From owner-freebsd-security@FreeBSD.ORG Sun Sep 19 01:50:21 2004
From: Antony Mawer
To: Chris Ryan
Cc: Frankye - ML, freebsd-security@freebsd.org
Date: Sun, 19 Sep 2004 11:50:32 +1000
Message-ID: <414CE5E8.6000103@mawer.org>
In-Reply-To: <20040918142955.61586.qmail@web51007.mail.yahoo.com>
Subject: Re: Attacks on ssh port
List-Id: Security issues [members-only posting]

Chris Ryan wrote:
> protection - with the appropriate active firewall that
> blocks their IP address after x failed attempts
> permanently....

Has anyone found any good scripts or utilities for automating this kind
of thing?

I too have been subject to these probings, and my initial thought was to
firewall off any address after any number of incorrect attempts.

While I could write a script to parse the ipfilter logs, I didn't want to
go re-inventing the wheel for something which I was sure someone would
have already attempted.

Anyone have any suggestions?

Cheers
Antony

From owner-freebsd-security@FreeBSD.ORG Sun Sep 19 07:45:47 2004
From: Mike Silbersack
To: stheg olloydson
Cc: freebsd-security@freebsd.org
Date: Sun, 19 Sep 2004 02:45:44 -0500 (CDT)
Message-ID: <20040919023634.I11704@odysseus.silby.com>
In-Reply-To: <20040918222428.97931.qmail@web53902.mail.yahoo.com>
Subject: Re: Random source ports in FreeBSD?

On Sat, 18 Sep 2004, stheg olloydson wrote:
> Hello,
>
> I don't think Mr Gerun has a problem with the way port randomizing is
> implemented.
> I believe that because he couldn't find any information
> about FBSD doing port randomization, he thought it wasn't implemented
> at all, so he wrote some patches to enable it.
> I missed this bit in the Release Notes myself. Thanks for the effort! I
> do have a question, though. I don't understand the commit procedure, so
> I have always been a little perplexed by some of the nomenclature in
> the CVS log. For example, entries 1.143-1.46 are to Branch: Main, while
> 1.59.2.27.2.1 is to Branch: RELENG_4_10 and 1.5.2.28 is to Branch:
> RELENG_4. What exactly is Branch: Main? Is it RELENG_5? If so, does that
> mean your changes are not in RELENG_5_2?
>
> Regards,
>
> Stheg

Branch Main is -CURRENT; right now that means it's 6.0, but back when I
did the commit, it was 5.2-CURRENT, and RELENG_5 did not yet exist. You
are correct that port randomization was not merged into the releng_5_2
branch. Your other deductions are correct, AFAIK.

To take this a bit more back on-topic, port randomization was not merged
into the security branches because we don't consider RST attacks to be a
threat to most users. Once we have finalized fixes for the RST and SYN
vectors of the attack, we'll merge those changes, but only to 5-stable
and 4-stable. (If you feel that those changes should be merged to the
security branches, please tell me AFTER the fixes go in, not now - I
don't need the distraction.)

Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Sun Sep 19 09:33:46 2004
From: Mikhail Goriachev
To: Antony Mawer
Cc: freebsd-security@freebsd.org
Date: Sun, 19 Sep 2004 19:32:49 +1000
Message-ID: <414D5241.9020901@webanoide.org>
In-Reply-To: <414CE5E8.6000103@mawer.org>
Subject: Re: Attacks on ssh port

Antony Mawer wrote:
> Chris Ryan wrote:
>
>> protection - with the appropriate active firewall that
>> blocks their IP address after x failed attempts
>> permanently....
>
> Has anyone found any good scripts or utilities for automating this kind
> of thing? I too have been subject to these probings, and my initial
> thought was to firewall off any address after any number of incorrect
> attempts.
>
> While I could write a script to parse the ipfilter logs, I didn't want
> to go re-inventing the wheel for something which I was sure someone
> would have already attempted.
>
> Anyone have any suggestions?
>
> Cheers
> Antony

Is it actually a good idea to block those IPs? I get lots of attacks too
on a daily basis on my machines for: root, man, smmsp, nobody, bin,
daemon, tty, uucp, mailnull, you-name-it etc. For several weeks I sent
e-mails to abuse@{$attack-coming-from-x-network}.{$domain} and 0.01% of
them replied. However, the attacks never come from the same networks or
IPs.

My 2 cents.

Cheers,
Mikhail

From owner-freebsd-security@FreeBSD.ORG Sun Sep 19 12:37:20 2004
From: Terry
To: freebsd-security@freebsd.org
Reply-To: terry@mrtux.co.uk
Date: Sun, 19 Sep 2004 13:37:18 +0100
Message-ID: <414D7D7E.9040301@mrtux.co.uk>
In-Reply-To: <20040919120131.4B2F916A4D8@hub.freebsd.org>
Subject: Re: sshd security

I had the same problem so I set up hosts.allow to only allow access
from certain IPs I require. This has the effect of killing the
connection from any other IP before getting to any login prompt.
Example below:

sshd : localhost : allow
sshd : 192.168.2. : allow
sshd : 82.41.115.213 : allow
sshd : 216.123.248.219 : allow   <-- public IP I wish to allow; of course I have changed it
sshd : all : deny

This then shows in the log instead of failed login attempts:

dot.blah.co.uk refused connections:
Sep 17 22:11:55 dlt sshd[35669]: refused connect from usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)

Regards
Terry

From owner-freebsd-security@FreeBSD.ORG Sun Sep 19 12:48:07 2004
From: Neo-Vortex
To: Terry
Cc: freebsd-security@freebsd.org
Date: Sun, 19 Sep 2004 22:47:07 +1000 (EST)
Message-ID: <20040919224629.L75607@Neo-Vortex.Ath.Cx>
In-Reply-To: <414D7D7E.9040301@mrtux.co.uk>
Subject: Re: sshd security
On Sun, 19 Sep 2004, Terry wrote:

> I had the same problem so I set up hosts.allow to only allow access
> from certain IPs I require.
> This has the effect of killing the connection from any other IP before
> getting to any login prompt.
> Example below:
> sshd : localhost : allow
> sshd : 192.168.2. : allow
> sshd : 82.41.115.213 : allow
> sshd : 216.123.248.219 : allow <-- public IP I wish to allow; of course
> I have changed it
> sshd : all : deny
>
> This then shows in the log instead of failed login attempts:
>
> dot.blah.co.uk refused connections:
> Sep 17 22:11:55 dlt sshd[35669]: refused connect from usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)

You could always just use ipf/ipfw if the log messages are annoying you...

> Regards Terry

From owner-freebsd-security@FreeBSD.ORG Mon Sep 20 06:27:26 2004
From: Zoran Kolic
To: freebsd-security@freebsd.org
Date: Mon, 20 Sep 2004 08:08:48 +0200
Message-ID: <20040920060848.GA678@kolic.net>
Subject: Re: Attacks on ssh port

Dear all!

There is a possibility that someone fakes a tide of IP addresses, just
to hide his own. If the list is long enough, that IP might not even be
logged. If the packets are "syn" and the IPs you answer don't exist, you
have a SYN flood and the death of the server. However, only a total idiot
would make that kind of attack. Everybody knows he is trying something.
Suspect a "script kid". A little joke with your server and you have a
lot of work to do. Just be aware not to open a new gate for another kind
of attack. The human is the weakest part of the chain.

Best regards

ZK

From owner-freebsd-security@FreeBSD.ORG Mon Sep 20 10:13:52 2004
From: Dmitry Pryanishnikov
To: Mike Silbersack
Cc: freebsd-security@freebsd.org, "Danil V.Gerun"
Date: Mon, 20 Sep 2004 13:13:31 +0300 (EEST)
Message-ID: <20040920130911.W24347@atlantis.atlantis.dp.ua>
In-Reply-To: <20040918150205.A8909@odysseus.silby.com>
Subject: Re: Random source ports in FreeBSD?
Hello!

On Sat, 18 Sep 2004, Mike Silbersack wrote:
>> So, as far as I got to know, randomizing source ports in FreeBSD is
>> impossible now? (to be exact - is not implemented?)
>>
>> It's very interesting to me - WHY is it so?
>> I mean - maybe there are good reasons for not making all this?..
>
> Source port randomization was implemented before 4.10 was released. See
> in_pcb.c revisions 1.143 - 1.146, 1.59.2.27, or 1.59.2.27.2.1, depending on
> the branch you're interested in:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/in_pcb.c

Yes, source port randomization works in 4.10-RELEASE, but the port number
sequence tends to give the same port number every 100-200 ports. Local FTP
install of 4.10-RELEASE always fails for me; as a workaround I'm forced to
issue

sysctl net.inet.ip.portrange.randomized=0

before reselecting the FTP server in sysinstall. Are there plans to fix the
quality of random port number generation under 4-STABLE?
Sincerely,
Dmitry

--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE

From owner-freebsd-security@FreeBSD.ORG Mon Sep 20 13:50:41 2004
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Date: Mon, 20 Sep 2004 13:50:34 GMT
Message-Id: <200409201350.i8KDoY4D029577@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-04:14.cvs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:14.cvs.asc                                    Security Advisory
                                                          The FreeBSD Project

Topic:          CVS

Category:       contrib
Module:         cvs
Announced:      2004-09-19
Credits:        Stefan Esser, Sebastian Krahmer, Derek Price
                iDEFENSE
Affects:        All FreeBSD versions
Corrected:      2004-06-29 16:10:50 UTC (RELENG_4)
                2004-09-19 22:26:22 UTC (RELENG_4_10, 4.10-RELEASE-p3)
                2004-09-19 22:27:36 UTC (RELENG_4_9, 4.9-RELEASE-p12)
                2004-09-19 22:28:14 UTC (RELENG_4_8, 4.8-RELEASE-p25)
                2004-09-19 22:37:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p10)
CVE Name:       CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418,
                CAN-2004-0778
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Concurrent Versions System (CVS) is a version control system.  It
may be used to access a repository locally, or to access a `remote
repository' using a number of different methods.  When accessing a
remote repository, the target machine runs the CVS server to fulfill
client requests.

II.  Problem Description

A number of vulnerabilities were discovered in CVS by Stefan Esser,
Sebastian Krahmer, and Derek Price.

. Insufficient input validation while processing "Entry" lines.
  (CAN-2004-0414)
. A double-free resulting from erroneous state handling while
  processing "Argumentx" commands.  (CAN-2004-0416)
. Integer overflow while processing "Max-dotdot" commands.
  (CAN-2004-0417)
. Erroneous handling of empty entries handled while processing "Notify"
  commands.  (CAN-2004-0418)
. A format string bug while processing CVS wrappers.
. Single-byte buffer underflows while processing configuration files
  from CVSROOT.
. Various other integer overflows.

Additionally, iDEFENSE reports an undocumented command-line flag used
in debugging does not perform input validation on the given path names.

III. Impact

CVS servers ("cvs server" or :pserver: modes) are affected by these
vulnerabilities.  They vary in impact but include information disclosure
(the iDEFENSE-reported bug), denial-of-service (CAN-2004-0414,
CAN-2004-0416, CAN-2004-0417 and other bugs), or possibly arbitrary code
execution (CAN-2004-0418).

In very special situations where the attacker may somehow influence the
contents of CVS configuration files in CVSROOT, additional attacks may
be possible.

IV.  Workaround

Disable the use of remote CVS repositories.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to the RELENG_4 stable branch, or to
the RELENG_5_2, RELENG_4_10, RELENG_4_9, or RELENG_4_8 security branch
dated after the correction date.

OR

2) Patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.9,
4.10 and 5.2.1 systems.  Note that one *must* have previously applied
the patches pertaining to FreeBSD-SA-04:10.cvs in order to use these
patches.

Note that FreeBSD 4.10-STABLE systems built from sources dated
2004-06-29 16:20:00 UTC or later include cvs 1.11.17, which has all of
these issues fixed.  These patches should not be applied to those
systems.

a) Download the relevant patches from the location below, and verify
the detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:14/cvs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:14/cvs.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cvs
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.4
  src/sys/conf/newvers.sh                                  1.44.2.34.2.5
  src/contrib/cvs/lib/xsize.h                                1.1.1.1.6.1
  src/contrib/cvs/src/commit.c                               1.8.2.5.6.1
  src/contrib/cvs/src/cvs.h                                 1.11.2.6.6.1
  src/contrib/cvs/src/filesubr.c                             1.6.2.4.6.1
  src/contrib/cvs/src/history.c                          1.1.1.6.2.4.6.1
  src/contrib/cvs/src/modules.c                          1.1.1.5.2.4.2.1
  src/contrib/cvs/src/server.c                              1.13.2.5.6.3
  src/contrib/cvs/src/wrapper.c                          1.1.1.7.2.3.6.1
  src/gnu/usr.bin/cvs/lib/config.h.proto                    1.16.2.1.6.1
RELENG_4_9
  src/UPDATING                                            1.73.2.89.2.13
  src/sys/conf/newvers.sh                                 1.44.2.32.2.13
  src/contrib/cvs/lib/xsize.h                                1.1.1.1.8.1
  src/contrib/cvs/src/commit.c                               1.8.2.5.4.1
  src/contrib/cvs/src/cvs.h                                 1.11.2.6.4.1
  src/contrib/cvs/src/filesubr.c                             1.6.2.4.4.1
  src/contrib/cvs/src/history.c                          1.1.1.6.2.4.4.1
  src/contrib/cvs/src/modules.c                          1.1.1.5.2.3.4.2
  src/contrib/cvs/src/server.c                              1.13.2.5.4.3
  src/contrib/cvs/src/wrapper.c                          1.1.1.7.2.3.4.1
  src/gnu/usr.bin/cvs/lib/config.h.proto                    1.16.2.1.4.1
RELENG_4_8
  src/UPDATING                                            1.73.2.80.2.28
  src/sys/conf/newvers.sh                                 1.44.2.29.2.26
  src/contrib/cvs/lib/xsize.h                               1.1.1.1.10.1
  src/contrib/cvs/src/commit.c                               1.8.2.5.2.1
  src/contrib/cvs/src/cvs.h                                 1.11.2.6.2.1
  src/contrib/cvs/src/filesubr.c                             1.6.2.4.2.1
  src/contrib/cvs/src/history.c                          1.1.1.6.2.4.2.1
  src/contrib/cvs/src/modules.c                          1.1.1.5.2.3.2.2
  src/contrib/cvs/src/server.c                              1.13.2.5.2.3
  src/contrib/cvs/src/wrapper.c                          1.1.1.7.2.3.2.1
  src/gnu/usr.bin/cvs/lib/config.h.proto                    1.16.2.1.2.1
RELENG_5_2
  src/UPDATING                                                1.282.2.18
  src/sys/conf/newvers.sh                                      1.56.2.17
  src/contrib/cvs/lib/xsize.h                               1.1.1.1.12.1
  src/contrib/cvs/src/commit.c                                  1.13.4.1
  src/contrib/cvs/src/cvs.h                                     1.17.4.1
  src/contrib/cvs/src/filesubr.c                                1.10.6.1
  src/contrib/cvs/src/history.c                             1.1.1.10.6.1
  src/contrib/cvs/src/modules.c                              1.1.1.8.6.3
  src/contrib/cvs/src/server.c                                  1.19.4.4
  src/contrib/cvs/src/wrapper.c                             1.1.1.10.6.1
  src/gnu/usr.bin/cvs/lib/config.h.proto                        1.17.2.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBTterFdaIBMps37IRAlkjAJ9jZ40PME0gr8b6DyS+h6zVHCxGTgCfdJN/
JiKgPD2YDy378kBO3hYd8Ao=
=qzxJ
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Sep 23 02:01:06 2004
From: "Mike Chan"
Date: Thu, 23 Sep 2004 10:01:01 +0800
Message-Id: <200409230201.i8N2148b014104@smtp12.singnet.com.sg>
Subject: Survey on Open Source

Dear all,

I am conducting a survey on open source software. This is for my
academic coursework and dissertation. It will be great to have your
support and participation in this survey.
This survey has two separate questionnaires, focusing on the following
areas:

1) OSS development (Developers or those who contribute in coding or
   documentation), and
2) IT/IS costs (CIOs or IT Managers).

You are free to go for the questionnaire that is appropriate for you.
Below are the links:

1) Brief introduction page:
   http://web.singnet.com.sg/~mikecck/opensource/Introduction1.htm
2) Questionnaire 1 (Open Source Development):
   http://web.singnet.com.sg/~mikecck/opensource/WebFormA1.htm
3) Questionnaire 2 (Open Source and IT/IS Cost):
   http://web.singnet.com.sg/~mikecck/opensource/WebFormB1.htm

Thank you for your time.

Mike Chan
Student
Curtin University of Technology

From owner-freebsd-security@FreeBSD.ORG Thu Sep 23 04:49:57 2004
From: Nick Cleaton
To: freebsd-security@freebsd.org
Date: Thu, 23 Sep 2004 06:52:29 +0200
Message-ID: <20040923045229.GJ5340@lt1.cleaton.net>
In-Reply-To: <20040918222819.GG20449@pir.net>
Subject: Re: Attacks on ssh port

On Sat, Sep 18, 2004 at 06:28:19PM -0400, Peter Radcliffe wrote:
>
> Personally I only allow ssh from known legitimate sources and block the
> rest so the "noise" is in a completely different list.
>

I want access to my system from any IP address, so I've patched my sshd so
that a secret token is required to connect. Kinda like using an obscure
port, only more so :)

http://nick.cleaton.net/openssh-3.8p1-cc-0.03.patch

Nick

--
$_='YN8KuE*** http://www.exonetric.com/ Telehouse UK colo ***HARQr**'
.'NfzV0YrC1*** GBP40/month +VAT 40G BW no setup fee ***MnjJ**'
.'6QvtcPgQ20*** ***nlS**'
;s/(.)(.*(.))/$2.chr(32+(ord($1)+ord$3)%89)/euntil/Foo/;eval#****'

From owner-freebsd-security@FreeBSD.ORG Thu Sep 23 06:13:38 2004
From: Danil V.Gerun
Organization: Project 625.ru
To: freebsd-security@freebsd.org
Date: Mon, 20 Sep 2004 09:11:13 +0400
Message-ID: <911268477796.20040920091113@625.ru>
In-Reply-To: <20040918150205.A8909@odysseus.silby.com>
Subject: Re[2]: Random source ports in FreeBSD?

Hello, Mike.

MS> Source port randomization was implemented before 4.10 was released. See
MS> in_pcb.c revisions 1.143 - 1.146, 1.59.2.27, or 1.59.2.27.2.1, depending
MS> on the branch you're interested in:

Thank you, I really had to do this first =)

MS> What are your concerns with the way port randomization was implemented in
MS> FreeBSD?

Stheg was quite right :-) I don't have any problems, I just didn't see
anything other than my cvsup'ed RELENG_4_9 source tree ;-) (or actually,
didn't know where to check it out..)

--
Best regards,
Danil V. Gerun.
danil@hate.spam.625.ru

From owner-freebsd-security@FreeBSD.ORG Thu Sep 23 06:13:43 2004
From: Danil V.Gerun
Organization: Project 625.ru
To: freebsd-security@freebsd.org
Date: Sun, 19 Sep 2004 18:53:59 +0400
Message-ID: <591217043234.20040919185359@625.ru>
In-Reply-To: <20040919023634.I11704@odysseus.silby.com>
Subject: Re[2]: Random source ports in FreeBSD?

>> I don't think Mr Gerun has a problem with the way port randomizing is
>> implemented.
>> I believe that because he couldn't find any information
>> about FBSD doing port randomization, he thought it wasn't implemented
>> at all, so he wrote some patches to enable it.

Yes, that's quite correct!! =) The point is that I didn't have any problems with finding such information about OpenBSD, but as for FreeBSD - I couldn't find just anything.. And now I usually cvsup to RELENG_4_9, where this is not implemented yet... (I should have seen the suggested versions of in_pcb.c before...)

-- 
Best regards,
Danil V. Gerun
danil@hate.spam.625.ru

From owner-freebsd-security@FreeBSD.ORG Thu Sep 23 07:08:28 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5839816A4CE for ; Thu, 23 Sep 2004 07:08:28 +0000 (GMT) Received: from web51010.mail.yahoo.com (web51010.mail.yahoo.com [206.190.39.129]) by mx1.FreeBSD.org (Postfix) with SMTP id EF67843D5A for ; Thu, 23 Sep 2004 07:08:27 +0000 (GMT) (envelope-from chrisryanemail@yahoo.com.au) Message-ID: <20040923070809.14655.qmail@web51010.mail.yahoo.com> Received: from [218.214.67.227] by web51010.mail.yahoo.com via HTTP; Thu, 23 Sep 2004 17:08:09 EST Date: Thu, 23 Sep 2004 17:08:09 +1000 (EST) From: Chris Ryan To: Nick Cleaton , freebsd-security@freebsd.org In-Reply-To: <20040923045229.GJ5340@lt1.cleaton.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Sep 2004 07:08:28 -0000

> I want access to my system from any IP address, so I've patched my sshd so
> that a secret token is required to connect.
> Kinda like using an obscure port, only more so :)

Hi Nick

so does that mean you have to rebuild ssh every time there is a security update for sshd?

regards
Chris

From owner-freebsd-security@FreeBSD.ORG Thu Sep 23 07:26:41 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A92216A4F7 for ; Thu, 23 Sep 2004 07:26:41 +0000 (GMT) Received: from cleaton.net (cleaton.net [82.138.248.193]) by mx1.FreeBSD.org (Postfix) with SMTP id 68C8C43D41 for ; Thu, 23 Sep 2004 07:26:40 +0000 (GMT) (envelope-from nick@cleaton.net) Received: (qmail 83051 invoked by uid 0); 23 Sep 2004 07:26:38 -0000 Received: from cleaton.net (HELO lt4.cleaton.net) (82.138.248.193) by cleaton.net with SMTP; 23 Sep 2004 07:26:38 -0000 Received: from nick by lt4.cleaton.net with local (Exim 4.30) id 1CAO2S-0000SV-Jg; Thu, 23 Sep 2004 09:29:12 +0200 Date: Thu, 23 Sep 2004 09:29:12 +0200 From: Nick Cleaton To: Chris Ryan Message-ID: <20040923072912.GK5340@lt1.cleaton.net> References: <20040923045229.GJ5340@lt1.cleaton.net> <20040923070809.14655.qmail@web51010.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040923070809.14655.qmail@web51010.mail.yahoo.com> User-Agent: Mutt/1.3.28i cc: freebsd-security@freebsd.org Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Sep 2004 07:26:41 -0000

On Thu, Sep 23, 2004 at 05:08:09PM +1000, Chris Ryan wrote:
> [SNIP]
> > I've patched my sshd so [SNIP]
>
> so does that mean you have to rebuild ssh every time
> there is a security update for sshd?

Yup.
An alternative that avoids that would be to run something out of inetd that reads the token and then execs sshd.

Nick
-- 
$_='YN8KuE*** http://www.exonetric.com/ Telehouse UK colo ***HARQr**'
.'NfzV0YrC1*** GBP40/month +VAT 40G BW no setup fee ***MnjJ**'
.'6QvtcPgQ20*** ***nlS**'
;s/(.)(.*(.))/$2.chr(32+(ord($1)+ord$3)%89)/euntil/Foo/;eval#****'

From owner-freebsd-security@FreeBSD.ORG Thu Sep 23 08:09:23 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A640B16A4CE for ; Thu, 23 Sep 2004 08:09:23 +0000 (GMT) Received: from mail.broadpark.no (mail.broadpark.no [217.13.4.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 636A543D53 for ; Thu, 23 Sep 2004 08:09:23 +0000 (GMT) (envelope-from des@des.no) Received: from dwp.des.no (37.80-203-228.nextgentel.com [80.203.228.37]) by mail.broadpark.no (Postfix) with ESMTP id E04FE5560; Thu, 23 Sep 2004 10:10:03 +0200 (MEST) Received: by dwp.des.no (Postfix, from userid 2602) id 39471B873; Thu, 23 Sep 2004 10:09:22 +0200 (CEST) To: Nick Cleaton References: <20040923045229.GJ5340@lt1.cleaton.net> <20040923070809.14655.qmail@web51010.mail.yahoo.com> <20040923072912.GK5340@lt1.cleaton.net> From: des@des.no (Dag-Erling Smørgrav) Date: Thu, 23 Sep 2004 10:09:22 +0200 In-Reply-To: <20040923072912.GK5340@lt1.cleaton.net> (Nick Cleaton's message of "Thu, 23 Sep 2004 09:29:12 +0200") Message-ID: User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable cc: freebsd-security@freebsd.org cc: Chris Ryan Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Sep 2004 08:09:23 -0000
Nick Cleaton writes:
> I want access to my system from any IP address, so I've patched my
> sshd so that a secret token is required to connect. Kinda like
> using an obscure port, only more so :)
> [...]
> An alternative that avoids that would be to run something out of
> inetd that reads the token and then execs sshd.

Look up "replay attack" on google...

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Sep 23 08:26:27 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B806C16A4CE for ; Thu, 23 Sep 2004 08:26:27 +0000 (GMT) Received: from cleaton.net (cleaton.net [82.138.248.193]) by mx1.FreeBSD.org (Postfix) with SMTP id E5A3B43D31 for ; Thu, 23 Sep 2004 08:26:26 +0000 (GMT) (envelope-from nick@cleaton.net) Received: (qmail 84930 invoked by uid 0); 23 Sep 2004 08:26:24 -0000 Received: from cleaton.net (HELO lt4.cleaton.net) (82.138.248.193) by cleaton.net with SMTP; 23 Sep 2004 08:26:24 -0000 Received: from nick by lt4.cleaton.net with local (Exim 4.30) id 1CAOyK-0000U8-0K; Thu, 23 Sep 2004 10:29:00 +0200 Date: Thu, 23 Sep 2004 10:28:59 +0200 From: Nick Cleaton To: Dag-Erling Smorgrav Message-ID: <20040923082859.GL5340@lt1.cleaton.net> References: <20040923045229.GJ5340@lt1.cleaton.net> <20040923070809.14655.qmail@web51010.mail.yahoo.com> <20040923072912.GK5340@lt1.cleaton.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.28i cc: freebsd-security@freebsd.org cc: Chris Ryan Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Sep 2004 08:26:27 -0000

On Thu, Sep 23, 2004 at 10:09:22AM +0200, Dag-Erling Smorgrav wrote:
>
> Nick Cleaton writes:
> > I want access to my system from any IP address, so I've patched my
> > sshd so that a secret token is required to connect.
[...]
> Look up "replay attack" on google...

Indeed, this doesn't keep out attackers who can sniff a valid session, just like tcp_wrappers doesn't keep out attackers who can spoof an authorized source address.

Nick
-- 
$_='YN8KuE*** http://www.exonetric.com/ Telehouse UK colo ***HARQr**'
.'NfzV0YrC1*** GBP40/month +VAT 40G BW no setup fee ***MnjJ**'
.'6QvtcPgQ20*** ***nlS**'
;s/(.)(.*(.))/$2.chr(32+(ord($1)+ord$3)%89)/euntil/Foo/;eval#****'

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 13:22:12 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 92C2716A4CE for ; Fri, 24 Sep 2004 13:22:12 +0000 (GMT) Received: from betty.computinginnovations.com (dsl081-142-072.chi1.dsl.speakeasy.net [64.81.142.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id AABF043D60 for ; Fri, 24 Sep 2004 13:22:11 +0000 (GMT) (envelope-from derek@computinginnovations.com) Received: from p17.computinginnovations.com (dhcp-10-20-30-100.computinginnovations.com [10.20.30.100]) (authenticated bits=0)i8ODM4b2091991; Fri, 24 Sep 2004 08:22:05 -0500 (CDT) Message-Id: <6.0.0.22.2.20040924082209.01f44ae0@mail.computinginnovations.com> X-Sender: derek@mail.computinginnovations.com X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Fri, 24 Sep 2004 08:22:12 -0500 To: terry@mrtux.co.uk, freebsd-security@freebsd.org From: Derek Ragona Mime-Version: 1.0 X-ComputingInnovations-MailScanner-Information: Please contact the ISP for more information X-ComputingInnovations-MailScanner: Found to be clean Content-Type: text/plain; charset="us-ascii"; format=flowed X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: Re:sshd security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues
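The replay problem Dag-Erling points at, shown on a model of the two gate designs discussed in this thread. This is an added example, not Nick's patch and not code from any message here; the token, the HMAC key and the gate objects are constructed for the demonstration, and the inetd/sshd plumbing around the check is left out.

```python
"""
Why a fixed pre-connect token can be replayed, and what a nonce fixes.

Added example: not Nick's patch and not from any message in the thread. The
token, key, and gate objects below are constructed for the demonstration;
the transport (inetd, sshd) is left out, only the check itself is modelled.
"""
import hashlib
import hmac
import os

STATIC_TOKEN = b"open-sesame"                      # constructed shared secret
SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # constructed HMAC key


# Scheme 1: the client sends a fixed secret; the wrapper compares and execs sshd.
def static_gate(presented):
    return hmac.compare_digest(presented, STATIC_TOKEN)


def replay_static_token():
    """A passive sniffer records the token once and presents it verbatim."""
    recorded = STATIC_TOKEN          # what was seen on the wire
    return static_gate(recorded)     # True: the gate cannot tell it apart


# Scheme 2: the server picks a fresh nonce per connection; the client answers
# with HMAC(key, nonce). A recorded answer is useless for any other nonce.
class ChallengeGate:
    def __init__(self, key):
        self.key = key
        self.outstanding = set()     # nonces issued but not yet answered

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self.outstanding:       # unknown or already consumed
            return False
        self.outstanding.discard(nonce)         # one answer per nonce
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_answer(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_challenge_response():
    """Returns (legit accepted, replay of old pair, replay of old answer)."""
    gate = ChallengeGate(SHARED_KEY)
    n1 = gate.challenge()
    r1 = client_answer(SHARED_KEY, n1)
    legit = gate.verify(n1, r1)                 # True
    n2 = gate.challenge()                       # attacker connects, gets n2
    old_pair = gate.verify(n1, r1)              # False: n1 already consumed
    old_answer = gate.verify(n2, r1)            # False: r1 is not HMAC(n2)
    return legit, old_pair, old_answer


if __name__ == "__main__":
    print("static token replayed:", replay_static_token())
    print("challenge-response (legit, replay pair, replay answer):",
          replay_challenge_response())
```

The static gate accepts the recorded token because nothing about it is tied to the connection; the challenge gate ties each answer to a nonce it issued once, so the recorded answer is rejected for the old nonce (already consumed) and for a new one (wrong HMAC). This only restores the "secret port" property against a passive sniffer: an attacker who can hijack or spoof the session, the case Nick compares with tcp_wrappers, is outside what such a gate can do, and the session's real protection is still sshd's own authentication.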
[members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Sep 2004 13:22:12 -0000

I tried to implement a similar scheme in my hosts.allow on a FreeBSD 5.2.1 server. But when I try to test it from an IP outside my LAN, it still allows ssh logins. I even put in a line in hosts.allow to explicitly deny the IP I was ssh'ing from, but it still let me in. The behavior gives the appearance that TCP wrappers are not enabled, and thus the /etc/hosts.allow file is ignored.

Is there something I need to do to enable the wrappers in sshd? I saw that there is a compile option for the portable source from openssh.org, so I wonder if there is some compile option that needs to be enabled in make.conf?

I have gone through the documentation for sshd_config, sshd, make.conf, etc. but am not finding anything to change.

-Derek

At 07:37 AM 9/19/2004, Terry wrote:
>I had the same problem so I set up hosts.allow to only allow access from
>certain IPs I require.
>This has the effect of killing the connection from any other IP before
>getting to any login prompt.
>Example below:
>sshd : localhost : allow
>sshd : 192.168.2. : allow
>sshd : 82.41.115.213 : allow
>sshd : 216.123.248.219 : allow <-- public IP I wish to allow, of course I
>have changed it
>sshd : all : deny
>
>This then shows in log instead of failed login attempts
>
>dot.blah.co.uk refused connections:
>Sep 17 22:11:55 dlt sshd[35669]: refused connect from
>usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)
>
>Regards Terry
>
>
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 15:50:05 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3BB7216A526 for ; Fri, 24 Sep 2004 15:50:05 +0000 (GMT) Received: from post5.inre.asu.edu (post5.inre.asu.edu [129.219.110.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id 020B143D1D for ; Fri, 24 Sep 2004 15:50:05 +0000 (GMT) (envelope-from David.Bear@asu.edu) Received: from conversion.post5.inre.asu.edu by asu.edu (PMDF V6.1-1X6 #30769) id <0I4J00A01YGM39@asu.edu> for freebsd-security@FreeBSD.ORG; Fri, 24 Sep 2004 08:45:58 -0700 (MST) Received: from smtp.asu.edu (smtp.asu.edu [129.219.110.107]) <0I4J009GFYGLDS@asu.edu>; Fri, 24 Sep 2004 08:45:58 -0700 (MST) Received: from moroni.pp.asu.edu (moroni.pp.asu.edu [129.219.69.200]) (8.12.10/8.12.10/asu_smtp_relay,nullclient,tcp_wrapped) with ESMTP id i8OFjt71011184; Fri, 24 Sep 2004 08:45:55 -0700 (MST) Received: by moroni.pp.asu.edu (Postfix, from userid 500) id 25ECDE1B; Fri, 24 Sep 2004 08:45:51 -0700 (MST) Received: from post1.inre.asu.edu (post1.inre.asu.edu [129.219.110.72]) by imap1.asu.edu (8.11.0/8.11.0/asu_cyrus,tcp_wrapped) with ESMTP id fA83bbX27413 for ; Wed, 07 Nov 2001 20:37:37 -0700 (MST) Received: from conversion.post1.inre.asu.edu by asu.edu (PMDF V6.1 #40110) David.Bear@asu.edu) ;
Wed, 07 Nov 2001 20:37:37 -0700 (MST) Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by asu.edu (PMDF V6.1 #40110) with ESMTP id <0GMG00536Q2OH9@asu.edu> for iddwb@IMAP1.ASU.EDU (ORCPT David.Bear@asu.edu); Wed, 07 Nov 2001 20:37:37 -0700 (MST) Received: (from emechler@localhost) by radix.cryptio.net (8.11.6/8.11.6) id fA83bah72147; Wed, 07 Nov 2001 19:37:36 -0800 (PST envelope-from emechler) Content-return: allowed From: Erick Mechler In-reply-to: ; from David Bear on Wed, Nov 07, 2001 at 07:02:09PM -0700 To: dwbear75@gmail.com Message-id: <20011107193736.V64838@techometer.net> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-disposition: inline Old-To: David Bear User-Agent: Mutt/1.2.5i Lines: 23 References: X-Keywords: cc: FreeBSD Security List Subject: Re: sharing /etc/passwd X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Fri, 24 Sep 2004 15:50:05 -0000 X-Original-Date: Wed, 07 Nov 2001 19:37:36 -0800 X-List-Received-Date: Fri, 24 Sep 2004 15:50:05 -0000

How 'bout PAM? /usr/ports/security/pam_ldap. If you have machines that can't do PAM, perhaps NIS is the way to go (assuming, of course, you're behind a firewall). You can store login information in LDAP like you want, then use a home-grown script to extract the information to a NIS map. Or, if you have a Solaris 8 machine lying around, you can cut out the middle step and use Sun's NIS server which can backend directly into LDAP.

Cheers - Erick

At Wed, Nov 07, 2001 at 07:02:09PM -0700, David Bear said this:
::
:: I need to sync /etc/passwd and /etc/group among multiple machines. I was
:: thinking ldap would be a good method but am concerned about
::
:: 1) the most secure way to do it
:: 2) the most stable
:: 3) things I don't know about this but should...
::
:: any pointers to man pages/docs would be appreciated.
::
::
:: To Unsubscribe: send mail to majordomo@FreeBSD.org
:: with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 15:59:05 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B568116A688 for ; Fri, 24 Sep 2004 15:59:05 +0000 (GMT) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 05F4043D49 for ; Fri, 24 Sep 2004 15:59:03 +0000 (GMT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.13.1/8.13.1) with ESMTP id i8OFwH9K082582; Fri, 24 Sep 2004 11:58:17 -0400 (EDT) (envelope-from robert@fledge.watson.org) Received: from localhost (robert@localhost)i8OFwBXv082579; Fri, 24 Sep 2004 11:58:17 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Fri, 24 Sep 2004 11:58:11 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: John Hay In-Reply-To: <200201020559.g025xaX94943@zibbi.icomtek.csir.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: Randy Bush cc: freebsd-security@FreeBSD.ORG cc: dwbear75@gmail.com Subject: Re: openssh version X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Sep 2004 15:59:05 -0000

On Wed, 2 Jan 2002, John Hay wrote:
> Well I can accept your argument for -stable, although bigger changes have
> gone in -stable in the past, but what about -current?
> My -current boxes
> also still claim: "sshd version OpenSSH_2.9 FreeBSD localisations
> 20011202" And this is the problem, if we don't have -current upgraded
> we have little chance in getting wrinkles out and very little chance of
> it going in -stable.
>
> Also maybe we should think again about all our local changes and if all
> of them are really necessary. If we can ditch some, that will also make
> it a lot easier to upgrade.

Funny, my -CURRENT boxes claim:

SSH-1.99-OpenSSH_3.8.1p1 FreeBSD-20040419

I might check that you're using the version shipped with FreeBSD rather than a package-installed version, and that your sshd configuration doesn't include a line to indicate the older version number.

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org Principal Research Scientist, McAfee Research

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 16:29:35 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B95016A4CE for ; Fri, 24 Sep 2004 16:29:35 +0000 (GMT) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 091CA43D45 for ; Fri, 24 Sep 2004 16:29:35 +0000 (GMT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.13.1/8.13.1) with ESMTP id i8OGSnne083277; Fri, 24 Sep 2004 12:28:49 -0400 (EDT) (envelope-from robert@fledge.watson.org) Received: from localhost (robert@localhost)i8OGSnt2083274; Fri, 24 Sep 2004 12:28:49 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Fri, 24 Sep 2004 12:28:49 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: John Hay In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: Randy Bush cc: freebsd-security@FreeBSD.ORG cc: dwbear75@gmail.com Subject: Re: openssh version X-BeenThere:
freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Sep 2004 16:29:35 -0000

On Fri, 24 Sep 2004, Robert Watson wrote:
> ...

Sigh, someone is replaying all the old messages to security@, and since security@ now points to security-team@, I'm getting the replays. Sorry for the false positive response, should have looked at the send date before replying. We need to go knock some heads together regarding the replay though, I've received a lot so far.

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org Principal Research Scientist, McAfee Research

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 16:52:17 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 169A516A4CE; Fri, 24 Sep 2004 16:52:17 +0000 (GMT) Received: from it.buh.tecnik93.com (it.buh.tecnik93.com [81.196.204.98]) by mx1.FreeBSD.org (Postfix) with ESMTP id 119CD43D4C; Fri, 24 Sep 2004 16:52:16 +0000 (GMT) (envelope-from itetcu@apropo.ro) Received: from it.buh.tecnik93.com (localhost.buh.tecnik93.com [127.0.0.1]) by it.buh.tecnik93.com (Postfix) with SMTP id 8D03D460; Fri, 24 Sep 2004 19:52:13 +0300 (EEST) Date: Fri, 24 Sep 2004 19:52:13 +0300 From: Ion-Mihai Tetcu To: Robert Watson Message-ID: <20040924195213.2177c795@it.buh.tecnik93.com> In-Reply-To: References: X-Mailer: Sylpheed-Claws 0.9.12a (GTK+ 1.2.10; i386-portbld-freebsd5.3) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-security@FreeBSD.ORG cc: postmaster@freebsd.org Subject: Re: openssh version X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post:
List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Sep 2004 16:52:17 -0000

On Fri, 24 Sep 2004 12:28:49 -0400 (EDT) Robert Watson wrote:
>
> On Fri, 24 Sep 2004, Robert Watson wrote:
> > ...
>
> Sigh, someone is replaying all the old messages to security@, and since
> security@ now points to security-team@, I'm getting the replays. Sorry
> for the false positive response, should have looked at the send date
> before replying. We need to go knock some heads together regarding the
> replay though, I've received a lot so far.

It happens on all lists for about one hour now. I've already contacted David. Messages seem to come from *.asu.edu :

Received: from moroni.pp.asu.edu (moroni.pp.asu.edu [129.219.69.200]) (8.12.10/8.12.10/asu_smtp_relay,nullclient,tcp_wrapped) with ESMTP id i8OFl671012936; Fri, 24 Sep 2004 08:47:06 -0700 (MST) Received: by moroni.pp.asu.edu (Postfix, from userid 500) id 5D7ACE8C; Fri, 24 Sep 2004 08:46:41 -0700 (MST) Received: from post1.inre.asu.edu (post1.inre.asu.edu [129.219.110.72]) by imap1.asu.edu (8.11.0/8.11.0/asu_cyrus,tcp_wrapped) with ESMTP id g57361E05355 for ; Thu, 06 Jun 2002 20:06:02 -0700 (MST)

-- 
IOnut
Unregistered ;) FreeBSD "user"
5.3-BETA4 - try `sysctl debug.witness_watch=0` and prepare to fly :-)

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 20:50:40 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B8C8416A4CE for ; Fri, 24 Sep 2004 20:50:40 +0000 (GMT) Received: from dlt.bluelight.org.uk (bluelight.org.uk [80.229.144.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1FA5743D49 for ; Fri, 24 Sep 2004 20:50:40 +0000 (GMT) (envelope-from terry@mrtux.co.uk) Received: from [192.168.2.138] (helo=[127.0.0.1]) by dlt.bluelight.org.uk with esmtp (Exim 4.42 (FreeBSD)) id 1CAx5L-0003WA-T6 for freebsd-security@freebsd.org; Fri, 24 Sep 2004 21:54:31 +0100 Message-ID: <415488AB.2060803@mrtux.co.uk> Date:
Fri, 24 Sep 2004 21:50:51 +0100 From: Terry User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20040923120103.5DD3116A517@hub.freebsd.org> In-Reply-To: <20040923120103.5DD3116A517@hub.freebsd.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: ssh security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Sep 2004 20:50:40 -0000

Derek Ragona wrote:
>> I tried to implement a similar scheme in my hosts.allow on a FreeBSD
>> 5.2.1 server. But when I try to test it from an IP outside my LAN, it
>> still allows ssh logins. I even put in a line in hosts.allow to
>> explicitly deny the IP I was ssh'ing from, but it still let me in.
>> The behavior gives the appearance that TCP wrappers are not enabled,
>> and thus the /etc/hosts.allow file is ignored.
>>
>> Is there something I need to do to enable the wrappers in sshd? I saw
>> that there is a compile option for the portable source from
>> openssh.org, so I wonder if there is some compile option that needs to
>> be enabled in make.conf?
>>
>> I have gone through the documentation for sshd_config, sshd,
>> make.conf, etc. but am not finding anything to change.
>>
>> -Derek
>>
>>
>>
>> At 07:37 AM 9/19/2004, Terry wrote:
>>
>
>
>>>> I had the same problem so I set up hosts.allow to only allow access
>>>> from certain IPs I require.
>>>> This has the effect of killing the connection from any other IP before
>>>> getting to any login prompt.
>>>> Example below:
>>>> sshd : localhost : allow
>>>> sshd : 192.168.2. : allow
>>>> sshd : 82.41.115.213 : allow
>>>> sshd : 216.123.248.219 : allow <-- public IP I wish to allow, of
>>>> course I have changed it
>>>> sshd : all : deny
>>>>
>>>> This then shows in log instead of failed login attempts
>>>>
>>>> dot.blah.co.uk refused connections:
>>>> Sep 17 22:11:55 dlt sshd[35669]: refused connect from
>>>> usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)
>>>>
>>>> Regards Terry
>>>>
>>>>
>>
>>

I read somewhere the order is important. Have you tried exactly as I posted, only changed IPs to fit your setup? My FreeBSD version is 4.10 and I made no other changes; I think tcp wrappers are default.

Terry

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 21:03:07 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5EF3D16A4CE for ; Fri, 24 Sep 2004 21:03:07 +0000 (GMT) Received: from manual-override.net (manual-override.net [65.42.236.5]) by mx1.FreeBSD.org (Postfix) with SMTP id D1DB943D41 for ; Fri, 24 Sep 2004 21:03:06 +0000 (GMT) (envelope-from chris@manual-override.net) Received: (qmail 77819 invoked from network); 24 Sep 2004 21:03:04 -0000 Received: from unknown (HELO manual-override.net) (127.0.0.1) by localhost.localline.com with SMTP; 24 Sep 2004 21:03:04 -0000 Received: from localhost (chris@localhost)i8OL34o7077815 for ; Fri, 24 Sep 2004 16:03:04 -0500 (EST) Date: Fri, 24 Sep 2004 16:03:04 -0500 (EST) From: Chris Orr To: freebsd-security@freebsd.org In-Reply-To: <415488AB.2060803@mrtux.co.uk> Message-ID: <20040924160019.K77746@manual-override.net> References: <20040923120103.5DD3116A517@hub.freebsd.org> <415488AB.2060803@mrtux.co.uk> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: ssh security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help:
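Terry's remark that order matters, worked through. The block below is an added example, not code from the thread and not tcpd itself: a first-match evaluator for the subset of hosts.allow syntax used above, run against Terry's rule set and against a constructed variant with the catch-all deny moved to the top. Hostnames and addresses are the ones quoted in the thread or constructed here.

```python
"""
First-match evaluation of hosts.allow rules in the shape Terry posted.

Added example: this is not code from the thread and not tcpd itself; it
handles only the subset used above (daemon name or ALL; clients as hostname,
exact IPv4 address, trailing-dot network prefix, leading-dot domain suffix,
or ALL; an allow/deny option) to show why rule order matters.
"""

# Terry's order: specific allows first, catch-all deny last.
TERRY_RULES = """\
sshd : localhost : allow
sshd : 192.168.2. : allow
sshd : 82.41.115.213 : allow
sshd : 216.123.248.219 : allow
sshd : all : deny
"""

# Constructed misconfiguration: the same rules with the catch-all first.
DENY_FIRST_RULES = """\
sshd : all : deny
sshd : localhost : allow
sshd : 192.168.2. : allow
"""


def parse_rules(text):
    """Parse 'daemons : clients : allow|deny' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError("unsupported rule: %r" % raw)
        rules.append((fields[0].split(), fields[1].split(), fields[2].lower()))
    return rules


def client_matches(pattern, hostname, address):
    """tcpd-style client match, case-insensitive, for the patterns above."""
    p = pattern.lower()
    host = hostname.lower()
    if p == "all":
        return True
    if p.startswith("."):                       # domain suffix, e.g. .usen.ad.jp
        return host.endswith(p)
    if p.endswith(".") and p[:-1].replace(".", "").isdigit():
        return address.startswith(p)            # network prefix, e.g. 192.168.2.
    return p == address or p == host            # exact address or hostname


def decide(rules, daemon, hostname, address):
    """The first rule whose daemon and client lists both match decides;
    when nothing matches, tcpd grants access."""
    for daemons, clients, action in rules:
        daemon_ok = any(d.lower() in ("all", daemon.lower()) for d in daemons)
        if daemon_ok and any(client_matches(c, hostname, address) for c in clients):
            return action
    return "allow"


if __name__ == "__main__":
    probe = ("usen-219x113x213x21.ap-US.usen.ad.jp", "219.113.213.21")  # from Terry's log
    for name, text in (("Terry's order", TERRY_RULES), ("deny first", DENY_FIRST_RULES)):
        rules = parse_rules(text)
        print(name, "probe:", decide(rules, "sshd", *probe),
              "localhost:", decide(rules, "sshd", "localhost", "127.0.0.1"))
```

Against the real files, FreeBSD's tcpdmatch(8) does the same job, for example `tcpdmatch sshd 219.113.213.21`, and reports which rule matched. If it reports a deny and the login still succeeds, the sshd that is answering is not consulting the wrappers at all (for instance a ports build running instead of the base one), which is a different problem from rule order.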
List-Subscribe: , X-List-Received-Date: Fri, 24 Sep 2004 21:03:07 -0000

When you build openssh, you need to be sure to add the --with-tcp-wrappers argument when you run the configure script.

ex: ./configure --with-ssl-dir=../openssl --with-pam --with-tcp-wrappers

Hopefully this points you in the right direction.

-chris

On Fri, 24 Sep 2004, Terry wrote:
> Derek Ragona wrote:
> >
> >> I tried to implement a similar scheme in my hosts.allow on a FreeBSD
> >> 5.2.1 server. But when I try to test it from an IP outside my LAN, it
> >> still allows ssh logins. I even put in a line in hosts.allow to
> >> explicitly deny the IP I was ssh'ing from, but it still let me in.
> >> The behavior gives the appearance that TCP wrappers are not enabled,
> >> and thus the /etc/hosts.allow file is ignored.
> >>
> >> Is there something I need to do to enable the wrappers in sshd? I saw
> >> that there is a compile option for the portable source from
> >> openssh.org, so I wonder if there is some compile option that needs to
> >> be enabled in make.conf?
> >>
> >> I have gone through the documentation for sshd_config, sshd,
> >> make.conf, etc. but am not finding anything to change.
> >>
> >> -Derek
> >>
> >>

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 21:49:20 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2A91216A4CE for ; Fri, 24 Sep 2004 21:49:20 +0000 (GMT) Received: from smtp15.wxs.nl (smtp15.wxs.nl [195.121.6.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B6D743D2F for ; Fri, 24 Sep 2004 21:49:19 +0000 (GMT) (envelope-from freebsd@akruijff.dds.nl) Received: from kruij557.speed.planet.nl (ipd50a97ba.speed.planet.nl [213.10.151.186]) by smtp15.wxs.nl (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <0I4K006RAFA3L3@smtp15.wxs.nl> for freebsd-security@freebsd.org; Fri, 24 Sep 2004 23:49:18 +0200 (CEST) Received: from alex.lan (localhost [127.0.0.1]) by kruij557.speed.planet.nl (8.12.10/8.12.10) with ESMTP id i8OLnA1F040296; Fri, 24 Sep 2004 23:49:10 +0200 Received: (from akruijff@localhost) by alex.lan (8.12.10/8.12.10/Submit) id i8OLn9Et040295; Fri, 24 Sep 2004 23:49:09 +0200 Content-return: prohibited Date: Fri, 24 Sep 2004 23:49:09 +0200 From: Alex de Kruijff In-reply-to: <6917b781040918103077c76f0c@mail.gmail.com> To: "David D.W. Downey" Message-id: <20040924214909.GA784@alex.lan> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline User-Agent: Mutt/1.4.2.1i References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> X-Authentication-warning: alex.lan: akruijff set sender to freebsd@akruijff.dds.nl using -f cc: "freebsd-security@FreeBSD.ORG" Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Sep 2004 21:49:20 -0000

On Sat, Sep 18, 2004 at 01:30:22PM -0400, David D.W. Downey wrote:
> On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen wrote:
> > Hi,
> >
> > Is there a security problem with ssh that I've missed???
> > I keep getting these hordes of:
> > Failed password for root from 69.242.5.195 port 39239 ssh2
> > with all kinds of different source addresses.
> >
> > They have a shot or 15 and then they are off again, but a little later on
> > they're back and keep clogging my logs.
> > Is there an "easy" way of getting these ip-numbers added to the
> > blocking-list of ipfw??
> >
> > Thanx,
> > --WjW
>
> well you want to see those. So long as you have
>
> PermitRootLogin no
>
> in your /etc/ssh/sshd_config, they won't be able to get in since ssh
> is then denied for root (except via a valid ssh key which you can
> further lock down by adding

No, ssh keys are also denied. To enable this you have to set PermitRootLogin to 'without-password' or 'forced-commands-only' (or yes).

> from="ip.addr, forward.dns.record.of.host"
>
> to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys)
>
> A better solution to the verbosity level would probably be to change
> your kernel config to have something like
>
> options IPFIREWALL_VERBOSE_LIMIT=3
>
> or using the sysctl.conf oid
>
> net.inet.ip.fw.verbose_limit=3
>
> Then you can still see the attempts (and thus log the IP information
> for contacting the abuse@ for the responsible IP controller) while
> limiting your log sizes.

This only logs the first three catches (when the log attribute is set) per rule. You may want to set this a little higher like 100.
-- 
Alex
Articles based on solutions that I use: http://www.kruijff.org/alex/FreeBSD/

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 21:54:16 2004
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 17F7B16A4CE for ; Fri, 24 Sep 2004 21:54:16 +0000 (GMT) Received: from smtp16.wxs.nl (smtp16.wxs.nl [195.121.6.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id D0B2243D48 for ; Fri, 24 Sep 2004 21:54:15 +0000 (GMT) (envelope-from freebsd@akruijff.dds.nl) Received: from kruij557.speed.planet.nl (ipd50a97ba.speed.planet.nl [213.10.151.186]) by smtp16.wxs.nl (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <0I4K001FBFIC8K@smtp16.wxs.nl> for freebsd-security@freebsd.org; Fri, 24 Sep 2004 23:54:15 +0200 (CEST) Received: from alex.lan (localhost [127.0.0.1]) by kruij557.speed.planet.nl (8.12.10/8.12.10) with ESMTP id i8OLs71F040335; Fri, 24 Sep 2004 23:54:07 +0200 Received: (from akruijff@localhost) by alex.lan (8.12.10/8.12.10/Submit) id i8OLs6u9040334; Fri, 24 Sep 2004 23:54:06 +0200 Content-return: prohibited Date: Fri, 24 Sep 2004 23:54:06 +0200 From: Alex de Kruijff In-reply-to: <20040924160019.K77746@manual-override.net> To: Chris Orr Message-id: <20040924215406.GB784@alex.lan> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline User-Agent: Mutt/1.4.2.1i References: <20040923120103.5DD3116A517@hub.freebsd.org> <415488AB.2060803@mrtux.co.uk> <20040924160019.K77746@manual-override.net> X-Authentication-warning: alex.lan: akruijff set sender to freebsd@akruijff.dds.nl using -f cc: freebsd-security@freebsd.org Subject: Re: ssh security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri,
On Fri, Sep 24, 2004 at 04:03:04PM -0500, Chris Orr wrote:
> When you build openssh, you need to be sure to add the --with-tcp-wrappers
> argument when you run the configure script.
>
> ex: ./configure --with-ssl-dir=../openssl --with-pam --with-tcp-wrappers
>
> Hopefully this points you in the right direction.
>
> -chris

This is a bit unusual for FreeBSD. If the default with the base system
doesn't fit you, then you can use the ports system to compile a newer
version: cd /usr/ports/.../ssh && make install && make clean

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 22:02:40 2004
From: Derek Ragona
Date: Fri, 24 Sep 2004 17:02:27 -0500
To: Terry, freebsd-security@freebsd.org
Message-Id: <6.0.0.22.2.20040924165856.01f551f0@mail.computinginnovations.com>
In-Reply-To: <415488AB.2060803@mrtux.co.uk>
Subject: Re: ssh security

At 03:50 PM 9/24/2004, Terry wrote:
> Derek Ragona wrote:
>
>>> I tried to implement a similar scheme in my hosts.allow on a FreeBSD
>>> 5.2.1 server. But when I try to test it from an IP outside my LAN, it
>>> still allows ssh logins. I even put in a line in hosts.allow to
>>> explicitly deny the IP I was ssh'ing from, but it still let me in.
>>> The behavior gives the appearance that TCP wrappers are not enabled,
>>> and thus the /etc/hosts.allow file is ignored.
>>>
>>> Is there something I need to do to enable the wrappers in sshd? I saw
>>> that there is a compile option for the portable source from openssh.org,
>>> so I wonder if there is some compile option that needs to be enabled in
>>> make.conf?
>>> I have gone through the documentation for sshd_config, sshd, make.conf,
>>> etc. but am not finding anything to change.
>>>
>>> -Derek
>>>
>>> At 07:37 AM 9/19/2004, Terry wrote:
>>
>>>>> I had the same problem so i set up hosts.allow to only allow access
>>>>> from certain ips i require
>>>>> This has the effect of killing the connection from any other ip before
>>>>> getting to any login prompt
>>>>> example below
>>>>> sshd : localhost : allow
>>>>> sshd : 192.168.2. : allow
>>>>> sshd : 82.41.115.213 : allow
>>>>> sshd : 216.123.248.219 : allow <-- public ip i wish to allow, of
>>>>> course i have changed it
>>>>> sshd : all : deny
>>>>>
>>>>> This then shows in log instead of failed login attempts
>>>>>
>>>>> dot.blah.co.uk refused connections:
>>>>> Sep 17 22:11:55 dlt sshd[35669]: refused connect from
>>>>> usen-219x113x213x21.ap-US.usen.ad.jp (219.113.213.21)
>>>>>
>>>>> Regards Terry
>>>>>
>>>
> I read somewhere the order is important. Have you tried exactly as i
> posted, only changed ip's to fit your setup?
> My freebsd version is 4.10 and i made no other changes; i think tcp
> wrappers are default
> Terry

Terry,

I cut and pasted the lines as you had them, and just changed the IP's. I had
one less line originally where your public address line is, then added a line
to explicitly deny the one address I was testing from.

I do have a 4.10 server I will try this on as well.

Thanks for the reply.

-Derek

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 22:09:21 2004
Message-Id: <6.0.0.22.2.20040924170902.01feb948@mail.computinginnovations.com>
From: Derek Ragona
Date: Fri, 24 Sep 2004 17:09:05 -0500
To: Alex de Kruijff, Chris Orr
cc: freebsd-security@freebsd.org
Subject: Re: ssh security

At 04:54 PM 9/24/2004, Alex de Kruijff wrote:
> On Fri, Sep 24, 2004 at 04:03:04PM -0500, Chris Orr wrote:
> > When you build openssh, you need to be sure to add the --with-tcp-wrappers
> > argument when you run the configure script.
> >
> > ex: ./configure --with-ssl-dir=../openssl --with-pam --with-tcp-wrappers
> >
> > Hopefully this points you in the right direction.
> >
> > -chris
>
> This is a bit unusual for FreeBSD. If the default with the base system
> doesn't fit you, then you can use the ports system to compile a newer
> version. cd /usr/ports/.../ssh && make install && make clean
>
> --
> Alex

I guess I am asking: are the tcp wrappers enabled in the default base system?
If the wrappers are not enabled, do I need to build world with some special
compile option? Or build ssh from the port? If the port is used, do I then
need to reconfigure anything in the system to use the port version instead of
the base system ssh?

Thanks for your help.
-Derek

From owner-freebsd-security@FreeBSD.ORG Sat Sep 25 09:52:45 2004
From: Dag-Erling Smørgrav <des@des.no>
Date: Sat, 25 Sep 2004 11:52:44 +0200
To: Derek Ragona
cc: freebsd-security@freebsd.org
Subject: Re: ssh security
In-Reply-To: <6.0.0.22.2.20040924170902.01feb948@mail.computinginnovations.com>

Derek Ragona writes:
> I guess I am asking are the tcp wrappers enabled in the default base
> system?
des@dwp ~/projects/freebsd% grep -B1 WRAP releng_4/src/crypto/openssh/config.h
/* Define if you want TCP Wrappers support */
#define LIBWRAP 1
des@dwp ~/projects/freebsd% grep -B1 WRAP releng_5/src/crypto/openssh/config.h
/* Define if you want TCP Wrappers support */
#define LIBWRAP 1
des@dwp ~/projects/freebsd% grep -B1 WRAP head/src/crypto/openssh/config.h
/* Define if you want TCP Wrappers support */
#define LIBWRAP 1

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sat Sep 25 09:59:33 2004
From: Matthew Seaman
Date: Sat, 25 Sep 2004 10:59:23 +0100
To: Derek Ragona
Message-ID: <20040925095923.GC2060@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <6.0.0.22.2.20040924170902.01feb948@mail.computinginnovations.com>
cc: freebsd-security@freebsd.org
Subject: Re: ssh security

On Fri, Sep 24, 2004 at 05:09:05PM -0500, Derek Ragona wrote:
> I guess I am asking are the tcp wrappers enabled in the default base
> system? If the wrappers are not enabled, do I need to build world with
> some special compile option?

Look at /usr/src/secure/usr.sbin/sshd/Makefile where it says:

LDADD+= -lssh -lcrypt -lcrypto -lutil -lz -lwrap ${MINUSLPAM}
                                          ^^^^^^

Conclusion: tcp-wrappers are enabled by default in the sshd(8) built by
the base system.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH
UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614

From owner-freebsd-security@FreeBSD.ORG Fri Sep 24 15:50:05 2004
From: Steve Shorter
To: dwbear75@gmail.com
Old-To: David Bear
cc: FreeBSD Security List
Subject: Re: sharing /etc/passwd
Date: Fri, 24 Sep 2004 15:50:05 -0000
X-Original-Date: Wed, 07 Nov 2001 21:13:16 -0500
Message-id: <20011107211316.A7830@nomad.lets.net>

On Wed, Nov 07, 2001 at 07:02:09PM -0700, David Bear wrote:
>
> I need to sync /etc/passwd and /etc/group among multiple machines. I was
> thinking ldap would be a good method but am concerned about
>
> 1) the most secure way to do it
> 2) the most stable
> 3) things I don't know about this but should...
>
> any pointers to man pages/docs would be appreciated.

Hmm... how about rsync?
/usr/ports/net/rsync

-steve

From owner-freebsd-security@FreeBSD.ORG Sat Sep 25 20:38:44 2004
From: Peter Jeremy
Date: Sun, 26 Sep 2004 06:38:33 +1000
To: Derek Ragona
cc: freebsd-security@freebsd.org
Subject: Re: sshd security
Message-ID: <20040925203833.GG83620@cirb503493.alcatel.com.au>
In-Reply-To: <6.0.0.22.2.20040924082209.01f44ae0@mail.computinginnovations.com>

On Fri, 2004-Sep-24 08:22:12 -0500, Derek Ragona wrote:
> I tried to implement a similar scheme in my hosts.allow on a FreeBSD 5.2.1
> server.
> But when I try to test it from an IP outside my LAN, it still
> allows ssh logins. I even put in a line in hosts.allow to explicitly deny
> the IP I was ssh'ing from, but it still let me in. The behavior gives the
> appearance that TCP wrappers are not enabled, and thus the /etc/hosts.allow
> file is ignored.
>
> Is there something I need to do to enable the wrappers in sshd? I saw that
> there is a compile option for the portable source from openssh.org, so I
> wonder if there is some compile option that needs to be enabled in
> make.conf?

Depending on how TCP wrappers are integrated into SSH, one possibility is
that you need /var/empty/etc/hosts.{allow,deny}

--
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Sat Sep 25 22:20:25 2004
From: Dag-Erling Smørgrav <des@des.no>
Date: Sun, 26 Sep 2004 00:20:05 +0200
To: Peter Jeremy
In-Reply-To: <20040925203833.GG83620@cirb503493.alcatel.com.au>
cc: freebsd-security@freebsd.org
Subject: Re: sshd security

Peter Jeremy writes:
> Depending on how TCP wrappers are integrated into SSH, one possibility
> is that you need /var/empty/etc/hosts.{allow,deny}

No, hosts_access() is called before chroot().

DES
--
Dag-Erling Smørgrav - des@des.no
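The thread settles two facts: the base-system sshd is linked with -lwrap, and hosts_access() runs before sshd's chroot(), so the file consulted is /etc/hosts.allow. What it only hints at ("I read somewhere the order is important") is how that file is evaluated. The evaluator below is an added example written for this page, not libwrap's code: it implements the first-match semantics of hosts_access(5) over Terry's rules as quoted above and shows why moving the deny line to the top locks everyone out. The reverse-DNS table is constructed (real wrappers call gethostbyaddr() and verify the forward lookup); Terry's lower-case `all` is treated as the `ALL` wildcard, since wrappers compare keywords with strcasecmp. It does not explain Derek's symptom, which the thread never resolves.

```python
"""First-match evaluator for hosts.allow rules in the format TCP wrappers
(hosts_access(5)) reads.  Added example written for this page; it is not
libwrap.  Patterns handled: ALL, exact address, trailing-dot address prefix
(192.168.2.), leading-dot domain suffix (.usen.ad.jp) and net/mask
(10.0.0.0/255.0.0.0).  Hostnames come from a constructed table, not DNS."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for gethostbyaddr().
REVERSE_DNS = {
    "127.0.0.1": "localhost",
    "219.113.213.21": "usen-219x113x213x21.ap-US.usen.ad.jp",
}


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = fields[0].split()
        clients = fields[1].split()
        # In hosts.allow a rule without an explicit option means allow.
        option = fields[2].lower() if len(fields) > 2 else "allow"
        if option not in ("allow", "deny"):
            raise ValueError("unsupported option %r in %r" % (option, raw))
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, ip):
    """Does one client pattern match the connecting address?"""
    if pattern.upper() == "ALL":           # keyword, case-insensitive
        return True
    if "/" in pattern:                     # net/mask form
        net, mask = pattern.split("/", 1)
        return ip_address(ip) in ip_network("%s/%s" % (net, mask), strict=False)
    if pattern.endswith("."):              # address prefix such as 192.168.2.
        return ip.startswith(pattern)
    name = REVERSE_DNS.get(ip, "")
    if pattern.startswith("."):            # domain suffix such as .usen.ad.jp
        return name.lower().endswith(pattern.lower())
    return pattern == ip or pattern.lower() == name.lower()


def hosts_access(rules, daemon, ip):
    """True if the connection is allowed.  The first rule whose daemon list
    and client list both match decides; later rules are never consulted, and
    if nothing matches the connection is allowed."""
    for daemons, clients, option in rules:
        if not any(d.upper() == "ALL" or d == daemon for d in daemons):
            continue
        if any(client_matches(c, ip) for c in clients):
            return option == "allow"
    return True


# Terry's rules as quoted in the thread.
TERRY_RULES = """\
sshd : localhost : allow
sshd : 192.168.2. : allow
sshd : 82.41.115.213 : allow
sshd : 216.123.248.219 : allow
sshd : all : deny
"""

# The same rules with the deny line moved to the top: order decides.
DENY_FIRST = "sshd : all : deny\n" + TERRY_RULES.replace("sshd : all : deny\n", "")

if __name__ == "__main__":
    rules = parse_rules(TERRY_RULES)
    for ip in ("127.0.0.1", "192.168.2.55", "192.168.20.5", "219.113.213.21"):
        print(ip, "allow" if hosts_access(rules, "sshd", ip) else "deny")
```

Two things worth noticing when you run it: the prefix `192.168.2.` does not match `192.168.20.5`, because the trailing dot is part of the comparison, and a daemon other than sshd (say ftpd) is not restricted at all by these rules, since the catch-all deny names only sshd.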