoue), beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Poul-Henning Kamp wrote: > > >-Jail(2) specify "ip_number" and/or "ip6_number" into the kernel. > > > > Well, I guess we want it to be "and", right ? Will people want to > > bind both an IPv4 and an IPv6 address (does it make sense to do so ?) > > or will people only need to bind one of them ? > > What about multiple IPv6 or IPv4 addresses per jail? It might be a > good idea while Inoue-san is at it. Or is this an incredibly stupid > question? I don't know how technically difficult it would be to allow multiple IPv4 and IPv6 addresses per jail, but I can think of a few very good things to do with it. I spend a fair amount of time playing with routing protocols and it would be wonderful to be able to create jailed versions of gated/zebra/rodscode on the same box and watch them interact. It would probably cut the size of my hardware lab used for this now in half or maybe even quarter it!
-- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 17 17:25:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from kronos.alcnet.com (kronos.alcnet.com [63.69.28.22]) by hub.freebsd.org (Postfix) with ESMTP id 0541415073 for ; Wed, 17 Nov 1999 17:25:46 -0800 (PST) (envelope-from kbyanc@posi.net) X-Provider: ALC Communications, Inc. http://www.alcnet.com/ Received: from localhost (kbyanc@localhost) by kronos.alcnet.com (8.9.3/8.9.3/antispam) with ESMTP id UAA18512; Wed, 17 Nov 1999 20:25:43 -0500 (EST) Date: Wed, 17 Nov 1999 20:25:43 -0500 (EST) 
From: Kelly Yancey
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel stack contents visible from userland
In-Reply-To: <199911172221.PAA19404@harmony.village.org>

On Wed, 17 Nov 1999, Warner Losh wrote:

> These patches look good. I wonder if there might be an easier way to
> accomplish this. I don't see anything here that is a security risk,
> per se, since most of the stat struct is always filled in before the
> copyout. Which fields in stat are not explicitly used? I would have
> expected them all to be filled in in all cases. It would likely be
> faster to just wonk on st_lspare and st_qspare[2] in cvstat...

I wrote new patches which were less intrusive and only cleared the spare
fields rather than bzero'ing the entire structure. I've submitted the
patches with PR kern/14966.

On a related note, these patches still solve my original problem of
being able to compare stat structures. I found that, at least on
FreeBSD/i386, I can reliably memcmp() two stat structures and determine
when a file's status has changed (even on filesystems without ctime). All
is right in the world. :)

Thanks for the feedback,

Kelly

--
Kelly Yancey - kbyanc@posi.net - Richmond, VA
Director of Technical Services, ALC Communications http://www.alcnet.com/
Maintainer, BSD Driver Database http://www.posi.net/freebsd/drivers/
Coordinator, Team FreeBSD http://www.posi.net/freebsd/Team-FreeBSD/


From owner-freebsd-security Wed Nov 17 17:36:29 1999
Date: Wed, 17 Nov 1999 17:36:26 -0800
From: Chris Piazza
To: spork
Cc: Udo Schweigert, Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
Message-ID: <19991117173626.B262@norn.ca.eu.org>
In-Reply-To: from spork@super-g.com on Wed, Nov 17, 1999 at 12:00:02PM -0500

On Wed, Nov 17, 1999 at 12:00:02PM -0500, spork wrote:
> OK, I've put the patch here:
>
> ftp://ftp2.inch.com/pub/FreeBSD/patch-ssh-1.2.27-bsd.tty.chown
>
> Charles

Thanks, I added it to the port.

-Chris
--
cpiazza@home.net cpiazza@FreeBSD.org
Abbotsford, BC, Canada


From owner-freebsd-security Wed Nov 17 18:21:04 1999
From: Yoshinobu Inoue
To: phk@critter.freebsd.dk
Cc: beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-Reply-To: <289.942825543@critter.freebsd.dk>
References: <19991117153126C.shin@nd.net.fujitsu.co.jp> <289.942825543@critter.freebsd.dk> <199911172340.PAA23345@gndrsh.dnsmgr.net>
Message-Id: <19991118042404X.shin@nd.net.fujitsu.co.jp>
Date: Thu, 18 Nov 1999 04:24:04 +0900

> >-Jail(2) specify "ip_number" and/or "ip6_number" into the kernel.
>
> Well, I guess we want it to be "and", right ? Will people want to
> bind both an IPv4 and IPv6 address (does it make sense to do so ?)
> or will people only need to bind one of them ?

I also think it is "and", but maybe some time some application
just uses one of them and specifies the other family's addr as
null. So I used "and/or".

> > What about multiple IPv6 or IPv4 addresses per jail? It might be a
> > good idea while Inoue-san is at it. Or is this an incredibly stupid
> > question?
>
> I don't know how technically difficult it would be to allow multiple
> IPv4 and IPv6 addresses per jail, but I can think of a few very good
> things to do with it. I spend a fair amount of time playing with
> routing protocols and it would be wonderful to be able to create
> jailed versions of gated/zebra/rodscode on the same box and watch
> them interact. It would probably cut the size of my hardware lab
> used for this now in half or maybe even quarter it!

I'm not sure if multiple addrs for each address family will
be useful or not.

But at least, I think several other changes (e.g. a kernel routing
table implementation change, or preparing several virtual ones
in user-land) will also be necessary for several instances of
each routing protocol implementation to operate on a system.

> >-Kernel treat "ip6_number" as just a same kind of extension
> > for IPv6 as "ip_number" for IPv4.
>
> I'm not against them being sockaddr's.

I think it depends on if we allow multiple addrs per address
family.

If we don't allow it, I think sockaddr is not better, because,

-Need to explicitly forbid multiple same-family
 specification (e.g. either of the sockaddrs is AF_INET) as API.

-Kernel side also needs to check the (1) case, and do some
 additional work.
 (return error, or prefer the former or the latter)

-When more sockaddr's are added in the future, things will
 be more complicated.

If we allow it (multiple addrs per address family), then I
think a sockaddr list pointer member, and a total sockaddr's
number member should be added, and they are searched in
prison_ip(), prison_ip6() or such like that in kernel.

But again, I'm not sure how multiple addrs per address family
is useful.

If explicit needs for "multiple addrs per address family" are
not clear now, I would like to try to implement just adding
the ip6_number member for this time.

Yoshinobu Inoue


From owner-freebsd-security Wed Nov 17 18:48:22 1999
Message-ID: <38336910.AA589DD2@netquick.net>
Date: Wed, 17 Nov 1999 21:48:48 -0500
From: TrouBle
To: "freebsd-questions@freebsd.org", freebsd-security@freebsd.org
Subject: secure filesystem wiping

Is there anything that will securely delete data from the freespace of a
filesystem? Say I have like financial data on my system, and I want it
deleted. I can rm some-file-name,

but in actuality even though it's gone, various forensic utilities make
the data recoverable.

Is there something to wipe the freespace on FreeBSD file systems? To
make deleted data unrecoverable?

--
Windows 95 (win-DOH-z), n. A thirty-two bit extension and graphical
shell to a sixteen bit patch to an eight bit operating system
originally coded for a four bit microprocessor which was used in a PC
built by a formerly two bit company that couldn't stand one bit of
competition.


From owner-freebsd-security Wed Nov 17 18:58:15 1999
From: Darren Reed
Message-Id: <199911180258.NAA27440@cairo.anu.edu.au>
Subject: Re: secure filesystem wiping
To: trouble@netquick.net
Date: Thu, 18 Nov 1999 13:58:47 +1100 (Australia/NSW)
Cc: freebsd-questions@FreeBSD.ORG (freebsd-questions@freebsd.org), freebsd-security@FreeBSD.ORG
In-Reply-To: <38336910.AA589DD2@netquick.net> from "TrouBle" at Nov 17, 1999 09:48:48 PM

In some mail from TrouBle, sie said:
>
> Is there anything that will securely delete data from the freespace of a
> filesystem? Say I have like financial data on my system, and I want it
> deleted. I can rm some-file-name,
>
> but in actuality even though it's gone, various forensic utilities make
> the data recoverable.
>
> Is there something to wipe the freespace on FreeBSD file systems? To
> make deleted data unrecoverable?

alias rm "cp /dev/zero \!1; rm \!1"

or something like that


From owner-freebsd-security Wed Nov 17 20:09:03 1999
From: Darren Reed
Message-Id: <199911180408.PAA12677@cairo.anu.edu.au>
Subject: Re: secure filesystem wiping
To: drwho@xnet.com (Michael Maxwell)
Date: Thu, 18 Nov 1999 15:08:35 +1100 (Australia/NSW)
Cc: freebsd-security@freebsd.org
In-Reply-To: <19991117213207.B21362@atlas.topquark.org> from "Michael Maxwell" at Nov 17, 1999 09:32:07 PM

In some mail from Michael Maxwell, sie said:
>
> On Thu, Nov 18, 1999 at 01:58:47PM +1100, Darren Reed wrote:
> > alias rm "cp /dev/zero \!1; rm \!1"
> >
> > or something like that
>
> I don't know how truthful this is, but I have heard rumor that a skilled
> data recovery expert (one with a very strong desire to see what you have
> deleted), is capable of reading at least SOME data that has been written
> over several times (something to do with extracting recognized patterns,
> not really sure).
>
> U.S. government security "experts" state that one should write random
> garbage over data no less than 17 times before it can be considered
> secure.

For the truly paranoid, the only secure way to delete files is
destroying the physical medium used for storage. I know government
departments do destroy media. Simple overwrites are not enough, be it
1, 17 or 17,000.


From owner-freebsd-security Wed Nov 17 20:17:21 1999
From: "Rodney W. Grimes"
Message-Id: <199911180416.UAA23680@gndrsh.dnsmgr.net>
Subject: Re: Should jail treat ip-number?
In-Reply-To: <19991118042404X.shin@nd.net.fujitsu.co.jp> from Yoshinobu Inoue at "Nov 18, 1999 04:24:04 am"
To: shin@nd.net.fujitsu.co.jp (Yoshinobu Inoue)
Date: Wed, 17 Nov 1999 20:16:48 -0800 (PST)
Cc: phk@critter.freebsd.dk, beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG

> > >-Jail(2) specify "ip_number" and/or "ip6_number" into the kernel.
> >
> > Well, I guess we want it to be "and", right ? Will people want to
> > bind both an IPv4 and IPv6 address (does it make sense to do so ?)
> > or will people only need to bind one of them ?
>
> I also think it is "and", but maybe some time some application
> just uses one of them and specifies the other family's addr as
> null. So I used "and/or".
>
> > > What about multiple IPv6 or IPv4 addresses per jail? It might be a
> > > good idea while Inoue-san is at it. Or is this an incredibly stupid
> > > question?
> >
> > I don't know how technically difficult it would be to allow multiple
> > IPv4 and IPv6 addresses per jail, but I can think of a few very good
> > things to do with it. I spend a fair amount of time playing with
> > routing protocols and it would be wonderful to be able to create
> > jailed versions of gated/zebra/rodscode on the same box and watch
> > them interact. It would probably cut the size of my hardware lab
> > used for this now in half or maybe even quarter it!
>
> I'm not sure if multiple addrs for each address family will
> be useful or not.

Just about anything useful in a non-jailed world is useful in a
jailed world.

Other applications for this would be a jailed NAT router, the ability
to jail our dual-homed DNS and web services where everything is fully
redundant right down to dual NICs in every box, dual switches and 2 IPs
on separate blocks with DNS running on 2 boxes at 4 IPs. We do things
for telcos and they are really big into redundancy by duality, and that
means 2 IPs inside a jail, or 2 jails.

>
> But at least, I think several other changes (e.g. a kernel routing
> table implementation change, or preparing several virtual ones
> in user-land) will also be necessary for several instances of
> each routing protocol implementation to operate on a system.

You're correct, I had not taken that thought far enough to think about
the fact that the kernel routing table is a shared resource. Is it
protected from modification by a jailed process?

>
> > >-Kernel treat "ip6_number" as just a same kind of extension
> > > for IPv6 as "ip_number" for IPv4.
> >
> > I'm not against them being sockaddr's.
>
> I think it depends on if we allow multiple addrs per address
> family.
>
> If we don't allow it, I think sockaddr is not better, because,
>
> -Need to explicitly forbid multiple same-family
>  specification (e.g. either of the sockaddrs is AF_INET) as API.
>
> -Kernel side also needs to check the (1) case, and do some
>  additional work.
>  (return error, or prefer the former or the latter)
>
> -When more sockaddr's are added in the future, things will
>  be more complicated.
>
> If we allow it (multiple addrs per address family), then I
> think a sockaddr list pointer member, and a total sockaddr's
> number member should be added, and they are searched in
> prison_ip(), prison_ip6() or such like that in kernel.
>
> But again, I'm not sure how multiple addrs per address family
> is useful.
>
> If explicit needs for "multiple addrs per address family" are
> not clear now, I would like to try to implement just adding
> the ip6_number member for this time.

I think that this is probably the best path at this time.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net


From owner-freebsd-security Wed Nov 17 20:23:38 1999
From: David G Andersen
Message-Id: <199911180423.VAA11225@faith.cs.utah.edu>
Subject: Re: secure filesystem wiping
To: trouble@netquick.net
Date: Wed, 17 Nov 1999 21:23:31 -0700 (MST)
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <38336910.AA589DD2@netquick.net> from "TrouBle" at Nov 17, 99 09:48:48 pm

This thread was discussed at *agonizing* length about 6 months or a year
ago. You might want to check the archive, at:

http://www.freebsd.org/search/

Lots of good solutions and advice, and lots of bad, were discussed. But
it's all there for you to peruse...

Lo and behold, TrouBle once said:
>
> Is there anything that will securely delete data from the freespace of a
> filesystem? Say I have like financial data on my system, and I want it
> deleted. I can rm some-file-name,
>
> but in actuality even though it's gone, various forensic utilities make
> the data recoverable.
>
> Is there something to wipe the freespace on FreeBSD file systems? To
> make deleted data unrecoverable?
>
> --
> Windows 95 (win-DOH-z), n. A thirty-two bit extension and graphical
> shell to a sixteen bit patch to an eight bit operating system
> originally coded for a four bit microprocessor which was used in a PC
> built by a formerly two bit company that couldn't stand one bit of
> competition.

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/


From owner-freebsd-security Wed Nov 17 20:50:54 1999
Date: Wed, 17 Nov 1999 23:50:54 -0500 (EST)
From: Barrett Richardson
To: David G Andersen
Cc: trouble@netquick.net, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
In-Reply-To: <199911180423.VAA11225@faith.cs.utah.edu>

On Wed, 17 Nov 1999, David G Andersen wrote:

> This thread was discussed at *agonizing* length about 6 months or a year
> ago. You might want to check the archive, at:
>
> http://www.freebsd.org/search/
>
> Lots of good solutions and advice, and lots of bad, were discussed. But
> it's all there for you to peruse...
>

The thread was "Secure deletion". There is a handy prog in Message-ID
<378A58EA.ACF1412F@softweyr.com>

- Barrett


From owner-freebsd-security Wed Nov 17 21:44:06 1999
Message-ID: <3833923C.10A7208F@netquick.net>
Date: Thu, 18 Nov 1999 00:44:28 -0500
From: TrouBle
To: Barrett Richardson
Cc: David G Andersen, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping

I appreciate all the help, but this is not what I'm looking for... I
want to WIPE freespace on the disk.

obliterate only wipes the one file you specify.. I want to wipe all the
free space on the disk, without damaging good intact files on it. Linux
has a program called wipe that does this. Now I'll ask again: is there
something similar for FreeBSD?

>
> The thread was "Secure deletion". There is a handy prog in Message-ID
> <378A58EA.ACF1412F@softweyr.com>
>

--
Windows 95 (win-DOH-z), n. A thirty-two bit extension and graphical
shell to a sixteen bit patch to an eight bit operating system
originally coded for a four bit microprocessor which was used in a PC
built by a formerly two bit company that couldn't stand one bit of
competition.


From owner-freebsd-security Wed Nov 17 22:11:48 1999
Date: Wed, 17 Nov 1999 22:11:46 -0800 (PST)
From: Kris Kennaway
To: TrouBle
Cc: Barrett Richardson, David G Andersen, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
In-Reply-To: <3833923C.10A7208F@netquick.net>

On Thu, 18 Nov 1999, TrouBle wrote:

> obliterate only wipes the one file you specify.. I want to wipe all the
> free space on the disk, without damaging good intact files on it. Linux
> has a program called wipe that does this. Now I'll ask again: is there
> something similar for FreeBSD?

dd if=/dev/zero of=/usr/bigfile || rm -f /usr/bigfile

Replace /dev/zero with /dev/urandom according to taste.

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of
two evils..
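The fill-then-remove approach Kris gives above, as an added example that is not code from the thread: a C version that treats ENOSPC as the expected end condition, survives EINTR and short writes, fsyncs before unlinking, and refuses to clobber an existing file. The scratch file name, the pattern switch and the max_bytes cap are this example's own conventions.

```c
/* Added example, not from the thread: the "fill the disk, then remove the
 * file" method from the reply above, written out so the edge cases are
 * explicit: stop on ENOSPC (the expected end), survive EINTR and short
 * writes, fsync before unlinking so the pattern really reaches the disk,
 * and refuse to clobber an existing file. The scratch file name and the
 * max_bytes cap are this example's own conventions. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define WIPE_BLOCK 65536

/* Fill buf from the chosen source: pattern 0 = zeros (what /dev/zero gives),
 * pattern 1 = bytes read from urandom_fd. Returns 0 on success. */
static int fill_block(unsigned char *buf, size_t len, int pattern, int urandom_fd)
{
    if (pattern == 0) {
        memset(buf, 0, len);
        return 0;
    }
    for (size_t got = 0; got < len; ) {
        ssize_t n = read(urandom_fd, buf + got, len - got);
        if (n <= 0)
            return -1;
        got += (size_t)n;
    }
    return 0;
}

/* Overwrite the free space of the filesystem holding dir: create a scratch
 * file there, write pattern blocks until the filesystem is full or max_bytes
 * (0 = no cap) is reached, fsync, then unlink it. Returns the number of bytes
 * written, or -1 on any error other than running out of space. */
long long wipe_free_space(const char *dir, int pattern, long long max_bytes)
{
    static unsigned char buf[WIPE_BLOCK];
    char path[4096];
    long long written = 0;
    int urandom_fd = -1, rc = 0;

    if (snprintf(path, sizeof path, "%s/.wipe-scratch", dir) >= (int)sizeof path)
        return -1;
    if (pattern == 1 && (urandom_fd = open("/dev/urandom", O_RDONLY)) < 0)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* never clobber */
    if (fd < 0) {
        if (urandom_fd >= 0)
            close(urandom_fd);
        return -1;
    }
    while (rc == 0) {
        size_t want = sizeof buf;
        if (max_bytes > 0 && written + (long long)want > max_bytes)
            want = (size_t)(max_bytes - written);
        if (want == 0)
            break;                                  /* cap reached */
        if (fill_block(buf, want, pattern, urandom_fd) != 0) {
            rc = -1;
            break;
        }
        ssize_t n = write(fd, buf, want);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0 && errno == ENOSPC)
            break;                                  /* disk full: the goal */
        if (n <= 0) {
            rc = -1;
            break;
        }
        written += n;                               /* short writes just loop again */
    }
    if (fsync(fd) != 0)
        rc = -1;
    close(fd);
    if (urandom_fd >= 0)
        close(urandom_fd);
    if (unlink(path) != 0)                          /* always remove the scratch file */
        rc = -1;
    return rc == 0 ? written : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <directory-on-target-filesystem> [random]\n", argv[0]);
        return 2;
    }
    long long n = wipe_free_space(argv[1], argc > 2, 0);   /* any 2nd arg = random */
    if (n < 0) {
        perror("wipe_free_space");
        return 1;
    }
    printf("overwrote %lld bytes of free space\n", n);
    return 0;
}
```

Run it as root so the blocks reserved for the superuser are overwritten too; while it runs the filesystem is full, so anything else writing there will fail until the scratch file is unlinked.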
From owner-freebsd-security Thu Nov 18 00:18:56 1999
From: Matthew Dillon
Message-Id: <199911180818.AAA79001@apollo.backplane.com>
Date: Thu, 18 Nov 1999 00:18:51 -0800 (PST)
To: Kelly Yancey
Cc: Warner Losh, freebsd-security@FreeBSD.ORG
Subject: Re: kernel stack contents visible from userland

:On Wed, 17 Nov 1999, Warner Losh wrote:
:
:> These patches look good. I wonder if there might be an easier way to
:> accomplish this. I don't see anything here that is a security risk,
:> per se, since most of the stat struct is always filled in before the
:> copyout. Which fields in stat are not explicitly used? I would have
:> expected them all to be filled in in all cases. It would likely be
:> faster to just wonk on st_lspare and st_qspare[2] in cvstat...
:>
:
: I wrote new patches which were less intrusive and only cleared the spare
:fields rather than bzero'ing the entire structure. I've submitted the
:patches with PR kern/14966.

I've committed your patch to -current and -stable!

: On a related note, these patches still solve my original problem of
:being able to compare stat structures. I found that, at least on
:FreeBSD/i386, I can reliably memcmp() two stat structures and determine
:when a file's status has changed (even on filesystems without ctime). All
:is right in the world. :)
:
: Thanks for the feedback,
:
: Kelly
:
:--
:Kelly Yancey - kbyanc@posi.net - Richmond, VA

In general, it's a really bad idea to compare structures with memcmp().
It's so bad that I believe direct compares were removed from a draft
ANSI C standard prior to the final. If you use memcmp() to compare stat
structures you aren't going to be portable (i.e. the same bug you found
in FreeBSD might exist in other UNIXes).

-Matt
Matthew Dillon
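Matthew Dillon's point about memcmp() on structures, as an added example that is not taken from the thread: a padded struct shows why a byte-wise compare reports field-identical values as different, and stat_changed() is the field-wise compare restricted to the POSIX-specified members, so the spare members (where the stale kernel bytes lived) are never examined. The function names are this example's own.

```c
/* Added example, not from the thread: why memcmp() over a struct stat is not
 * a portable change detector, and the field-wise compare to use instead.
 * Only the POSIX-specified stat members are compared; spare and padding
 * bytes, which is where the uninitialized kernel bytes lived, are ignored. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* A layout with interior padding on every common ABI: char, then int. */
struct padded {
    char c;
    int  i;
};

/* Returns 1 when memcmp() reports two field-identical structs as different.
 * Field assignments never touch the padding bytes, so whatever was in the
 * memory before (here: two different fill patterns, standing in for stale
 * stack contents) decides the outcome. Returns 0 only if there is no padding. */
int memcmp_misleads(void)
{
    struct padded a, b;
    memset(&a, 0xAA, sizeof a);
    memset(&b, 0x55, sizeof b);
    a.c = b.c = 1;
    a.i = b.i = 2;
    return memcmp(&a, &b, sizeof a) != 0;
}

/* Field-wise comparison restricted to POSIX-specified members. Returns 1 when
 * the file status differs between the two snapshots, 0 when it agrees. */
int stat_changed(const struct stat *a, const struct stat *b)
{
    return a->st_dev   != b->st_dev   ||
           a->st_ino   != b->st_ino   ||
           a->st_mode  != b->st_mode  ||
           a->st_nlink != b->st_nlink ||
           a->st_uid   != b->st_uid   ||
           a->st_gid   != b->st_gid   ||
           a->st_size  != b->st_size  ||
           a->st_mtime != b->st_mtime ||
           a->st_ctime != b->st_ctime;
}

/* Re-stat path and compare with an earlier snapshot. Returns -1 if stat()
 * fails (e.g. the file is gone, which is also a change worth reporting). */
int path_changed_since(const struct stat *before, const char *path)
{
    struct stat now;
    if (stat(path, &now) != 0)
        return -1;
    return stat_changed(before, &now);
}

int main(void)
{
    struct stat st;
    printf("memcmp() misleads on this ABI: %s\n", memcmp_misleads() ? "yes" : "no");
    if (stat("/", &st) == 0)
        printf("/ changed since snapshot: %d\n", path_changed_since(&st, "/"));
    return 0;
}
```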
From owner-freebsd-security Thu Nov 18 03:12:29 1999
From: Zahemszky Gabor
Message-Id: <199911181112.MAA00778@CoDe.hu>
Subject: ipfw and ifconfig
To: freebsd-security@freebsd.org
Date: Thu, 18 Nov 1999 12:12:00 +0100 (CET)

Hi!

Somebody asked, and I could not answer: why, in FreeBSD, is ifconfig run
_before_ ipfw?

ZGabor at CoDe dot HU


From owner-freebsd-security Thu Nov 18 04:01:58 1999
Message-ID: <3833E9AB.13864ECA@vangelderen.org>
Date: Thu, 18 Nov 1999 12:57:31 +0100
From: "Jeroen C. van Gelderen"
To: Yoshinobu Inoue
Cc: phk@critter.freebsd.dk, beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
References: <19991117153126C.shin@nd.net.fujitsu.co.jp> <289.942825543@critter.freebsd.dk> <199911172340.PAA23345@gndrsh.dnsmgr.net> <19991118042404X.shin@nd.net.fujitsu.co.jp>

Yoshinobu Inoue wrote:
> If explicit needs for "multiple addrs per address family" are
> not clear now, I would like to try to implement just adding
> the ip6_number member for this time.

I think sockaddrs are better because they allow you to change to
multiple-IP support without changing the interface again. Or you can
add IPX (whatever) support without disturbing existing applications...

I'd say (but I'm not a real hacker) make jail accept a list of sockaddrs
and -for now- disallow anything except a single IPv4 and a single IPv6
address in that list. I'm now pretty sure multiple IPs per jail is a
good idea, but you can easily defer implementation to some point in the
future...

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org
Interesting read: http://www.vcnet.com/bms/ JLF


From owner-freebsd-security Thu Nov 18 07:14:16 1999
Date: Thu, 18 Nov 1999 10:13:58 -0500 (EST)
From: "Mr. K."
To: freebsd-security@freebsd.org
Subject: localhost.org

This is really bad... today when I got to my computer I noticed that
mysql was broken. The message was "Can't connect to MySQL server on
localhost". So after half an hour of debugging (and rebooting my server
:(, bye uptime), I did a telnet localhost 3306 (the mysql port). Lo and
behold, I notice:

# telnet localhost 3306
Trying 208.211.134.100...
telnet: Unable to connect to remote host: Connection refused
# nslookup localhost
Server:  inbox.org
Address:  0.0.0.0

Non-authoritative answer:
Name:    localhost.org
Address:  208.211.134.100

Ouch. Time to reset all my passwords, as this bozo could have stolen them
all. I don't know why this just started happening, unless the bozo just
registered the domain name, which is why I'm sending along this warning to
everyone on here.


From owner-freebsd-security Thu Nov 18 07:20:56 1999
Date: Thu, 18 Nov 1999 10:19:59 -0500 (EST)
From: zoonie X-Sender: zoonie@localhost To: "Mr. K." Cc: freebsd-security@FreeBSD.ORG Subject: Re: localhost.org In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org according to the whois database it was just registered a few days ago.. On Thu, 18 Nov 1999, Mr. K. wrote: > this is really bad... today when i got to my computer i noticed that > mysql was broken. the message was "Can't connect to MySQL server on > localhost". so after half an hour of debugging (and rebooting my server > :(, bye uptime), I did a telnet localhost 3306 (the mysql port). lo and > behold, I notice: > > # telnet localhost 3306 > Trying 208.211.134.100... > telnet: Unable to connect to remote host: Connection refused > # nslookup localhost > Server: inbox.org > Address: 0.0.0.0 > > Non-authoritative answer: > Name: localhost.org > Address: 208.211.134.100 > > ouch. time to reset all my passwords, as this bozo could have stolen them > all. I don't know why this just started happening, unless the bozo just > registered the domain name, which is why I'm sending along this warning to > everyone on here. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 18 7:32: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 10C1E15347 for ; Thu, 18 Nov 1999 07:31:48 -0800 (PST) (envelope-from danderse@faith.cs.utah.edu) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id IAA27035; Thu, 18 Nov 1999 08:31:37 -0700 (MST) 
From: David G Andersen Message-Id: <199911181531.IAA27035@faith.cs.utah.edu> Subject: Re: localhost.org To: bsd@a.servers.aozilla.com (Mr. K.) Date: Thu, 18 Nov 1999 08:31:36 -0700 (MST) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: from "Mr. K." at Nov 18, 99 10:13:58 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org But why in the world do you have .org in your search path? ... it's like leaving "." in root's executable search path: just don't do it. The only things in your nameserver search space should be domains you trust, or obviously, people are going to be able to pull things like that. -Dave Lo and behold, Mr. K. once said: > > this is really bad... today when i got to my computer i noticed that > mysql was broken. the message was "Can't connect to MySQL server on > localhost". so after half an hour of debugging (and rebooting my server > :(, bye uptime), I did a telnet localhost 3306 (the mysql port). lo and > behold, I notice: > > # telnet localhost 3306 > Trying 208.211.134.100... > telnet: Unable to connect to remote host: Connection refused > # nslookup localhost > Server: inbox.org > Address: 0.0.0.0 > > Non-authoritative answer: > Name: localhost.org > Address: 208.211.134.100 > > ouch. time to reset all my passwords, as this bozo could have stolen them > all. I don't know why this just started happening, unless the bozo just > registered the domain name, which is why I'm sending along this warning to > everyone on here. 
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 18 7:41:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from inbox.org (inbox.org [216.22.145.8]) by hub.freebsd.org (Postfix) with ESMTP id DFF2315360 for ; Thu, 18 Nov 1999 07:41:30 -0800 (PST) (envelope-from bsd@a.servers.aozilla.com) Received: from localhost (bsd@localhost) by inbox.org (8.9.3/8.9.3) with SMTP id KAA00776; Thu, 18 Nov 1999 10:41:25 -0500 (EST) Date: Thu, 18 Nov 1999 10:41:24 -0500 (EST) 
From: "Mr. K." X-Sender: bsd@inbox.org To: David G Andersen Cc: freebsd-security@FreeBSD.ORG Subject: Re: localhost.org In-Reply-To: <199911181531.IAA27035@faith.cs.utah.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I thought it's automatically there because inbox.org is my domain name. I actually can't figure out how to fix this, without setting myself as authoritative for localhost.org. I'm probably just overlooking something though. On Thu, 18 Nov 1999, David G Andersen wrote: > But why in the world do you have .org in your search path? > > ... it's like leaving "." in root's executable search path: just don't do > it. The only things in your nameserver search space should be domains you > trust, or obviously, people are going to be able to pull things like that. > > -Dave > > Lo and behold, Mr. K. once said: > > > > this is really bad... today when i got to my computer i noticed that > > mysql was broken. the message was "Can't connect to MySQL server on > > localhost". so after half an hour of debugging (and rebooting my server > > :(, bye uptime), I did a telnet localhost 3306 (the mysql port). lo and > > behold, I notice: > > > > # telnet localhost 3306 > > Trying 208.211.134.100... > > telnet: Unable to connect to remote host: Connection refused > > # nslookup localhost > > Server: inbox.org > > Address: 0.0.0.0 > > > > Non-authoritative answer: > > Name: localhost.org > > Address: 208.211.134.100 > > > > ouch. time to reset all my passwords, as this bozo could have stolen them > > all. I don't know why this just started happening, unless the bozo just > > registered the domain name, which is why I'm sending along this warning to > > everyone on here. 
> > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > -- > work: dga@lcs.mit.edu me: dga@pobox.com > MIT Laboratory for Computer Science http://www.angio.net/ > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 18 7:45:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 083BE15420 for ; Thu, 18 Nov 1999 07:45:24 -0800 (PST) (envelope-from danderse@faith.cs.utah.edu) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id IAA27842; Thu, 18 Nov 1999 08:45:18 -0700 (MST) 
From: David G Andersen Message-Id: <199911181545.IAA27842@faith.cs.utah.edu> Subject: Re: localhost.org To: bsd@a.servers.aozilla.com (Mr. K.) Date: Thu, 18 Nov 1999 08:45:18 -0700 (MST) Cc: danderse@cs.utah.edu, freebsd-security@FreeBSD.ORG In-Reply-To: from "Mr. K." at Nov 18, 99 10:41:24 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Look at your /etc/resolv.conf

It should say something like:

    domain inbox.org
    nameserver foo
    nameserver bar

But in reality, yours probably looks like:

    search inbox.org
    search org
    nameserver foo
    nameserver bar

Remove that "search org" line. (Alternately, you might have a "domain org" which would be even worse. :-)

-Dave

Lo and behold, Mr. K. once said:
>
> I thought it's automatically there because inbox.org is my domain name. I
> actually can't figure out how to fix this, without setting myself as
> authoritative for localhost.org. I'm probably just overlooking something
> though.
>
> On Thu, 18 Nov 1999, David G Andersen wrote:
>
> > But why in the world do you have .org in your search path?
> >
> > ... it's like leaving "." in root's executable search path: just don't do
> > it. The only things in your nameserver search space should be domains you
> > trust, or obviously, people are going to be able to pull things like that.
> >
> > -Dave
> >
> > Lo and behold, Mr. K. once said:
> > >
> > > this is really bad... today when i got to my computer i noticed that
> > > mysql was broken. the message was "Can't connect to MySQL server on
> > > localhost". so after half an hour of debugging (and rebooting my server
> > > :(, bye uptime), I did a telnet localhost 3306 (the mysql port). lo and
> > > behold, I notice:
> > >
> > > # telnet localhost 3306
> > > Trying 208.211.134.100...
> > > telnet: Unable to connect to remote host: Connection refused
> > > # nslookup localhost
> > > Server: inbox.org
> > > Address: 0.0.0.0
> > >
> > > Non-authoritative answer:
> > > Name: localhost.org
> > > Address: 208.211.134.100
> > >
> > > ouch. time to reset all my passwords, as this bozo could have stolen them
> > > all. I don't know why this just started happening, unless the bozo just
> > > registered the domain name, which is why I'm sending along this warning to
> > > everyone on here.
> >
> > --
> > work: dga@lcs.mit.edu me: dga@pobox.com
> > MIT Laboratory for Computer Science http://www.angio.net/
>

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Thu Nov 18 7:47: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from megaweapon.zigg.com (megaweapon.zigg.com [206.114.60.8]) by hub.freebsd.org (Postfix) with ESMTP id 4106415429 for ; Thu, 18 Nov 1999 07:46:47 -0800 (PST) (envelope-from matt@zigg.com) Received: from localhost (matt@localhost) by megaweapon.zigg.com (8.9.3/8.9.3) with ESMTP id KAA20926; Thu, 18 Nov 1999 10:47:28 -0500 (EST) (envelope-from matt@zigg.com) Date: Thu, 18 Nov 1999 10:47:27 -0500 (EST)
From: Matt Behrens To: "Mr. K." Cc: David G Andersen , freebsd-security@FreeBSD.ORG Subject: Re: localhost.org In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Check /etc/resolv.conf. Make sure there are no ``search'' entries for anything other than inbox.org. On Thu, 18 Nov 1999, Mr. K. wrote: : I thought it's automatically there because inbox.org is my domain name. I : actually can't figure out how to fix this, without setting myself as : authoritative for localhost.org. I'm probably just overlooking something : though. : : On Thu, 18 Nov 1999, David G Andersen wrote: : : > But why in the world do you have .org in your search path? Matt Behrens Owner/Administrator, zigg.com Chief Engineer, Nameless IRC Network To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 18 7:49:10 1999 Delivered-To: freebsd-security@freebsd.org Received: from inbox.org (inbox.org [216.22.145.8]) by hub.freebsd.org (Postfix) with ESMTP id 165F81542D for ; Thu, 18 Nov 1999 07:49:05 -0800 (PST) (envelope-from bsd@a.servers.aozilla.com) Received: from localhost (bsd@localhost) by inbox.org (8.9.3/8.9.3) with SMTP id KAA01032; Thu, 18 Nov 1999 10:49:01 -0500 (EST) Date: Thu, 18 Nov 1999 10:49:01 -0500 (EST) 
From: "Mr. K." X-Sender: bsd@inbox.org To: David G Andersen Cc: freebsd-security@FreeBSD.ORG Subject: Re: localhost.org In-Reply-To: <199911181545.IAA27842@faith.cs.utah.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

actually:

    # cat /etc/resolv.conf
    cat: /etc/resolv.conf: No such file or directory

apparently the default is what you wrote.

On Thu, 18 Nov 1999, David G Andersen wrote:

> Look at your /etc/resolv.conf
>
> It should say something like:
>
> domain inbox.org
> nameserver foo
> nameserver bar
>
> But in reality, yours probably looks like:
>
> search inbox.org
> search org
> nameserver foo
> nameserver bar
>
> Remove that "search org" line. (Alternately, you might have a "domain
> org" which would be even worse. :-)
>
> -Dave

From owner-freebsd-security Thu Nov 18 8: 7:45 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 447CF150EF for ; Thu, 18 Nov 1999 08:07:33 -0800 (PST) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id RAA53431; Thu, 18 Nov 1999 17:07:16 +0100 (CET) (envelope-from des) To: "Mr. K." Cc: David G Andersen , freebsd-security@FreeBSD.ORG Subject: Re: localhost.org References:
From: Dag-Erling Smorgrav Date: 18 Nov 1999 17:07:16 +0100 In-Reply-To: "Mr. K."'s message of "Thu, 18 Nov 1999 10:41:24 -0500 (EST)" Message-ID: Lines: 22 User-Agent: Gnus/5.070097 (Pterodactyl Gnus v0.97) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Mr. K." writes:
> I thought it's automatically there because inbox.org is my domain name. I
> actually can't figure out how to fix this, without setting myself as
> authoritative for localhost.org. I'm probably just overlooking something
> though.

You should have an entry for localhost in the inbox.org zone file:

    localhost IN A 127.0.0.1

and you should consider setting your search path explicitly in /etc/resolv.conf.

Alternatively, put 'hosts' before 'bind' in /etc/host.conf and make sure /etc/hosts contains an entry for localhost. You can use /etc/hosts to override other stuff, too; e.g. make ad.doubleclick.net point to a dummy httpd that returns 404 no matter what URL you request.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Thu Nov 18 8: 9: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from inbox.org (inbox.org [216.22.145.8]) by hub.freebsd.org (Postfix) with ESMTP id 14FC815433 for ; Thu, 18 Nov 1999 08:08:56 -0800 (PST) (envelope-from bsd@a.servers.aozilla.com) Received: from localhost (bsd@localhost) by inbox.org (8.9.3/8.9.3) with SMTP id LAA01553 for ; Thu, 18 Nov 1999 11:08:53 -0500 (EST) Date: Thu, 18 Nov 1999 11:08:53 -0500 (EST)
From: "Mr. K." X-Sender: bsd@inbox.org To: freebsd-security@freebsd.org Subject: Re: [Systalk] localhost.org (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

    # man resolv.conf
    domain  Local domain name. Most queries for names within this domain
            can use short names relative to the local domain. If no domain
            entry is present, the domain is determined from the local host
            name returned by gethostname(3); the domain part is taken to be
            everything after the first `.'. Finally, if the host name does
            not contain a domain part, the root domain is assumed.

so, since my hostname is inbox.org, the default domain is org. it seems very unlikely that anyone would ever want this for a two part hostname. shouldn't this be disabled as a default for those names (but still work for those who explicitly add it)?

From owner-freebsd-security Thu Nov 18 8:16:30 1999 Delivered-To: freebsd-security@freebsd.org Received: from inbox.org (inbox.org [216.22.145.8]) by hub.freebsd.org (Postfix) with ESMTP id BC7CE15440 for ; Thu, 18 Nov 1999 08:16:20 -0800 (PST) (envelope-from bsd@a.servers.aozilla.com) Received: from localhost (bsd@localhost) by inbox.org (8.9.3/8.9.3) with SMTP id LAA01718; Thu, 18 Nov 1999 11:16:11 -0500 (EST) Date: Thu, 18 Nov 1999 11:16:11 -0500 (EST)
From: "Mr. K." X-Sender: bsd@inbox.org To: Dag-Erling Smorgrav Cc: David G Andersen , freebsd-security@FreeBSD.ORG Subject: Re: localhost.org In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> You should have an entry for localhost in the inbox.org zone file:
>
> localhost IN A 127.0.0.1
>

yep, I already had this but it was ignoring this. in fact, localhost.inbox.org would give me 127.0.0.1, localhost. would give me 127.0.0.1, but localhost would give me a.b.c.d. Turns out that one part domains automatically try the search first.

> and you should consider setting your search path explicitly in
> /etc/resolv.conf.

This solved the problem.

> Alternatively, put 'hosts' before 'bind' in /etc/host.conf and make
> sure /etc/hosts contains an entry for localhost. You can use
> /etc/hosts to override other stuff, too; e.g. make ad.doubleclick.net
> point to a dummy httpd that returns 404 no matter what URL you
> request.
>

This seems like a good idea in any case, as it will defeat a hacker who manages to compromise your nameserver. At least for those listings included in /etc/hosts.

From owner-freebsd-security Thu Nov 18 8:22:25 1999 Delivered-To: freebsd-security@freebsd.org Received: from s01.arpa-canada.net (s01.arpa-canada.net [209.104.122.2]) by hub.freebsd.org (Postfix) with ESMTP id CEC42153DD for ; Thu, 18 Nov 1999 08:22:21 -0800 (PST) (envelope-from matt@BabCom.ORG) Received: by s01.arpa-canada.net (Postfix, from userid 1001) id 25915B885; Thu, 18 Nov 1999 11:22:20 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by s01.arpa-canada.net (Postfix) with ESMTP id 1F077E; Thu, 18 Nov 1999 11:22:20 -0500 (EST) Date: Thu, 18 Nov 1999 11:22:20 -0500 (EST)
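An added example, not part of any message in this thread: a small POSIX sh audit of the three settings discussed above, namely the "search org"/"domain org" entries Dave described, the implicit-domain rule from the resolv.conf(5) excerpt (everything after the first dot of the host name), and the /etc/hosts override DES suggests. Every file path is passed in as an argument and the sample files are constructed, so nothing reads the live system unless you point it there; the nameserver and addresses in the samples are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit resolver settings for the
# "localhost completes to localhost.org" failure mode discussed above.

# Print the domain the resolver assumes when resolv.conf has no domain or
# search entry: everything after the first '.' of the host name, or "." (the
# root) when the host name has no dot at all. This is the resolv.conf(5) rule
# quoted above and why a host named "inbox.org" gets the implicit domain "org".
implicit_domain() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '.\n' ;;
    esac
}

# Return 0 if every domain/search entry in a resolv.conf-style file has at
# least two labels; return 1 and name each single-label entry (e.g. "org"),
# since a bare TLD lets the lone name "localhost" complete to localhost.org.
audit_resolv_conf() {
    bad=0
    for dom in $(sed -e 's/[#;].*//' "$1" \
                 | awk '$1 == "domain" || $1 == "search" { for (i = 2; i <= NF; i++) print $i }'); do
        dom="${dom%.}"                 # "org." is still "org"; "." becomes "" (root) and is flagged too
        case "$dom" in
            *.*) ;;
            *)   printf 'risky single-label entry: %s\n' "$dom"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Return 0 if an /etc/hosts-style file maps "localhost" only to loopback
# addresses (127/8 or ::1), which is what a hosts-before-bind /etc/host.conf
# needs so that "localhost" is never sent to DNS at all.
hosts_maps_localhost_to_loopback() {
    sed -e 's/#.*//' "$1" \
    | awk 'BEGIN { ok = 1; found = 0 }
           { for (i = 2; i <= NF; i++)
                 if ($i == "localhost") { if ($1 ~ /^127\./ || $1 == "::1") found = 1; else ok = 0 } }
           END { exit !(found && ok) }'
}

# Constructed samples: the file Dave guessed at, a corrected one, and a hosts file.
write_bad_resolv_conf()  { printf 'search inbox.org\nsearch org\nnameserver 192.0.2.53\n' > "$1"; }
write_good_resolv_conf() { printf 'domain inbox.org\nnameserver 192.0.2.53\n' > "$1"; }
write_hosts() { printf '127.0.0.1 localhost localhost.inbox.org\n::1 localhost\n192.0.2.10 inbox.org\n' > "$1"; }

# Stand-alone demo on the constructed bad file.
tmp=$(mktemp)
write_bad_resolv_conf "$tmp"
if audit_resolv_conf "$tmp"; then echo "resolv.conf: ok"; else echo "resolv.conf: fix the entries above"; fi
rm -f "$tmp"
echo "implicit domain for host name inbox.org: $(implicit_domain inbox.org)"
```

To check a real machine, call audit_resolv_conf /etc/resolv.conf and hosts_maps_localhost_to_loopback /etc/hosts, and compare implicit_domain "$(hostname)" with what you expect; a missing resolv.conf (as in the thread) means only the implicit rule applies.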
From: matt X-Sender: matt@s01.arpa-canada.net To: "Mr. K." Cc: freebsd-security@freebsd.org Subject: Re: [Systalk] localhost.org (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 18 Nov 1999, Mr. K. wrote: [...] : so, since my hostname is inbox.org, the default domain is org. it seems : very unlikely that anyone would ever want this for a two part hostname. : shouldn't this be disabled as a default for those names (but still work : for those who explicitly add it)? Forgive me if I'm just being completely daft, but consider this; I have domain.com pointing to a machine, which is named s01.domain.com, is my domain name domain.com or .com ? Now, .org would be the TLD (top level domain), but inbox.com would be your domain name, a hostname would be something.inbox.com. Though I will admit that the wording of the resolv.conf man page could stand to be more clear. Having your domain set like this to .org is a dangerous thing. As you saw with localhost.org. Matt -- "If the primates that we came from had known that someday politicians would come out of the...the gene pool, they'd a stayed up in the trees and written evolution off as a bad idea. Hell, I always thought the opposable thumb was overrated." -Sheridan, "A Distant Star" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 18 8:29: 9 1999 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 408D715458 for ; Thu, 18 Nov 1999 08:29:04 -0800 (PST) (envelope-from danderse@faith.cs.utah.edu) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id JAA00586; Thu, 18 Nov 1999 09:28:51 -0700 (MST) 
From: David G Andersen Message-Id: <199911181628.JAA00586@faith.cs.utah.edu> Subject: Re: [Systalk] localhost.org (fwd) To: matt@BabCom.ORG (matt) Date: Thu, 18 Nov 1999 09:28:51 -0700 (MST) Cc: bsd@a.servers.aozilla.com, freebsd-security@FreeBSD.ORG In-Reply-To: from "matt" at Nov 18, 99 11:22:20 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm with matt on this. You should name your machine "something.your.domain", and then CNAME and MX "domain.com" to "something.your.domain". Technically, your machine doesn't _have_ a hostname! :) ... or its domain name is ".org". ... the software is behaving properly. The configuration is wrong. -Dave Lo and behold, matt once said: > > On Thu, 18 Nov 1999, Mr. K. wrote: > [...] > : so, since my hostname is inbox.org, the default domain is org. it seems > : very unlikely that anyone would ever want this for a two part hostname. > : shouldn't this be disabled as a default for those names (but still work > : for those who explicitly add it)? > > Forgive me if I'm just being completely daft, but consider this; > > I have domain.com pointing to a machine, which is named s01.domain.com, > is my domain name domain.com or .com ? Now, .org would be the TLD (top > level domain), but inbox.com would be your domain name, a hostname would > be something.inbox.com. Though I will admit that the wording of the > resolv.conf man page could stand to be more clear. Having your domain > set like this to .org is a dangerous thing. As you saw with localhost.org. > > Matt > -- > "If the primates that we came from had known that someday politicians > would come out of the...the gene pool, they'd a stayed up in the trees > and written evolution off as a bad idea. Hell, I always thought the > opposable thumb was overrated." 
> -Sheridan, "A Distant Star" > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 18 8:29:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id BBF8A1528D for ; Thu, 18 Nov 1999 08:29:38 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id IAA85609; Thu, 18 Nov 1999 08:29:31 -0800 (PST) (envelope-from dillon) Date: Thu, 18 Nov 1999 08:29:31 -0800 (PST) 
From: Matthew Dillon Message-Id: <199911181629.IAA85609@apollo.backplane.com> To: matt Cc: "Mr. K." , freebsd-security@FreeBSD.ORG Subject: Re: [Systalk] localhost.org (fwd) References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

:Forgive me if I'm just being completely daft, but consider this;
:
:I have domain.com pointing to a machine, which is named s01.domain.com,
:is my domain name domain.com or .com ? Now, .org would be the TLD (top
:level domain), but inbox.com would be your domain name, a hostname would
:be something.inbox.com. Though I will admit that the wording of the
:resolv.conf man page could stand to be more clear. Having your domain
:set like this to .org is a dangerous thing. As you saw with localhost.org.
:
:Matt

No, you are absolutely right. I was about to comment on that myself. My domain is 'backplane.com' but the hostname I use for my main machine is 'apollo.backplane.com', not 'backplane.com'. I then simply route backplane.com's MX records and, of course, www.backplane.com, to apollo.

The official name of a host is what gets returned by the 'hostname' program. It doesn't matter how many aliases you have, it is that name which the resolver uses to figure out everything else. It is not generally a good idea to name a host the same as your base domain.

-Matt
Matthew Dillon

From owner-freebsd-security Thu Nov 18 8:56:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 7732515446 for ; Thu, 18 Nov 1999 08:56:07 -0800 (PST) (envelope-from ilmar@ints.ru) Received: (from uucp@localhost) by ints.ru (8.9.2/8.9.2) id TAA09620; Thu, 18 Nov 1999 19:55:55 +0300 (MSK) Received: from ws-ilmar.ints.ru(194.67.173.16) via SMTP by ints.ru, id smtpdlW9610; Thu Nov 18 19:55:45 1999 Received: from localhost (localhost [127.0.0.1]) by ws-ilmar.ints.ru (8.9.3/8.9.3) with ESMTP id TAA35081; Thu, 18 Nov 1999 19:55:44 +0300 (MSK) Date: Thu, 18 Nov 1999 19:55:44 +0300 (MSK)
From: "Ilmar S. Habibulin" To: TrouBle Cc: freebsd-security@FreeBSD.ORG Subject: Re: secure filesystem wiping In-Reply-To: <3833923C.10A7208F@netquick.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I started a thread called "secure deletion" about three months ago. All solutions wipe the file that you are deleting. If you have already deleted some files and want to wipe the free space left on devices, just write some program which will create some file and store some random (or not random) data in it. Run this program with root privileges and it will overwrite all the free space on the chosen fs.

And look here: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

From owner-freebsd-security Thu Nov 18 9: 0:52 1999 Delivered-To: freebsd-security@freebsd.org Received: from newsfeed.win.net (newsfeed.win.net [216.24.27.8]) by hub.freebsd.org (Postfix) with ESMTP id 081F31547F; Thu, 18 Nov 1999 09:00:36 -0800 (PST) (envelope-from barrett@phoenix.aye.net) Received: from phoenix.aye.net (phoenix.aye.net [198.7.192.5]) by newsfeed.win.net (8.8.8/8.6.9) with SMTP id MAA07917; Thu, 18 Nov 1999 12:00:27 -0500 (EST) Date: Thu, 18 Nov 1999 12:00:47 -0500 (EST)
From: Barrett Richardson To: Kris Kennaway Cc: TrouBle , David G Andersen , freebsd-security@FreeBSD.ORG Subject: Re: secure filesystem wiping In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 17 Nov 1999, Kris Kennaway wrote:

> On Thu, 18 Nov 1999, TrouBle wrote:
>
> > obliterate only wipes the one file you specify.. i want to wipe all the
> > free space on the disk, without damaging good intact files on it, linux
> > has a program called wipe that does this, now ill ask again is there
> > something similar for freebsd
>
> dd if=/dev/zero of=/usr/bigfile || rm -f /usr/bigfile
>
> Replace /dev/zero with /dev/urandom according to taste.
>
> Kris
>

Excellent idea, and simple. The problem with modern encoding formats is that the previous layer is still somewhat recoverable, and sometimes layers before that. The obliterate program overwrites with carefully chosen patterns intended to obscure the residual stray magnetic fields left by previously written data. A file that big will be a problem for obliterate though, it'll have to be done in strips.

- Barrett

From owner-freebsd-security Thu Nov 18 10: 1:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from s01.arpa-canada.net (s01.arpa-canada.net [209.104.122.2]) by hub.freebsd.org (Postfix) with ESMTP id 49BE114C39 for ; Thu, 18 Nov 1999 10:01:35 -0800 (PST) (envelope-from matt@BabCom.ORG) Received: by s01.arpa-canada.net (Postfix, from userid 1001) id A7445B885; Thu, 18 Nov 1999 13:01:33 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by s01.arpa-canada.net (Postfix) with ESMTP id A35C9E; Thu, 18 Nov 1999 13:01:33 -0500 (EST) Date: Thu, 18 Nov 1999 13:01:33 -0500 (EST)
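An added example, not from any message in this thread: the free-space fill that Ilmar and Kris describe above, written as a POSIX sh function rather than the one-liner. It fills a directory's filesystem from a source device (default /dev/urandom, an assumption; /dev/zero is faster), syncs, and removes the fill file. An optional byte cap lets it be exercised on a scratch directory, which is how the stand-alone demo uses it; the real run is the uncapped one. As the thread notes, run it as root or the reserved blocks (minfree) stay untouched, and this method never reaches slack space inside existing files or a journal.

```shell
#!/bin/sh
# Added example (not from the thread): overwrite a filesystem's free space by
# filling it with a temporary file, then deleting that file.

# wipe_free_space DIR [SOURCE] [MAX_BYTES]
#   DIR       directory on the filesystem to fill
#   SOURCE    device to read from (default /dev/urandom, an assumption)
#   MAX_BYTES optional cap; 0 or absent means "until the filesystem is full"
# Prints the number of bytes written; returns 1 on a setup error.
wipe_free_space() {
    dir="$1"; src="${2:-/dev/urandom}"; limit="${3:-0}"
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "wipe_free_space: $dir is not a writable directory" >&2
        return 1
    fi
    fill="$dir/.wipe.$$"
    bs=1048576                     # 1 MiB spelled out: "1m" (BSD) and "1M" (GNU) dd suffixes differ
    if [ "$limit" -gt 0 ]; then
        # Capped run: only (limit / bs) whole blocks, for testing on a scratch directory.
        dd if="$src" of="$fill" bs="$bs" count=$((limit / bs)) 2>/dev/null
    else
        # Uncapped run: dd ends with ENOSPC once the filesystem is full. That
        # failure is the expected stop condition, so its status is ignored.
        dd if="$src" of="$fill" bs="$bs" 2>/dev/null || true
    fi
    sync                           # blocks must reach the disk before they are freed again
    written=$(wc -c < "$fill" | tr -d ' ')
    rm -f "$fill"
    sync
    printf '%s\n' "$written"
    return 0
}

# Stand-alone demo on a scratch directory with a 2 MiB cap.
d=$(mktemp -d)
echo "wrote $(wipe_free_space "$d" /dev/zero 2097152) bytes into $d and removed the fill file"
rmdir "$d"
```

For the real thing, call wipe_free_space /usr (or whichever mount point) with no cap as root; expect it to take as long as writing the whole free space takes, and expect other writers on that filesystem to see ENOSPC while it runs.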
From: matt X-Sender: matt@s01.arpa-canada.net To: David G Andersen Cc: bsd@a.servers.aozilla.com, freebsd-security@FreeBSD.ORG Subject: Re: [Systalk] localhost.org (fwd) In-Reply-To: <199911181628.JAA00586@faith.cs.utah.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Another thing you (the original poster) could do, is if you want your machine to work on the net like domain.com, You could simply name the machine something.domain.com, CNAME domain.com to it, and reverse the IP address to domain.com. This will do the trick to having the machine show up on the internet (IRC, etc) as domain.com, while leaving your machine with a "hostname" so your domain would be '.com' or in your case, '.org'

-Matt

On Thu, 18 Nov 1999, David G Andersen wrote:

: I'm with matt on this.
:
: You should name your machine "something.your.domain", and then CNAME and
: MX "domain.com" to "something.your.domain". Technically, your machine
: doesn't _have_ a hostname! :) ... or its domain name is ".org".
:
: ... the software is behaving properly. The configuration is wrong.
:
: -Dave
: [...]

--
"If the primates that we came from had known that someday politicians would come out of the...the gene pool, they'd a stayed up in the trees and written evolution off as a bad idea. Hell, I always thought the opposable thumb was overrated."
-Sheridan, "A Distant Star"

From owner-freebsd-security Thu Nov 18 10: 7:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 15F5B14D82 for ; Thu, 18 Nov 1999 10:07:15 -0800 (PST) (envelope-from jkh@zippy.cdrom.com) Received: from localhost (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id KAA19275; Thu, 18 Nov 1999 10:06:51 -0800 (PST) (envelope-from jkh@zippy.cdrom.com) To: "Mr. K." Cc: freebsd-security@FreeBSD.ORG Subject: Re: localhost.org In-reply-to: Your message of "Thu, 18 Nov 1999 10:13:58 EST." Date: Thu, 18 Nov 1999 10:06:51 -0800 Message-ID: <19271.942948411@localhost>
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Your DNS is screwed. Localhost should always resolve to 127.0.0.1 "locally" and never fall through to localhost.org. To wit:

    jkh@zippy-> telnet localhost
    Trying 127.0.0.1...

- J

> this is really bad... today when i got to my computer i noticed that
> mysql was broken. the message was "Can't connect to MySQL server on
> localhost". so after half an hour of debugging (and rebooting my server
> :(, bye uptime), I did a telnet localhost 3306 (the mysql port). lo and
> behold, I notice:
>
> # telnet localhost 3306
> Trying 208.211.134.100...
> telnet: Unable to connect to remote host: Connection refused
> # nslookup localhost
> Server: inbox.org
> Address: 0.0.0.0
>
> Non-authoritative answer:
> Name: localhost.org
> Address: 208.211.134.100
>
> ouch. time to reset all my passwords, as this bozo could have stolen them
> all. I don't know why this just started happening, unless the bozo just
> registered the domain name, which is why I'm sending along this warning to
> everyone on here.

From owner-freebsd-security Thu Nov 18 10:12:45 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id AE53B14D82 for ; Thu, 18 Nov 1999 10:12:30 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id KAA86247; Thu, 18 Nov 1999 10:12:27 -0800 (PST) (envelope-from dillon) Date: Thu, 18 Nov 1999 10:12:27 -0800 (PST)
From: Matthew Dillon
Message-Id: <199911181812.KAA86247@apollo.backplane.com>
To: matt
Cc: David G Andersen , bsd@a.servers.aozilla.com, freebsd-security@FreeBSD.ORG
Subject: Re: [Systalk] localhost.org (fwd)
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:
:Another thing you (the original poster) could do, is if you want your
:machine to work on the net like domain.com, You could simply name the
:machine something.domain.com, CNAME domain.com to it, and reverse the

    You can't CNAME domain.com, since domain.com must have the NS records
    and domains with CNAMEs aren't allowed to have other record types.
    You can direct mail with MX records.

    You can't map domain.com's IP address to the host's real IP address
    and have the reverse be domain.com ... for the host's real IP address
    the reverse must match the hostname, host.domain.com.  But you *can*
    assign two IP addresses to the host (i.e. use an IP alias), making
    the IP alias resolve to domain.com both forward and reverse while the
    primary IP for the host resolves properly to host.domain.com both
    forward and reverse.

    Fun, eh?

					-Matt


From owner-freebsd-security Thu Nov 18 10:30:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from megaweapon.zigg.com (megaweapon.zigg.com [206.114.60.8]) by hub.freebsd.org (Postfix) with ESMTP id 05D9E154C7 for ; Thu, 18 Nov 1999 10:30:39 -0800 (PST) (envelope-from matt@zigg.com)
Received: from localhost (matt@localhost) by megaweapon.zigg.com (8.9.3/8.9.3) with ESMTP id NAA21260; Thu, 18 Nov 1999 13:31:23 -0500 (EST) (envelope-from matt@zigg.com)
Date: Thu, 18 Nov 1999 13:31:23 -0500 (EST)
From: Matt Behrens
To: Matthew Dillon
Cc: David G Andersen , freebsd-security@FreeBSD.ORG, bsd@a.servers.aozilla.com, matt
Subject: Re: [Systalk] localhost.org (fwd)
In-Reply-To: <199911181812.KAA86247@apollo.backplane.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Today, Matthew Dillon wrote:

: You can't map domain.com's IP address to the host's real IP address
: and have the reverse be domain.com ... for the host's real IP address
: the reverse must match the hostname, host.domain.com.  But you *can*
: assign two IP addresses to the host (i.e. use an IP alias), making
: the IP alias resolve to domain.com both forward and reverse while the
: primary IP for the host resolves properly to host.domain.com both
: forward and reverse.

Strictly speaking, this isn't a practical problem.  Situations
where reverse and forward lookups must match (i.e. when using TCP
wrappers) operate by (a) having an IPv4 address (b) reverse-lookupping
it (c) forward-lookupping the result of the reverse lookup.  If
you assign multiple A records to a single domain name, you are
breaking spec, but it doesn't cause any practical problems
(presently...)

Matt Behrens
Owner/Administrator, zigg.com
Chief Engineer, Nameless IRC Network


From owner-freebsd-security Thu Nov 18 10:34:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 31054154B2 for ; Thu, 18 Nov 1999 10:34:04 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id KAA86668; Thu, 18 Nov 1999 10:33:55 -0800 (PST) (envelope-from dillon)
Date: Thu, 18 Nov 1999 10:33:55 -0800 (PST)
From: Matthew Dillon
Message-Id: <199911181833.KAA86668@apollo.backplane.com>
To: Matt Behrens
Cc: David G Andersen , freebsd-security@FreeBSD.ORG, bsd@a.servers.aozilla.com, matt
Subject: Re: [Systalk] localhost.org (fwd)
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:: the IP alias resolve to domain.com both forward and reverse while the
:: primary IP for the host resolves properly to host.domain.com both
:: forward and reverse.
:
:Strictly speaking, this isn't a practical problem.  Situations
:where reverse and forward lookups must match (i.e. when using TCP
:wrappers) operate by (a) having an IPv4 address (b) reverse-lookupping
:it (c) forward-lookupping the result of the reverse lookup.  If
:you assign multiple A records to a single domain name, you are
:breaking spec, but it doesn't cause any practical problems
:(presently...)
:
:Matt Behrens
:Owner/Administrator, zigg.com

    I'm talking about CNAME records, not IN A records.

    BTW, assigning multiple A records to a single domain does not break spec
    at all.  IN A round robins entail other issues but none are related
    to the problem of 'domain.com' vs 'host.domain.com'.

					-Matt
					Matthew Dillon


From owner-freebsd-security Thu Nov 18 10:48:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id 3B52B154BF for ; Thu, 18 Nov 1999 10:47:53 -0800 (PST) (envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([193.195.56.225]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id SAA18290; Thu, 18 Nov 1999 18:45:38 GMT
Message-ID: <38344951.2E63C525@algroup.co.uk>
Date: Thu, 18 Nov 1999 18:45:37 +0000
From: Adam Laurie
Organization: A.L. Group plc
X-Mailer: Mozilla 4.07 [en] (Win95; I)
MIME-Version: 1.0
To: "Mr. K."
Cc: Dag-Erling Smorgrav , David G Andersen , freebsd-security@FreeBSD.ORG
Subject: Re: localhost.org
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mr. K. wrote:
>
> > You should have an entry for localhost in the inbox.org zone file:
> >
> > localhost  IN  A  127.0.0.1
> >
> yep, I already had this but it was ignoring this.  in fact,
> localhost.inbox.org would give me 127.0.0.1, localhost. would give me
> 127.0.0.1, but localhost would give me a.b.c.d.  Turns out that one part
> domains automatically try the search first.
>
> > and you should consider setting your search path explicitly in
> > /etc/resolv.conf.
> This solved the problem.
>
> > Alternatively, put 'hosts' before 'bind' in /etc/host.conf and make
> > sure /etc/hosts contains an entry for localhost.  You can use
> > /etc/hosts to override other stuff, too; e.g. make ad.doubleclick.net
> > point to a dummy httpd that returns 404 no matter what URL you
> > request.
>
>
> This seems like a good idea in any case, as it will defeat a hacker who
> manages to compromise your nameserver.  At least for those listings
> included in /etc/hosts.

Unfortunately this is not all you need to do to protect yourself - the
default permissions table in MySQL will also include your fully qualified
domain name.  An attacker who controls their own reverse resolution can
set themselves up to reverse to your box name, and MySQL will let them in
(unless you are running it in 'secure' mode, in which case it checks that
forward and reverse actually match).  Since local connections actually
appear to come from 'localhost' and not your fully qualified domain, you
can safely delete the fully qualified entries from your MySQL user table.
You should also move the TCP port onto a firewalled port if you don't
need external access, and to a unix domain socket if you don't need TCP
access.

Finally, if they got in as a user with File_priv level access, they
probably own you by now.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers


From owner-freebsd-security Thu Nov 18 11: 4:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from megaweapon.zigg.com (megaweapon.zigg.com [206.114.60.8]) by hub.freebsd.org (Postfix) with ESMTP id D7C51154F2 for ; Thu, 18 Nov 1999 11:04:17 -0800 (PST) (envelope-from matt@zigg.com)
Received: from localhost (matt@localhost) by megaweapon.zigg.com (8.9.3/8.9.3) with ESMTP id OAA21333; Thu, 18 Nov 1999 14:05:07 -0500 (EST) (envelope-from matt@zigg.com)
Date: Thu, 18 Nov 1999 14:05:06 -0500 (EST)
From: Matt Behrens
To: Matthew Dillon
Cc: David G Andersen , freebsd-security@FreeBSD.ORG, bsd@a.servers.aozilla.com, matt
Subject: Re: [Systalk] localhost.org (fwd)
In-Reply-To: <199911181833.KAA86668@apollo.backplane.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Today, Matthew Dillon wrote:

:     I'm talking about CNAME records, not IN A records.
:
:     BTW, assigning multiple A records to a single domain does not break spec
:     at all.  in A round robins entail other issues but none are related
:     to the problem of 'domain.com' vs 'host.domain.com'.

Sorry, I must have misunderstood.  I caught the part about CNAMEs
but thought you were addressing A records in the second part.

In any event, I thought I'd read somewhere that multiple A records
with the same IP violated spec.  (It has been a few years since
I've read the RFCs; that was back when I was working on my now-defunct
Java resolver library.)  Perhaps that was _formerly_ the case?

Matt Behrens
Owner/Administrator, zigg.com
Chief Engineer, Nameless IRC Network


From owner-freebsd-security Thu Nov 18 11: 9: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id F397B1554A for ; Thu, 18 Nov 1999 11:08:52 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id OAA40393; Thu, 18 Nov 1999 14:08:44 -0500 (EST) (envelope-from wollman)
Date: Thu, 18 Nov 1999 14:08:44 -0500 (EST)
From: Garrett Wollman
Message-Id: <199911181908.OAA40393@khavrinen.lcs.mit.edu>
To: "Mr. K."
Cc: freebsd-security@FreeBSD.ORG
Subject: localhost.org
In-Reply-To:
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> # nslookup localhost
> Server:  inbox.org
> Address:  0.0.0.0

> Non-authoritative answer:
> Name:    localhost.org
> Address:  208.211.134.100

Your nameserver configuration is broken.  You should be thanking this
fellow for pointing it out to you.

# mv -f /etc/resolv.conf /etc/resolv.conf~
# (echo 'search inbox.org'; sed -e '/^domain/d' /etc/resolv.conf~) \
> >/etc/resolv.conf

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                     - Susan Aglukark and Chad Irschick


From owner-freebsd-security Thu Nov 18 11:27:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from megaweapon.zigg.com (megaweapon.zigg.com [206.114.60.8]) by hub.freebsd.org (Postfix) with ESMTP id 5E1EA14D10 for ; Thu, 18 Nov 1999 11:27:25 -0800 (PST) (envelope-from matt@zigg.com)
Received: from localhost (matt@localhost) by megaweapon.zigg.com (8.9.3/8.9.3) with ESMTP id OAA21384; Thu, 18 Nov 1999 14:28:14 -0500 (EST) (envelope-from matt@zigg.com)
Date: Thu, 18 Nov 1999 14:28:14 -0500 (EST)
From: Matt Behrens
To: Matthew Dillon
Cc: David G Andersen , freebsd-security@FreeBSD.ORG, bsd@a.servers.aozilla.com, matt
Subject: Re: [Systalk] localhost.org (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Today, Matt Behrens wrote:

: Today, Matthew Dillon wrote:
:
: :     I'm talking about CNAME records, not IN A records.
: :
: :     BTW, assigning multiple A records to a single domain does not break spec
: :     at all.  in A round robins entail other issues but none are related
: :     to the problem of 'domain.com' vs 'host.domain.com'.
:
: Sorry, I must have misunderstood.  I caught the part about CNAMEs
: but thought you were addressing A records in the second part.
:
: In any event, I thought I'd read somewhere that multiple A records
: with the same IP violated spec.  (It has been a few years since
: I've read the RFCs; that was back when I was working on my now-defunct
: Java resolver library.)  Perhaps that was _formerly_ the case?

And now upon closer inspection I discover that my original message
was way off.  Sorry about that.  I meant to say that I thought it
violated spec to have more than one domain name share the same _IP_
with A records, however in practical use it was not a problem.  This
solves the problem of having to multi-home a host just to give it
two different domain names.
Matt Behrens
Owner/Administrator, zigg.com
Chief Engineer, Nameless IRC Network


From owner-freebsd-security Thu Nov 18 11:39:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kithrup.com (kithrup.com [205.179.156.40]) by hub.freebsd.org (Postfix) with ESMTP id D325915487 for ; Thu, 18 Nov 1999 11:39:36 -0800 (PST) (envelope-from sef@kithrup.com)
Received: (from sef@localhost) by kithrup.com (8.8.8/8.8.8) id LAA22796; Thu, 18 Nov 1999 11:39:34 -0800 (PST) (envelope-from sef)
Date: Thu, 18 Nov 1999 11:39:34 -0800 (PST)
From: Sean Eric Fagan
Message-Id: <199911181939.LAA22796@kithrup.com>
To: security@freebsd.org
Reply-To: security@freebsd.org
Subject: Re: [Systalk] localhost.org (fwd)
In-Reply-To: <199911181629.IAA85609.kithrup.freebsd.security@apollo.backplane.com>
References:
Organization: Kithrup Enterprises, Ltd.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In article <199911181629.IAA85609.kithrup.freebsd.security@apollo.backplane.com> you write:
>    No, you are absolutely right.  I was about to comment on that
>    myself.  My domain is 'backplane.com' but the hostname I use for
>    my main machine is 'apollo.backplane.com', not 'backplane.com'.
>    I then simply route backplane.com's MX records and, of course,
>    www.backplane.com, to apollo.

I think it may be necessary to document this better... it's something I've
been doing for years, and never gave a thought to it.  I "just knew" that the
domain name shouldn't be used as an actual hostname.


From owner-freebsd-security Thu Nov 18 12: 4:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 7B7C815490 for ; Thu, 18 Nov 1999 12:04:28 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id MAA25442; Thu, 18 Nov 1999 12:02:59 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199911182002.MAA25442@gndrsh.dnsmgr.net>
Subject: Re: [Systalk] localhost.org (fwd)
In-Reply-To: from Matt Behrens at "Nov 18, 1999 01:31:23 pm"
To: matt@zigg.com (Matt Behrens)
Date: Thu, 18 Nov 1999 12:02:58 -0800 (PST)
Cc: dillon@apollo.backplane.com (Matthew Dillon), danderse@cs.utah.edu (David G Andersen), freebsd-security@FreeBSD.ORG, bsd@a.servers.aozilla.com, matt@BabCom.ORG (matt)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Today, Matthew Dillon wrote:
>
> : You can't map domain.com's IP address to the host's real IP address
> : and have the reverse be domain.com ... for the host's real IP address
> : the reverse must match the hostname, host.domain.com.  But you *can*
> : assign two IP addresses to the host (i.e. use an IP alias), making
> : the IP alias resolve to domain.com both forward and reverse while the
> : primary IP for the host resolves properly to host.domain.com both
> : forward and reverse.
>
> Strictly speaking, this isn't a practical problem.  Situations
> where reverse and forward lookups must match (i.e. when using TCP
> wrappers) operate by (a) having an IPv4 address (b) reverse-lookupping
> it (c) forward-lookupping the result of the reverse lookup.
> If
> you assign multiple A records to a single domain name, you are
> breaking spec, but it doesn't cause any practical problems
> (presently...)
That is not correct, in fact assigning multiple A records to a given
domain is _IN_ spec:

gndrsh:root {1098}# host br1.dnsmgr.net
br1.dnsmgr.net has address 198.145.92.125
br1.dnsmgr.net has address 198.145.92.1
gndrsh:root {1099}# host br1.chatusa.com
br1.chatusa.com has address 206.163.33.174
br1.chatusa.com has address 209.222.137.174
br1.chatusa.com has address 209.222.137.177
br1.chatusa.com has address 209.222.137.14
br1.chatusa.com has address 206.251.69.1
br1.chatusa.com has address 206.251.92.2
br1.chatusa.com has address 206.163.33.14
gndrsh:root {1100}#

Yes, those are host based routers, yes they really have that many IP
interfaces in them, they are after all routers :-)

>
> Matt Behrens
> Owner/Administrator, zigg.com
> Chief Engineer, Nameless IRC Network
>

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net


From owner-freebsd-security Thu Nov 18 12:42:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 2394915459 for ; Thu, 18 Nov 1999 12:42:21 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id MAA25511 for security@FreeBSD.ORG; Thu, 18 Nov 1999 12:42:19 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199911182042.MAA25511@gndrsh.dnsmgr.net>
Subject: Re: [Systalk] localhost.org (fwd)
In-Reply-To: <199911181939.LAA22796@kithrup.com> from Sean Eric Fagan at "Nov 18, 1999 11:39:34 am"
To: security@FreeBSD.ORG
Date: Thu, 18 Nov 1999 12:42:19 -0800 (PST)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In article <199911181629.IAA85609.kithrup.freebsd.security@apollo.backplane.com> you write:
> >    No, you are absolutely right.  I was about to comment on that
> >    myself.  My domain is 'backplane.com' but the hostname I use for
> >    my main machine is 'apollo.backplane.com', not 'backplane.com'.
> >    I then simply route backplane.com's MX records and, of course,
> >    www.backplane.com, to apollo.
>
> I think it may be necessary to document this better... it's something I've
> been doing for years, and never gave a thought to it.  I "just knew" that the
> domain name shouldn't be used as an actual hostname.

It should be in a ``current best practices'' RFC some place, this and a
few other things like you shouldn't really ever assign an A record to a
2nd level domain, but rather use MX, etc.  I don't know how many A
records on 2nd levels I've had to cleanup for folks, but it seems there
are folks out there who think this is the right thing to be doing :-(.

And to go along with this thread it should be verboten to register the
domain names ``localhost'' or ``localnet'' as 2nd level domains.  In fact
the .com, .org, .net, .mil, .edu should already have an A record of
localhost and localnet in them, just like every other zone.  These are
after all reserved names with special meanings.  IMNSO there should even
be a set of TLD's, localhost. and localnet..

Another best practice often not done correctly is the reverse zone for
127.in-addr.arpa.
Yes, that's right, I said 127.in-addr.arpa, not 0.0.127.in-addr.arpa.
And that is where the error is made, even in the bind documentation and
in what FreeBSD distributes.  Here is a proper zone file:

;
; 127.in-addr.arpa
;
@       IN      SOA     gndrsh.dnsmgr.net. root.gndrsh.dnsmgr.net. (
                        1999031300      ; Serial
                        3600            ; Refresh
                        900             ; Retry
                        3600000         ; Expire
                        3600 )          ; Minimum
        IN      NS      gndrsh.dnsmgr.net.
0.0.0   IN      PTR     localnet.dnsmgr.net.
        IN      A       255.0.0.0
1.0.0   IN      PTR     localhost.dnsmgr.net.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net


From owner-freebsd-security Thu Nov 18 12:52:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id D456B14EBF; Thu, 18 Nov 1999 12:52:46 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40354>; Fri, 19 Nov 1999 07:46:04 +1100
Content-return: prohibited
Date: Fri, 19 Nov 1999 07:52:11 +1100
From: Peter Jeremy
Subject: Re: secure filesystem wiping
In-reply-to: <3833923C.10A7208F@netquick.net>
To: TrouBle
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Reply-To: peter.jeremy@alcatel.com.au
Message-Id: <99Nov19.074604est.40354@border.alcanet.com.au>
MIME-version: 1.0
X-Mailer: Mutt 1.0pre3i
Content-type: text/plain; charset=us-ascii
References: <3833923C.10A7208F@netquick.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 1999-Nov-18 16:44:28 +1100, TrouBle wrote:
>obliterate only wipes the one file you specify.. i want to wipe all the
>free space on the disk, without damaging good intact files on it,

This isn't technically possible.  You can't securely wipe data from a
disk using the disk's own R/W head/electronics (which is the only way
to preserve intact files).

I'd suggest the following:
1) Copy wanted files to another disk.
2) Wipe unwanted files off original disk using one of the following:
   a) Raise temperature of entire disk drive to >>1000 degrees, stir
      well and (optionally) add plenty of oxygen.  Cool and pulverise.
   b) Open drive housing and gently manicure each platter with an
      angle grinder.

>                                                                  linux
>has a program called wipe that does this,

Not securely.

>> The thread was "Secure deletion". There is a handy prog in Message-ID
>> <378A58EA.ACF1412F@softweyr.com>

You can specify a disk partition instead of a file if you want.
Peter


From owner-freebsd-security Thu Nov 18 13: 4:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from serenity.mcc.ac.uk (serenity.mcc.ac.uk [130.88.200.93]) by hub.freebsd.org (Postfix) with ESMTP id F09EE14D0B; Thu, 18 Nov 1999 13:04:36 -0800 (PST) (envelope-from jcm@dogma.freebsd-uk.eu.org)
Received: from dogma.freebsd-uk.eu.org ([130.88.200.97]) by serenity.mcc.ac.uk with esmtp (Exim 1.92 #3) id 11oYjK-000HkP-00; Thu, 18 Nov 1999 21:04:34 +0000
Received: from localhost (jcm@localhost) by dogma.freebsd-uk.eu.org (8.9.3/8.9.3) with SMTP id VAA07140; Thu, 18 Nov 1999 21:04:33 GMT (envelope-from jcm@dogma.freebsd-uk.eu.org)
Date: Thu, 18 Nov 1999 21:04:33 +0000 (GMT)
From: Jonathon McKitrick
To: peter.jeremy@alcatel.com.au
Cc: TrouBle , security@freebsd.org, questions@freebsd.org
Subject: Re: secure filesystem wiping
In-Reply-To: <99Nov19.074604est.40354@border.alcanet.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 19 Nov 1999, Peter Jeremy wrote:

>This isn't technically possible.  You can't securely wipe data from a
>disk using the disks own R/W head/electronics (which is the only way
>to preserve intact files).

Why isn't it possible to read unallocated sectors and write back sectors
full of garbage, or 0xFF?

-jm


From owner-freebsd-security Thu Nov 18 13:12:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 1609B154B6; Thu, 18 Nov 1999 13:12:14 -0800 (PST) (envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Thu, 18 Nov 1999 14:12:13 -0700 (MST)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma019700; Thu, 18 Nov 99 14:11:43 -0700
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id OAA08961; Thu, 18 Nov 1999 14:09:28 -0700 (MST)
Date: Thu, 18 Nov 1999 14:09:28 -0700 (MST)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: TrouBle
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
In-Reply-To: <3833923C.10A7208F@netquick.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 18 Nov 1999, TrouBle wrote:

> obliterate only wipes the one file you specify.. i want to wipe all
> the free space on the disk, without damaging good intact files on it,
> linux has a program called wipe that does this, now ill ask again is
> there something similar for freebsd

Have you considered the problem from this angle?  Presumably you had
sensitive information in a file on the disk at some point.  Instead of
trying to "securely" remove all traces of files when they're gone, what
about using something like CFS (in /usr/ports/security/cfs) for all of
these sensitive files to start with?  That way, when the files are gone,
even if someone did manage to obtain some salvaged remnants they could
not be used to yield useful information.  That seems much more secure
than even the best "secure deletion" or "disk wiping" programs.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/


From owner-freebsd-security Thu Nov 18 13:13:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from funky.monkey.org (funky.monkey.org [63.77.239.12]) by hub.freebsd.org (Postfix) with ESMTP id 4697915480; Thu, 18 Nov 1999 13:13:05 -0800 (PST) (envelope-from dugsong@monkey.org)
Received: by funky.monkey.org (Postfix, from userid 1001) id 76A611518E; Thu, 18 Nov 1999 16:10:00 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by funky.monkey.org (Postfix) with ESMTP id 52E3614A01; Thu, 18 Nov 1999 16:10:00 -0500 (EST)
Date: Thu, 18 Nov 1999 16:09:59 -0500 (EST)
From: Dug Song
To: Jonathon McKitrick
Cc: security@freebsd.org, questions@freebsd.org
Subject: Re: secure filesystem wiping
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 18 Nov 1999, Jonathon McKitrick wrote:

> Why isn't it possible to read unallocated sectors and write back sectors
> full of garbage, or 0xFF?

this was the topic of a recent thread on comp.security.unix:

http://x44.deja.com/viewthread.xp?AN=542077498&search=thread&svcclass=dncurrent&ST=PS&CONTEXT=942959294.75104298&HIT_CONTEXT=942959294.75104298&HIT_NUM=0&recnum=%3caziS3.1656$4G.29

peter gutmann's excellent paper from the 6th USENIX security symposium is
probably the definitive answer:

http://www.fish.com/security/secure_del.html

-d.

---
http://www.monkey.org/~dugsong/


From owner-freebsd-security Thu Nov 18 13:54:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ind.alcatel.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id DE01D15183; Thu, 18 Nov 1999 13:54:41 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com (mailhub [198.206.181.70]) by ind.alcatel.com (8.9.3+Sun/8.9.1 (ind.alcatel.com 3.0 [OUT])) with SMTP id NAA21085; Thu, 18 Nov 1999 13:53:18 -0800 (PST)
X-Origination-Site:
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id NAA03409; Thu, 18 Nov 1999 13:53:17 -0800
Received: from softweyr.com (dyn0.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA22432; Thu, 18 Nov 99 13:53:09 PST
Message-Id: <38347544.3D50A536@softweyr.com>
Date: Thu, 18 Nov 1999 14:53:08 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: Barrett Richardson
Cc: David G Andersen , trouble@netquick.net, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Barrett Richardson wrote:
>
> On Wed, 17 Nov 1999, David G Andersen wrote:
>
> > This thread was discussed in *agonizing* length about 6 months or a year
> > ago.  You might want to check the archive, at:
> >
> >    http://www.freebsd.org/search/
> >
> > Lots of good solutions and advice, and lots of bad, were discussed.  But
> > it's all there for you to peruse...
> >
>
> The thread was "Secure deletion". There is a handy prog in Message-ID
> <378A58EA.ACF1412F@softweyr.com>

Or ftp://ftp.xmission.com/pub/users/s/softweyr/pub/obliterate-0.3.tgz
if you prefer.  I swear I'm going to wrap a port-kit around this and
commit it one of these days.  Honest!  Actually, this afternoon is
looking good for that.

Comments, jeers, applause, and especially money to wes@softweyr.com.  ;^)

--
            "Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
wes@softweyr.com                                     http://softweyr.com/


From owner-freebsd-security Thu Nov 18 13:58:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ind.alcatel.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 9645A154AD; Thu, 18 Nov 1999 13:58:21 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com (mailhub [198.206.181.70]) by ind.alcatel.com (8.9.3+Sun/8.9.1 (ind.alcatel.com 3.0 [OUT])) with SMTP id NAA21159; Thu, 18 Nov 1999 13:57:18 -0800 (PST)
X-Origination-Site:
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id NAA03618; Thu, 18 Nov 1999 13:57:17 -0800
Received: from softweyr.com (dyn0.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA22659; Thu, 18 Nov 99 13:57:14 PST
Message-Id: <38347633.22E76DE0@softweyr.com>
Date: Thu, 18 Nov 1999 14:57:07 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: Barrett Richardson
Cc: Kris Kennaway , TrouBle , David G Andersen , freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Barrett Richardson wrote:
>
> On Wed, 17 Nov 1999, Kris Kennaway wrote:
>
> > On Thu, 18 Nov 1999, TrouBle wrote:
> >
> > > obliterate only wipes the one file you specify.. i want to wipe all the
> > > free space on the disk, without damaging good intact files on it, linux
> > > has a program called wipe that does this, now ill ask again is there
> > > something similar for freebsd
> >
> > dd if=/dev/zero of=/usr/bigfile || rm -f /usr/bigfile
> >
> > Replace /dev/zero with /dev/urandom according to taste.
> >
> > Kris
> >
>
> Excellent idea, and simple. The problem with modern encoding formats
> is that the previous layer is still somewhat recoverable, and sometimes
> layers before that. The obliterate program overwrites with carefully
> chosen patterns intended to obscure the residual stray magnetic fields
> left by previously written data.
>
> A file that big will be a problem for obliterate though, it'll have to
> be done in strips.

I've tested obliterate on some rather large files (250 MB) and it exhausts
the system entropy pool very quickly, even on a system with a busy network.

Does anyone make a hardware entropy device?  ;^)

--
            "Where am I, and what am I doing in this handbasket?"
Wes Peters, Softweyr LLC
wes@softweyr.com, http://softweyr.com/

From owner-freebsd-security Thu Nov 18 14:01:50 1999
Message-Id: <383476FB.CAAB1A0E@softweyr.com>
Date: Thu, 18 Nov 1999 15:00:27 -0700
From: Wes Peters
Organization: Softweyr LLC
To: trouble@netquick.net
Cc: Barrett Richardson, David G Andersen, freebsd-security@FreeBSD.ORG, Greg Lehey
Subject: Re: secure filesystem wiping
References: <3833923C.10A7208F@netquick.net>

TrouBle wrote:
>
> i appreciate all the help, but this is not what im looking for... i want
> to WIPE freespace on the disk
>
> obliterate only wipes the one file you specify.. i want to wipe all the
> free space on the disk, without damaging good intact files on it, linux
> has a program called wipe that does this, now ill ask again is there
> something similar for freebsd

You've got me thinking about this now; it would be a neat tool to run over
your disks daily or weekly. It would be pretty straightforward to run over a
slice one block at a time, checking to see if it is allocated and
obliterating the blocks that are not. Problem is, I don't know how you could
do this on a mounted filesystem; is it possible to lock the file allocation
long enough to zap the block?

Pointers to helpful filesystem hackery and/or knowledgeable hackers
appreciated.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters, Softweyr LLC
wes@softweyr.com, http://softweyr.com/

From owner-freebsd-security Thu Nov 18 14:06:03 1999
Message-ID: <3834785B.D1A99603@netquick.net>
Date: Thu, 18 Nov 1999 17:06:19 -0500
From: TrouBle
Reply-To: trouble@netquick.net
Organization: Hacked Furbies
To: Wes Peters
Cc: Barrett Richardson, David G Andersen, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
References: <38347544.3D50A536@softweyr.com>

will you all take a look at this, this is what i am looking for!!

Wipe is a tool that effectively degausses the surface of a hard disk, making
it virtually impossible to retrieve the data that was stored on it. This is
the ultimate in making sure secure data that is erased from a hard drive is
unrecoverable.

wipe by Tom Vier

Wipe is a secure file wiping utility. However, it does not set the media
access bit on scsi commands, therefore it is not 100% secure, unless your
drive has no write cache. For maximum security, disable drive write cache on
scsi mode page 8. If possible, disable operating system file cache and
driver-level buffers. Wipe tries to sync the data to disk via a call to
fdatasync(), fsync(), or using O_SYNC. Under linux, the mount option "mand"
must be used (see /usr/src/linux/Documentation/mandatory.txt) for mandatory
file locks to be enabled.

Wipe should make it extremely difficult for all but the most determined
person(s) to recover the original plaintext data. Utilities such as PGP and
the GNU Privacy Guard provide strong encryption, but encryption is useless if
the original plaintext can be recovered.

Wipe uses /dev/urandom, or if unavailable, /dev/random, as a source for
entropy. The tiger hash is used for speed. More information on the tiger hash
algorithm is at:

http://www.cs.technion.ac.il/~biham/Reports/Tiger/

>
> Or ftp://ftp.xmission.com/pub/users/s/softweyr/pub/obliterate-0.3.tgz
> if you prefer.
> I swear I'm going to wrap a port-kit around this and
> commit it one of these days. Honest!
>
> Actually, this afternoon is looking good for that.
>
> Comments, jeers, applause, and especially money to wes@softweyr.com. ;^)

Windows 95 (win-DOH-z), n. A thirty-two bit extension and graphical shell to
a sixteen bit patch to an eight bit operating system originally coded for a
four bit microprocessor which was used in a PC built by a formerly two bit
company that couldn't stand one bit of competition.

From owner-freebsd-security Thu Nov 18 14:12:33 1999
To: freebsd@gndrsh.dnsmgr.net
Cc: security@FreeBSD.ORG
Subject: Re: [Systalk] localhost.org (fwd)
From: sthaug@nethelp.no
In-Reply-To: Your message of "Thu, 18 Nov 1999 12:42:19 -0800 (PST)"
References: <199911182042.MAA25511@gndrsh.dnsmgr.net>
Date: Thu, 18 Nov 1999 23:12:28 +0100
Message-ID: <44745.942963148@verdi.nethelp.no>

> Another best practice often not done correctly is the reverse zone for
> 127.in-addr.arpa. Yes, that's right, I said 127.in-addr.arpa, not
> 0.0.127.in-addr.arpa. And that is where the error is made, even in the
> bind documentation and in what FreeBSD distributes. Here is a proper
> zone file:

I see no reason why this is any more correct than the "traditional"

    $origin 0.0.127.in-addr.arpa.
    1       PTR     localhost.

Maybe you'd like to convince us?

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Thu Nov 18 14:44:01 1999
Date: Thu, 18 Nov 1999 15:41:15 -0700 (MST)
From: Paul Hart
To: TrouBle
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
In-Reply-To: <3834785B.D1A99603@netquick.net>

On Thu, 18 Nov 1999, TrouBle wrote:

> i appreciate all the help, but this is not what im looking for... i want
> to WIPE freespace on the disk
>
> obliterate only wipes the one file you specify.. i want to wipe all the
> free space on the disk, without damaging good intact files on it, linux
> has a program called wipe that does this, now ill ask again is there
> something similar for freebsd

and later on Thu, 18 Nov 1999, TrouBle wrote:

> will you all take a look at this, this is what i am looking for!!
>
> Wipe is a secure file wiping utility.
>
> Wipe uses /dev/urandom, or if unavailable, /dev/random, as a source
> for entropy.

So which is it? In one message, you're asking for a program that wipes all
the free space on a drive and claim that wipe does this on Linux and that
obliterate on FreeBSD just wipes files. Then, in the next message, you claim
that wipe on Linux is a "secure file wiping utility" and that somehow the
FreeBSD suggestions you've been given are inadequate. Huh?

We've seen means posted of overwriting a single file or remaining disk space
(by filling all free space with a dummy file containing garbage) with both
/dev/zero and /dev/urandom, so doesn't that answer your question?

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Thu Nov 18 15:01:30 1999
From: "Rodney W. Grimes"
Message-Id: <199911182300.PAA26480@gndrsh.dnsmgr.net>
Subject: Re: [Systalk] localhost.org (fwd)
In-Reply-To: <44745.942963148@verdi.nethelp.no> from "sthaug@nethelp.no" at "Nov 18, 1999 11:12:28 pm"
To: sthaug@nethelp.no
Date: Thu, 18 Nov 1999 15:00:57 -0800 (PST)
Cc: security@FreeBSD.ORG

> > Another best practice often not done correctly is the reverse zone for
> > 127.in-addr.arpa. Yes, that's right, I said 127.in-addr.arpa, not
> > 0.0.127.in-addr.arpa. And that is where the error is made, even in the
> > bind documentation and in what FreeBSD distributes. Here is a proper
> > zone file:
>
> I see no reason why this is any more correct than the "traditional"
>
>     $origin 0.0.127.in-addr.arpa.
>     1       PTR     localhost.
>
> Maybe you'd like to convince us?

There is nothing wrong with that, but have you looked at:

    br1.CN85rd.molalla.net:root{120}# pwd
    /usr/src/etc/namedb

named.conf:

    zone "0.0.127.IN-ADDR.ARPA" {
            type master;
            file "localhost.rev";
    };

and PROTO.localhost.rev:

    @       IN      SOA     @host@. root.@host@. (
                                    @date@          ; Serial
                                    3600            ; Refresh
                                    900             ; Retry
                                    3600000         ; Expire
                                    3600 )          ; Minimum
            IN      NS      @host@.
    1       IN      PTR     localhost.@domain@.

    br1.CN85rd.molalla.net:root{125}#

Now do you see what is wrong????
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Nov 18 16:02:36 1999
From: "Cliff Rowley"
To: "Jordan K. Hubbard", "Mr. K."
Subject: RE: localhost.org
Date: Thu, 18 Nov 1999 18:27:55 -0000
Message-ID: <000001bf31f2$a19b0100$0200000a@onsea.com>
In-reply-to: <19271.942948411@localhost>

> Your DNS is screwed. Localhost should always resolve to 127.0.0.1
> "locally" and never fall through to localhost.org. To wit:

was that to wit or twit? *g* sorry :)

From owner-freebsd-security Thu Nov 18 18:02:15 1999
Date: Thu, 18 Nov 1999 18:02:11 -0800 (PST)
From: Kris Kennaway
To: TrouBle
Cc: Wes Peters, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
In-Reply-To: <3834785B.D1A99603@netquick.net>

On Thu, 18 Nov 1999, TrouBle wrote:

> Wipe is a tool that effectively degausses the surface of a hard
> disk, making it virtually impossible to retrieve the data that was
> stored on it. This is the ultimate in making sure secure data that is
> erased from a hard drive is unrecoverable.

Impressive words! Now go read the references people have given you in this
topic which explain why THIS CLAIM IS EFFECTIVELY BULLSHIT!

No, really, go and read them. Read. With your eyes.

I don't understand why you think that the person who wrote the Linux tool is
privy to some kind of enlightened knowledge which us poor FreeBSD'ers (and
the security researchers who authored the aforementioned papers on secure
deletion) aren't. If Wes Peters wrote some impressive drivel to attach to his
'obliterate' program about how kick-arse it is, would it make you happier?

For your future reference, one of the most important axioms in using security
software is:

AXIOM 1) take all claims made by the vendor about the abilities of their
software with a very large handful of NaCl.

Exercise for the novice reader: apply Axiom 1 to the Linux 'wipe' program.

Exercise 2: apply axiom 1 to the secure deletion utility "FileSpanker" which
can be found at http://www.freebsd.org/~kris/filespanker.sh

-Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two
evils..
From owner-freebsd-security Thu Nov 18 18:32:54 1999
Date: Thu, 18 Nov 1999 18:32:51 -0800 (PST)
From: Peter Losher
To: freebsd-security@freebsd.org
Subject: OpenSSH & Kerberos 5?

Hello,

Has anyone gotten OpenSSH (v1.2) to work with KRB5? I have defined Kerberos
by typing 'make KERBEROS=YES' and it defaults to KerberosIV as such in
/usr/ports/security/openssh/:

-=-
cc -O -pipe -I/usr/ports/security/openssh/work/ssh/lib/.. -I/usr/local/include -DKRB4 -I/usr/include/kerberosIV -I/usr/ports/security/openssh/work/ssh/lib/.. -I/usr/local/include -I/usr/local/usr/include -c /usr/ports/security/openssh/work/ssh/lib/../authfd.c -o authfd.o
In file included from /usr/ports/security/openssh/work/ssh/lib/../authfd.c:19:
/usr/ports/security/openssh/work/ssh/lib/../ssh.h:549: krb.h: No such file or directory
In file included from /usr/ports/security/openssh/work/ssh/lib/../authfd.c:19:
/usr/ports/security/openssh/work/ssh/lib/../ssh.h:554: parse error before `KTEXT'
*** Error code 1
-=-

(BTW = I have KRB5_HOME defined in /etc/make.conf)

If there is an OpenSSH mailing list that this would be better served in, let
me know (I couldn't find one on the OpenSSH web site).

Thanks!

- Peter
___________________________________________________________________________
Peter Losher         | System Administrator | Internet Engines, Inc.
plosher@iengines.com |                      | www.iengines.com

From owner-freebsd-security Thu Nov 18 18:54:33 1999
Date: Thu, 18 Nov 1999 18:54:32 -0800 (PST)
From: Kris Kennaway
To: Zahemszky Gabor
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw and ifconfig
In-Reply-To: <199911181112.MAA00778@CoDe.hu>

On Thu, 18 Nov 1999, Zahemszky Gabor wrote:

> Hi!
>
> Somebody asked, and I cannot answer:
>
> Why, in FreeBSD, is ifconfig _before_ ipfw?

If you have the "default to deny" ipfw kernel config option in place, as you
certainly will if you care about security, then it doesn't matter..

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two
evils..

From owner-freebsd-security Thu Nov 18 20:37:50 1999
Date: Thu, 18 Nov 1999 23:37:34 -0500 (EST)
From: Barrett Richardson
To: Wes Peters
Cc: Kris Kennaway, TrouBle, David G Andersen, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
In-Reply-To: <38347633.22E76DE0@softweyr.com>

Wes Peters wrote:
>
> I've tested obliterate on some rather large files (250 MB) and it exhausts
> the system entropy pool very quickly, even on a system with a busy network.
> Does anyone make a hardware entropy device? ;^)
>

How about pseudo-random data? Aren't the passes with random data just a
little extra icing?

Also, will my system choke if I mmap a 250 MB file on a system with 32 MB of
ram? That was why I was thinking of obliterating files in strips.

- Barrett

From owner-freebsd-security Thu Nov 18 20:47:02 1999
From: David G Andersen
Message-Id: <199911190446.VAA22206@faith.cs.utah.edu>
Subject: Re: secure filesystem wiping
To: barrett@phoenix.aye.net (Barrett Richardson)
Date: Thu, 18 Nov 1999 21:46:55 -0700 (MST)
Cc: wes@softweyr.com, kris@hub.freebsd.org, trouble@netquick.net, danderse@cs.utah.edu, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Barrett Richardson" at Nov 18, 99 11:37:34 pm

Lo and behold, Barrett Richardson once said:
>
> Also, will my system choke if I mmap a 250 MB file on a system
> with 32 MB of ram? That was why I was thinking of obliterating
> files in strips.

Not if you do it right. Do it in blocks, and use madvise (try MADV_SEQUENTIAL
on the whole region, or simply MADV_DONTNEED each block after you're done).
I'd wager that MADV_SEQUENTIAL will give you exactly the behavior you're
looking for if you do something like:

Blocks in terms of pagesize would be particularly appropriate, yes. :)

    blocks = filesize / PAGE_SIZE;
    for (block = 0; block < blocks; block++) {
        for (i = 0; i < PAGE_SIZE; i++) {
            /* scribble, scrabble, Z = 10 points: overwrite this byte of the
             * mmap()ed region (map is the pointer mmap() returned) */
            map[block * PAGE_SIZE + i] = random();
        }
    }

Note that the pseudocode doesn't overwrite multiple times, and that's on
purpose. If you're going through the mmap interface and not the raw device, I
don't think you're really going to have enough control over things to do
multiple pass overwrites. But this should work just fine for nuking those
unsightly blemishes left over on your filesystem.
-Dave

--
work: dga@lcs.mit.edu                          me: dga@pobox.com
      MIT Laboratory for Computer Science      http://www.angio.net/

From owner-freebsd-security Thu Nov 18 20:54:48 1999
Date: Thu, 18 Nov 1999 20:54:43 -0800 (PST)
From: Matthew Dillon
Message-Id: <199911190454.UAA90603@apollo.backplane.com>
To: David G Andersen
Cc: barrett@phoenix.aye.net (Barrett Richardson), wes@softweyr.com, kris@hub.freebsd.org, trouble@netquick.net, danderse@cs.utah.edu, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
References: <199911190446.VAA22206@faith.cs.utah.edu>

:Not if you do it right. Do it in blocks, and use madvise
:(try MADV_SEQUENTIAL on the whole region, or simply MADV_DONTNEED each
:block after you're done). I'd wager that MADV_SEQUENTIAL will give you
:exactly the behavior you're looking for if you do something like:
:
:Blocks in terms of pagesize would be particularly appropriate, yes. :)
:...
: -Dave
:
:--

    MADV_SEQUENTIAL will definitely work. In fact, if you scan the file
    sequentially you do not even need to call madvise(), it will figure it
    out and do the right thing.

    But there is no guarantee that the system will flush the pages to disk
    prior to removal of the file, and removing the file may cancel the
    pending I/O. Maybe if you msync() the area and then fsync() the file
    prior to closing it.

    I would simply use a write() loop, then fsync() and close() the file
    when done. For this type of scribbling write() will be much faster than
    mmap(). Don't bother with mmap() at all.

    Both the VFS interface (read and write) and the mmap interface will
    properly handle write-behind and reuse pages without loading the system
    too badly. Current does a somewhat better job at it due to tuning work
    and a change in the way the file position is cached in regards to
    determining the file mode.
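David Andersen's block-at-a-time sketch and Matthew Dillon's advice above (a write() loop, then fsync() and close(), no mmap()) carried out as an added example in C; this is not code from this thread or from obliterate. It assumes a POSIX system: random(3) is seeded from /dev/urandom because srandomdev(3) is BSD-only, the file is overwritten in page-sized blocks with one fsync() per pass and unlinked only afterwards, and the helper names and sample file path are this example's own.

```c
/* Added example, not from this thread: write()-loop overwrite in page-sized
 * blocks, fsync() per pass, then close() and unlink(). Names are my own. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define BLOCKSZ 4096                /* one reusable I/O buffer, no mmap() */
static unsigned char iobuf[BLOCKSZ];
static char statebuf[256];          /* random(3) state, as in the thread */

/* Seed random(3) from /dev/urandom (srandomdev(3) is BSD-only); pid fallback. */
static void seed_prng(void)
{
    unsigned int seed = (unsigned int)getpid(), r;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd >= 0 && read(fd, &r, sizeof r) == (ssize_t)sizeof r)
        seed ^= r;
    if (fd >= 0)
        close(fd);
    initstate(seed, statebuf, sizeof statebuf);
}

/* write(2) may return short counts; keep going until all n bytes are out. */
static int write_all(int fd, const unsigned char *buf, size_t n)
{
    for (ssize_t w; n > 0; buf += w, n -= (size_t)w)
        if ((w = write(fd, buf, n)) < 0)
            return -1;
    return 0;
}

/* Overwrite every byte of a regular file `passes` times, syncing each pass.
 * Opened without O_TRUNC on purpose: truncating would free the blocks before
 * they were scribbled over. Returns 0 on success, -1 on error. */
int overwrite_file(const char *path, int passes)
{
    struct stat st;
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))
        goto fail;
    seed_prng();
    for (int p = 0; p < passes; p++) {
        off_t left = st.st_size;
        if (lseek(fd, 0, SEEK_SET) < 0)
            goto fail;
        while (left > 0) {
            size_t n = left < (off_t)BLOCKSZ ? (size_t)left : BLOCKSZ;
            for (size_t i = 0; i < n; i++)  /* random() is 31 bits; keep 8 */
                iobuf[i] = (unsigned char)(random() & 0xff);
            if (write_all(fd, iobuf, n) < 0)
                goto fail;
            left -= (off_t)n;
        }
        if (fsync(fd) < 0)  /* this pass reaches the disk before the next */
            goto fail;
    }
    return close(fd);
fail:
    close(fd);
    return -1;
}

/* Overwrite first, unlink after the fsync so the removal cancels no I/O. */
int wipe_and_unlink(const char *path, int passes)
{
    return overwrite_file(path, passes) < 0 ? -1 : unlink(path);
}

/* Helpers for a constructed sample file: create it and inspect the result. */
int create_pattern_file(const char *path, long size, unsigned char fill)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600), rc = 0;
    if (fd < 0)
        return -1;
    memset(iobuf, fill, sizeof iobuf);
    for (; size > 0 && rc == 0; size -= BLOCKSZ)
        rc = write_all(fd, iobuf, size < BLOCKSZ ? (size_t)size : BLOCKSZ);
    return close(fd) == 0 ? rc : -1;
}

/* Bytes of the file equal to b, or the file size when b is -1; -1 if the
 * file is missing. Expect about size/256 matches after a wipe. */
long count_byte(const char *path, int b)
{
    ssize_t r; long count = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    while ((r = read(fd, iobuf, sizeof iobuf)) > 0)
        for (ssize_t i = 0; i < r; i++)
            count += (b < 0 || iobuf[i] == b);
    close(fd);
    return r < 0 ? -1 : count;
}
```

As Peter Jeremy and Wes Peters point out later in the thread, overwriting through the filesystem says nothing about residual magnetic data and touches none of the already-freed blocks; it is a best-effort measure on a live system, not erasure.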
                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Thu Nov 18 20:55:13 1999
Date: Thu, 18 Nov 1999 23:54:58 -0500 (EST)
From: Garrett Wollman
Message-Id: <199911190454.XAA42975@khavrinen.lcs.mit.edu>
To: Barrett Richardson
Cc: Wes Peters, Kris Kennaway, TrouBle, David G Andersen, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
References: <38347633.22E76DE0@softweyr.com>

< said:

> How about pseudo-random data? Aren't the passes with random data just
> a little extra icing?

The random(3) PRNG has a period of 2^69 (in its most secure mode), so I'd
suggest that it probably is good enough. Just initialize thusly:

    static char statebuf[256];

    initstate(1, statebuf, sizeof statebuf);
    srandomdev();

> Also, will my system choke if I mmap a 250 MB file on a system
> with 32 MB of ram?

Not at all. Demand paging works just the same for files as it does for swap.
If you look at the output of `systat -v', you'll probably see that you
already have many times the size of main memory mapped -- on my 64-MB desktop
machine, I have almost 3 GB of extant memory mappings.

It is possible, though, that madvise(..., MADV_SEQUENTIAL) might give better
behavior.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                 - Susan Aglukark and Chad Irschick

From owner-freebsd-security Thu Nov 18 21:05:11 1999
Date: Fri, 19 Nov 1999 16:04:55 +1100
From: Peter Jeremy
Subject: Re: secure filesystem wiping
To: Barrett Richardson
Cc: freebsd-security@FreeBSD.ORG
Reply-To: peter.jeremy@alcatel.com.au
Message-Id: <99Nov19.155828est.40400@border.alcanet.com.au>
References: <38347633.22E76DE0@softweyr.com>

On 1999-Nov-19 15:37:34 +1100, Barrett Richardson wrote:
>How about pseudo-random data? Aren't the passes with random data just
>a little extra icing?

As I understand the recovery techniques, it's irrelevant because the
difference between the current data and the previous generation is quite
clear (otherwise the normal read wouldn't work). This means you can
immediately extract the pattern used to perform the over-write (whatever it
is) and subtract an idealised version of it to leave you with the underlying
data.

>Also, will my system choke if I mmap a 250 MB file on a system
>with 32 MB of ram?

Nope.

Peter

From owner-freebsd-security Thu Nov 18 21:14:03 1999
From: David G Andersen
Message-Id: <199911190513.WAA26469@faith.cs.utah.edu>
Subject: Re: secure filesystem wiping
To: dillon@apollo.backplane.com (Matthew Dillon)
Date: Thu, 18 Nov 1999 22:13:43 -0700 (MST)
Cc: danderse@cs.utah.edu, barrett@phoenix.aye.net, wes@softweyr.com, kris@hub.freebsd.org, trouble@netquick.net, freebsd-security@FreeBSD.ORG
In-Reply-To: <199911190454.UAA90603@apollo.backplane.com> from "Matthew Dillon" at Nov 18, 99 08:54:43 pm

So, one side point to Wes:

Under 3.3-STABLE (Early October), obliterate on a 141 MB file on my machine
with 148M ram managed to deadlock my system. I recall something about a
problem like this with /dev/random, so I'm sure it's cleaned up in -current.

Lo and behold, Matthew Dillon once said:
>
>
> Both the VFS interface (read and write) and the mmap interface will
> properly handle write-behind and reuse pages without loading the system
> too badly. Current does a somewhat better job at it due to tuning work
> and a change in the way the file position is cached in regards to
> determining the file mode.

Cool. MADV_SEQUENTIAL resulted in some huge "playing well with others"
benefits under an earlier 3.0, but I'll confess that I haven't revisited the
project of mine that was using it since.
-Dave

From owner-freebsd-security Thu Nov 18 21:29:28 1999
Message-Id: <3834DF23.3416C163@softweyr.com>
Date: Thu, 18 Nov 1999 22:24:51 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Jonathon McKitrick
Cc: peter.jeremy@alcatel.com.au, TrouBle, security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: secure filesystem wiping

Jonathon McKitrick wrote:
>
> On Fri, 19 Nov 1999, Peter Jeremy wrote:
>
> >This isn't technically possible. You can't securely wipe data from a
> >disk using the disk's own R/W head/electronics (which is the only way
> >to preserve intact files).
>
> Why isn't it possible to read unallocated sectors and write back sectors
> full of garbage, or 0xFF?

It is, but that won't erase the disk, at least not well enough that someone
who knows what they're doing can't get it back.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters, Softweyr LLC
wes@softweyr.com, http://softweyr.com/

From owner-freebsd-security Thu Nov 18 21:31:41 1999
Date: Fri, 19 Nov 1999 00:31:55 -0500 (EST)
From: Barrett Richardson
To: David G Andersen
Cc: Matthew Dillon, wes@softweyr.com, kris@hub.freebsd.org, trouble@netquick.net, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping

On Thu, 18 Nov 1999, David G Andersen wrote:

> So, one side point to Wes:
>
> Under 3.3-STABLE (Early October), obliterate on a 141 MB file on my
> machine with 148M ram managed to deadlock my system. I recall something
> about a problem like this with /dev/random, so I'm sure it's cleaned up in
> -current.
>

I just experienced something similar with 3.1. Obliterate and top don't
get along, it seems. Seemed to wedge, but I sat tight for a while and it
came back around after a bit. I have 2 CPUs; top had one nailed to the
wall, and obliterate had the other. Finally getting obliterate killed
brought my system back around, but top was still chunking away; screen
output was frozen. CPU for obliterate was frozen at 50 seconds in the top
screen, but it actually had several minutes. It's repeatable.
- Barrett

From owner-freebsd-security Thu Nov 18 21:32:15 1999
Date: Thu, 18 Nov 1999 22:27:48 -0700
From: Wes Peters
To: Dug Song
Cc: Jonathon McKitrick, security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: secure filesystem wiping

Dug Song wrote:
>
> On Thu, 18 Nov 1999, Jonathon McKitrick wrote:
>
> > Why isn't it possible to read unallocated sectors and write back sectors
> > full of garbage, or 0xFF?
>
> this was the topic of a recent thread on comp.security.unix:
>
> peter gutmann's excellent paper from the 6th USENIX security symposium is
> probably the definitive answer:
>
> http://www.fish.com/security/secure_del.html

That's the algorithm my "obliterate" program uses, modulo caching in the
disk controller, etc. The idea occurred to me this afternoon that it would
be relatively easy to wipe the unallocated sectors of a disk if it were
unmounted, right after a fsck or maybe as a final optional pass to fsck.
Such an operation would be excruciatingly slow on a disk of any size,
though.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                Softweyr LLC
wes@softweyr.com                       http://softweyr.com/

From owner-freebsd-security Thu Nov 18 21:50:24 1999
Date: Thu, 18 Nov 1999 22:49:05 -0700
From: Wes Peters
To: trouble@netquick.net
Cc: Barrett Richardson, David G Andersen, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping

TrouBle wrote:
>
> will you all take a look at this, this is what i am looking for!!
>
> Wipe is a tool that effectively degausses the surface of a hard
> disk, making it virtually impossible to retrieve the data that was
> stored on it. This is the ultimate in making sure secure data that is
> erased from a hard drive is unrecoverable.

OK, I just looked at it. I don't see where it differs greatly from
obliterate. In particular, nothing about the manpage or the code suggests
that it will do what you suggest, background wiping of free sectors on a
mounted filesystem. On the contrary, it appears that it has some special
code introduced for handling block devices that seems to be unnecessary,
given that block devices are (soon to be) no longer found in FreeBSD.

I agree that the ability to securely overwrite disk sectors before
returning them to the free pool is an excellent idea, but this tool does
not appear to provide such a feature. When the original discussion that
led to my rather simple obliterate program occurred, Matt Dillon and
others pointed out the way to really do this would be to integrate the
disk sector wiping into the VM system. While I agree this sounds like an
excellent feature, I am not going to be able to do that anytime in the
foreseeable future. If someone else wants to work on this, feel free to
use any part of the code I've written; it's under a Berkeley-style
"copycenter" license, after all.
;^)

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                Softweyr LLC
wes@softweyr.com                       http://softweyr.com/

From owner-freebsd-security Thu Nov 18 22:57:45 1999
Date: Thu, 18 Nov 1999 23:57:36 -0700
From: Wes Peters
To: Kris Kennaway
Cc: TrouBle, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping

Kris Kennaway wrote:
>
>
> I don't understand why you think that the person who wrote the Linux tool
> is privy to some kind of enlightened knowledge which us poor FreeBSD'ers
> (and the security researchers who authored the aforementioned papers on
> secure deletion) aren't. If Wes Peters wrote some impressive drivel to
> attach to his 'obliterate' program about how kick-arse it is, would it
> make you happier?

In fact, wipe uses the same overwrite algorithm obliterate does. The
problem is trouBle seems to have assumed wipe has a really neat feature
that just isn't there: the ability to zot disk sectors that are not
currently allocated, on a live filesystem. This is a neat idea, but well
past my knowledge of filesystems at this time.

> AXIOM 1) take all claims made by the vendor about the abilities of
> their software with a very large handful of NaCl.
>
> Exercise for the novice reader: apply Axiom 1 to the Linux 'wipe' program.
>
> Exercise 2: apply axiom 1 to the secure deletion utility "FileSpanker"
> which can be found at http://www.freebsd.org/~kris/filespanker.sh

Snort.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                Softweyr LLC
wes@softweyr.com                       http://softweyr.com/

From owner-freebsd-security Thu Nov 18 23:00:39 1999
Date: Fri, 19 Nov 1999 00:00:03 -0700
From: Wes Peters
To: Barrett Richardson
Cc: Kris Kennaway, TrouBle, David G Andersen, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping

Barrett Richardson wrote:
>
> Wes Peters wrote:
> >
> > I've tested obliterate on some rather large files (250 MB) and it exhausts
> > the system entropy pool very quickly, even on a system with a busy network.
> > Does anyone make a hardware entropy device? ;^)
> >
>
> How about pseudo-random data? Aren't the passes with random data just
> a little extra icing?
>
> Also, will my system choke if I mmap a 250 MB file on a system
> with 32 MB of ram? That was why I was thinking of obliterating
> files in strips.

Mine don't choke when I mmap 250 MB files on a system with 512MB of RAM.
I guess that's not quite the same, but it does have two processes doing
this at the same time; one on each processor.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                Softweyr LLC
wes@softweyr.com                       http://softweyr.com/

From owner-freebsd-security Fri Nov 19 01:48:11 1999
Date: Fri, 19 Nov 1999 10:47:57 +0100
From: Christoph Splittgerber
To: Barrett Richardson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping

Barrett Richardson wrote:

> How about pseudo-random data? Aren't the passes with random data just
> a little extra icing?
>

See also documentation for the -w (wipe) option of pgp (release 2.6.x).
The idea is that, if you can guess the pattern which is used for
overwriting, which is the case if one can guess the seed for your
pseudo-random data, it's not worth too much.

I think it all boils down to
1) How predictable is your seed
2) How many bits are used for seeding.

Christoph

From owner-freebsd-security Fri Nov 19 02:35:34 1999
To: Barrett Richardson
Cc: Wes Peters, Kris Kennaway, TrouBle, David G Andersen, freebsd-security@FreeBSD.ORG
Subject: Re: secure filesystem wiping
From: Dag-Erling Smorgrav
Date: 19 Nov 1999 11:35:17 +0100
In-Reply-To: Barrett Richardson's message of "Thu, 18 Nov 1999 23:37:34 -0500 (EST)"

Barrett Richardson writes:
> Wes Peters wrote:
> > I've tested obliterate on some rather large files (250 MB) and it exhausts
> > the system entropy pool very quickly, even on a system with a busy network.
> > Does anyone make a hardware entropy device? ;^)
> How about pseudo-random data? Aren't the passes with random data just
> a little extra icing?

Don't use random data. Use patterns. See the previous 'secure deletion'
thread for references to a paper describing which patterns to use (and in
which order).

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no
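Worked example added to this thread, not code from obliterate, from the Linux wipe tool or from any poster: a small C routine that follows DES's advice (fixed pattern passes, no random data, so no entropy-pool exhaustion and no PRNG seed to guess) and writes in fixed-size strips rather than mmap'ing the whole file, which sidesteps the 32 MB question Barrett raised. The pattern list, STRIP_SIZE and the helper names are constructed for illustration; the full ordered pattern sequence is in the Gutmann paper linked earlier in the thread, not reproduced here.

```c
/* Multi-pass file overwrite with fixed byte patterns, written in strips.
 * Example code for this thread, not Wes's obliterate or the Linux wipe tool.
 * The pattern list is a short constructed subset; see Gutmann's paper for
 * the full sequence and its rationale. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define STRIP_SIZE (64 * 1024)  /* write in 64 KiB strips; never mmap the file */

/* One pass per entry, in order. Fixed patterns consume no kernel entropy (the
 * exhaustion Wes describes) and have no PRNG seed to guess (Christoph's point). */
static const struct { uint8_t bytes[3]; int len; } PASSES[] = {
    { {0x55}, 1 }, { {0xAA}, 1 },
    { {0x92, 0x49, 0x24}, 3 }, { {0x49, 0x24, 0x92}, 3 }, { {0x24, 0x92, 0x49}, 3 },
    { {0x00}, 1 }, { {0xFF}, 1 },
};
#define NPASSES ((int)(sizeof PASSES / sizeof PASSES[0]))

/* Fill the file with one repeating pattern and fsync it, so the pass reaches
 * the disk before the next pattern replaces it in the buffer cache. The pattern
 * index runs across strip boundaries, keeping 3-byte cycles aligned. 0 or -1. */
static int overwrite_pass(int fd, off_t size, const uint8_t *pat, int plen)
{
    static uint8_t strip[STRIP_SIZE];
    off_t done = 0;
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    while (done < size) {
        size_t n = size - done < (off_t)STRIP_SIZE ? (size_t)(size - done) : STRIP_SIZE;
        for (size_t i = 0; i < n; i++)
            strip[i] = pat[(size_t)((done + (off_t)i) % plen)];
        for (size_t off = 0; off < n; ) {             /* cope with short writes */
            ssize_t w = write(fd, strip + off, n - off);
            if (w < 0) return -1;
            off += (size_t)w;
        }
        done += (off_t)n;
    }
    return fsync(fd);
}

/* Run every pass over the regular file at path; with unlink_after set, truncate
 * and unlink it once all passes succeed. Returns the number of passes completed,
 * or -1 if the file could not be opened, is not a regular file, or cleanup failed. */
int wipe_file(const char *path, int unlink_after)
{
    struct stat st;
    int fd = open(path, O_WRONLY), passes = 0;
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    for (int p = 0; p < NPASSES; p++) {
        if (overwrite_pass(fd, st.st_size, PASSES[p].bytes, PASSES[p].len) < 0) break;
        passes++;
    }
    if (passes == NPASSES && unlink_after && (ftruncate(fd, 0) < 0 || unlink(path) < 0))
        passes = -1;
    close(fd);
    return passes;
}

/* Return 1 if every byte of the file equals the repeating pattern, else 0. */
int file_matches_pattern(const char *path, const uint8_t *pat, int plen)
{
    FILE *f = fopen(path, "rb");
    int ok = 1, c;
    size_t pos = 0;
    if (!f) return 0;
    while ((c = fgetc(f)) != EOF)
        if ((uint8_t)c != pat[pos++ % (size_t)plen]) { ok = 0; break; }
    fclose(f);
    return ok;
}

/* Self-check: create a constructed 200001-byte file (not a multiple of 3, so
 * strip alignment is exercised), wipe it in place and confirm the final pattern
 * covers every byte. Returns 1 on success, 0 on failure. */
int demo_wipe(void)
{
    char path[] = "/tmp/wipe_demo_XXXXXX";
    const char secret[] = "constructed sample: account=demo key=0123456789\n";
    size_t chunk = sizeof secret - 1, written = 0, target = 200001;
    int fd = mkstemp(path), ok = 0;
    if (fd < 0) return 0;
    while (written < target) {
        size_t n = chunk < target - written ? chunk : target - written;
        if (write(fd, secret, n) != (ssize_t)n) goto out;
        written += n;
    }
    ok = wipe_file(path, 0) == NPASSES &&
         file_matches_pattern(path, PASSES[NPASSES - 1].bytes, PASSES[NPASSES - 1].len);
out:
    close(fd);
    unlink(path);
    return ok;
}
```

demo_wipe() exercises the routine on a temporary file; wipe_file(path, 1) wipes and then unlinks a real file. As Wes notes above, this still says nothing about what the disk controller's cache or the drive itself does with the writes.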
From owner-freebsd-security Fri Nov 19 05:42:11 1999
From: retal
To: freebsd-security@freebsd.org

From owner-freebsd-security Fri Nov 19 11:08:59 1999
Date: Thu, 18 Nov 1999 14:39:24 -0200
From: Mauricio Westendorff Pegoraro
To: FreeBSD Security
Subject: Windows Authentication through ipfw

Hi.

I have to place a small WinNT network behind a FreeBSD firewall. The PDC
is on the other side of the firewall. So, the WinNT machines must
authenticate through the firewall. Does anyone know what entries I should
put in the ipfw configuration to make it possible? I've tried something
allowing traffic on ports 137 and 138, but it didn't work. I think it's a
pretty common case, but I couldn't figure it out.

Any help is welcome. Thanks.

No mas,
MauricioWP.

-----------------------------
Mauricio Westendorff Pegoraro
UNIX Administration
PUCRS-BR

From owner-freebsd-security Fri Nov 19 11:27:45 1999
From: "John Howie"
To: "Mauricio Westendorff Pegoraro", "FreeBSD Security"
Subject: Re: Windows Authentication through ipfw
Date: Fri, 19 Nov 1999 11:34:27 -0800

Mauricio,

You'll need to allow access to ports 137/tcp, 138/tcp, and 139/tcp for
everything to "sort-of" work. I say "sort of" as 135/tcp and 135/udp (DCE
endpoint-mapper) should also be open along with allowing the possibility
for communication on a variety of ports (both TCP and UDP) above 1023
which are dynamic endpoints. In other words, it's a mess.

If I were you I would seriously consider installing RRAS on a machine on
the LAN inside the firewall which establishes a PPTP connection to the
PDC. That way, you only open up one port: 1723/tcp.

Hope this helps,

john...

----- Original Message -----
From: "Mauricio Westendorff Pegoraro"
To: "FreeBSD Security"
Sent: Thursday, November 18, 1999 8:39 AM
Subject: Windows Authentication through ipfw

> Hi.
>
> I have to place a small WinNT network behind a FreeBSD firewall. The
> PDC is on the other side of the firewall. So, the WinNT machines must
> authenticate through the firewall. Does anyone know what entries I should
> put in the ipfw configuration to make it possible? I've tried something
> allowing traffic on ports 137 and 138, but it didn't work. I think it's
> a pretty common case, but I couldn't figure it out.
>
> Any help is welcome. Thanks.
>
> No mas,
> MauricioWP.
>
> -----------------------------
> Mauricio Westendorff Pegoraro
> UNIX Administration
> PUCRS-BR

From owner-freebsd-security Fri Nov 19 14:37:39 1999
Date: Fri, 19 Nov 1999 17:37:12 -0500
To: freebsd-security@freebsd.org
From: "Timothy R. Platt"
Subject: Re: [Systalk] localhost.org (fwd)

>Another thing you (the original poster) could do, is if you want your
>machine to work on the net like domain.com, You could simply name the
>machine something.domain.com, CNAME domain.com to it, and reverse the
>IP address to domain.com. This will do the trick to having the machine
>show up on the internet (IRC, etc) as domain.com, while leaving your
>machine with a "hostname" so your domain would be '.com' or in your
>case, '.org' -Matt
>

arpa should reflect FQDN, not a CNAME. If you do this you create problems
for yourself when you contact other systems; for example, systems with
tcpd compiled -DPARANOID. It will work for nameservice purposes, but you
won't be able to connect to my system, at least :)

tim

From owner-freebsd-security Fri Nov 19 17:01:42 1999
To: freebsd-security@freebsd.org
Subject: Re: ipfw and ifconfig
From: Giorgos Keramidas
Date: 19 Nov 1999 05:41:07 +0200
In-Reply-To: Zahemszky Gabor's message of "Thu, 18 Nov 1999 12:12:00 +0100 (CET)"

Zahemszky Gabor writes:
> Hi!
>
> Somebody asked, and I could not answer:
>
> Why, in FreeBSD, is ifconfig run _before_ ipfw?

I think it is because the default setup of the kernel (that is, if you
don't enable the IPFIREWALL_DEFAULT_TO_ACCEPT option when building your
kernel) will explicitly deny all packets with a rule of:

    65535 deny ip from any to any

Seems ok to me. On the other hand, if you change this to `allow' then
you're probably accepting more things than you would like to, and it
doesn't really matter if ifconfig is the first or the last thing in your
rc-scripts anyway.

--
Giorgos Keramidas, "What we have to learn to do, we learn by doing." [Aristotle]

From owner-freebsd-security Sat Nov 20 10:04:35 1999
Date: Sat, 20 Nov 1999 19:04:17 +0100
From: Eivind Eklund
To: Nate Williams
Cc: Matthew Dillon, security@FreeBSD.ORG
Subject: Disabling FTP (was Re: Why not sandbox BIND?)

On Fri, Nov 12, 1999 at 05:31:14PM -0700, Nate Williams wrote:
> > > > Speaking of default system configurations - what do people think about
> > > > turning off the 'ftp' service in the default configuration?
> > >
> > > Personally, I don't like it. At least, not until SSH becomes a default
> > > protocol in the system, since otherwise there is no way to transfer
> > > files to/from FreeBSD boxes easily.
> >
> > You could still easily reenable ftpd if you need it.
>
> Or, you could still easily disable ftpd since you almost *always* need
> it right away.

I've never, ever needed it. It transfers *cleartext* passwords. My view
is that it is not usable for anything but anonymous FTP.

> > Given recent vulnerability history on many ftp daemons, I think it
> > might be safer to disable FTP by default.
>
> FreeBSD's ftpd is not susceptible. Given the argument, why don't we
> disable *ALL* network access, since all are suspect to breakins. :( (I'm
> kidding of course...)

I am in favour of disabling all network access to boxes as they come
from install.
As it is, we have a bunch of things that are most often not necessary,
and we're encouraging people (like poor misguided Nate here ;) to run
protocols that do not encrypt passwords.

Any proposal to disable things that listen to the network in our default
setup will have my approval.

Eivind.

From owner-freebsd-security Sat Nov 20 10:09:08 1999
Date: Sat, 20 Nov 1999 11:08:52 -0700
From: Nate Williams
To: Eivind Eklund
Cc: Nate Williams, Matthew Dillon, security@FreeBSD.ORG
Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?)

> > > > > Speaking of default system configurations - what do people think about
> > > > > turning off the 'ftp' service in the default configuration?
> > > >
> > > > Personally, I don't like it. At least, not until SSH becomes a default
> > > > protocol in the system, since otherwise there is no way to transfer
> > > > files to/from FreeBSD boxes easily.
> > >
> > > You could still easily reenable ftpd if you need it.
> >
> > Or, you could still easily disable ftpd since you almost *always* need
> > it right away.
>
> I've never, ever needed it. It transfers *cleartext* passwords. My
> view is that it is not usable for anything but anonymous FTP.

So? *Most* of the FreeBSD boxes I set up are behind firewalls, or are
un-connected to the 'real' internet at first. I need something so I can
transfer files to/from them to get them up and running initially.

> > > Given recent vulnerability history on many ftp daemons, I think it
> > > might be safer to disable FTP by default.
> >
> > FreeBSD's ftpd is not susceptible. Given the argument, why don't we
> > disable *ALL* network access, since all are suspect to breakins. :( (I'm
> > kidding of course...)
>
> I am in favour of disabling all network access to boxes as they come
> from install.

NOT! Then we'd be worse than a windoze box.

I think most of you 'ISP' types are forgetting that *MOST* of the FreeBSD
boxes out there are installed by users, not big businesses. Making the
box unusable for most people, but 'secure' for a very small portion of
people is not a winning strategy.

Nate

From owner-freebsd-security Sat Nov 20 10:32:44 1999
Date: Sat, 20 Nov 1999 13:30:59 -0500
From: Craig Garner
To: Eivind Eklund
Cc: Nate Williams, Matthew Dillon, security@FreeBSD.ORG
Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?)

Eivind Eklund wrote:
>
> On Fri, Nov 12, 1999 at 05:31:14PM -0700, Nate Williams wrote:
> > > > > Speaking of default system configurations - what do people think about
> > > > > turning off the 'ftp' service in the default configuration?
> > > >
> > > > Personally, I don't like it. At least, not until SSH becomes a default
> > > > protocol in the system, since otherwise there is no way to transfer
> > > > files to/from FreeBSD boxes easily.
> > >
> > > You could still easily reenable ftpd if you need it.
> >
> > Or, you could still easily disable ftpd since you almost *always* need
> > it right away.
>
> I've never, ever needed it. It transfers *cleartext* passwords. My
> view is that it is not usable for anything but anonymous FTP.
>
> > > Given recent vulnerability history on many ftp daemons, I think it
> > > might be safer to disable FTP by default.
> >
> > FreeBSD's ftpd is not susceptible. Given the argument, why don't we
> > disable *ALL* network access, since all are suspect to breakins. :( (I'm
> > kidding of course...)
>
> I am in favour of disabling all network access to boxes as they come
> from install.
> As it is, we have a bunch of things that are most often
> not necessary, and we're encouraging people (like poor misguided Nate
> here ;) to run protocols that do not encrypt passwords.
>
> Any proposal to disable things that listen to the network in our
> default setup will have my approval.
>
> Eivind.
>

If you think about it, why should someone who doesn't know how to turn
something on and off have it on in the first place? I'm sure these ideas
'scare' newbie people who do not wish to read and figure out how to do
this. I personally like to install a box, turn everything off, and then
turn on what I need.

Craig

From owner-freebsd-security Sat Nov 20 14:24:24 1999
Date: Sat, 20 Nov 1999 17:20:48 -0500 (EST)
From: Dug Song To: Peter Losher Cc: freebsd-security@freebsd.org, openssh-unix-dev@mindrot.org Subject: Re: OpenSSH & Kerberos 5? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 18 Nov 1999, Peter Losher wrote: > Has anyone gotten OpenSSH (v1.2) to work with KRB5? I have > defined Kerberos by typing 'make KERBEROS=YES' and it defaults to > KerberosIV as such in /usr/ports/security/openssh/: OpenSSH currently only supports Kerberos v4. sorry. :-( the Kerberos v5 support that was integrated into the original SSH was based on my earlier Kerberos v4 patch - but it was implemented using the same SSH auth protocol message types, so support for the two versions are currently mutually exclusive. :-( there may be some magic we can do to auto-detect/negotiate the version of Kerberos being spoken, but i don't have any spare cycles to work on it right now. any other Kerberos ppl willing to help? > If there is a OpenSSH mailing list that this would be better > served in, let me know (I couldn't find one on the OpenSSH web site). Damien Miller is hosting one, at least until openssh.org is transferred to the OpenSSH project. see http://violet.ibs.com.au/openssh/list.html -d. 
--- http://www.monkey.org/~dugsong/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 20 16:37:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from wit395301.student.utwente.nl (wit395301.student.utwente.nl [130.89.235.121]) by hub.freebsd.org (Postfix) with ESMTP id 6A8E114BDB; Sat, 20 Nov 1999 16:37:38 -0800 (PST) (envelope-from jeroen@vangelderen.org) Received: from [10.235.121.14] (helo=vangelderen.org) by wit395301.student.utwente.nl with esmtp (Exim 2.05 #1) id 11pL0H-0000tv-00; Sun, 21 Nov 1999 01:37:17 +0100 Message-ID: <38373E91.74688367@vangelderen.org> Date: Sun, 21 Nov 1999 01:36:33 +0100 
From: "Jeroen C. van Gelderen" X-Mailer: Mozilla 4.61 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Nate Williams Cc: Eivind Eklund , Matthew Dillon , security@FreeBSD.ORG Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?) References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com> <19991113012855.A62879@fasterix.frmug.org> <199911130031.RAA21117@mt.sri.com> <19991120190417.I602@bitbox.follo.net> <199911201808.LAA10767@mt.sri.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Nate Williams wrote: > NOT! Then we'd be worse than a windoze box. Why? You can easily enable the services you need. And disabling would increases security even more over windoze ;-p On top of that you don't have to reboot for those newly enabled services to work ;-p You could argue that disabling services is as easy, but then you're forgetting that having them enabled by default introduces a window of opportunity. And of course it's easy to forget to turn off a service you don't need. By disabling services you prevent these problems. Assuming that most every user on most every box tweaks it's configuration anyway, disabling services doesn't introduce a lot more work. In the end it's all allow-all-except vs. deny-all-except and IMO the latter is a winner. > I think most of you 'ISP' types are forgetting that *MOST* of the > FreeBSD boxes out there are installed by users, not big businesses. As a *user* managing only 19 FreeBSD boxen I'd appreciate the change. > Making the box unusable for most people, but 'secure' for a very > small portio of people is not a winning strategy. This is *way* exaggerated. If you can't enable the services you need the box is unusable to you anyway. We're not Linux. 
Cheers, Jeroen -- Jeroen C. van Gelderen - jeroen@vangelderen.org Interesting read: http://www.vcnet.com/bms/ JLF To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
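The deny-all-except approach Craig and Jeroen argue for, as an added example that is not from the list thread: a POSIX sh script that audits an inetd.conf in the format FreeBSD shipped at the time, reports enabled services whose login protocol sends the password in cleartext (the reason Eivind gives against ftpd), and rewrites the file so only an allowlist stays enabled. The inetd.conf content is a constructed sample, and the cleartext-service list and function names are assumptions, not anything from FreeBSD itself.

```shell
#!/bin/sh
# Added example, not from the list thread: audit an inetd.conf in the format
# FreeBSD shipped in 1999 and derive a deny-all-except copy of it.
# The file content below is a constructed sample; the real one is /etc/inetd.conf.
SAMPLE_INETD='# constructed sample inetd.conf (not a real file)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
#ntalk  dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
'

# Services whose login protocol carries the password in cleartext (assumed list).
CLEARTEXT_SERVICES="ftp telnet login shell exec pop3 imap"

# Names of the services inetd would actually start, read from stdin:
# every line that is neither a comment nor blank, first field only.
enabled_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }'
}

# Enabled services from stdin whose protocol sends cleartext passwords.
cleartext_enabled() {
    for svc in $(enabled_services); do
        case " $CLEARTEXT_SERVICES " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# Deny-all-except: copy stdin, commenting out every service line whose name is
# not among the arguments, so only the allowlist stays enabled.
deny_all_except() {
    awk -v allow=" $* " '
        /^[ \t]*#/ || NF == 0     { print; next }    # comments and blanks unchanged
        index(allow, " " $1 " ")  { print; next }    # allowlisted: keep as is
                                  { print "#" $0 }   # everything else: disabled
    '
}

# Stand-alone run: first the cleartext-password services the sample enables
# (ftp, telnet, login), then what remains enabled after allowing only comsat.
printf '%s' "$SAMPLE_INETD" | cleartext_enabled
printf '%s' "$SAMPLE_INETD" | deny_all_except comsat | enabled_services
```

Running the same functions against a real /etc/inetd.conf and diffing the deny-all-except output against the original shows exactly which listeners an install would have left exposed.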