From owner-freebsd-security Sun Sep 16 1:50:47 2001
Date: Sun, 16 Sep 2001 03:50:39 -0500
From: D J Hawkey Jr
To: "Karsten W. Rohrbach", Krzysztof Zaraska, security at FreeBSD
Subject: Re: Dynamic Firewall/IDS System, Was: portsentry's stealth mode - works under fBSD with ipf?
Message-ID: <20010916035039.A72405@sheol.localdomain>
Reply-To: hawkeyd@visi.com

Sorry if this is a repost; my INN client doesn't show the first.

On Sep 16, at 01:47 AM, Karsten W. Rohrbach wrote:
>
> Krzysztof Zaraska(kzaraska@student.uci.agh.edu.pl)@2001.09.15 16:16:26 +0000:
> > On Sat, 15 Sep 2001, D J Hawkey Jr wrote:
> [...]
> > > By way of further explanation, the cron'd script analyzes the read-in
> > > log entries for blocked source IPs that either hit on the box a smallish
> > > number of times, each hit within a defined frequency (port scans and DOS
> > > attempts), or hit on the box at all a larger number of times (for more
> > > general idiocies).
> > There's an add-on for snort, called Guardian, that reads the alert log file
> > in tail -f style (every 1 second IIRC) and updates the firewall ruleset. I'm
> > not sure if it supports ipf right now but it should be easily hackable (it's
> > a Perl script).
> >
> > Personally, I'd rather use snort than portsentry since this is a more
> > flexible and powerful solution. And it can detect "stealth" port
> > scans under FreeBSD (verified personally). Based on your description I
> > think it would suit your needs. See http://www.snort.org/
>
> who else, besides me, would be interested in having a dynamic system for
> blocking/ratelimiting based on ids or packetfilter output and the like?

Well. I am, obviously.

> i am not talking perl here, rather implementing a native p2p or client
> server framework which does this, including crypted communications and
> policy based remote firewall configuration (perhaps ipfilter as
> proof-of-concept basis). it should run realtime (not cron or whatever
> exec() based scheduler) as a native event handler. it should be modular
> in design, to be able to add input and output handlers and to have a
> good choice of logging/alerting features.

FreeBSD already has dummynet for rate limiting, and two firewall
technologies.

The encryption stuff seems disjointed. That seems like another topic
altogether.

> i already got lots of ideas for it, but haven't gotten around to
> implement something yet, and after a long time of being a quite passive
> member of the *bsd community, this would be an interesting project i
> would like to contribute design, ideas and code and more.

My first post was a simple Q to see if all of portsentry's features were
available on FreeBSD (the answer appears to be "No.").

Krzysztof snipped off the last sentence of that post, where I thought
about putting my script's logic into portsentry, or maybe even ipmon.

What I currently have is a working proof-of-concept for what I want. I
browsed the source to ipmon today, and there's ample room for me to hack
at it. Yes, I need userland.

> tell me if you are interested in developing such a thing from scratch,
> together...

I don't think this is necessary. It seems, to me anyway, redundant to
existing technologies. Does any OS need three firewalls in its base?

All I want is what I've got proven, but to move it into a daemon for
something more realtime; I've got it down to 2 minute intervals via cron,
but that's not frequent enough, and draws too many resources for what
it does at that interval.

Myself, I think I'll decline active participation in such a project.
I've got pretty well defined criteria, and it's small. With this, my
needs will be met. I can daemonize it over a weekend.

Besides, aren't you [basically] describing snort?

> ...and include a short description of your skills, programming
> languages and os platform you're on, if you like.

P/A and Systems Admin by profession. C, shell, awk, sed, m4. FreeBSD, QNX,
Linux, and a little Solaris. X11R5/6.

> /k

Let me know how and where things go, though,
Dave

--
It took the computing power of three C-64s to fly to the Moon.
It takes an 800Mhz P3 to run Windows XP. Something is wrong here.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Sep 16 7:18:19 2001
Date: Sun, 16 Sep 2001 16:17:46 +0200 (CEST)
From: Krzysztof Zaraska
To: D J Hawkey Jr
Cc: "Karsten W. Rohrbach", security at FreeBSD
Subject: Re: Dynamic Firewall/IDS System, Was: portsentry's stealth mode - works under fBSD with ipf?
In-Reply-To: <20010915204756.A70057@sheol.localdomain>

On Sat, 15 Sep 2001, D J Hawkey Jr wrote:
> On Sep 16, at 01:47 AM, Karsten W. Rohrbach wrote:
> >
> > Krzysztof Zaraska(kzaraska@student.uci.agh.edu.pl)@2001.09.15 16:16:26 +0000:
> > > On Sat, 15 Sep 2001, D J Hawkey Jr wrote:
> > [...]
> > > > By way of further explanation, the cron'd script analyzes the read-in
> > > > log entries for blocked source IPs that either hit on the box a smallish
> > > > number of times, each hit within a defined frequency (port scans and DOS
> > > > attempts), or hit on the box at all a larger number of times (for more
> > > > general idiocies).
> > > There's an add-on for snort, called Guardian, that reads the alert log file
> > > in tail -f style (every 1 second IIRC) and updates the firewall ruleset. I'm
> > > not sure if it supports ipf right now but it should be easily hackable (it's
> > > a Perl script).
> > >
> > > Personally, I'd rather use snort than portsentry since this is a more
> > > flexible and powerful solution. And it can detect "stealth" port
> > > scans under FreeBSD (verified personally). Based on your description I
> > > think it would suit your needs. See http://www.snort.org/
> >
> > who else, besides me, would be interested in having a dynamic system for
> > blocking/ratelimiting based on ids or packetfilter output and the like?
>
> Well. I am, obviously.

Sounds interesting to me, too.

> > i am not talking perl here, rather implementing a native p2p or client
> > server framework which does this, including crypted communications and
> > policy based remote firewall configuration (perhaps ipfilter as
> > proof-of-concept basis). it should run realtime (not cron or whatever
> > exec() based scheduler) as a native event handler. it should be modular
> > in design, to be able to add input and output handlers and to have a
> > good choice of logging/alerting features.

Sounds cool to me. Do you want to build it into firewall code or just use
firewall logger output?

> FreeBSD already has dummynet for rate limiting, and two firewall
> technologies.
>
> The encryption stuff seems disjointed. That seems like another topic
> altogether.
>
> > i already got lots of ideas for it, but haven't gotten around to
> > implement something yet, and after a long time of being a quite passive
> > member of the *bsd community, this would be an interesting project i
> > would like to contribute design, ideas and code and more.
>
> My first post was a simple Q to see if all of portsentry's features were
> available on FreeBSD (the answer appears to be "No.").
>
> Krzysztof snipped off the last sentence of that post, where I thought
> about putting my script's logic into portsentry, or maybe even ipmon.

Sorry for that.

> What I currently have is a working proof-of-concept for what I want. I
> browsed the source to ipmon today, and there's ample room for me to hack
> at it. Yes, I need userland.
>
> > tell me if you are interested in developing such a thing from scratch,
> > together...
>
> I don't think this is necessary. It seems, to me anyway, redundant to
> existing technologies. Does any OS need three firewalls in its base?

Well, I don't think this project should aim towards building another
packet filter; however, a system gathering alerts from various sources
(firewall, IDS, etc.) and reacting appropriately could be a good thing.
Also, if it was modular in design and implementation then it could possibly
run with many packet filters or IDS systems just by selecting appropriate
"plugins". Is this what "different input/output handlers" means?

> All I want is what I've got proven, but to move it into a daemon for
> something more realtime; I've got it down to 2 minute intervals via cron,
> but that's not frequent enough, and draws too many resources for what
> it does at that interval.
>
> Myself, I think I'll decline active participation in such a project.
> I've got pretty well defined criteria, and it's small. With this, my
> needs will be met. I can daemonize it over a weekend.
>
> Besides, aren't you [basically] describing snort?

I don't think this is a description of snort. Snort documentation
explicitly states that it's a tool for intrusion detection only and snort
itself does not have any options allowing it to react to an alert, except the
possibility of sending RST to tear down hostile TCP connections. I think the
tool described by Karsten is rather something that could use snort as one of
the possible alert sensors, right?

Besides, I like the idea of updating rulesets between firewalls in real time.
It's been discussed on this list before in a slightly different context, but
did not lead to implementing anything. Sounds cool even as a purely research
project.

> > ...and include a short description of your skills, programming
> > languages and os platform you're on, if you like.
>
> P/A and Systems Admin by profession. C, shell, awk, sed, m4. FreeBSD, QNX,
> Linux, and a little Solaris. X11R5/6.

Administration part-time, FreeBSD, Linux, C/C++, bash, a little Perl and
Java.

Regards,
Krzysztof

> > /k
>
> Let me know how and where things go, though,
> Dave
>
> --
> It took the computing power of three C-64s to fly to the Moon.
> It takes an 800Mhz P3 to run Windows XP. Something is wrong here.
From owner-freebsd-security Sun Sep 16 7:51:44 2001
Date: Sun, 16 Sep 2001 07:51:17 -0700
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: freebsd-security@freebsd.org
Subject: Jailinit 0.0 (fwd)
Message-Id: <200109161451.f8GEpK462728@cwsys.cwsent.com>

This came to me via SECTOOLS. Someone here might find this useful.

Regards,                          Phone:  (250)387-8437
Cy Schubert                         Fax:  (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

------- Forwarded Message

[headers removed]
Date: Sat, 15 Sep 2001 13:37:23 -0600
From: aleph1@securityfocus.com
To: sectools@securityfocus.com
Subject: Jailinit 0.0
Message-ID: <20010915133723.M1818@securityfocus.com>

Jailinit 0.0
by Samuel J. Greear (http://freshmeat.net/users/dragonk/)
Friday, September 14th 2001 11:24

Categories: Security, System :: Boot :: Init, System :: Operating System
Kernels :: BSD, Utilities

About: Jailinit is an init daemon for FreeBSD jail environments. It makes
administration of 'sub-servers' easier.

License: BSD License

URL: http://freshmeat.net/projects/jailinit/

--
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum

------- End of Forwarded Message

From owner-freebsd-security Sun Sep 16 10:51:57 2001
Date: Sun, 16 Sep 2001 19:52:04 +0200
From: "Karsten W. Rohrbach"
To: Krzysztof Zaraska
Cc: D J Hawkey Jr, security at FreeBSD
Subject: Re: Dynamic Firewall/IDS System
Message-ID: <20010916195204.A76493@mail.webmonster.de>
References: <20010915204756.A70057@sheol.localdomain>
In-Reply-To: from kzaraska@student.uci.agh.edu.pl on Sun, Sep 16, 2001 at 04:17:46PM +0200

Krzysztof Zaraska(kzaraska@student.uci.agh.edu.pl)@2001.09.16 16:17:46 +0000:
> On Sat, 15 Sep 2001, D J Hawkey Jr wrote:
> > > tell me if you are interested in developing such a thing from scratch,
> > > together...
> >
> > I don't think this is necessary. It seems, to me anyway, redundant to
> > existing technologies. Does any OS need three firewalls in its base?
> Well, I don't think this project should aim towards building another
> packet filter; however, a system gathering alerts from various sources
> (firewall, IDS, etc.) and reacting appropriately could be a good thing.
> Also, if it was modular in design and implementation then it could possibly
> run with many packet filters or IDS systems just by selecting appropriate
> "plugins".
> Is this what "different input/output handlers" means?

verbose concept:
- input handlers read event data from firewall logs, ids, whatever and
  transform it to a unified format (idmef?)
- event handler engine uses a to-be-discussed policy system to decide
  what to do in reaction to the incoming events
- output handlers take the generated countermeasure events, transform
  them to the appropriate format and remotely add rules to firewall
  systems and the like
- logging system generates categorized logs from all of the above,
  sends out realtime alerts via pager/mail/sms/...

prerequisites (and proposed subsystems for first implementation):
- lightweight ids system for input events
  -> snort
- firewall system for log based input events
  -> ipfilter/bsd
- firewall system for dynamic rule addition
  -> ipfilter/bsd
  -> cisco ios ip acls
  -> feed blackhole routes to juniper boxes
- reliable, authenticated, secure network transport
  -> kame ipsec/bsd, preshared secrets (tell me if you got a better idea)
- categorized log output subsystem
  -> plain file, easy thing
  -> mysql/postgresql, perhaps integration with acid or the like

...so it looks like we have to implement an event handling engine, input,
logging and output filters on a modular basis and -- that's the hard work
here -- a good and flexible policy/rule system. remote rule distribution
for snort systems is already implemented as a working prototype at my site.

> > Besides, aren't you [basically] describing snort?
> I don't think this is a description of snort. Snort documentation
> explicitly states that it's a tool for intrusion detection only and snort
> itself does not have any options allowing it to react to an alert, except the
> possibility of sending RST to tear down hostile TCP connections.

exactly! i am not satisfied with the flexresp features in snort. they fit
for a single host solution but not for clusters or larger scale networks.

let me describe one installation that would be easier to manage with such
a system: imagine you got a colo with web servers, let's say 200 different
boxes behind several routers and firewalls. we do not have control over
the os of the boxes, since they are customer machines. one guy on his home
adsl line wrote a program that infiltrates windows based machines. we
don't have access to the boxes but we can see -- as the network guys from
the colo -- that they get or got attacked. we deploy sensor rules for the
ids boxes. we deploy packet filter log rules that indicate the attack. the
event engine gets a feed from the inputs. we deploy a policy for this
certain attack type, including the definition of what needs to be done to
block the attack. the output filters add the appropriate rules to a myriad
of network devices in our infrastructure to
- block a single ip address from where the attack came
- block certain things (in case of a worm) which appear to be outgoing
  from affected/infected servers
- alert the colo people via a monitoring console
- alert the owner of the server
- generate an abuse report
- ...

you see, that i am thinking about a -- albeit complex -- network intrusion
_management_ system which is able to
- detect intrusion/breakage of boxes
- react in real time, thus minimizing the impact on infrastructure
- generate comprehensive reports on what happened

implementing such a system is a perfect candidate for an open source
project, because it probably will not originate from one larger company
who could afford project funding; neither could a smaller company implement
such a thing due to manpower constraints and cash.

>
> I think the tool described by Karsten is rather something that could use
> snort as one of the possible alert sensors, right?
>
> Besides, I like the idea of updating rulesets between firewalls in real time.
> It's been discussed on this list before in a slightly different context, but
> did not lead to implementing anything. Sounds cool even as a purely
> research project.

until a working proof of concept prototype is up and running it will be a
research project. the point is that neither university people are at this
as far as i can see from the current ongoing projects of the major unis.
also network consulting companies and network security folks do not have
this comprehensive, interdisciplinary approach -- they rather implement
limited-by-design solutions to keep their customers half-way happy and
that's pretty much it.

>
> > > ...and include a short description of your skills, programming
> > > languages and os platform you're on, if you like.
> >
> > P/A and Systems Admin by profession. C, shell, awk, sed, m4. FreeBSD, QNX,
> > Linux, and a little Solaris. X11R5/6.
> Administration part-time, FreeBSD, Linux, C/C++, bash, a little Perl and
> Java.

ah yes,
- full time system admin and network architect for the last 6 years for
  nacamar (as3257), world online and tiscali germany.
- 10+ years bsd knowledge, preferred flavour is freebsd, other flavours
  include aix, net and openbsd. i hate suns. i dislike win32, but worked
  for customer projects with it.
- perl, shell (sedawkm4), php spoken fluently
- c/c++, python, java are somewhat known, i am more and more into python
  (speak: learning the arcane magic of it ;-)
- application specific knowledge in apache et al.

> > --
> >
> > It took the computing power of three C-64s to fly to the Moon.
> > It takes an 800Mhz P3 to run Windows XP. Something is wrong here.

...only if you insist on dancing paperclips killing your time ;-)
business mail is very easily handled by latex and the like *grin*

/k
--
> question = ( to ) ? be : ! be; // Wm. Shakespeare
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Sun Sep 16 10:59:39 2001
Date: Sun, 16 Sep 2001 19:59:54 +0200
From: "Karsten W. Rohrbach"
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@freebsd.org
Subject: Re: Jailinit 0.0 (fwd)
Message-ID: <20010916195954.E76493@mail.webmonster.de>
References: <200109161451.f8GEpK462728@cwsys.cwsent.com>
In-Reply-To: <200109161451.f8GEpK462728@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Sun, Sep 16, 2001 at 07:51:17AM -0700

Cy Schubert - ITSD Open Systems Group(Cy.Schubert@uumail.gov.bc.ca)@2001.09.16 07:51:17 +0000:
> This came to me via SECTOOLS. Someone here might find this useful.

not knowing the details about the product, i might note that using
/usr/ports/sysutils/daemontools serves as a really good and flexible init
system for jails. it is, if you understand the basic concepts of
svscan/supervise, the most simple and flexible solution i found so far.
/k
--
> the spelling reform is fun!

From owner-freebsd-security Sun Sep 16 11:48:20 2001
Date: Sun, 16 Sep 2001 20:48:37 +0200
From: "Karsten W. Rohrbach"
To: Krzysztof Zaraska
Cc: D J Hawkey Jr, security at FreeBSD
Subject: Re: Dynamic Firewall/IDS System
Message-ID: <20010916204837.H76493@mail.webmonster.de>
References: <20010915204756.A70057@sheol.localdomain>
In-Reply-To: from kzaraska@student.uci.agh.edu.pl on Sun, Sep 16, 2001 at 04:17:46PM +0200

a mailing list has been set up:
defender-devel@listsrv.webmonster.de

to subscribe, send an empty mail to
defender-devel-subscribe@listsrv.webmonster.de

for listserver instrumentation help send an empty mail to
defender-devel-help@listsrv.webmonster.de

i will post a detailed list of ideas and basic design to this list around
thursday, to give interested people the time to subscribe

/k
--
> MCSE: Minesweeper Consultant & Solitaire Engineer
1= 0x --Enx9fNJ0XV5HaWRu Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7pPQFM0BPTilkv0YRAvs0AJ41NMzOT3b3EhNP1PMn5PTpYT9ElwCeJXfb C3sO6TsXtPYOhr8ahVxQnwk= =lXYv -----END PGP SIGNATURE----- --Enx9fNJ0XV5HaWRu-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 17 2:44:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from hale.inty.net (hale.inty.net [195.92.21.144]) by hub.freebsd.org (Postfix) with ESMTP id 1205437B406 for ; Mon, 17 Sep 2001 02:44:20 -0700 (PDT) Received: from inty.hq.inty.net (inty.hq.inty.net [213.38.150.150]) by hale.inty.net (8.11.3/8.11.2) with ESMTP id f8H9iHU94326 for ; Mon, 17 Sep 2001 10:44:18 +0100 (BST) Received: from tariq ([10.0.1.156]) by inty.hq.inty.net (8.9.3/8.9.3) with SMTP id KAA57748 for ; Mon, 17 Sep 2001 10:44:16 +0100 (BST) From: "Terry" To: Subject: RE: isakmpd for freebsd howto Date: Mon, 17 Sep 2001 10:45:02 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org after some investigation it turns out that dynamic ip end-points are not compatible with racoon at all. so i'm going to try isakpmd (ported package isakmpd-20010403.tgz for freebsd 4.2-rel) the binaries seem to work ok, conf files read in ok... but then nothing (!)... anyone know of any how-tos? seeting up gif tunnels required? ideas / comments welcome. 
---------------------------------------
On Fri, 14 Sep 2001, Terry wrote:
> I can get a FreeBSD IPSEC VPN (tunnel mode) going ... (setting up
> gif0, routing etc etc)...
>
> and I can JUST ABOUT do a FreeBSD<->win2k ipsec transport mode
> going...
>
> i want to be able to have mobile win2k laptops join the static ipsec
> vpn... i guess they use transport mode?
>
> anyway, documentation is scarce (i've spent a week reading stuff from
> the bsd, ipsec sites, mailing and news archives... no luck)... the
> scope IS THERE ... the racoon config file format does allow connection
> specific SA's to be generated:
>
> remote anonymous {...} (anyone)
> sainfo anonymous {...} (again, anyone)
>
> remote address 1.2.3.4 (extra ones?)
> sainfo address 1.2.3.4 (extra ones?)
>
> has anyone done this?
> i'm using freebsd 4.3-release, will use 4.4-release when it's out...
>
> any help/ideas welcome

This email has been virus scanned using Sophos Anti-Virus by intY (www.inty.net)

--
Information in this electronic mail message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorised. If you are not the intended recipient any use, disclosure, copying or distribution of this message is prohibited and may be unlawful. When addressed to our customers, any information contained in this message is subject to Intelligent Network Technology Ltd Terms & Conditions.
--

From owner-freebsd-security Mon Sep 17 5:45:16 2001
Date: Mon, 17 Sep 2001 16:39:40 +0400
Message-Id: <200109171239.QAA26001@paranoid.eltex.ru>
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Dynamic Firewall/IDS System
To: karsten@rohrbach.de
Cc: defender-devel@listsrv.webmonster.de, freebsd-security@FreeBSD.ORG

Ok, some thoughts about event handling software.

First to say i am definitely against any "super-duper-dynamic-countermeasures". No policy change should appear without manual review and approval. I am the person that controls my firewall directly and there should be no ways of indirect control.

It sounds extremely cool, i know, but it is simply not worth the problems that appear.
I mean there are many known and even more unknown yet ways to cause 'false positives' and DoS vital or just important things for you, and many ways to obtain information bad guys need regardless of whether such a system is installed.

There are some other things to do, though. A small network gets tens of security-related events daily, the number for a big one is thousands, which is almost impossible to handle manually just reading logs. But we have to.

Requirements for a tool that should be able to do the job are simple:

the thing should not be too complex. get offender's ip address, some mnemonic event type as command line - and detailed info like log lines from stdin. Do whois lookup then and record network owner and administrative contacts. This is how we fill our database.

What can we do then? Retrieve useful information.

"automatic mode": when event occurs, send an _informative_ notification to admin, including:

all details for this event
last n similar or relevant events
last n events recorded for this host
last n events recorded for networks owned by the same organization

providing a good template for a message to abuse service

"manual mode": any kind of information retrieval on demand.

Someone can even write a fancy (say, tk ;) GUI for that to update database, keep track on abuse responses and tickets and to help you know if you really did perform any actions on this or that incident or you just were too lazy that day.

Anyone willing to implement? I'm afraid i am too busy now to write code for that thing :(

--
CU in Hell /Arkan#iD
Do i believe in Bible? Hell, man, i've seen one!
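[Editor's added example, not code from the thread.] The recorder sketched in the message above is small enough to write down in full: offender IP and an event-type mnemonic on the command line, the supporting log lines on stdin, a database behind it, and the three "last n" views plus an abuse-report draft for the notification. The whois step is replaced by a constructed NETWORK_OWNERS table (an assumption, using documentation prefixes) so the example runs offline; the sample detail lines in the test are constructed in the format ipfw(8) logs denied packets in.

```python
"""Event recorder: offender IP + event type on argv, detail lines on stdin,
an sqlite store, and the 'last n' history views for an admin notification.
Added example; the whois step is a constructed lookup table (assumption)."""
import ipaddress
import sqlite3
import sys
from datetime import datetime, timezone

# Constructed stand-in for whois data (assumption): prefix -> (owner, abuse contact).
NETWORK_OWNERS = {
    "198.51.100.0/24": ("Example Transit Ltd", "abuse@transit.example"),
    "203.0.113.0/24": ("Example Hosting GmbH", "abuse@hosting.example"),
}


def lookup_owner(ip):
    """Return (owner, abuse contact) for ip, or ('unknown', None)."""
    addr = ipaddress.ip_address(ip)
    for prefix, contact in NETWORK_OWNERS.items():
        if addr in ipaddress.ip_network(prefix):
            return contact
    return "unknown", None


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS events ("
        "id INTEGER PRIMARY KEY, ts TEXT, ip TEXT, kind TEXT,"
        " owner TEXT, abuse TEXT, detail TEXT)"
    )
    return db


def record_event(db, ip, kind, detail_lines, ts=None):
    """Store one event with its resolved network owner; return the row id."""
    owner, abuse = lookup_owner(ip)
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    cur = db.execute(
        "INSERT INTO events (ts, ip, kind, owner, abuse, detail)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (ts, ip, kind, owner, abuse, "\n".join(detail_lines)),
    )
    db.commit()
    return cur.lastrowid


def history(db, ip, kind, n=5, exclude_id=None):
    """The three 'last n' views, newest first, as (ts, ip, kind) tuples.
    exclude_id keeps the event just recorded out of its own history."""
    owner, _ = lookup_owner(ip)
    base = ("SELECT ts, ip, kind FROM events WHERE {} AND id != ?"
            " ORDER BY id DESC LIMIT ?")
    skip = exclude_id if exclude_id is not None else -1
    return {
        "similar": db.execute(base.format("kind = ?"), (kind, skip, n)).fetchall(),
        "host": db.execute(base.format("ip = ?"), (ip, skip, n)).fetchall(),
        "owner": db.execute(base.format("owner = ?"), (owner, skip, n)).fetchall(),
    }


def notification(ip, kind, detail_lines, hist):
    """Admin notification: the event, the history views, and an abuse-report
    draft addressed to the network's recorded contact."""
    owner, abuse = lookup_owner(ip)
    out = [f"EVENT {kind} from {ip} ({owner})", *detail_lines, ""]
    for title, rows in hist.items():
        out.append(f"last {len(rows)} {title} events:")
        out += [f"  {ts} {rip} {rkind}" for ts, rip, rkind in rows]
    out += ["", "--- abuse report draft ---",
            f"To: {abuse or '(no abuse contact on record)'}",
            f"Subject: {kind} from {ip}", "",
            f"Our logs show the following {kind} activity from {ip}:", *detail_lines]
    return "\n".join(out)


def main(argv=None, stdin=None):
    argv = sys.argv[1:] if argv is None else argv
    stdin = sys.stdin if stdin is None else stdin
    if len(argv) != 2:
        sys.exit("usage: recorder OFFENDER_IP EVENT_TYPE < detail-lines")
    ip, kind = argv
    lines = [ln.rstrip("\n") for ln in stdin if ln.strip()]
    db = open_db("events.db")  # assumption: a database file next to the tool
    rid = record_event(db, ip, kind, lines)
    print(notification(ip, kind, lines, history(db, ip, kind, exclude_id=rid)))


if __name__ == "__main__":
    main()
```

Usage from a log watcher would be `grep 'ipfw: 600 Deny' | recorder 198.51.100.7 icmp-flood`; nothing here touches the firewall, which is the point of the proposal: the tool only records and reports, and the human decides.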
From owner-freebsd-security Mon Sep 17 6:10:17 2001
Message-Id: <200109171309.f8HD9wi28067@ns.okbmei.msk.su>
Subject: Re: Dynamic Firewall/IDS System
In-Reply-To: <200109171239.QAA26001@paranoid.eltex.ru>
To: ark@eltex.ru
Date: Mon, 17 Sep 2001 17:09:57 +0400 (MSD)
Cc: freebsd-security@freebsd.org
From: "Alex S. Burba"
Organization: OKB MEI

Hi.

> Anyone willing to implement? I'm afraid i am too busy now to write code for
> that thing :(

You mean now you have a working system of your kind but no GUI? Anyway can we look at it?

--
Bye.
Alex S. Burba

From owner-freebsd-security Mon Sep 17 6:12:34 2001
Date: Mon, 17 Sep 2001 17:07:14 +0400
Message-Id: <200109171307.RAA26090@paranoid.eltex.ru>
In-Reply-To: <200109171309.f8HD9wi28067@ns.okbmei.msk.su> from "Alex S. Burba"
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Dynamic Firewall/IDS System
To: burba@okbmei.msk.su
Cc: freebsd-security@freebsd.org

nuqneH,

No, i just have some ideas on how it should be done :(

"Alex S. Burba" said :

> Hi.
> > Anyone willing to implement? I'm afraid i am too busy now to write code for
> > that thing :(
>
> You mean now you have a working system of your kind but no GUI? Anyway can we
> look at it?
>
> --
> Bye.
> Alex S. Burba

--
CU in Hell /Arkan#iD
Do i believe in Bible? Hell, man, i've seen one!
From owner-freebsd-security Mon Sep 17 6:19:39 2001
Date: Mon, 17 Sep 2001 15:19:45 +0200
From: "Karsten W. Rohrbach"
To: ark@eltex.ru
Cc: defender-devel@listsrv.webmonster.de, freebsd-security@FreeBSD.ORG
Subject: Re: Dynamic Firewall/IDS System
Message-ID: <20010917151945.F93774@mail.webmonster.de>
In-Reply-To: <200109171239.QAA26001@paranoid.eltex.ru>; from ark@eltex.ru on Mon, Sep 17, 2001 at 04:39:40PM +0400

ark@eltex.ru(ark@eltex.ru)@2001.09.17 16:39:40 +0000:
> Ok, some thoughts about event handling software.
>
> First to say i am definitely against any "super-duper-dynamic-countermeasures".
that's the same with me, but i see the need for a system to automate some of the daily net/abuse/system admins' tasks.

> No policy change should appear without manual review and approval.
> I am the person that controls my firewall directly and there should be no
> ways of indirect control.

policies won't change themselves. i rather mean to employ policies defining what measures the output handlers are allowed to take and what input conditions have to be met to trigger a reaction. thus, prevent self-blocking the whole system and so on...

> It sounds extremely cool, i know, but it is simply not worth the problems that
> appear. I mean there are many known and even more unknown yet ways to cause
> 'false positives' and DoS vital or just important things for you and many ways
> to obtain information bad guys need regardless of whether such a system is installed.

it is the intent to set certain thresholds, combinations or whole scenarios for triggering a countermeasure. i do not want to create a stupid dumbfire firewall remote controller. i could have done this in a perl script, already, if i wanted it so badly ;-) scifi firewalls on linux also had this feature, but for me it appears too limited (just one host) and it also had several other (operational) problems in the field.

> There are some other things to do, though. A small network gets tens of
> security-related events daily, the number for a big one is thousands, which
> is almost impossible to handle manually just reading logs. But we have to.

yup and joining the logs into an event handling engine, correlating them, perhaps using templates or the like and putting them into a categorized log storage (whatever it may be) strongly helps you with that task. a small network (one ip address) 194.162.162.209/32 sometimes gets several thousand alerts a day.

> Requirements for a tool that should be able to do the job are simple:
>
> the thing should not be too complex.
> get offender's ip address, some mnemonic
> event type as command line - and detailed info like log lines from stdin.
> Do whois lookup then and record network owner and administrative contacts.
> This is how we fill our database.

these are different processing steps which should therefore be done in a modularized setup. this cuts down the complexity of each module to a minimum while giving us the most flexibility.

> What can we do then? Retrieve useful information.
>
> "automatic mode": when event occurs, send an _informative_ notification to admin,
> including:
>
> all details for this event
> last n similar or relevant events
> last n events recorded for this host
> last n events recorded for networks owned by the same organization

this is logging, the way acid does it with snort logs.

> providing a good template for a message to abuse service

this is also logging based.

> "manual mode": any kind of information retrieval on demand.

this would be some kind of query interface for the logging database, then. i am thinking about separating event priorities in handling right at the beginning. this creates a certain scalability. i just had a discussion with yoann from the prelude project, and it appears to me that separating several alert 'classes' into different priority queues on a processing node makes sense. alerts that need to be transformed for database storage and so on could spill over to another node which does the conversion to idmef or similar formats for incident storage. timeliness in reacting to whatever events come in is a premium.

> Someone can even write a fancy (say, tk ;) GUI for that to update database,
> keep track on abuse responses and tickets and to help you know if you
> really did perform any actions on this or that incident or you just were too
> lazy that day.

a built-in ticketing system would rock for the categorized logging database, yes.

> Anyone willing to implement?
> I'm afraid i am too busy now to write code for
> that thing :(

oh, i would be happy to have you on board with those ideas.

/k
--
> Sex is one of the nine reasons for reincarnation ... the other eight
> are unimportant. --Henry Miller
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
10x

From owner-freebsd-security Mon Sep 17 6:34: 2 2001
From: Randy Bush
To: freebsd-security@freebsd.org
Subject: ipfw logging to dmesg not /var/log/syslog
Date: Mon, 17 Sep 2001 06:33:54 -0700

why is ipfw's logging in dmesg as opposed to /var/log/security?
4.4-RC

[ some ip addresses changed ]

# ipfw show
00100      98      3528 allow ip from 42.666.32.0/24 to any
00200     101      3780 allow ip from 42.666.42.0/24 to any
00300       3       185 allow ip from 42.666.49.0/24 to any
00400       1        36 deny icmp from any to 666.42.0.3 icmptype 8
00500       1        36 deny icmp from any to 666.42.0.4 icmptype 8
00600    7886   2583885 deny log logamount 100 icmp from any to 666.42.0.39 icmptype 8
00700 7435873 932696758 allow ip from any to any
65535      28      1803 deny ip from any to any

# sysctl net.inet.ip.fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 30

# cat /var/log/security
#

-- from /etc/syslog.conf
# Log all security messages to a separate file.
security.*                                      /var/log/security

# dmesg
ipfw: 600 Deny ICMP:8.0 196.40.17.129 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 202.138.24.6 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 196.40.17.129 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 196.40.17.129 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 196.40.17.129 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 202.138.24.6 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 196.40.17.129 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 195.138.133.10 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 212.25.76.130 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 203.166.26.98 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 211.188.128.2 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 196.40.17.129 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 149.239.191.1 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.147 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.147 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.148 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 196.40.17.129 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 63.123.132.2 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.150 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 212.9.161.92 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.147 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.148 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 146.83.188.5 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 63.123.132.2 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.150 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 212.9.161.92 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.147 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.148 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 146.83.188.5 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 63.123.132.2 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.150 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 212.9.161.92 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.147 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 209.16.20.148 666.42.0.39 in via fxp0
ipfw: 600 Deny ICMP:8.0 196.40.17.129 666.42.0.39 in via fxp0

From owner-freebsd-security Mon Sep 17 6:55:43 2001
Date: Mon, 17 Sep 2001 13:55:16 +0000
From: Kevin Way
To: Randy Bush
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw logging to dmesg not /var/log/syslog
Message-ID: <20010917135515.A3118@bean.overtone.org>
In-Reply-To: from randy@psg.com on Mon, Sep 17, 2001 at 06:33:54AM -0700

> -- from /etc/syslog.conf
> # Log all security messages to a separate file.
> security.*                                      /var/log/security

try this instead:

!ipfw
*.*                                             /var/log/security

From owner-freebsd-security Mon Sep 17 7:13:27 2001
From: Randy Bush
To: freebsd-security@freebsd.org
Subject: Re: ipfw logging to dmesg not /var/log/syslog
References: <177251395818.20010917174352@internethelp.ru>
Date: Mon, 17 Sep 2001 07:13:23 -0700

> why is ipfw's logging in dmesg as opposed to /var/log/security?

removing the logamount subclause seemed to fix it

> 00600 7886 2583885 deny log logamount 100 icmp from any to 666.42.0.39 icmptype 8

possible interaction with that subclause and the limit compiled in the kernel?
options IPFIREWALL_VERBOSE_LIMIT=100   #limit verbosity

randy

From owner-freebsd-security Mon Sep 17 8: 1:50 2001
Message-ID: <3BA61056.5F48202@iaces.com>
Date: Mon, 17 Sep 2001 10:01:42 -0500
From: Paul Root
To: Brooks Davis, security@freebsd.org
Subject: Re: IPSEC config
References: <3BA10B3F.610E6FB3@iaces.com> <20010913124438.A19163@Odin.AC.HMC.Edu>

Brooks Davis wrote:
>
> On Thu, Sep 13, 2001 at 02:38:39PM -0500, Paul Root wrote:
> > Hi,
> > I'm trying to setup a IPSec tunnel and am having trouble.
> > Both machines are 4.4 RC3 (I think, last week). And when I set it up
> > for a transport between the two machines it works fine, so racoon
> > must be fine.
> >
> > I'm following the IPsec mini-HOWTO from January 2001 daemonnews.
> > Here's my config on one end:
> >
> > #!/bin/sh
> > # These commands need to be run on acesfbsd to
> > # connect to lorax, in a IPSEC test
> > #
> > # Setup the tunnel device.
> > gifconfig gif0 10.20.30.4 172.28.56.82
>
> This won't work in 4.4. There's no gif0 device at this point because gif
> devices are now created at runtime. Also, while gifconfig still works,
> it's obsolete.
> Instead use:
>
> ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82
>
> These addresses should be the local machine's address and the remote
> machine's address (is the local machine really a 10.x address?)

Yes, those are their real addresses. I had another response about having tunnel addresses as well as real addresses. Unfortunately, it's written exactly the same way as the doco that I already don't understand.

So, here's a question. Do I set the addresses of gif0 the same as my primary interface, or are they a network all to themselves? Logically to me they need to be addresses that can be routed to, i.e. the real addresses of the machine.

So here's a picture of what I think happens.

workstation1   tunnel-start-machine  -  network                  -  tunnel-end-machine   workstation2
172.28.56.54   172.28.56.82             172.28.56.56-10.20.30.1     10.20.30.4           10.20.30.3

The network in the middle is actually a nokia running fw-1 4.1. Its rules are set up correctly, letting all traffic between the two machines.

So for routing, I do this

IP address     Route to other net
----------     ------------------
172.28.56.54   172.28.56.82
172.28.56.82   172.28.56.56
10.20.30.4     10.20.30.1
10.20.30.3     10.20.30.4

This is one end of the tunnel.

#!/bin/sh
# These commands need to be run on acesfbsd to
# connect to lorax, in a IPSEC test
#
# Setup the tunnel device.
#gifconfig gif0 10.20.30.4 172.28.56.82
ifconfig gif0 destroy
ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82
#
# The next 2 lines delete all existing entries
# from the SPD and SAD
setkey -FP
setkey -F
# Add the policy
setkey -c <

> -- Brooks
>
> --
> Any statement of the form "X is the one, true Y" is FALSE.
> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

--
Paul T. Root                  E/Mail: proot@iaces.com
600 Stinson Blvd, Fl 1S       PAG: +1 (877) 693-7155
Minneapolis, MN 55413         WRK: +1 (612) 664-3385
NIC: PTR                      FAX: +1 (612) 664-4779

From owner-freebsd-security Mon Sep 17 10:42:44 2001
Message-ID: <3BA635EA.36E75D01@bsdprophet.org>
Date: Mon, 17 Sep 2001 12:42:02 -0500
From: Scott Corey
Organization: Open Source Education Foundation
To: Michael Richards
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: US Congress already discussing bans on strong crypto
References: <3BA20FDB.000229.61269@frodo.searchcanada.ca>

Michael Richards wrote:
>
> I think it would be just as effective if they were to pass a law
> requiring all terrorist organisations to provide backdoor keys to
> their encrypted communications.
>
> Since things like DES and RSA are so widely published there really
> isn't a way to make these "go away". If you're planning on hijacking
> aircraft and flying them into buildings, I don't think you will care
> that much about a little law against sending PGP'd email.

What makes you think there are no backdoors now?
I always thought that it was odd that the NSA allowed MS and Netscape to export 128 bit encryption with their browsers last year.

Scroll down to page 34 "Workfactor Reduction"
http://www.fas.org/irp/program/process/docs/98-14-01-2en.pdf

Scott

From owner-freebsd-security Mon Sep 17 20: 5:40 2001
Date: Mon, 17 Sep 2001 20:05:34 -0700
From: Kris Kennaway
To: Scott Corey
Cc: Michael Richards, freebsd-security@FreeBSD.ORG
Subject: Re: US Congress already discussing bans on strong crypto
Message-ID: <20010917200534.A39867@xor.obsecurity.org>
In-Reply-To: <3BA635EA.36E75D01@bsdprophet.org>; from Scott@bsdprophet.org on Mon, Sep 17, 2001 at 12:42:02PM -0500

On Mon, Sep 17, 2001 at 12:42:02PM -0500, Scott Corey wrote:
> Michael Richards wrote:
> >
> > I think it would be just as effective if they were to pass a law
> > requiring all terrorist organisations to provide backdoor keys to
> > their encrypted communications.
> >
> > Since things like DES and RSA are so widely published there really
> > isn't a way to make these "go away". If you're planning on hijacking
> > aircraft and flying them into buildings, I don't think you will care
> > that much about a little law against sending PGP'd email.
> >
> What makes you think there are no backdoors now?

There's nowhere to put a "backdoor" in the RSA algorithm. There's room to put a backdoor in the DES algorithm, and in fact when the DES algorithm was under consideration back in the early 70's the NSA did request a change to the "S-Boxes" of the candidate algorithm submitted by IBM which was eventually accepted. This change may have seemed suspicious, until a number of years later when civilian cryptographers discovered the technique of differential cryptanalysis and realised that the NSA's changes were to improve the resilience of DES against that attack, which they evidently already knew about.

As for backdoors in other algorithms: well, that's why peer review of cryptosystems by trained cryptographers is so important. People spend their lives trying to break cryptosystems. If you listen to their recommendations, you'll do pretty well.
Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 17 20:17:28 2001
Message-Id: <3BA6BCBE.0001F5.04743@frodo.searchcanada.ca>
To: kris@obsecurity.org
Subject: Re: US Congress already discussing bans on strong crypto
Cc: freebsd-security@FreeBSD.ORG
From: "Michael Richards"
Date: Mon, 17 Sep 2001 23:17:18 -0400 (EDT)

Your sentiments echo mine about RSA and peer review. They can't really stuff the RSA cat back into the bag. As for the change NSA did make to the DES, I was not at all aware of this. I always assumed they had weakened it. When did this info become public knowledge?

-Michael

[chop chop chop]
> There's nowhere to put a "backdoor" in the RSA algorithm.
There's > room to put a backdoor in the DES algorithm, and in fact when the > DES algorithm was under consideration back in the early 70's the > NSA did request a change to the "S-Boxes" of the candidate > algorithm submitted by IBM which was eventually accepted. This > change may have seemed suspicious, until a number of years later > when civilian cryptographers discovered the technique of > differential cryptanalysis and realised that the NSA's changes > were to improve the resilience of DES against that attack, which > they evidently already knew about. [chop chop chop] _________________________________________________________________ http://fastmail.ca/ - Fast Free Web Email for Canadians --------------Boundary-00=_U49UODMTZ6EOO49D7TH0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 17 20:39:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id DB9A637B401 for ; Mon, 17 Sep 2001 20:39:41 -0700 (PDT) Received: (qmail 19100 invoked by uid 1000); 18 Sep 2001 03:39:39 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 18 Sep 2001 03:39:39 -0000 Date: Mon, 17 Sep 2001 22:39:39 -0500 (CDT) From: Mike Silbersack To: Michael Richards Cc: , Subject: Re: US Congress already discussing bans on strong crypto In-Reply-To: <3BA6BCBE.0001F5.04743@frodo.searchcanada.ca> Message-ID: <20010917223618.A19035-100000@achilles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 17 Sep 2001, Michael Richards wrote: > Your sediments echo mine about RSA and peer review. They can't really > stuff the RSA cat back into the bag. 
As for the change NSA did make > to the DES, I was not at all aware of this. I always assumed they had > weakened it. When did this info become public knowledge? > > -Michael The history of DES (including the design of the sboxes) is in "Applied Cryptography", "The Code Book", and presumably many other crypto books. I recommend that you pick up a copy of The Code Book; it's an informative and enjoyable read. To be more specific, Applied Cryptography lists Differential Cryptanalysis as being public found in 1990. So, that puts the IBM researchers / NSA only 14 years ahead of the rest of the world. Good thing they decided to protect against the attack rather than weaken DES to it. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 17 20:42: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id E47C737B403 for ; Mon, 17 Sep 2001 20:42:00 -0700 (PDT) Received: by mail.interchange.ca (Fastmailer, from userid 555) id 773AA256B; Mon, 17 Sep 2001 23:41:53 -0400 (EDT) MIME-Version: 1.0 Message-Id: <3BA6C281.0001FF.04743@frodo.searchcanada.ca> Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_T9AUABRTZ6EOO49D7TH0" To: silby@silby.com Subject: Re: US Congress already discussing bans on strong crypto Cc: kris@obsecurity.org, freebsd-security@FreeBSD.ORG From: "Michael Richards" X-Fastmail-IP: 24.43.130.241 Date: Mon, 17 Sep 2001 23:41:53 -0400 (EDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --------------Boundary-00=_T9AUABRTZ6EOO49D7TH0 Content-Type: Text/Plain Content-Transfer-Encoding: 7bit I've heard this book talked about a lot. Is it suitable to mere math mortals? 
I had enough trouble understanding how RSA worked :) -Michael > The history of DES (including the design of the sboxes) is in > "Applied Cryptography", "The Code Book", and presumably many other > crypto books. I recommend that you pick up a copy of The Code > Book; it's an informative and enjoyable read. > > To be more specific, Applied Cryptography lists Differential > Cryptanalysis as being public found in 1990. So, that puts the > IBM researchers / NSA only 14 years ahead of the rest of the > world. Good thing they decided to protect against the attack > rather than weaken DES to it. > > Mike "Silby" Silbersack _________________________________________________________________ http://fastmail.ca/ - Fast Free Web Email for Canadians --------------Boundary-00=_T9AUABRTZ6EOO49D7TH0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 17 20:49:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id 6411837B411 for ; Mon, 17 Sep 2001 20:49:21 -0700 (PDT) Received: (qmail 19135 invoked by uid 1000); 18 Sep 2001 03:49:19 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 18 Sep 2001 03:49:19 -0000 Date: Mon, 17 Sep 2001 22:49:19 -0500 (CDT) From: Mike Silbersack To: Michael Richards Cc: , Subject: Re: US Congress already discussing bans on strong crypto In-Reply-To: <3BA6C281.0001FF.04743@frodo.searchcanada.ca> Message-ID: <20010917224629.E19035-100000@achilles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 17 Sep 2001, Michael Richards wrote: > I've heard this book talked about a lot. Is it suitable to mere math > mortals? 
I had enough trouble understanding how RSA worked :) > > -Michael Which book? The Code Book is a history of crypto book; no math, lots of interesting history. Applied Crypto is basically a text book on crypto algorithms. There are a few interesting sections, but the majority of it is simply explanations and code for algorithms. Tons of algorithms, I should specify. So, if you're looking to learn about the history of crypto, get the former book. If you're implementing some crypto system, get the latter. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 17 22:40:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.halplant.com (24-168-203-47.wo.cox.rr.com [24.168.203.47]) by hub.freebsd.org (Postfix) with ESMTP id 7FAB037B42F for ; Mon, 17 Sep 2001 22:40:13 -0700 (PDT) Received: by mail.halplant.com (Postfix, from userid 1001) id 60B221FBC; Tue, 18 Sep 2001 01:40:07 -0400 (EDT) Date: Tue, 18 Sep 2001 01:40:07 -0400 From: Andrew J Caines To: FreeBSD Security Subject: Re: US Congress already discussing bans on strong crypto Message-ID: <20010918014007.D18196@hal9000.servehttp.com> Reply-To: Andrew J Caines Mail-Followup-To: FreeBSD Security References: <3BA6C281.0001FF.04743@frodo.searchcanada.ca> <20010917224629.E19035-100000@achilles.silby.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010917224629.E19035-100000@achilles.silby.com>; from silby@silby.com on Mon, Sep 17, 2001 at 10:49:19PM -0500 Organization: H.A.L. 
Plant X-Powered-by: FreeBSD 4.4-RC X-PGP-Fingerprint: C59A 2F74 1139 9432 B457 0B61 DDF2 AA61 67C3 18A1 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Mike Silbersack said: > On Mon, 17 Sep 2001, Michael Richards wrote: > > I've heard this book talked about a lot. > Applied Crypto is basically a text book on crypto algorithms. [snip] > So, if you're looking to learn about the history of crypto, get the former > book. If you're implementing some crypto system, get the latter. I strongly recommend "Secrets and Lies - Digital Security in a Networked World" by Bruce Schneier, author of the legendary "Applied Cryptography". This book is by far the best book on systems security in the most general sense, including cryptography. It's completely accessible to the lay audience, intelligent, insightful and never patronising even to a know-it-all such as myself. Note that his preface to the book begins with.. "I have written this book partly to correct a mistake" ..where the mistake was "Applied Cryptography". If I were to choose a single text as required reading before being allowed to use a networked computer, then this would be it. -Andrew- -- _______________________________________________________________________ | -Andrew J. 
Caines- Unix Systems Engineer A.J.Caines@halplant.com | | "They that can give up essential liberty to obtain a little temporary | | safety deserve neither liberty nor safety" - Benjamin Franklin, 1759 | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 18 10:47:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtprelay2.abs.adelphia.net (smtprelay.abs.adelphia.net [64.8.20.11]) by hub.freebsd.org (Postfix) with ESMTP id 2B33D37B40E for ; Tue, 18 Sep 2001 10:47:22 -0700 (PDT) Received: from GANDALF ([24.48.164.64]) by smtprelay2.abs.adelphia.net (Netscape Messaging Server 4.15) with SMTP id GJVDD700.X8N for ; Tue, 18 Sep 2001 13:46:19 -0400 Message-ID: <003701c14069$bb1d2e00$7811a8c0@GANDALF> From: "Andrew Penniman" To: Subject: ipfw in a jail-centric environment? Date: Tue, 18 Sep 2001 13:45:38 -0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0034_01C14048.33667460" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0034_01C14048.33667460 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I'm playing with jails for the first time and am not sure how to handle = packet filtering in this scenario. Should the host and jail environments each handle their own packet = filtering or is all filtering handled by the host? Is natd required? I have tried to locate information on this subject but haven't found = anything useful.... 
Thanks much,
Andrew Penniman
From owner-freebsd-security Tue Sep 18 10:52: 2 2001
From: "Karsten W. Rohrbach"
To: freebsd-security@freebsd.org
Subject: Nimda-A Worm/Virus threatens networks
Date: Tue, 18 Sep 2001 19:52:18 +0200
Message-ID: <20010918195218.P27375@mail.webmonster.de>
X-URL: http://www.webmonster.de/
X-Work-URL: http://www.ngenn.net/

there's a new breed out there again, check the analysis of it here:
[http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html]

i am writing this to -security to inform you to be able to react quickly, because -- depending on your upstream bandwidth -- this new worm may clog your upstream pipe.

it started hammering on my servers at approx. 18:30 CEST (+0200) and until now (19:50 CEST) i got hit by it several thousand times. the generated bandwidth does not harm me, but if you are hooked up via T1 or DSL it might consume all of your available bandwidth. if it does not cease soon (what i do not expect) it will have transferred about 3 to 4 gigabytes of just http request headers in one day on one machine (rough estimate by wall-clock time and calculator).

apache installations, of course, are not harmed, but as i said it generates helluva traffic.

take care
/k
--
> As a computing professional, I believe it would be unethical for me to advise, recommend, or support the use (save possibly for personal amusement) of any product that is or depends on any Microsoft product.
> --David H. Wolfskill
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Tue Sep 18 11:23:52 2001
From: Sean Chittenden
To: freebsd-security@freebsd.org
Subject: [peterw@usa.net: OpenSSH: sftp & bypassing keypair auth restrictions]
Date: Tue, 18 Sep 2001 11:23:42 -0700
Message-ID: <20010918112342.M62402@rand.tgd.net>
X-Web-Homepage: http://sean.chittenden.org/

Joy of joys. Has anyone seen any commits come through the OpenBSD/OpenSSH camp?
-sc

--
Sean Chittenden

From: Peter W
To: bugtraq@securityfocus.com
Subject: OpenSSH: sftp & bypassing keypair auth restrictions
Date: Tue, 18 Sep 2001 08:24:07 -0400
Message-ID: <20010918082406.M14947@usa.net>

OpenSSH: sftp-server & bypassing keypair auth restrictions

Summary:

If you 1) are using keypairs and ~/.ssh/authorized_keys2 to enable remote execution of commands via OpenSSH's sshd and 2) have sshd configured to provide sftp service via the sftp-server subsystem, then clients who have access with "restricted" keypairs can gain additional access on the server side. In most cases, sftp can be used to evade the authorized_keys2 command= and other restrictions (i.e., obtaining the regular shell access that the server was configured to deny them).

It appears that both OpenSSH 2.9 (the official OpenBSD code) and OpenSSH 2.9p2 (the official "portable" code for other systems) by default *do* have the sftp subsystem enabled, and their users would be vulnerable if they set up restricted keypairs.

Disclaimer:

This has been tested with OpenSSH 2.5x and 2.9x. *No* testing has been done on any other implementations, including the commercial product from SSH Communications, so I cannot speak to the safety of other implementations. Hopefully this defect is only present in OpenSSH. Regrettably, this information is correct to the best of my knowledge. This information is provided with the sole aim of helping admins secure their systems, without any warranty or guarantee of any sort.

Background:

OpenSSH allows clients to authenticate to the sshd service via RSA and DSA public key authentication. It also allows users on the sshd server to restrict what clients presenting certain keypairs can do. For instance, a backup system might use keypair authentication to encrypt network traffic and strongly verify the identity of both server and client machines. On the machine being backed up, the backup system's keypair would be recognized as having authorization to run one or more appropriate backup commands.

OpenSSH also implements an FTP-like sftp service as a "subsystem" to allow secure file transfer (both as an alternative to 'scp' and to allow additional commands not provided by 'scp').

While OpenSSH allows a user to place many kinds of restrictions on what a client authenticating with a keypair can do (where they can connect from, what commands they can run, whether to forward TCP/X/ssh-agent info), it is *not* possible to prevent the client from using the sftp subsystem. Clients presenting otherwise restricted keypairs can use the sftp subsystem to access the sshd machine with an interface very similar to FTP. Various commands are provided in OpenSSH's sftp implementation, including commands to get, replace, delete, change permissions, and change ownership of files/directories.

Problem scenario:

You've got production server Important
You've got backup server DumbTape
You've got a backup script on Important
You've got a keypair on DumbTape
You've configured a ~/.ssh/authorized_keys2 file on Important so that one certain keypair from DumbTape can use scp/ssh to very securely run the backup script, and only the backup script, on Important
Your private keypair on DumbTape lacks a password, to facilitate cron use

Problem:

Anyone who gets access to the private keypair on DumbTape can use the sftp client to connect to Important. They can use the sftp subsystem to poke all around Important, reading, replacing, chowning, chmoding, and deleting data with all the privileges of the user on Important that the backup script runs as, via that user's ~/.ssh/authorized_keys2 file on Important.

This unfortunately includes the ability to manipulate ~/.ssh/authorized_keys2 itself. The attacker can replace authorized_keys2 with a new version that allows them full SSH access. If the user whose ~/.ssh/authorized_keys2 file is being changed relies solely on keypair authentication, the attacker can easily disable the legitimate user's access via ~/.ssh/authorized_keys2. By manipulating the legitimate user's local .login/.profile files, the attacker likely can prevent logins that use passwords or other non-keypair authentication methods as well.

So if you follow the example in the OpenSSH man page:

  command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 back-up.hut.fi

(running as root, naturally), then anyone who obtains the backup machine's SSH keypair can get a root shell and effectively lock out the real administrator (install a new SSH public key, change the root password).

Solution:

The OpenSSH development team (Markus Friedl) have committed a patch to CVS that is intended to make the command= restriction override any subsystem capability, including sftp. I'm not sure that's the most correct approach (vs. a subsystem= restriction), but it should plug the hole if it behaves as described. Not needing sftp service, I have simply disabled the sftp subsystem on my systems. I don't know when this patch might be available in an official/stable release. I would also suggest that OpenSSH's sshd_config file have the sftp subsystem disabled by default.

Workaround:

Until an official fix is released, disable the sftp subsystem on your sshd machines by editing sshd_config (comment out or remove the sftp subsystem line) and restarting the sshd service. This will not affect the ability of users on the system to use sftp client software to connect to other servers that still have the sftp subsystem available.

In some situations, more likely with non-root users on the sshd/Important side, it might be possible to use filesystem ownership tricks (assigning objects to other users, using sticky bits, using "immutable" flags on filesystems that offer such things) to better protect the sshd host, especially the critical ~/.ssh/ files. While this should raise the bar for an attacker (e.g., making them find other ways/places to install trojan backdoors), it is likely to be an imperfect shield, and would in any case not prevent unauthorized read/write access to much of the Important system.

Each admin should undertake their own risk analysis, but simply disabling the sftp subsystem is the simplest, most reliable way of protecting against this threat.
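The exposure the advisory describes is a combination of two settings, so it can be audited mechanically: an uncommented sftp Subsystem line in sshd_config together with any authorized_keys2 entry carrying a command= option. The script below is an added example, not part of the advisory or of OpenSSH; the sshd_config and authorized_keys2 contents are constructed for the demonstration (the sftp-server path and the key blobs are placeholders), and applying the advisory's workaround, commenting the Subsystem line out, is what clears the finding.

```python
"""Audit for the restricted-keypair + sftp-subsystem combination.

Added example, not part of the advisory or of OpenSSH.  Both file bodies
below are constructed for the demonstration; the sftp-server path and the
key blobs are placeholders.
"""

# Key types an OpenSSH 2.x authorized_keys2 line may start with after its
# options; old RSA1 lines start with the key size (a number) instead.
KEY_TYPES = ("ssh-rsa", "ssh-dss")

SSHD_CONFIG_VULNERABLE = """\
Port 22
Protocol 2,1
PermitRootLogin no
# sftp subsystem line as shipped enabled by default (constructed copy)
Subsystem sftp /usr/libexec/sftp-server
"""

# The advisory's workaround: comment the subsystem line out.
SSHD_CONFIG_FIXED = SSHD_CONFIG_VULNERABLE.replace("\nSubsystem sftp", "\n#Subsystem sftp")

AUTHORIZED_KEYS2 = """\
# backup host may only run the dump (constructed, modelled on the man page example)
command="dump /home",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholder== backup@dumbtape
command="dump /home",no-pty,no-port-forwarding 1024 35 1234567890123456789 root@dumbtape-rsa1
ssh-dss AAAAB3NzaC1kc3MAAACBAplaceholder== admin@workstation
"""


def sftp_subsystem_enabled(sshd_config: str) -> bool:
    """True if an uncommented 'Subsystem sftp ...' line is present."""
    for line in sshd_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "subsystem" and parts[1] == "sftp":
            return True
    return False


def split_options(line: str):
    """Split an authorized_keys line into (options, rest).  Options run up
    to the first whitespace outside double quotes, so command="dump /home"
    stays intact; a line with no options begins with a key type (SSH2) or
    a key size (RSA1)."""
    first = line.split(None, 1)[0]
    if first in KEY_TYPES or first[0].isdigit():
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def audit(sshd_config: str, authorized_keys: str) -> list:
    """List every command=-restricted key whose restriction the enabled sftp
    subsystem would let a client step around.  Empty list: no such exposure."""
    if not sftp_subsystem_enabled(sshd_config):
        return []
    findings = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        if "command=" not in opts:
            continue
        tokens = rest.split()
        # SSH2: type, key, comment...    RSA1: bits, exponent, modulus, comment...
        comment_tokens = tokens[2:] if tokens and tokens[0] in KEY_TYPES else tokens[3:]
        comment = " ".join(comment_tokens) or "<no comment>"
        findings.append(
            f"{comment}: {opts} does not block the sftp subsystem; "
            "sftp gives this key read/write access to the account"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("vulnerable", SSHD_CONFIG_VULNERABLE), ("fixed", SSHD_CONFIG_FIXED)):
        print(name, audit(cfg, AUTHORIZED_KEYS2) or "no findings")
```

On a real host, read sshd_config and each user's ~/.ssh/authorized_keys2 into the two string arguments; the quote-aware `split_options` matters because a naive `line.split()` would cut `command="dump /home"` at the space and miss the option.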
Credits:

Thanks go to Tatu Ylonen for releasing source and specification for SSH; to the OpenSSH team for their work in developing and maintaining a free implementation; Richard Silverman, Markus Friedl, and others for looking at this; and all the folks working hard to care for the victims of last week's attack, to find justice, and to safeguard our liberties in the face of uncertainty and fear.

-Peter

--
http://www.tux.org/~peterw/
Encryption advocacy resources: http://vees.net/freedom/

From owner-freebsd-security Tue Sep 18 11:31:11 2001
From: "Karsten W. Rohrbach"
To: Jim Arnold
Cc: freebsd-security@freebsd.org
Subject: Re: Nimda-A Worm/Virus threatens networks
Date: Tue, 18 Sep 2001 20:31:28 +0200
Message-ID: <20010918203128.B33432@mail.webmonster.de>
References: <20010918195218.P27375@mail.webmonster.de>
In-Reply-To: from jim@ohio.com on Tue, Sep 18, 2001 at 02:21:50PM -0400

Jim Arnold(jim@ohio.com)@2001.09.18 14:21:50 +0000:
> i am running an apache server on linux. how do i stop it from gobbling all my bandwidth? i'm being hit by dozens of different servers.

you might configure your 404 error handler to spit out a very small file (for example containing just one space character '%20').

mod_throttle or other bandwidth control tools will not help, since the worm hits each server it scans with a list of several uris and that's pretty much it.

if the worm catches a 404 http error it will cease scanning this particular system. bad, that it does not honor redirect requests ;-)

/k
--
> Those who make peaceful revolution impossible will make violent revolution inevitable.

From owner-freebsd-security Tue Sep 18 12:30:13 2001
From: project10
To: Andrew Penniman
Subject: Re: ipfw in a jail-centric environment?
Date: Tue, 18 Sep 2001 15:32:38 -0400 (EDT)
In-Reply-To: <003701c14069$bb1d2e00$7811a8c0@GANDALF>
Message-ID: <20010918153120.O83149-100000@alpha.focalnetworks.net>

Andrew,

You have to do packet filtering on the host system, the jails do not allow (by default, changing it would be a very bad idea) rulesets to be changed from within a jail. I know this holds true for ipfw, I don't know about packet filters such as ipf. Natd isn't required.

-Shawn

On Tue, 18 Sep 2001, Andrew Penniman wrote:
> I'm playing with jails for the first time and am not sure how to handle packet filtering in this scenario.
>
> Should the host and jail environments each handle their own packet filtering or is all filtering handled by the host? Is natd required?
>
> I have tried to locate information on this subject but haven't found anything useful....
>
> Thanks much,
> Andrew Penniman
>

From owner-freebsd-security Tue Sep 18 14:31:20 2001
From: Chris Faulhaber
To: "Karsten W. Rohrbach"
Cc: Jim Arnold, freebsd-security@freebsd.org
Subject: Re: Nimda-A Worm/Virus threatens networks
Date: Tue, 18 Sep 2001 17:31:15 -0400
Message-ID: <20010918173115.A53937@peitho.fxp.org>
References: <20010918195218.P27375@mail.webmonster.de> <20010918203128.B33432@mail.webmonster.de>
In-Reply-To: <20010918203128.B33432@mail.webmonster.de>

On Tue, Sep 18, 2001 at 08:31:28PM +0200, Karsten W. Rohrbach wrote:
> Jim Arnold(jim@ohio.com)@2001.09.18 14:21:50 +0000:
> > i am running an apache server on linux. how do i stop it from gobbling all my bandwidth? i'm being hit by dozens of different servers.
>
> you might configure your 404 error handler to spit out a very small file (for example containing just one space character '%20').
>
> mod_throttle or other bandwidth control tools will not help, since the worm hits each server it scans with a list of several uris and that's pretty much it.
>
> if the worm catches a 404 http error it will cease scanning this particular system. bad, that it does not honor redirect requests ;-)
>

I tend to disagree with the next-to-last sentence. I have logged over 6600 requests from 37 unique hosts in the class B on which my box is located, each request generating a 404. These requests are pretty much generating a constant stream of log entries. While the bandwidth doesn't seem to be an issue here, and apache's CPU usage is 0.00 (server is a Pentium 166), my logs are bulging.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Tue Sep 18 14:31:49 2001
From: "Derek O'Flynn"
To: freebsd-security@freebsd.org
Subject: NIMDA Virus
Date: Tue, 18 Sep 2001 16:31:46 -0500

Has anyone successfully written a rule for snort to alert to this?

I'm currently running snort 1.8 with flex-resp.

I would like to have a rule that identifies the attacks and then sends the tcp_rst command so that the worm can't infect new machines. I have the information for the rule, just need to know what to put in the content field to verify that it is nimda.

Thanks,
Derek O'Flynn

From owner-freebsd-security Tue Sep 18 14:36:14 2001
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: "Derek O'Flynn"
Cc: freebsd-security@freebsd.org
Subject: Re: NIMDA Virus
Date: Tue, 18 Sep 2001 16:35:54 -0500
Message-ID: <3BA7BE3A.B7F26F0F@centtech.com>

I must be stupid. How DO you go about doing that? I need to do that too..

Here is some info from a friend about the content of Nimda:
------------------------------------------------------
> There's a new worm hammering networks via email, via open shares, and via vulnerable web servers.
>
> Propagation via email can be stopped with:
>
> /etc/postfix/main.cf:
>     body_checks = regexp:/etc/postfix/body_checks
>
> /etc/postfix/body_checks:
>     /^[SPACE TAB]*name=.*\.exe/ REJECT
>
> Inside the [] are one space and one tab.
>
> This is also a reminder that Postfix needs decent MIME parsing support so it can filter this sort of malware more effectively.
>
> 	Wietse
>
> The worm's MIME headers, with spaces inserted to avoid false alarms.
>
> - - = = = = _ A B C 1 2 3 4 5 6 7 8 9 0 D E F _ = = = =
> C o n t e n t - T y p e :  m u l t i p a r t / a l t e r n a t i v e ;
>   b o u n d a r y = " = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = = "
>
> - - = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = =
> C o n t e n t - T y p e :  t e x t / h t m l ;
>   c h a r s e t = " i s o - 8 8 5 9 - 1 "
> C o n t e n t - T r a n s f e r - E n c o d i n g :  q u o t e d - p r i n t a b l e
>
> < H T M L > < H E A D > < / H E A D > < B O D Y   b g C o l o r = 3 D # f f f f f f >
> < i f r a m e   s r c = 3 D c i d : E A 4 D M G B P 9 p   h e i g h t = 3 D 0   w i d t h = 3 D 0 >
> < / i f r a m e > < / B O D Y > < / H T M L >
> - - = = = = _ A B C 0 9 8 7 6 5 4 3 2 1 D E F _ = = = = - -
>
> - - = = = = _ A B C 1 2 3 4 5 6 7 8 9 0 D E F _ = = = =
> C o n t e n t - T y p e :  a u d i o / x - w a v ;
>   n a m e = " r e a d m e . e x e "
> C o n t e n t - T r a n s f e r - E n c o d i n g :  b a s e 6 4
> C o n t e n t - I D :  < E A 4 D M G B P 9 p >

Derek O'Flynn wrote:
>
> Has anyone successfully written a rule for snort to alert to this?
>
> I'm currently running snort 1.8 with flex-resp.
>
> I would like to have a rule that identifies the attacks and then sends the tcp_rst command so that the worm can't infect new machines. I have the information for the rule, just need to know what to put in the content field to verify that it is nimda.
> > Thanks, > Derek O'Flynn > > _________________________________________________________________ > Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------------------- Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792 Truth is more marvelous than mystery. ------------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 18 14:37:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id 2386B37B409 for ; Tue, 18 Sep 2001 14:37:46 -0700 (PDT) Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f8IKXj528527; Tue, 18 Sep 2001 13:33:45 -0700 (PDT) Date: Tue, 18 Sep 2001 13:33:45 -0700 (PDT) From: David Kirchner X-X-Sender: To: "Derek O'Flynn" Cc: Subject: Re: NIMDA Virus In-Reply-To: Message-ID: <20010918133322.R85958-100000@localhost> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Here's what I'm using: FTCBFzaDxAzpRQEAAIl9DGoIjUX0V1Doo2IAAIPEDI1F9MdF9B4AAACJtcT\+\/\/9QjYXA\/v\/\/V1BX The \'s are because this filter is using perl regexp patching. On Tue, 18 Sep 2001, Derek O'Flynn wrote: > Has anyone successfully written a rule for snort to alert to this? > > I'm currently running snort 1.8 with flex-resp. 
> > I would like to have a rule that identifies the attacks and then sends the > tcp_rst command so that the worm can't infect new machines. I have the > information for the rule, just need to know what to put in the content field > to verify that it is nimda. > > Thanks, > Derek O'Flynn > > > _________________________________________________________________ > Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 18 14:40:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 6084C37B406 for ; Tue, 18 Sep 2001 14:40:08 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id PAA26037; Tue, 18 Sep 2001 15:39:59 -0600 (MDT) Message-Id: <4.3.2.7.2.20010918153412.0493bc10@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 18 Sep 2001 15:39:35 -0600 To: "Derek O'Flynn" , freebsd-security@FreeBSD.ORG From: Brett Glass Subject: Re: NIMDA Virus In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org We just put a log monitor on the Apache server, and are firewalling anything that sends a request with "cmd.exe" in it. Quite effective. --Brett At 03:31 PM 9/18/2001, Derek O'Flynn wrote: >Has anyone successfully written a rule for snort to alert to this? > >I'm currently running snort 1.8 with flex-resp. 
> >I would like to have a rule that identifies the attacks and then sends the tcp_rst command so that the worm can't infect new machines. I have the information for the rule, just need to know what to put in the content field to verify that it is nimda. > >Thanks, >Derek O'Flynn > > >_________________________________________________________________ >Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 18 14:48:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id C30BE37B40F for ; Tue, 18 Sep 2001 14:48:19 -0700 (PDT) Received: (qmail 38085 invoked by uid 1000); 18 Sep 2001 21:48:38 -0000 Date: Tue, 18 Sep 2001 23:48:38 +0200 From: "Karsten W. Rohrbach" To: Chris Faulhaber , Jim Arnold , freebsd-security@freebsd.org Subject: Re: Nimda-A Worm/Virus threatens networks Message-ID: <20010918234838.T33432@mail.webmonster.de> Mail-Followup-To: "Karsten W. 
Rohrbach" , Chris Faulhaber , Jim Arnold , freebsd-security@freebsd.org References: <20010918195218.P27375@mail.webmonster.de> <20010918203128.B33432@mail.webmonster.de> <20010918173115.A53937@peitho.fxp.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Ep5m4srWGXPl6O+g" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010918173115.A53937@peitho.fxp.org>; from jedgar@fxp.org on Tue, Sep 18, 2001 at 05:31:15PM -0400 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer X-Work-URL: http://www.ngenn.net/ X-Work-Address: nGENn GmbH, Schloss Kransberg, D-61250 Usingen-Kransberg, Germany X-Work-Phone: +49-6081-682-304 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Ep5m4srWGXPl6O+g Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Chris Faulhaber(jedgar@fxp.org)@2001.09.18 17:31:15 +0000: > On Tue, Sep 18, 2001 at 08:31:28PM +0200, Karsten W. Rohrbach wrote: > > Jim Arnold(jim@ohio.com)@2001.09.18 14:21:50 +0000: > > > i am running an apache server on linux. how do i stop it from gobbling > > > all my bandwidth? i'm being hit by dozens of different servers. > >=20 > > you might configure your 404 error handler to spit out a very small > > file (for example containing just one space character '%20'). > >=20 > > mod_throttle or other bandwidth control tools will not help, since the > > worm hits each server it scan with a list of several uris and that's > > pretty it. > >=20 > > if the worm catches a 404 http error it will cease scanning this > > particular system. bad, that it does not honor redirect requests ;-) > >=20 >=20 > I tend to disagree with the next-to-last sentence. 
I have logged > over 6600 requests from 37 unique hosts in the class B on which > my box is located, each request generating a 404. These requests > are pretty much generating a constant stream of log entries. > While the bandwidth doesn't seem to be an issue here, and apache's > CPU usage is 0.00 (server is a Pentium 166), my logs are bulging. correct. my preliminary analysis of the worms behaviour was wrong. it does NOT stop after catching 404. i was mislead by several boxes in the colo where some of my servers are housed. they apparently shut down several of the attacking iis servers while i was still staring at the=20 logs. when it comes to log management, you could use grep as a pipe logger, together with djb's multilog from daemontools: ErrorLog "|exec grep -v 'File does not exist:' \ | setuidgid loguser multilog s1000000 n10 /path/to/errorlog" which would log everything that's not "file not found" for the httpd which normally would throw the 404 to another pipe into multilog which=20 runs under uid of loguser and puts the log output in /path/to/errorlog while rotating the logs each 1000000 bytes, keeping 10 logs in history, thus limiting disk usage. /path/to/errorlog is a directory. you could also do ErrorLog "|exec grep -v 'File does not exist:' >/path/to/error_log" this would log less output to the errorlog but you would have to rotate it yourself. but anyway, you got to do any log management on every server that's out there. not just httpds but every other daemon's logs, too... /k --=20 > A truly wise man never plays leapfrog with a unicorn. KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 Please do not remove my address from To: and Cc: fields in mailing lists. 
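The grep-and-multilog pipe logger Karsten describes, reworked as an added example in Python (this is not code from the thread, from Apache or from daemontools). It does two things the one-liner does not: it drops only the "File does not exist" entries whose path names one of the worm's probe targets (cmd.exe, root.exe, taken from the request paths quoted in this thread), so legitimate 404s stay in the log, and it rotates the output file by size while keeping a fixed number of old files, the way multilog's s and n settings do. The probe pattern, the size limits, the /tmp path and the sample error-log lines are constructed for the example.

```python
"""Filtering pipe logger for Apache:  ErrorLog "|/path/to/pipelog.py /var/log/apache/errors"

Added example, not part of the original thread.  Keeps every error line except
worm-probe 404s, and rotates the output by size like multilog s<size> n<count>.
"""
import os
import re
import sys
import tempfile

# Probe targets seen in the request paths quoted in this thread; assumed to be
# specific enough not to hide other 'File does not exist' entries.
PROBE = re.compile(r"(cmd\.exe|root\.exe)", re.IGNORECASE)
NOT_FOUND = "File does not exist:"


def is_probe(line):
    """True for a 'File does not exist' entry whose path names a worm probe."""
    return NOT_FOUND in line and PROBE.search(line) is not None


class RotatingLog:
    """Size-based rotation: <dir>/current, archived as <dir>/old.<N> when it
    exceeds max_bytes; only the newest keep_count archives are kept."""

    def __init__(self, directory, max_bytes=1_000_000, keep_count=10):
        self.directory, self.max_bytes, self.keep_count = directory, max_bytes, keep_count
        os.makedirs(directory, exist_ok=True)
        self.path = os.path.join(directory, "current")
        self.fh = open(self.path, "a", buffering=1)      # line buffered
        self.serial = len(self.archived())

    def archived(self):
        names = [n for n in os.listdir(self.directory) if n.startswith("old.")]
        return sorted(names, key=lambda n: int(n.split(".")[1]))

    def write(self, line):
        self.fh.write(line)
        self.fh.flush()
        if os.fstat(self.fh.fileno()).st_size >= self.max_bytes:
            self.rotate()

    def rotate(self):
        self.fh.close()
        self.serial += 1
        os.rename(self.path, os.path.join(self.directory, "old.%d" % self.serial))
        old = self.archived()
        for name in old[: max(0, len(old) - self.keep_count)]:   # prune oldest
            os.remove(os.path.join(self.directory, name))
        self.fh = open(self.path, "a", buffering=1)

    def close(self):
        self.fh.close()


def filter_stream(lines, log):
    """Pass lines through the filter into `log`; return (kept, dropped)."""
    kept = dropped = 0
    for line in lines:
        if is_probe(line):
            dropped += 1
            continue
        log.write(line if line.endswith("\n") else line + "\n")
        kept += 1
    return kept, dropped


# Constructed Apache 1.3-style error-log lines (not real log data).
SAMPLE_LINES = [
    "[Tue Sep 18 13:21:25 2001] [error] [client 216.210.0.1] File does not exist: /www/htdocs/scripts/root.exe\n",
    "[Tue Sep 18 13:21:27 2001] [error] [client 216.210.0.1] File does not exist: /www/htdocs/c/winnt/system32/cmd.exe\n",
    "[Tue Sep 18 13:22:01 2001] [error] [client 10.0.0.7] File does not exist: /www/htdocs/favicon.ico\n",
    "[Tue Sep 18 13:22:05 2001] [error] [client 10.0.0.7] Premature end of script headers: /www/cgi-bin/form.cgi\n",
]


def run_demo(max_bytes=150, keep_count=10):
    """Run the sample through a fresh temporary log directory; return counts and archives."""
    log = RotatingLog(tempfile.mkdtemp(prefix="pipelog-"), max_bytes, keep_count)
    kept, dropped = filter_stream(SAMPLE_LINES, log)
    log.close()
    return kept, dropped, log.archived()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/apache-errors"   # assumed path
    log = RotatingLog(target)
    kept, dropped = filter_stream(sys.stdin, log)
    log.close()
    sys.stderr.write("kept %d lines, dropped %d probe entries\n" % (kept, dropped))
```

Apache starts a piped logger with the privileges of the process that launched httpd, which is why the original one-liner wraps multilog in setuidgid; the same applies to this script, so run it under a dedicated log user the same way.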
From: Maxim Kozin
Date: Wed, 19 Sep 2001 01:52:50 +0400 (MSD)
To: freebsd-security@freebsd.org
Subject: Re: Nimda-A Worm/Virus threatens networks

> > > i am running an apache server on linux. how do i stop it from gobbling
> > > all my bandwidth? i'm being hit by dozens of different servers.
> >
> > you might configure your 404 error handler to spit out a very small
> > file (for example containing just one space character '%20').
> >
> > mod_throttle or other bandwidth control tools will not help, since the
> > worm hits each server it scans with a list of several uris and that's
> > pretty much it.
> >
> I tend to disagree with the next-to-last sentence. I have logged
> over 6600 requests from 37 unique hosts in the class B on which
> my box is located, each request generating a 404. These requests
> are pretty much generating a constant stream of log entries.
> While the bandwidth doesn't seem to be an issue here, and apache's
> CPU usage is 0.00 (server is a Pentium 166), my logs are bulging.

Hi.
I use mod_bwshare on all hosting hosts. Each host carries from 300 to 800
aliases (and corresponding virtual base IP hosts) on the loopback interface.
mod_bwshare gets statistics based on client IP. I detected a peak on each
host, then checked manually:

netstat -an | grep leader_ip

If it is not a robot's engine, then leader_ip does not have the maximum in
my_side_ip_distribution. Example for some index robot:

netstat -an | grep tcp4 | grep leader_ip | cut -c22- | cut -d"." -f-4 | sort -n | uniq -c
100 aa.bb.cc.dd

This shows that leader_ip indexed (or flooded? :) host aa.bb.cc.dd.

But now, from 17h53m MSK time (+04), the distribution changed:

1 a.b.c.d
1 w.e.r.t
2 x.d.f.r

and practically all interfaces on the current host. After this I set on the
border router 5-10 deny ipfw rules for blocking hosts and networks. Now I have
a collection that dramatically reduced the load on all hosting servers:

ipfw add 01 deny tcp from 212.24.188.206 to any
ipfw add 03 deny tcp from 212.66.73.2 to any
ipfw add 04 deny tcp from 212.24.0.0/19 to any
ipfw add 06 deny tcp from 212.24.193.185 to any

After 7hr, at 1h00m MSK time (+04) I checked the counters on these rules.
The counters roll and roll; temporarily deleting a rule had the result that
the host server slowed down, and the rule was set again.

IMHO some kind of dynamic firewall would solve the problem. Maybe mod_bwshare
and "perl automatic"+ipfw would solve the problem too.

b.r.
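The two manual checks in this thread, Maxim's netstat distribution (a remote IP that is a legitimate indexer concentrates on one local address, the worm sprays practically every interface) and Brett Glass's cmd.exe log monitor earlier in the thread, combined into one block-list generator as an added example in Python (not code from the thread, from mod_bwshare or from ipfw). It parses FreeBSD-style netstat -an output by field rather than by column offset, which the cut -c22- pipeline depends on, counts per remote IP how many local addresses it touches, flags access-log clients requesting the worm's probe paths, and prints ipfw deny rules without running them. The netstat and access-log samples, the thresholds and the rule numbers are constructed for the example.

```python
"""Block-list generator from two signals: connection fan-out in netstat -an and
worm-probe requests in an Apache access log.  Added example, not from the thread.
Prints 'ipfw add ... deny' commands; it never executes ipfw itself."""
from collections import Counter, defaultdict
import re

# Constructed FreeBSD-style netstat -an output (addresses are a.b.c.d.port).
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.1.1.5.80            212.24.188.206.3345    ESTABLISHED
tcp4       0      0  10.1.1.6.80            212.24.188.206.3346    ESTABLISHED
tcp4       0      0  10.1.1.7.80            212.24.188.206.3347    ESTABLISHED
tcp4       0      0  10.1.1.8.80            212.24.188.206.3348    ESTABLISHED
tcp4       0      0  10.1.1.5.80            198.51.100.9.40001     ESTABLISHED
tcp4       0      0  10.1.1.5.80            198.51.100.9.40002     ESTABLISHED
tcp4       0      0  10.1.1.5.80            198.51.100.9.40003     ESTABLISHED
tcp4       0      0  10.1.1.5.80            198.51.100.9.40004     ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
"""

# Constructed Apache common-log lines; probe paths taken from this thread.
ACCESS_SAMPLE = """\
216.210.1.2 - - [18/Sep/2001:13:21:25 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
216.210.1.2 - - [18/Sep/2001:13:21:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.0.113.4 - - [18/Sep/2001:13:22:00 -0500] "GET /index.html HTTP/1.0" 200 1234
203.0.113.4 - - [18/Sep/2001:13:22:01 -0500] "GET /missing.html HTTP/1.0" 404 -
"""

PROBE_PATH = re.compile(r"(cmd\.exe|root\.exe)", re.IGNORECASE)
# host ident user [date] "METHOD path ..." status
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)[^"]*" (\d{3})')


def split_addr_port(field):
    """'a.b.c.d.port' -> ('a.b.c.d', 'port'); the last dot separates the port."""
    host, _, port = field.rpartition(".")
    return host, port


def connection_distribution(netstat_text):
    """remote ip -> Counter of local addresses it is connected to (tcp4, non-LISTEN)."""
    dist = defaultdict(Counter)
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp4" or parts[5] == "LISTEN":
            continue
        local, _ = split_addr_port(parts[3])
        remote, _ = split_addr_port(parts[4])
        dist[remote][local] += 1
    return dist


def spraying_hosts(dist, min_conns=4, min_locals=3):
    """Remote IPs with many connections fanned out over many local addresses."""
    return sorted(ip for ip, locals_ in dist.items()
                  if sum(locals_.values()) >= min_conns and len(locals_) >= min_locals)


def probing_hosts(access_text, min_hits=2):
    """Clients that requested a worm probe path at least min_hits times."""
    hits = Counter()
    for line in access_text.splitlines():
        m = CLF.match(line)
        if m and PROBE_PATH.search(m.group(2)):
            hits[m.group(1)] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def ipfw_deny_rules(ips, first_rule=1000):
    """One 'deny tcp from <ip> to any' per source; rule numbers are assumed."""
    return ["ipfw add %d deny tcp from %s to any" % (first_rule + i, ip)
            for i, ip in enumerate(ips)]


def build_block_list(netstat_text=NETSTAT_SAMPLE, access_text=ACCESS_SAMPLE):
    suspects = set(spraying_hosts(connection_distribution(netstat_text)))
    suspects |= set(probing_hosts(access_text))
    return ipfw_deny_rules(sorted(suspects))


if __name__ == "__main__":
    print("\n".join(build_block_list()))
```

Rules produced this way should carry an expiry and be checked against an allow-list of your own and your peers' addresses before they are loaded; the thread's own observation that counters keep rolling after a rule is re-added is the case for re-evaluating rather than accumulating them.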
From: "John Howie"
Date: Tue, 18 Sep 2001 14:54:36 -0700
To: "Derek O'Flynn", "Brett Glass"
Subject: Re: NIMDA Virus

Probably not enough - the Hydra (two-heads) is also doing NetBIOS queries.
The example log below shows the entire attack from an IIS standpoint. I
have no example of the NetBIOS attack pattern because we haven't been
infected.

john...

2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/root.exe /c+dir 404 -
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /MSADC/root.exe /c+dir 404 -
2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -

----- Original Message -----
From: "Brett Glass"
To: "Derek O'Flynn"
Sent: Tuesday, September 18, 2001 2:39 PM
Subject: Re: NIMDA Virus

> We just put a log monitor on the Apache server, and are firewalling anything
> that sends a request with "cmd.exe" in it. Quite effective.
>
> --Brett
>
> [...]


From: Brett Glass
Date: Tue, 18 Sep 2001 15:57:23 -0600
To: "John Howie", "Derek O'Flynn"
Subject: Re: NIMDA Virus

At 03:54 PM 9/18/2001, John Howie wrote:
>Probably not enough - the Hydra (two-heads) is also doing NetBIOS queries.

No problemo. We don't even let NetBIOS in the front door.

--Brett


From: "Marc G. Fournier"
Date: Tue, 18 Sep 2001 23:14:50 -0400 (EDT)
Subject: Re: ipfw problems ...

I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
with ipfw and dummynet to do bandwidth shaping as well as firewalling ...

The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...

I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
still have more that I want to put in, but today the machine locked up
solid ...

I ended up re-starting the machine with fw set to open, and loaded a few
rules at a time ... got up to 747 rules before the machine pretty much
ground to a halt, with the occasional keystroke going through ...

~900 or so of the rules are purely 'pass thru' rules ... we have two
connections to the internet ... one that costs us nothing, and one that
costs us quite dearly ... we want to allow all traffic that goes to sites
on the 'costs us nothing' network to go through unimpeded, while that
which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
rules are the ones that define those b-class networks that are on the
'costs us nothing' network ...

I'm not seeing any errors on the console to indicate a problem, it just
slowly grinds to a halt ... is there a setting in the kernel, or
somewhere, that I should be setting to allow for such a high number of
rules, or is it just not possible to do more than a few hundred? :(

Thanks


From: Anthony Schneider
Date: Wed, 19 Sep 2001 00:05:34 -0400
To: "Marc G. Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: ipfw problems ...

it might have something to do with the prerelease nature of the machine.
-Anthony.

On Tue, Sep 18, 2001 at 11:14:50PM -0400, Marc G. Fournier wrote:
>
> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
> [...]


From: Julian Elischer
Date: Tue, 18 Sep 2001 22:23:28 -0700
To: "Marc G. Fournier"
Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: Re: ipfw problems ...

"Marc G. Fournier" wrote:
>
> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
> [...]
> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ... got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...
>
> ~900 or so of the rules are purely 'pass thru' rules ... we have two
> connections to the internet ... one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> rules are the ones that define those b-class networks that are on the
> 'costs us nothing' network ...
>
> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ... is there a setting in the kernel, or
> somewhere, that I should be setting to allow for such a high number of
> rules, or is it just not possible to do more than a few hundred? :(
>
> Thanks

IPFW is a linear search. you can however use 'skipto' to good effect to
get around this.. you can produce a decision tree by filtering left or
right on one address bit (or something) so that each packet traverses a
lot less than 747 rules. (probably about 10)

--
Julian Elischer, julian@elischer.org
hard at work in a very strange country (USA)!
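Julian's skipto decision tree, worked through as an added example in Python (not code from the thread or from ipfw): given a list of 'costs us nothing' networks, it builds a binary tree over the destination-address bits, emits one skipto test per level plus a short leaf of exact allow rules, and ends every leaf with a skipto to the shaping rule. A walk() function simulates ipfw's first-match search so the number of rules a packet examines can be compared with the linear list. The sample networks, the rule numbers, the pipe number and the ipfw1-style syntax are assumptions; skipto can only jump forward, and the depth-first layout guarantees every target has a higher number than the rule that jumps to it.

```python
"""ipfw rule generator: dispatch on destination bits with skipto instead of a
linear list of ~900 allow rules.  Added example; prints commands, runs nothing."""
import ipaddress

# Constructed sample of 'costs us nothing' /16 networks (the thread had ~900).
FREE_NETS = ["12.23.0.0/16", "12.40.0.0/16", "128.100.0.0/16", "128.101.0.0/16",
             "129.6.0.0/16", "198.51.0.0/16", "198.52.0.0/16", "203.0.0.0/16"]

BASE, STEP = 1000, 10   # assumed rule numbers for the tree
SHAPE_RULE = 60000      # assumed: everything else goes to dummynet pipe 1
LEAF_MAX = 2            # stop splitting when a subtree holds this many networks


def address_bit(net, pos):
    """Bit `pos` (0 = most significant) of the network address."""
    return (int(net.network_address) >> (31 - pos)) & 1


def prefix_net(prefix_bits, depth):
    """Network whose first `depth` bits are `prefix_bits`, e.g. (0b1, 1) -> 128.0.0.0/1."""
    return ipaddress.IPv4Network((prefix_bits << (32 - depth), depth))


def build(nets, prefix_bits, depth, rules):
    """Append the subtree for `nets` (all sharing `prefix_bits`); return its first index.

    A rule is [action, match_network, target]: target is a rule index for
    skipto, or 'SHAPE' for the fall-through to the shaping rule."""
    start = len(rules)
    if len(nets) <= LEAF_MAX or depth >= min(n.prefixlen for n in nets):
        for n in nets:                                   # leaf: exact matches
            rules.append(["allow", n, None])
        rules.append(["skipto", ipaddress.IPv4Network("0.0.0.0/0"), "SHAPE"])
        return start
    zeros = [n for n in nets if address_bit(n, depth) == 0]
    ones = [n for n in nets if address_bit(n, depth) == 1]
    if zeros and ones:
        test = ["skipto", prefix_net((prefix_bits << 1) | 1, depth + 1), None]
        rules.append(test)                               # bit set -> jump right
        build(zeros, prefix_bits << 1, depth + 1, rules)  # bit clear -> fall through
        test[2] = build(ones, (prefix_bits << 1) | 1, depth + 1, rules)
    elif ones:
        build(ones, (prefix_bits << 1) | 1, depth + 1, rules)
    else:
        build(zeros, prefix_bits << 1, depth + 1, rules)
    return start


def build_tree(net_strings=FREE_NETS):
    nets = sorted((ipaddress.ip_network(s) for s in net_strings),
                  key=lambda n: int(n.network_address))
    rules = []
    build(nets, 0, 0, rules)
    return rules


def render(rules):
    """Number the rules and resolve skipto targets into ipfw commands."""
    number = lambda i: BASE + STEP * i
    out = []
    for i, (action, net, target) in enumerate(rules):
        match = "ip from any to %s" % ("any" if net.prefixlen == 0 else net.with_prefixlen)
        if action == "allow":
            out.append("ipfw add %d allow %s" % (number(i), match))
        else:
            dest = SHAPE_RULE if target == "SHAPE" else number(target)
            out.append("ipfw add %d skipto %d %s" % (number(i), dest, match))
    out.append("ipfw add %d pipe 1 ip from any to any out" % SHAPE_RULE)
    out.append("ipfw add %d allow ip from any to any" % (SHAPE_RULE + STEP))
    return out


def walk(rules, dst):
    """Simulate ipfw's first-match search for a packet to `dst`: (verdict, rules examined)."""
    addr = ipaddress.ip_address(dst)
    i = examined = 0
    while i < len(rules):
        action, net, target = rules[i]
        examined += 1
        if addr in net:
            if action == "allow":
                return "allow", examined
            if target == "SHAPE":
                return "shape", examined
            i = target
        else:
            i += 1
    return "shape", examined   # unreachable: every leaf ends in skipto SHAPE


if __name__ == "__main__":
    tree = build_tree()
    print("\n".join(render(tree)))
    for dst in ("12.40.1.1", "203.0.5.5", "130.1.1.1"):
        print(dst, walk(tree, dst))
```

With the eight sample networks every packet is decided in at most six rule evaluations, and the bound for a real table is roughly the tree depth plus the leaf size rather than the table size. The pipe rule is terminal only with net.inet.ip.fw.one_pass set, which is the default; with it cleared the packet re-enters the rule set after the pipe and the allow rule after it is what lets it out.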
+- X_.---._/ presently in San Francisco \_/ \\ v To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 18 23:28: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from mta04.onebox.com (mta04.onebox.com [64.68.77.147]) by hub.freebsd.org (Postfix) with ESMTP id 3C34537B411 for ; Tue, 18 Sep 2001 23:27:57 -0700 (PDT) Received: from onebox.com ([10.1.101.12]) by mta04.onebox.com (InterMail vM.4.01.03.23 201-229-121-123-20010418) with SMTP id <20010919062757.RNAO7831.mta04.onebox.com@onebox.com>; Tue, 18 Sep 2001 23:27:57 -0700 Received: from [203.144.253.62] by onebox.com with HTTP; Tue, 18 Sep 2001 23:27:56 -0700 Date: Tue, 18 Sep 2001 23:27:56 -0700 Subject: How to config ipfw for ftp server From: "Chutima S." To: freebsd-security@FreeBSD.ORG Cc: chutima@infoquest.co.th Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Message-Id: <20010919062757.RNAO7831.mta04.onebox.com@onebox.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I try to config ipfw fot outside world can ftp to ftp server in internal network (real IP but behide my firewall). I config as: ipfw add pass tcp from any to 21 setup I test by ftp from Internet world. I can login to ftpserver but can not open data connection for get or list files in folder. Is it concern about passive mode or ftp-data port (20)? Thanks Chutima S. -- Chutima Subsirin chutima_s@zdnetonebox.com - email (202) 777-2641 ext. 
6020 - voicemail/fax ___________________________________________________________________ To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax, all in one place - sign up today at http://www.zdnetonebox.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 18 23:30:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from tmisnet.com (thumper.tmisnet.com [205.197.28.7]) by hub.freebsd.org (Postfix) with ESMTP id 7CA1337B41F for ; Tue, 18 Sep 2001 23:30:09 -0700 (PDT) Received: from TERRAZZO.tmisnet.com (ppp69.tmisnet.com [205.197.28.69]) by tmisnet.com (8.11.3/8.11.3) with ESMTP id f8J6Tpj67959 for ; Tue, 18 Sep 2001 23:29:52 -0700 (PDT) (envelope-from gib@tmisnet.com) Message-Id: <5.1.0.14.2.20010918232719.00a6ba90@pop3.norton.antivirus> X-Sender: gib3/205.197.28.7@pop3.norton.antivirus X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 18 Sep 2001 23:30:04 -0700 To: freebsd-security@FreeBSD.ORG From: "Gib Gilbertson Jr." Subject: Re: NIMDA Virus In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi All. You might want to check your httpd logs... I checked mine and in less than 22 hours they had grown from 0 bytes at log archive time to over 600 meg.... Just a heads up.. Accesses are coming in so fast that the log is a blur going by.. 
gib

Gib Gilbertson
Tierra-Miga Info Systems
858-279-8647 Support    http://www.tmisnet.com
619-308-1096 Fax        San Diego's "Friendly ISP"    info@tmisnet.com

From owner-freebsd-security Tue Sep 18 23:34:11 2001
From: "Chutima S."
To: freebsd-security@FreeBSD.ORG
Date: Tue, 18 Sep 2001 23:34:03 -0700
Subject: How to config ipfw for ftp server
Message-Id: <20010919063403.QVBU12230.mta10.onebox.com@onebox.com>

I am trying to configure ipfw to allow the outside world to connect to an
ftp server (real IP) behind my firewall. I configured the rules as:

    ipfw add pass tcp from any to 21 setup

After testing it, I found that I can log in to the ftp server but cannot
get a data connection for GET or LIST of files. Is this about the
ftp-data port or passive mode? How do I configure it to work with a
normal ftp server?

Thanks
Chutima S.

--
Chutima Subsirin
chutima_s@zdnetonebox.com - email
(202) 777-2641 ext.
6020 - voicemail/fax

From owner-freebsd-security Wed Sep 19 01:00:37 2001
From: Krzysztof Zaraska
To: "Marc G. Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Date: Wed, 19 Sep 2001 09:59:50 +0200 (CEST)
Subject: Re: ipfw problems ...
In-Reply-To: <20010918230726.M30377-100000@mail1.hub.org>

On Tue, 18 Sep 2001, Marc G. Fournier wrote:
>
> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
>
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
>
> I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
> still have more that I want to put in, but today the machine locked up
> solid ...
>
> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ...
> got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...
>
> ~900 or so of the rules are purely 'pass thru' rules ... we have two
> connections to the internet ... one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> rules are the ones that define those b-class networks that are on the
> 'costs us nothing' network ...

With all respect, that looks like a flawed firewall design. Quoting Lance
Spitzner's paper on firewall design (http://www.enteract.com/~lspitz),
every firewall having over 50 rules becomes unmanageable. I'd say that the
threshold may be moved to 100..150 rules, since sometimes it's necessary
to split one policy rule into several filter rules, but your number IMHO
is way too much.

First, is there any specific reason for allowing only the specific 900
subnets instead of the whole 'cost nothing' network? How big is this
network? How would this increase the risk?

Second, with that number of networks, it is probable that at least some of
them have the same prefix; for example

    10.10.0.0/16
    10.11.0.0/16

can be matched with 10.10.0.0/15. This may bring down the number of rules.

Continuing from the previous point, if all class B networks are on the
same network block (having, say, 1024 class B networks) you may allow the
whole block and disallow only the 124 subnets. That would bring the number
of relevant rules down to 125.

Third, take into account that since ipfw takes a 'first matching rule
wins' approach, you will get a performance boost by moving more frequently
used and more general rules "up" in the ruleset. For example, if you move
the rule from position 700 to 200, a packet will be matched only against
200 rules instead of 700.
Fourth, if you have any "keep-state" rules, each of them effectively
generates new "dynamic" rules. In order to improve performance with TCP
connections you may try to switch to the TCP flag-based approach (keywords
"setup" and "established"). This will save you from additional growth of
the ruleset, but may open you to the TCP ACK scan (I haven't verified it),
which exposes the inside network topology.

Fifth, you may try separating routers. For example, set up one machine for
each uplink, and set each one up with a ruleset relevant to the link it is
connected to. You may then connect them to the internal network with a
non-filtering router or just set the routing tables on each internal host
appropriately. This should distribute the load and ease management.

> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ... is there a setting in the kernel, or
> somewhere, that I should be setting to allow fur such a high number of
> rules, or is it just not possible to do more then a few hundred? :(

Well. A friend of mine gave up on a Linux router with ca. 300 rules.
Matching every one of literally millions of packets traversing the router
against a huge ruleset will bring every machine to its knees.

> Thanks

Not at all.
Regards,
Krzysztof

From owner-freebsd-security Wed Sep 19 01:21:48 2001
From: titus manea
To: freebsd-security@freebsd.org
Date: Wed, 19 Sep 2001 11:21:28 +0300
Subject: Re: ipfw problems ...
Message-ID: <20010919112128.A81114@unix.edc.dnttm.ro>
In-Reply-To: from kzaraska@student.uci.agh.edu.pl on Wed, Sep 19, 2001 at 09:59:50AM +0200

Maybe this doesn't belong here, but dummynet could be the cause of the
lockups. I and at least one other person have experienced hard lockups
because of dummynet. That was like 3 months ago, running 4.3-STABLE. So
give it a try without dummynet and see if it still freezes.

--
Titus Manea | Eastern Digital Inc.
Lab owner   |   | +40-56-192091

From owner-freebsd-security Wed Sep 19 01:26:21 2001
From: Anton Vladimirov
Organization: FBSD Administration Center
To: freebsd-security@FreeBSD.ORG
Date: Wed, 19 Sep 2001 12:20:17 +0400
Subject: bad list during ftp session
Message-ID: <3091161270.20010919122017@mail.ru>

Hello freebsd-security,

Periodically I am facing a strange problem with my ftp server. Some files
and dirs are not listed by the ls command, while in the shell all looks
OK. All user modes/privileges are the same for all files in the directory,
but some of them are listed and the others aren't! If I copy all the
directory content to a new place and then move it back, "ls" returns to
normal operation.

What is the reason, and how do I correct this? I use the 4.0 release, if
it makes any difference...
--
Best regards,
Anton                          mailto:admin128@mail.ru

From owner-freebsd-security Wed Sep 19 01:29:21 2001
From: "Jeremiah Gowdy"
Date: Wed, 19 Sep 2001 01:29:17 -0700
Subject: Apologies
Message-ID: <000d01c140e5$2c4f0870$aa00a8c0@cx443070b>

I apologize for the mail filter bounce. Stuff's being adjusted, new perl
scripts being tested.
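An added example for the "ipfw problems" thread above (Krzysztof Zaraska's second and third points in his reply to Marc G. Fournier); this is editor-written code, not code from the thread or from FreeBSD. It shows the two reductions he describes: collapsing adjacent prefixes into supernets (10.10.0.0/16 + 10.11.0.0/16 becomes 10.10.0.0/15), and, where most of a block is on the "costs us nothing" link, allowing the whole block with one rule and listing only the exceptions ahead of it, which first-match evaluation requires. The network list is constructed, and the interface name fxp1, the pipe number and the rule numbers are assumptions. The ipfw of that era had no address lookup tables (later versions do), so every prefix costs one rule and the emitted list is what the kernel walks.

```python
"""Added example (not from the thread or from FreeBSD): shrink an ipfw
'pass-through' list by prefix aggregation, the reductions suggested in
Krzysztof Zaraska's reply. Interface, pipe and rule numbers are assumed."""
import ipaddress

# Constructed sample: 14 of the 16 /16s inside 10.0.0.0/12 are on the
# "costs us nothing" link, plus two networks outside that block.
FREE_NETS = [f"10.{i}.0.0/16" for i in range(16) if i not in (5, 9)] + [
    "172.16.0.0/16",
    "172.17.0.0/16",
]


def collapse(prefixes):
    """Merge adjacent/overlapping prefixes: 10.10.0.0/16 + 10.11.0.0/16 -> 10.10.0.0/15."""
    nets = (ipaddress.ip_network(p, strict=False) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def exceptions_within(block, free):
    """Prefixes inside `block` that are NOT free, i.e. the ones that still
    need shaping when the whole block is allowed by a single rule."""
    block = ipaddress.ip_network(block)
    remaining = [block]
    for f in ipaddress.collapse_addresses(
            ipaddress.ip_network(p, strict=False) for p in free):
        if block.subnet_of(f):          # the entire block is free
            return []
        if not f.subnet_of(block):      # lies outside the block; irrelevant here
            continue
        carved = []
        for r in remaining:
            if f.subnet_of(r):          # punch f out of r (r == f yields nothing)
                carved.extend(r.address_exclude(f))
            elif r.subnet_of(f):        # r is entirely free; drop it
                continue
            else:
                carved.append(r)
        remaining = carved
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def build_ruleset(free, block=None, iface="fxp1", pipe=1, start=1000):
    """Return ipfw(8) commands laid out for first-match evaluation.

    Without `block`: one allow rule per collapsed free prefix, then the
    shaping catch-all. With `block`: shape the exceptions first, allow the
    whole block with one rule, allow free prefixes outside it, then the
    catch-all. Rule numbers and the `out via <iface>` qualifier are assumed."""
    rules = []

    def add(action, dst):
        rules.append(f"ipfw add {start + len(rules)} {action} ip from any to {dst} out via {iface}")

    if block is None:
        for p in collapse(free):
            add("allow", p)
    else:
        blk = ipaddress.ip_network(block)
        for p in exceptions_within(block, free):
            add(f"pipe {pipe}", p)                  # exceptions: shape these
        add("allow", str(blk))                      # rest of the block is free
        for p in collapse(free):
            if not ipaddress.ip_network(p).subnet_of(blk):
                add("allow", p)                     # free prefixes outside the block
    add(f"pipe {pipe}", "any")                      # everything else: the costly link
    return rules


def shortest_ruleset(free, block=None, **kw):
    """Pick whichever encoding needs fewer rules (fewer rules walked per packet)."""
    plain = build_ruleset(free, None, **kw)
    if block is None:
        return plain
    with_block = build_ruleset(free, block, **kw)
    return min(plain, with_block, key=len)


if __name__ == "__main__":
    print(len(FREE_NETS), "networks as listed ->", len(collapse(FREE_NETS)), "after collapsing")
    for rule in shortest_ruleset(FREE_NETS, block="10.0.0.0/12"):
        print(rule)
```

With the constructed list, 16 networks become 7 prefixes by collapsing alone and 5 rules with the block-plus-exceptions layout; the ordering matters, because a shaped exception placed after the block's allow rule would never be reached.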
From owner-freebsd-security Wed Sep 19 01:33:01 2001
From: Krzysztof Zaraska
To: "Chutima S."
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 19 Sep 2001 10:32:37 +0200 (CEST)
Subject: Re: How to config ipfw for ftp server
In-Reply-To: <20010919063403.QVBU12230.mta10.onebox.com@onebox.com>

On Tue, 18 Sep 2001, Chutima S. wrote:
> I try to config ipfw to allow outside world can connect to ftpserver(real
> IP) behide my firewall.
>
> I config rules as:
>
> ipfw add pass tcp from any to 21 setup
>
> After I test it, I found that I can login to ftpserver but can not get
> data connection like GET, List for files. Does it about ftp-data port
> or passive mode? How I config it to work with normal ftpserver?

In "normal" FTP, when a request is sent from the client, the server
connects _back_ to the client ("active mode"). So theoretically, if your
firewall allows the FTP server to initiate outbound connections, it should
be fine. Nowadays, however, more and more clients use "passive" mode (PASV
command), where the client connects to the server for data transfer.
That solves the problem with a firewalled client, but leads to a problem
with a firewalled server. I don't know the solution with ipfw, but IIRC
with ipfilter it is possible to make the firewall watch for FTP transfer
requests and add temporary rules passing the ftp data connections. See
the ipf docs for details.

Alternatively, you may restrict the port range used by the ftp daemon for
passive transfers and then open this port range on the firewall.
Unfortunately, this may open a hole in security if you have some other
server listening in this port range. Your mileage may vary.

Krzysztof

From owner-freebsd-security Wed Sep 19 01:33:55 2001
From: Bill Fumerola
To: Anthony Schneider, "Marc G. Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Date: Wed, 19 Sep 2001 03:33:49 -0500
Subject: Re: ipfw problems ...
Message-ID: <20010919033349.X826@elvis.mu.org>
In-Reply-To: <20010919000534.A83486@mail.slc.edu>; from aschneid@mail.slc.edu on Wed, Sep 19, 2001 at 12:05:34AM -0400

On Wed, Sep 19, 2001 at 12:05:34AM -0400, Anthony Schneider wrote:
> it might have something to do with the prerelease nature of the machine.
> -Anthony.

No, it has nothing to do with -PRERELEASE. ipfw by any other name is ipfw.

> On Tue, Sep 18, 2001 at 11:14:50PM -0400, Marc G. Fournier wrote:
> >
> > I ended up re-starting the machine with fw set to open, and loaded a few
> > rules at a time ... got up to 747 rules before the machine pretty much
> > ground to a halt, with the occasional keystroke going through ...
> >
> > ~900 or so of the rules are purely 'pass thru' rules ... we have two
> > connections to the internet ... one that costs us nothing, and one that
> > costs us quite dearly ... we want to allow all traffic that goes to sites
> > on the 'costs us nothing' network to go through unimpeded, while that
> > which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> > rules are the ones that define those b-class networks that are on the
> > 'costs us nothing' network ...
> >
> > I'm not seeing any errors on the console to indicate a problem, it just
> > slowly grinds to a halt ... is there a setting in the kernel, or
> > somewhere, that I should be setting to allow fur such a high number of
> > rules, or is it just not possible to do more then a few hundred?
> :(

As others have noted, if your critical path (that is, the path that the
bulk of your traffic takes) is 700 rules, your technique is flawed. I've
also seen various suggestions (skipto, mostly) on how to shorten your
ruleset list walking...

In any case, to answer your question of what happens as more rules are
added: http://people.freebsd.org/~billf/bsdcon2000/presentation/graphics/
has a few of the graphics I used in my presentation to show what happens
to ipfw as you add more rules in the critical path. Different types of
rules are affected differently (and can be optimized differently, but
that's a whole different story), but they all show the same curve of
poorer performance. 'old {TCP,UDP}' is an ipfw similar to what
4.4-PRERELEASE would have.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

From owner-freebsd-security Wed Sep 19 02:25:53 2001
From: "Mick Nicila"
To: chutima_s@zdnetonebox.com
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 19 Sep 2001 16:25:45 +0700
Subject: Re: How to config ipfw for ftp server

Dear Chutima,

FTP uses separate command and
data connections. By default FTP servers work in Active mode, where the
server listens on port 21 for commands; data connections are initiated by
the server from its port 20 (ftp-data) to a random port on the client.
This is the case your firewall will not allow. In this case, you may allow
connections initiated from server port 20 to ports > 1024 outside. I don't
know exactly how to set the ipfw rules.

On the other hand, Passive mode causes the client to open both connections
to the server. The data connection is opened from a random port on the
client to a random port on the server. This case is also prohibited by
your firewall. It is rather complicated to deal with, since both client
and server port numbers are randomized. You may need a special ftp proxy,
I think.

Note that Internet Explorer and Netscape are usually set to work in
Passive mode, whilst FTP software is often set to work in Active mode.
This setting can be changed in most FTP software.

On Tue, 18 Sep 2001, Chutima S. wrote:
>I try to config ipfw to allow outside world can connect to ftpserver(real
>IP) behide my firewall.
>
>I config rules as:
>
>ipfw add pass tcp from any to 21 setup
>
>After I test it, I found that I can login to ftpserver but can not get
>data connection like GET, List for files. Does it about ftp-data port
>or passive mode? How I config it to work with normal ftpserver?
>
>Thanks
>Chutima S.
>
>--
>Chutima Subsirin
>chutima_s@zdnetonebox.com - email
>(202) 777-2641 ext.
>6020 - voicemail/fax

From owner-freebsd-security Wed Sep 19 04:17:38 2001
From: "Karsten W. Rohrbach"
To: "Gib Gilbertson Jr."
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 19 Sep 2001 13:17:52 +0200
Subject: Re: NIMDA Virus
Message-ID: <20010919131752.E52106@mail.webmonster.de>
In-Reply-To: <5.1.0.14.2.20010918232719.00a6ba90@pop3.norton.antivirus>; from gib@tmisnet.com on Tue, Sep 18, 2001 at 11:30:04PM -0700

Gib Gilbertson Jr.(gib@tmisnet.com)@2001.09.18 23:30:04 +0000:
> Hi All.
>
> You might want to check your httpd logs... I checked mine and in less than
> 22 hours they had grown from 0 bytes at log archive time to over 600 meg....
>
> Just a heads up.. Accesses are coming in so fast that the log is a blur
> going by..

quick 'fix' for excessive error_log size:

    ErrorLog "|exec grep -v 'File does not exist:' >/wherever/error_log"

this will not log any more 404 throwing file not found errors

/k
--
> "Under capitalism, man exploits man. Under Communism, it's just the
> opposite."
    --John Kenneth Galbraith
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Wed Sep 19 04:20:16 2001
From: "Karsten W. Rohrbach"
To: "Chutima S."
Cc: freebsd-security@FreeBSD.ORG, chutima@infoquest.co.th
Date: Wed, 19 Sep 2001 13:20:32 +0200
Subject: Re: How to config ipfw for ftp server
Message-ID: <20010919132032.F52106@mail.webmonster.de>
In-Reply-To: <20010919062757.RNAO7831.mta04.onebox.com@onebox.com>; from chutima_s@zdnetonebox.com on Tue, Sep 18, 2001 at 11:27:56PM -0700

Chutima S.(chutima_s@zdnetonebox.com)@2001.09.18 23:27:56 +0000:
> I try to config ipfw fot outside world can ftp to ftp server in internal
> network (real IP but behide my firewall). I config as:
>
> ipfw add pass tcp from any to 21 setup
>
> I test by ftp from Internet world. I can login to ftpserver but can
> not open data connection for get or list files in folder. Is it concern
> about passive mode or ftp-data port (20)?

you probably want to check out ipfilter in conjunction with ipnat, which
maps ftp requests through an in-kernel stateful proxy that opens and
closes the port-pair rules for established ftp sessions' data connections
via state table entries. check out the ipfilter docs for more info.

/k
--
> "I think pop music has done more for oral intercourse than anything else
> that has ever happened, and vice versa."
    --Frank Zappa
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Wed Sep 19 04:27:18 2001
From: "Mario de Oliveira Lobo Neto"
Organization: American School of Recife - Brazil
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Reply-To: mlobo@ear.com.br
Date: Wed, 19 Sep 2001 08:28:00 -0300
Subject: Re: NIMDA Virus
Message-ID: <3BA8570F.8114.55B69A5@localhost>
In-reply-to: <4.3.2.7.2.20010918153412.0493bc10@localhost>
On 18 Sep 2001, at 15:39, Brett Glass wrote:

> We just put a log monitor on the Apache server, and are firewalling anything
> that sends a request with "cmd.exe" in it. Quite effective.
>
> --Brett

Brett;

Forgive my ignorance, but when you say "firewalling", do you mean in
Apache or in ipfw? If you mean ipfw, how did you build the ipfw rule to
reject those "GET cmd.exe" requests? They are not causing any harm to our
Novell enterprise server, but the logs are growing fast.

Thanks,
Mario Lobo
-
*** Mario Lobo - mlobo@ear.com.br ***
American School of Recife

From owner-freebsd-security Wed Sep 19 05:06:10 2001
From: "Marc G. Fournier"
To: Krzysztof Zaraska
Date: Wed, 19 Sep 2001 08:05:36 -0400 (EDT)
Subject: Re: ipfw problems ...
Message-ID: <20010919075409.G30377-100000@mail1.hub.org>

On Wed, 19 Sep 2001, Krzysztof Zaraska wrote:

> First, is there any specific reason for allowing only specific 900 subnets
> instead of the whole 'cost nothing' network? How big is this network? How
> would this increase the risk?

CA*Net3 vs "commercial net" traffic ...
> Second, with that number of networks, it is probable that at least some of
> them have the same prefix; for example
> 10.10.0.0/16
> 10.11.0.0/16
> can be matched with 10.10.0.0/15. This may bring down the number of rules.
> Continuing from previous point, if all class B networks are on the same
> network block (having, say 1024 class B networks) you may allow whole
> block and disallow only 124 subnets. That would bring the number of
> relevant rules down to 125.

Actually, I've already done that :( In some areas I've been able to get it
down to /12 ... so imagine the number of rules if I *hadn't* done that ...

> Third, take into account that since ipfw takes 'first matching rule
> wins' approach, you will get performance boost by moving more
> frequently used and more general rules "up" in the ruleset. For
> example, if you move the rule from position 700 to 200 packet will be
> matched only against 200 rules instead of 700.

Thought about it, but not possible ... unless I'm misunderstanding
something ... these rules are the exceptions ... "if none of these
b-class networks is matched, *then* shape the bandwidth for anything not
in there" ... Is there some way of creating a 'group', similar to
/etc/networks, where it's one rule with many addresses in it?

> Fourth, if you have any "keep-state" rules, each of them effectively
> generates new "dynamic" rules. In order to improve performance with
> TCP connections you may try to switch to TCP flag-based approach
> (keywords "setup" and "established"). This will save you from
> additional growth of ruleset, but may open you to the TCP ACK scan (I
> haven't verified it) which exposes inside network topology.

Not using any 'keep-state' rules ...
From owner-freebsd-security Wed Sep 19 5:58:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from vbook.express.ru (asplinux.ru [195.133.213.194]) by hub.freebsd.org (Postfix) with ESMTP id 405BE37B40C for ; Wed, 19 Sep 2001 05:58:25 -0700 (PDT) Received: from vova by vbook.express.ru with local (Exim 3.31 #2) id 15jgwd-0000Io-00; Wed, 19 Sep 2001 16:59:15 +0400 From: "Vladimir B. Grebenschikov" MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="itn1syND1l" Content-Transfer-Encoding: 7bit Message-ID: <15272.38562.675553.16495@vbook.express.ru> Date: Wed, 19 Sep 2001 16:59:14 +0400 To: "Karsten W. Rohrbach" Cc: "Gib Gilbertson Jr." , freebsd-security@FreeBSD.ORG Subject: Re: NIMDA Virus In-Reply-To: <20010919131752.E52106@mail.webmonster.de> References: <5.1.0.14.2.20010918232719.00a6ba90@pop3.norton.antivirus> <20010919131752.E52106@mail.webmonster.de> X-Mailer: VM 6.95 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid

Karsten W. Rohrbach writes:
> Gib Gilbertson Jr.(gib@tmisnet.com)@2001.09.18 23:30:04 +0000:
> > Hi All.
> >
> > You might want to check your httpd logs... I checked mine and in less than
> > 22 hours they had grown from 0 bytes at log archive time to over 600 meg....
> >
> > Just a heads up.. Accesses are coming in so fast that the log is a blur
> > going by..
>
> quick 'fix' for excessive error_log size:
>
> ErrorLog "|exec grep -v 'File does not exist:' >/wherever/error_log"
>
> this will not log any more 404 throwing file not found errors

Quick fix for it using very simple netgraph module in attached tarball

[Attachment: ng.NIMDA.tgz (application/octet-stream, base64 body omitted)]
#!/bin/sh
#
# create netgraph nodes
# bind on 77 divert port
#
# --inout--
# detect
#
ngctl -f - << EOF
mkpeer ddsdetect dummy detect
name .:dummy dds
mkpeer dds: ksocket in inet/raw/divert
msg dds:in bind inet/0.0.0.0:77
mkpeer dds: ksocket out inet/raw/divert
EOF

# check only incoming packets !!!
# be careful we can't check outgoing packets -
# it will lead to packets cycle and panic
ipfw add 1 divert 77 tcp from any to any 80 in

# if anybody interested we can analyze detected DDS packets
nghook -a dds: detect

# after all shutdown netgraph nodes
ngctl shutdown dds: > /k

--
TSB Russian Express, Moscow
Vladimir B. Grebenschikov, vova@express.ru

From owner-freebsd-security Wed Sep 19 9:50:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from pt-quorum.com (pt-quorum.com [209.10.167.210]) by hub.freebsd.org (Postfix) with ESMTP id 2F47137B40A for ; Wed, 19 Sep 2001 09:50:30 -0700 (PDT) Received: from qnuno (unknown [217.129.231.117]) by pt-quorum.com (Postfix) with SMTP id 34891ECA0 for ; Wed, 19 Sep 2001 17:51:58 +0100 (WEST) Message-ID: <00cf01c1412b$7ecc4540$0a00a8c0@qnuno> From: "Nuno Teixeira" To: Subject: port 1023: listen Date: Wed, 19 Sep 2001 17:52:36 +0100 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_00CC_01C14133.DDE27D30" X-Priority: 1 X-MSMail-Priority: High X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Hello to all,

Today I've run nmap to scan my server ports and I found a port that I don't know (Well Known Ports: 0 to 1023)

[nmap]
1023/tcp open unknown

I log in at the server and there it is again, and netstat shows:

[netstat -n]
tcp4 0 0 *.1023 *.* LISTEN

Could my server be in security problems?
What service or program opens this port and how do I turn it off?

Thanks very much,

Nuno Teixeira
From owner-freebsd-security Wed Sep 19 9:54:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 3F64337B411 for ; Wed, 19 Sep 2001 09:54:33 -0700 (PDT) Received: from schulte-laptop.schulte.org (nb-65.netbriefings.com [209.134.134.65]) by poontang.schulte.org (Postfix) with ESMTP id 437A7D14B0; Wed, 19 Sep 2001 11:54:31 -0500 (CDT) Message-Id: <5.1.0.14.0.20010919115220.03e6d2d0@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 19 Sep 2001 11:53:38 -0500 To: "Nuno Teixeira" , From: Christopher Schulte Subject: Re: port 1023: listen In-Reply-To: <00cf01c1412b$7ecc4540$0a00a8c0@qnuno> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed

Use sockstat or lsof to see what process is listening on 1023.

At 05:52 PM 9/19/2001 +0100, Nuno Teixeira wrote:
>Hello to all,
>
>Today I've run nmap to scan my server ports and I found a port that I
>don't know (Well Known Ports: 0 to 1023)
>
>[nmap]
>1023/tcp open unknown
>
>I login at the server I there it is again and netstat shows:
>
>[netstat -n]
>tcp4 0 0 *.1023 *.* LISTEN
>
>
>Could my server be in security problems?
>What service or program open this port and how do I turn it off?
From owner-freebsd-security Wed Sep 19 10:48:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from pt-quorum.com (pt-quorum.com [209.10.167.210]) by hub.freebsd.org (Postfix) with ESMTP id 621BC37B412 for ; Wed, 19 Sep 2001 10:48:39 -0700 (PDT) Received: from qnuno (unknown [217.129.231.117]) by pt-quorum.com (Postfix) with SMTP id 5239CECCD; Wed, 19 Sep 2001 18:50:06 +0100 (WEST) Message-ID: <011001c14133$9e021a40$0a00a8c0@qnuno> From: "Nuno Teixeira" To: "Nuno Teixeira" Cc: References: <00cf01c1412b$7ecc4540$0a00a8c0@qnuno> Subject: Re: port 1023: listen Date: Wed, 19 Sep 2001 18:50:44 +0100 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_010D_01C1413B.FCF84710" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

Hello to all,

Ok. Thanks for your help.

I have found what process is running on that port.

Thanks very much,

Nuno

----- Original Message -----
From: Nuno Teixeira
To: freebsd-security@freebsd.org
Sent: Wednesday, September 19, 2001 5:52 PM
Subject: port 1023: listen

Hello to all,

Today I've run nmap to scan my server ports and I found a port that I don't know (Well Known Ports: 0 to 1023)

[nmap]
1023/tcp open unknown

I login at the server I there it is again and netstat shows:

[netstat -n]
tcp4 0 0 *.1023 *.* LISTEN

Could my server be in security problems?
What service or program open this port and how do I turn it off?
Thanks very much,

Nuno Teixeira
From owner-freebsd-security Wed Sep 19 10:51:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 756DB37B41A for ; Wed, 19 Sep 2001 10:51:17 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id LAA11814 for ; Wed, 19 Sep 2001 11:51:10 -0600 (MDT) Message-Id: <4.3.2.7.2.20010919112438.0598b8b0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 19 Sep 2001 11:48:18 -0600 To: security@freebsd.org From: Brett Glass Subject: Defense against "Code Rainbow" Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed

I'm working on an automatic defense against "Code Rainbow" and would appreciate suggestions about how to refine it so that others can use it.

My first quick-and-dirty attempt was to create an ErrorDocument for Apache that was not actually a document but rather a CGI script. If the script saw that the error was not "Code Rainbow," it sent back a standard error code. But if it recognized a "Code Rainbow" attack, it blackholed the attacker's IP address (available to CGI programs via the REMOTE_ADDR environment variable) via the system routing table and dropped the connection... cold. Bingo -- the attacking machine was locked out. (To give the CGI script the ability to change the routing table safely, I had to create a setuid program that could be invoked only by the CGI script and could do nothing but add a blackhole route.)

Unfortunately, there was a serious problem with this approach.
The BSD TCP/IP stack apparently does not expect its routing table to be very big, and so scans it linearly. This means that, as the list of blackhole routes grew, we started to see serious problems with network performance. I tried creating ipfw rules instead, but discovered that ipfw scans linearly too. What does ipf use? pf? Any ideas for speedups or security enhancements?

--Brett Glass

From owner-freebsd-security Wed Sep 19 10:56: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id D5C0737B416 for ; Wed, 19 Sep 2001 10:55:59 -0700 (PDT) Received: (from emechler@localhost) by radix.cryptio.net (8.11.6/8.11.3) id f8JHtrS05107; Wed, 19 Sep 2001 10:55:53 -0700 (PDT) (envelope-from emechler) Date: Wed, 19 Sep 2001 10:55:53 -0700 From: Erick Mechler To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Defense against "Code Rainbow" Message-ID: <20010919105553.J3881@techometer.net> References: <4.3.2.7.2.20010919112438.0598b8b0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <4.3.2.7.2.20010919112438.0598b8b0@localhost>; from Brett Glass on Wed, Sep 19, 2001 at 11:48:18AM -0600

:: Unfortunately, there was a serious problem with this approach. The BSD
:: TCP/IP stack apparently does not expect its routing table to be very big,
:: and so scans it linearly. This means that, as the list of blackhole
:: routes grew, we started to see serious problems with network performance.
:: I tried creating ipfw rules instead, but discovered that ipfw scans
:: linearly too. What does ipf use? pf?
:: Any ideas for speedups or security
:: enhancements?

What about using TCP wrappers? I'm not sure of the performance implications of doing so, but maybe it's worth a shot.

--Erick

From owner-freebsd-security Wed Sep 19 11: 2: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [198.92.199.5]) by hub.freebsd.org (Postfix) with ESMTP id 89D0637B412 for ; Wed, 19 Sep 2001 11:01:58 -0700 (PDT) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.6/8.11.6) with ESMTP id f8JI1Q963852; Wed, 19 Sep 2001 14:01:26 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Wed, 19 Sep 2001 14:01:22 -0400 (EDT) From: Rob Simmons To: Brett Glass Cc: Subject: Re: Defense against "Code Rainbow" In-Reply-To: <4.3.2.7.2.20010919112438.0598b8b0@localhost> Message-ID: <20010919135456.M62587-100000@mail.wlcg.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII

This poses the same problem as allowing snort, or snort-like NIDS systems, access to your firewall rules. It opens a new window for DOS attacks. If some nefarious person figured out that you are doing such a thing, they could spoof attacks from many addresses and cripple the server. A much better approach is something like hogwash, which will only block the attack itself, allowing all normal traffic to pass.
http://hogwash.sourceforge.net/

There was traffic on this list about making a FreeBSD port of the software, but that is not needed; just grab the source and compile :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 19 Sep 2001, Brett Glass wrote:

> I'm working on an automatic defense against "Code Rainbow" and would
> appreciate suggestions about how to refine it so that others can use it.
>
> My first quick-and-dirty attempt was to create an ErrorDocument for
> Apache that was not actually a document but rather a CGI script. If the
> script saw that the error was not "Code Rainbow," it sent back a standard
> error code. But if it recognized a "Code Rainbow" attack, it blackholed
> the attacker's IP address (available to CGI programs via the REMOTE_ADDR
> environment variable) via the system routing table and dropped the
> connection... cold. Bingo -- the attacking machine was locked out. (To
> give the CGI script the ability to change the routing table safely, I had
> to create a setuid program that could be invoked only by the CGI script
> and could do nothing but add a blackhole route.)
>
> Unfortunately, there was a serious problem with this approach. The BSD
> TCP/IP stack apparently does not expect its routing table to be very big,
> and so scans it linearly. This means that, as the list of blackhole
> routes grew, we started to see serious problems with network performance.
> I tried creating ipfw rules instead, but discovered that ipfw scans
> linearly too. What does ipf use? pf? Any ideas for speedups or security
> enhancements?
>
> --Brett Glass
>

From owner-freebsd-security Wed Sep 19 11:20:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id 9AD9737B415 for ; Wed, 19 Sep 2001 11:20:16 -0700 (PDT) Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f8JHGFa31255; Wed, 19 Sep 2001 10:16:15 -0700 (PDT) Date: Wed, 19 Sep 2001 10:16:15 -0700 (PDT) From: David Kirchner X-X-Sender: To: Brett Glass Cc: Subject: Re: Defense against "Code Rainbow" In-Reply-To: <4.3.2.7.2.20010919112438.0598b8b0@localhost> Message-ID: <20010919101020.B85958-100000@localhost> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 19 Sep 2001, Brett Glass wrote:

> Unfortunately, there was a serious problem with this approach. The BSD
> TCP/IP stack apparently does not expect its routing table to be very big,
> and so scans it linearly.

Something I've wanted to implement but haven't, because I'm not really knowledgeable enough, is a sysctl that would enable/disable dynamic route creation. It's so rare that any one of these /32 routes the server creates will ever be different than any of the others that it's just a waste of resources for the system to track them.
Those that want to route with their BSD box would leave dynamic routes enabled.

From owner-freebsd-security Wed Sep 19 11:22:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id A349B37B41E for ; Wed, 19 Sep 2001 11:22:35 -0700 (PDT) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id f8JIMYS29690; Wed, 19 Sep 2001 13:22:34 -0500 (CDT) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with SMTP id NAA16178; Wed, 19 Sep 2001 13:22:33 -0500 (CDT) From: Eric Anderson Received: from 10.177.173.21 (proxying for 10.177.173.77, 10.177.173.99) (SquirrelMail authenticated user anderson) by proton.centtech.com with HTTP; Wed, 19 Sep 2001 13:22:18 -0500 (CDT) Message-ID: <44071.10.177.173.21.1000923738.squirrel@proton.centtech.com> Date: Wed, 19 Sep 2001 13:22:18 -0500 (CDT) Subject: Re: Defense against 'Code Rainbow' To: davidk@accretivetg.com In-Reply-To: <20010919101020.B85958-100000@localhost> References: <20010919101020.B85958-100000@localhost> Cc: brett@lariat.org, security@freebsd.org X-Mailer: SquirrelMail (version 1.0.6) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit

Is it possible to do a hash table lookup kind of thing? I think a list of about 10,000 would be fast even on a hash table.

Eric

> On Wed, 19 Sep 2001, Brett Glass wrote:
>
>> Unfortunately, there was a serious problem with this approach.
>> The BSD
>> TCP/IP stack apparently does not expect its routing table to be very
>> big, and so scans it linearly.
>
> Something I've wanted to implement but haven't because I'm not really
> knowledgable enough is a sysctl that would enable/disable dynamic route
> creation. It's so rare that any one of these /32 routes the server
> creates will ever be different than any of the others that it's just a
> waste of resources for the system to track them. Those that want to
> route with their BSD box would leave dynamic routes enabled.

From owner-freebsd-security Wed Sep 19 13:24:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from smgwisys.intersys.com.mx (smgwisys.intersys.com.mx [206.65.32.41]) by hub.freebsd.org (Postfix) with SMTP id B341937B407 for ; Wed, 19 Sep 2001 13:24:44 -0700 (PDT) Received: by smgwisys.intersys.com.mx(Lotus SMTP MTA v4.6.4 (830.2 3-23-1999)) id 06256ACC.00759D8D ; Wed, 19 Sep 2001 15:24:40 -0600 X-Lotus-FromDomain: INTERSYS@ISYS From: rrios@intersys.com.mx To: chutima_s@zdnetonebox.com Cc: freebsd-security@freebsd.org Message-ID: <06256ACC.00759C28.00@smgwisys.intersys.com.mx> Date: Wed, 19 Sep 2001 15:20:33 -0600 Subject: How to config ipfw for ftp server Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline

Try this before the "ipfw add 100 allow tcp from any to 21 setup":

ipfw add 100 allow tcp from any to any established

or

ipfw add 100 allow tcp from any to any 21 established

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the
message

From owner-freebsd-security Wed Sep 19 13:49:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id A393037B414 for ; Wed, 19 Sep 2001 13:49:26 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA14575; Wed, 19 Sep 2001 14:49:08 -0600 (MDT) Message-Id: <4.3.2.7.2.20010919143532.05986c30@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 19 Sep 2001 14:37:10 -0600 To: Erick Mechler From: Brett Glass Subject: Re: Defense against "Code Rainbow" Cc: security@FreeBSD.ORG In-Reply-To: <20010919105553.J3881@techometer.net> References: <4.3.2.7.2.20010919112438.0598b8b0@localhost> <4.3.2.7.2.20010919112438.0598b8b0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"

At 11:55 AM 9/19/2001, Erick Mechler wrote:
>What about using TCP wrapers? I'm not sure of the performance implications
>of doing so, but maybe it's worth a shot.

Apache doesn't play very well with TCP wrappers, as it likes to manage its own sockets and process pool. Also, a wrapper wouldn't eliminate the overhead of opening a socket. I'm trying to block the packets before that happens.
--Brett

From owner-freebsd-security Wed Sep 19 13:49:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 500B237B415 for ; Wed, 19 Sep 2001 13:49:31 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA14578; Wed, 19 Sep 2001 14:49:13 -0600 (MDT) Message-Id: <4.3.2.7.2.20010919143740.059c5be0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 19 Sep 2001 14:46:29 -0600 To: Rob Simmons From: Brett Glass Subject: Re: Defense against "Code Rainbow" Cc: In-Reply-To: <20010919135456.M62587-100000@mail.wlcg.com> References: <4.3.2.7.2.20010919112438.0598b8b0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"

At 12:01 PM 9/19/2001, Rob Simmons wrote:
>This poses the same problem as allowing snort, or snort-like NIDS systems
>access to your firewall rules. It opens a new window for DOS attacks.
>If some nefarious person figured out that you are doing such a thing, they
>could spoof attacks from many addresses and cripple the server.

It'd be tough. They'd have to get past the 3-way handshake and submit an HTTP GET request. It's easy to spoof UDP, or a single SYN, but not a fully established socket.

>A much better approach is something like hogwash, which will only block
>the attack itself, allowing all normal traffic to pass.
>
>http://hogwash.sourceforge.net/

Trouble is, by the time you get to the telltale packet, you've invested the overhead of opening a socket and firing up a process to receive the HTTP request.
The idea behind firewalling is to eliminate that overhead.

Sheldon Hearn, in private e-mail, mentioned that an attack from behind a transparent proxy or NAT router could cause us to drop all requests from the entire site. If we firewall the IP address for all destination port numbers, then this is indeed a concern. But if we block port 80, the most innocent users will lose is access to a Web server. This is usually a reasonable tradeoff.

--Brett

From owner-freebsd-security Wed Sep 19 15:47:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from deborah.paradise.net.nz (deborah.paradise.net.nz [203.96.152.32]) by hub.freebsd.org (Postfix) with ESMTP id 325DE37B40D for ; Wed, 19 Sep 2001 15:47:24 -0700 (PDT) Received: from ss11232 (203-79-72-40.cable.paradise.net.nz [203.79.72.40]) by deborah.paradise.net.nz (Postfix) with ESMTP id B30D71FA176; Thu, 20 Sep 2001 10:47:21 +1200 (NZST) From: rshea@opendoor.co.nz To: security@FreeBSD.ORG Date: Thu, 20 Sep 2001 10:46:41 +1200 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: NIMDA Virus Cc: brett@lariat.org Message-ID: <3BA9C911.18530.49BAA5C@localhost> X-mailer: Pegasus Mail for Win32 (v3.12c)

> We just put a log monitor on the Apache server, and are firewalling
> anything that sends a request with "cmd.exe" in it. Quite effective.

I'd like to do this too. I use IPFW. Can anyone point me at a 'how-to'? I thought IPFW rules could only be based on IP address or service type?

thanks

richard shea.
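The "log monitor plus firewall" approach Brett describes and Richard asks about, as an added example that is not code from the thread: ipfw cannot match on request content, so a monitor reads Apache access-log lines, flags requests carrying "cmd.exe", and emits per-source ipfw rules for destination port 80 only (Brett's NAT/proxy tradeoff), deduplicated, expiring, and capped to a fixed rule range so the linear rule scan stays bounded. It prints the ipfw commands instead of running them; the log lines, rule-number range, TTL and capacity are constructed/assumed values.

```python
"""Apache log monitor that turns Code Red / Nimda probes into ipfw rules.

Added example for the 'log monitor + firewall' approach in this thread;
not code from the thread.  Commands are returned/printed, never executed.
"""
import ipaddress
import re
from collections import OrderedDict
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote

# Apache common/combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})')

# Telltale string from the thread; matched after URL-decoding and lower-casing
# so "CMD.EXE" or "cmd%2Eexe" do not slip past a naive substring check.
DEFAULT_SIGNATURES = ("cmd.exe",)


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (client_ip, request_line, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("request"), int(m.group("status"))


def is_probe(request: str, signatures: Iterable[str] = DEFAULT_SIGNATURES) -> bool:
    req = unquote(request).lower()
    return any(sig in req for sig in signatures)


class Blocklist:
    """Bounded, expiring set of blocked clients mapped onto a fixed ipfw rule range.

    Only destination port 80 is denied, entries expire after `ttl` seconds,
    and at most `capacity` rules exist at once (oldest recycled first).
    """

    def __init__(self, first_rule: int = 5000, capacity: int = 500,
                 ttl: float = 3600.0, never_block: Iterable[str] = ("127.0.0.0/8",)):
        self.ttl = ttl
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.free_rules = list(range(first_rule, first_rule + capacity))
        self.active: "OrderedDict[str, Tuple[int, float]]" = OrderedDict()  # ip -> (rule, expiry)

    def block(self, ip: str, now: float) -> List[str]:
        """Return the ipfw commands needed to block `ip` (empty if nothing to do)."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:              # hostname or garbage in the client field
            return []
        if ip in self.active or any(addr in net for net in self.never_block):
            return []
        cmds: List[str] = []
        if not self.free_rules:         # range exhausted: recycle the oldest rule
            _, (old_rule, _) = self.active.popitem(last=False)
            cmds.append(f"ipfw delete {old_rule}")
            self.free_rules.append(old_rule)
        rule = self.free_rules.pop(0)
        self.active[ip] = (rule, now + self.ttl)
        cmds.append(f"ipfw add {rule} deny tcp from {ip} to any 80")
        return cmds

    def expire(self, now: float) -> List[str]:
        """Return delete commands for entries whose TTL has passed."""
        cmds: List[str] = []
        for ip, (rule, expiry) in list(self.active.items()):
            if expiry <= now:
                del self.active[ip]
                self.free_rules.append(rule)
                cmds.append(f"ipfw delete {rule}")
        return cmds


def process(lines: Iterable[str], bl: Blocklist, now: float,
            signatures: Iterable[str] = DEFAULT_SIGNATURES) -> List[str]:
    """One monitoring pass: expire old entries, then block new probe sources."""
    cmds = bl.expire(now)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, request, _status = parsed
        if is_probe(request, signatures):
            cmds.extend(bl.block(ip, now))
    return cmds


# Constructed sample log lines (documentation addresses, not real clients).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2001:11:48:18 -0600] "GET /index.html HTTP/1.0" 200 1234',
    '192.0.2.77 - - [19/Sep/2001:11:48:19 -0600] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 215',
    '192.0.2.77 - - [19/Sep/2001:11:48:19 -0600] "GET /msadc/cmd.exe?/c+dir HTTP/1.0" 404 215',
    '198.51.100.3 - - [19/Sep/2001:11:48:20 -0600] "GET /probe/CMD%2EEXE?/c+dir HTTP/1.0" 404 215',
    '127.0.0.1 - - [19/Sep/2001:11:48:21 -0600] "GET /cmd.exe HTTP/1.0" 404 215',
    'this line is not in common log format',
]

if __name__ == "__main__":
    bl = Blocklist()
    for cmd in process(SAMPLE_LOG, bl, now=1000.0):
        print(cmd)
```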
*****************************************************
Open Door Ltd
PO Box 119-46
Wellington, NZ

PH +64 4 384 7639
FX +64 4 384 7672
*****************************************************

From owner-freebsd-security Wed Sep 19 15:52:19 2001
Date: Wed, 19 Sep 2001 16:52:11 -0600
From: Colin Faber
Cc: security@FreeBSD.ORG
Subject: Re: NIMDA Virus (OT)

Fyi, in case anyone hasn't noticed, Microsoft's Frontpage site http://www.microsoft.com/frontpage has been infected.

wget -q http://www.microsoft.com/frontpage; tail index.html

(assuming it hasn't been fixed yet)

rshea@opendoor.co.nz wrote:
>
> > We just put a log monitor on the Apache server, and are firewalling
> > anything that sends a request with "cmd.exe" in it. Quite effective.
>
> I'd like to do this too. I use IPFW. Can anyone point me at a 'how-to' ? I
> thought IPFW rules could only be based on IP address or service type ?
>
> thanks
>
> richard shea.
>
> *****************************************************
> Open Door Ltd
> PO Box 119-46
> Wellington, NZ
>
> PH +64 4 384 7639
> FX +64 4 384 7672
> *****************************************************

From owner-freebsd-security Wed Sep 19 16:26:49 2001
Date: Wed, 19 Sep 2001 19:26:41 -0400 (EDT)
From: Rob Simmons
Subject: Secure branch support

Will the RELENG_4_3 branch continue to get patched now, or will only the RELENG_4_4 branch be supported from now on?
Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security Wed Sep 19 16:52:32 2001
Date: Wed, 19 Sep 2001 20:50:36 -0300 (ART)
From: Fernando Gleiser
Subject: Re: NIMDA Virus

On Thu, 20 Sep 2001 rshea@opendoor.co.nz wrote:

>
> I'd like to do this too. I use IPFW. Can anyone point me at a 'how-to' ? I
> thought IPFW rules could only be based on IP address or service type ?

This is a quick and dirty perl script I made. It is for IP Filter, but it shouldn't be difficult to modify it to work with ipfw.

Hope this helps.
Fer

------------------------------8< ----------------
#!/usr/bin/perl -w

# Follow the Apache access log and, with IP Filter, block any source that
# requests cmd.exe through a winnt path.
my $logfile="tail -f path_to_your_access_log |";
my $if="xl0"; #change to match your interface

open LOG, $logfile or die "cant open";

while (<LOG>) {
    if ($_=~/^([^\s]+).*GET.+winnt.+cmd.exe/) {
        # Hand one rule to ipf on stdin: reset TCP from the offending source.
        open FW, "| ipf -f -" or die "cant open pipe";
        print FW "block return-rst in quick on $if proto tcp from $1 to any\n";
        close FW;
    }
}
------------------------------8< ----------------

>
> thanks
>
> richard shea.
>
>
> *****************************************************
> Open Door Ltd
> PO Box 119-46
> Wellington, NZ
>
> PH +64 4 384 7639
> FX +64 4 384 7672
> *****************************************************

From owner-freebsd-security Wed Sep 19 17:20:26 2001
Date: Wed, 19 Sep 2001 20:16:59 -0400 (EDT)
From: Mike Heffner
Subject: RE: bad list during ftp session
To: Anton Vladimirov
Cc: freebsd-security@FreeBSD.ORG

Is this repeatable? (ie. the same files aren't displaying in a directory) Any common pattern to the filenames? What client are you using?

On 19-Sep-2001 Anton Vladimirov wrote:
| Hello freebsd-security,
|
| Periodically I am facing some strange problem with my ftp server.
| Some files and dirs are not listed by the ls command, while
| in the shell all looks Ok.
|
| All user mode/privileges are the same for all files in the
| directory, but some of them are listed and the others aren't!
|
| If I copy all directory content to the new place and
| then return it back, "ls" goes to normal operation.
|
| What is the reason, and how to correct this?
|
| I use 4.0 release, if it makes any importance...
|

Mike

--
Mike Heffner
Blacksburg, VA

From owner-freebsd-security Wed Sep 19 17:24:11 2001
Date: Wed, 19 Sep 2001 17:24:07 -0700
From: Kris Kennaway
To: Rob Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: Secure branch support

On Wed, Sep 19, 2001 at 07:26:41PM -0400, Rob Simmons wrote:
> Will the RELENG_4_3 branch continue to get patched now, or will only the
> RELENG_4_4 branch be supported from now on?
Yes, we intend to continue supporting RELENG_4_3 as long as 4.3-RELEASE itself is supported. That will probably be until the release of 4.5-RELEASE, perhaps longer.

Kris

From owner-freebsd-security Wed Sep 19 17:29:34 2001
Date: Thu, 20 Sep 2001 12:28:48 +1200
From: rshea@opendoor.co.nz
To: fgleiser@cactus.fi.uba.ar
Subject: Re: NIMDA Virus

> This is a quick and dirty perl script I made. It is for IP Filter, but it
> shouldn't be difficult to modify it to work with ipfw.
>

Thanks Fernando, I'll check it out.
richard shea

From owner-freebsd-security Wed Sep 19 18:26:08 2001
Date: Wed, 19 Sep 2001 21:26:01 -0400
From: Mike Tancsa
To: security@freebsd.org
Subject: FreeBSD virus ?

While grabbing the latest copy of my NAI dat file and looking through the readme to see what's new, I found this in the list of new worms

INTERNET WORM (17)
------------------
FREEBSD/WOODWORM

Huh? Looking at their web site, I could not find anything listed as that. Does anyone know what they are talking about? Dejanews didn't show anything either.
---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Wed Sep 19 18:41:16 2001
Date: Wed, 19 Sep 2001 21:47:08 -0400 (EDT)
From: Dru
To: Mike Tancsa
Subject: Re: FreeBSD virus ?

On Wed, 19 Sep 2001, Mike Tancsa wrote:

> While grabbing the latest copy of my NAI dat file and looking through the
> readme to see whats new, I found this in the list of new worms
>
>
> INTERNET WORM (17)
> ------------------
> FREEBSD/WOODWORM
>
> Huh ?
> Looking at their web site, I could not find anything listed as that.
> Does anyone know what they are talking about ? Dejanews didnt show anything
> either.

Hi Mike,

Wonder if it's referring to this? You're offered the ability to download a gzipped file, but I didn't bother as I like my FreeBSD box :)

http://members.tripod.com/mixtersecurity/progs.html

Dru

From owner-freebsd-security Wed Sep 19 19:21:24 2001
Date: Wed, 19 Sep 2001 19:20:55 -0700 (PDT)
From: Bigby Findrake
To: Dru
Cc: Mike Tancsa, security@FreeBSD.ORG
Subject: Re: FreeBSD virus ?

From the readme in that tarfile:

----------------------------------------
Woodworm - a UNIX virus by Mixter

Disclaimer: This program is distributed under the GNU GPL, which implies that I take no responsibility for anything it causes.
Well, this one is kinda lame, it is a companion virus. It will search for ELF files starting from / recursively, and spawn copies of itself while it renames the original files (this is the classic companion virus). All it does to the ELF binaries is change their 6th byte to '0' so it recognizes them as already targeted.

What are the 'advantages' of this virus? Well, it is portable. It should be 99.9% POSIX compliant, and with the right includes compile and run on every UNIX out there.

Payloads: for non-root it displays a nice ANSI graphic, for root it opens a shell on port 1234. :)

Mixter
----------------------------------------

Quoting Dru:

>
> On Wed, 19 Sep 2001, Mike Tancsa wrote:
>
> > While grabbing the latest copy of my NAI dat file and looking through the
> > readme to see whats new, I found this in the list of new worms
> >
> >
> > INTERNET WORM (17)
> > ------------------
> > FREEBSD/WOODWORM
> >
> > Huh ? Looking at their web site, I could not find anything listed as that.
> > Does anyone know what they are talking about ? Dejanews didnt show anything
> > either.
>
> Hi Mike,
>
> Wonder if it's referring to this? You're offered the ability to download a
> gzipped file, but I didn't bother as I like my FreeBSD box :)
>
> http://members.tripod.com/mixtersecurity/progs.html
>
> Dru

-------------------------------------------------
Be a Bizatch!
http://webmail.bizatch.org

From owner-freebsd-security Wed Sep 19 19:31:06 2001
Date: Thu, 20 Sep 2001 12:30:32 +1000
From: Stanley Hopcroft
To: security@FreeBSD.ORG
Subject: Re: NIMDA Virus

Dear Ladies and Gentlemen,

Here is an attempt at an ipfw equivalent of Mr Gleiser's auto adding of ipfilter rules.
#!/usr/bin/perl -w

use strict;

# Follow the Apache access log and, for each new source that requests
# cmd.exe through a winnt path, add one ipfw rule resetting its TCP traffic.
my $logfile = "tail -f /usr/local/apache/logs/pericles.aipo.gov.au-access_log |";
my $if = "fxp0";
my $ipfw_filename = "/root/ipfw_msiis";
my %reset;    # sources already blocked, so each gets a single rule

open(LOG, $logfile) or die "can't open $logfile as pipe: $!";

while (<LOG>) {
    if ($_ =~ /^([^\s]+).*GET.+winnt.+cmd.exe/) {
        unless ($reset{$1}++) {
            open(FW, "> $ipfw_filename") or die "Can't open $ipfw_filename: $!";
            print FW "add reset tcp from $1 to any via $if\n";
            # print FW "block return-rst in quick on $if proto tcp from $1 to any";
            close FW;

            # ipfw loads the rule file; system() returns 0 on success.
            system "/sbin/ipfw $ipfw_filename" and die "ipfw rules failed: $!";
        }
    }
}

Use at your own risk/peril of course.

Yours sincerely.

--
------------------------------------------------------------------------
Stanley Hopcroft                              IP Australia
Network Specialist
+61 2 6283 3189  +61 2 6281 1353 (FAX)        Stanley.Hopcroft@IPAustralia.Gov.AU
------------------------------------------------------------------------
Parkinson's Fourth Law:
        The number of people in any working group tends to increase regardless of the amount of work to be done.
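As an added example, not one of the scripts posted in this thread: the same log-monitor idea as Fernando Gleiser's IP Filter script and Stanley Hopcroft's ipfw version above, written in Python with the checks a defender would want before letting log content drive firewall rules. Both Perl scripts interpolate whatever `^([^\s]+)` captured straight into a rule; here the source field is accepted only if it parses as an IPv4 address, so a malformed or hostile log entry cannot put text such as `any` into a rule (the self-inflicted denial of service Rob Simmons warned about earlier in the thread). Each address gets one rule (Hopcroft's `%reset`), the rule is restricted to destination port 80 following Brett Glass's argument that blocking only the Web port limits the damage when a NAT or proxy address is hit, and ipfw is invoked with an argument list rather than a shell string or temporary file. The interface name, rule number and sample log lines are constructed assumptions.

```python
"""Log-driven blocking of cmd.exe probes, with input validation.

Added example for this thread, not one of the posted scripts. It consumes
Apache access-log lines (from 'tail -f' or similar on stdin) and emits one
ipfw rule per newly seen source whose request contains cmd.exe. The
interface, rule number and sample lines below are assumptions.
"""
import ipaddress
import re
import subprocess
import sys

IFACE = "fxp0"          # assumed interface, as in the thread's ipfw script
RULE_NUMBER = 1000      # assumed rule slot; ipfw allows several rules per number

# Combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" (?P<status>\d{3})')
# The token the whole thread keys on.
PROBE_RE = re.compile(r"cmd\.exe", re.IGNORECASE)


def parse_line(line):
    """Return (source_ip, request) for a well-formed log line whose source
    field is a real IPv4 address; None otherwise. Rejecting anything else
    keeps log content such as 'any' out of the generated rule."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        src = ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:
        return None
    return str(src), m.group("request")


def is_probe(request):
    """True if the request line asks for cmd.exe."""
    return PROBE_RE.search(request) is not None


def ipfw_rule(src):
    """argv for ipfw: reset TCP from src to our port 80 only, so a blocked
    NAT or proxy address loses nothing but Web access."""
    return ["/sbin/ipfw", "add", str(RULE_NUMBER), "reset", "tcp",
            "from", src, "to", "any", "80", "in", "via", IFACE]


def rules_for(lines, seen=None):
    """Yield one ipfw argv per probing source not seen before."""
    seen = set() if seen is None else seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, request = parsed
        if is_probe(request) and src not in seen:
            seen.add(src)
            yield ipfw_rule(src)


# Constructed sample: two probes from one host (one rule), a benign request,
# and a line whose source field is not an address and must be dropped.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2001:20:50:36 -0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [19/Sep/2001:20:50:37 -0300] "GET /scripts/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.7 - - [19/Sep/2001:20:50:38 -0300] "GET /index.html HTTP/1.1" 200 1234',
    'any - - [19/Sep/2001:20:50:39 -0300] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
]


def main(apply_rules=False):
    """Dry run prints the rules for the sample; --apply reads stdin and runs ipfw."""
    source = sys.stdin if apply_rules else SAMPLE_LOG
    emitted = []
    for argv in rules_for(source):
        emitted.append(argv)
        if apply_rules:
            subprocess.run(argv, check=True)
        else:
            print(" ".join(argv))
    return emitted


if __name__ == "__main__":
    main(apply_rules="--apply" in sys.argv[1:])
```

Run without arguments it prints the single rule the constructed sample produces; with `--apply` it reads log lines on stdin (for example from `tail -f` on the access log) and executes ipfw for each new source, so it has to run as root on the firewall host. The dedup set lives only in memory, so a restart forgets which sources were already blocked, exactly as with the `%reset` hash in the Perl version.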
From owner-freebsd-security Wed Sep 19 19:37:04 2001
Date: Wed, 19 Sep 2001 20:35:28 -0600
From: Brett Glass
To: Stanley Hopcroft, security@FreeBSD.ORG
Subject: Re: NIMDA Virus

This will stop working when the logs rotate. Better to pipe to it from syslog.conf, or work from an ErrorDocument CGI. Or use mod_rewrite and put it in as a mapping process.

--Brett

At 08:30 PM 9/19/2001, Stanley Hopcroft wrote:
>Dear Ladies and Gentlemen,
>
>Here is an attempt at an ipfw equivalent of Mr Gleiser's auto adding of
>ipfilter rules.
>
>#!/usr/bin/perl -w
>
>use strict ;
>
>my $logfile="tail -f /usr/local/apache/logs/pericles.aipo.gov.au-access_log |";
>my $if="fxp0";
>my $ipfw_filename = "/root/ipfw_msiis" ;
>my %reset ;
>
>open(LOG, $logfile) or die "can't open $logfile as pipe: $!";
>
>while (<LOG>) {
>    if ($_=~/^([^\s]+).*GET.+winnt.+cmd.exe/) {
>
>        unless ( $reset{$1}++ ) {
>            open(FW, "> $ipfw_filename") or die "Can't open $ipfw_filename: $!" ;
>
>            print FW "add reset tcp from $1 to any via $if " ;
>            # print FW "block return-rst in quick on $if proto tcp from $1 to any";
>            close FW;
>
>            system "/sbin/ipfw $ipfw_filename" and die "ipfw rules failed: $!" ;
>
>        }
>    }
>}
>
>Use at your own risk/peril of course.
>
>Yours sincerely.
>
>--
>------------------------------------------------------------------------
>Stanley Hopcroft                              IP Australia
>Network Specialist
>+61 2 6283 3189  +61 2 6281 1353 (FAX)        Stanley.Hopcroft@IPAustralia.Gov.AU
>------------------------------------------------------------------------
>Parkinson's Fourth Law:
>        The number of people in any working group tends to increase
>regardless of the amount of work to be done.

From owner-freebsd-security Wed Sep 19 20:04:02 2001
Date: Thu, 20 Sep 2001 11:03:57 +0800
From: Igor Podlesny
To: "Marc G.
Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re[2]: ipfw problems ...

> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...

> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...

> I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
> still have more that I want to put in, but today the machine locked up
> solid ...

> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ... got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...

> ~900 or so of the rules are purely 'pass thru' rules ...

> we have two
> connections to the internet ...

May we know how exactly your system is connected? Two connections usually mean two network interfaces and some specially set up routing policy, therefore the shaping could be easily done using these circumstances. So what is your situation?

> one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> rules are the ones that define those b-class networks that are on the
> 'costs us nothing' network ...

> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ...
> is there a setting in the kernel, or
> somewhere, that I should be setting to allow for such a high number of
> rules, or is it just not possible to do more than a few hundred? :(

> Thanks

--
Igor
mailto:poige@morning.ru

From owner-freebsd-security Wed Sep 19 20:19:01 2001
Date: Wed, 19 Sep 2001 20:18:46 -0700 (PDT)
From: Brian Whalen
To: Tom ONeil
Subject: Re: EMERGENCY - Arp attack? Am I being DOS'd ?

u r about to become the network guy, this is a classic symptom of a very widespread attack going on now. See www.cert.org for example.

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Wed, 19 Sep 2001, Tom ONeil wrote:

>
> Network guy on vacation, pls help if you can.
> Having major problems w/ my router getting overloaded.
>
> See below - BTW - gw is my router.
>
> # tcpdump -p | grep " arp "
> tcpdump: listening on rl0
> 22:04:43.323267 arp who-has 216.178.158.211 tell router-216-178-158-1.tacni.net
> 22:04:43.398803 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
> 22:04:43.473615 arp who-has 216-178-189-15.tacni.net tell router-216-178-189-1.tacni.net
> 22:04:43.623222 arp who-has 216.178.155.95 tell gw
> 22:04:43.636589 arp who-has 216.178.188.168 tell gw
> 22:04:43.679175 arp who-has 216.178.136.88 tell gw
> 22:04:43.684980 arp who-has 216.178.135.108 tell gw
> 22:04:43.758496 arp who-has 209.251.183.42 tell gw
> 22:04:43.793178 arp who-has 216.178.155.158 tell gw
> 22:04:43.832945 arp who-has 216-178-189-22.tacni.net tell router-216-178-189-1.tacni.net
> 22:04:43.947669 arp who-has 216.178.155.26 tell gw
> 22:04:43.989166 arp who-has 209.251.183.163 tell gw
> 22:04:44.102455 arp who-has 209.251.183.1 tell 209.251.183.225
> 22:04:44.279331 arp who-has 216.178.155.78 tell gw
> 22:04:44.391065 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
> 22:04:44.666819 arp who-has 216.178.135.202 tell gw
> 22:04:44.824443 arp who-has 216.178.155.92 tell gw
> 22:04:44.977537 arp who-has 216.178.154.141 tell gw
> 22:04:45.070651 arp who-has 216.178.136.2 tell gw
> 22:04:45.116522 arp who-has 216.178.156.42 tell gw
> 22:04:45.116901 arp who-has 209.251.183.1 tell 209.251.183.225
> 22:04:45.296852 arp who-has 216.178.135.31 tell gw
> 22:04:45.391056 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
> 22:04:45.558506 arp who-has 216.178.188.1 tell 216.178.188.14
>
>
>
>
> --
> Thomas J.
> ONeil tom.oneil@tacni.com
> http://www.tacni.net
> "National Power, Local Presence"

From owner-freebsd-security Wed Sep 19 20:21:08 2001
Date: Thu, 20 Sep 2001 05:21:24 +0200
From: "Karsten W. Rohrbach"
To: Fernando Gleiser
Cc: rshea@opendoor.co.nz, security@FreeBSD.ORG
Subject: Re: NIMDA Virus
Fernando Gleiser(fgleiser@cactus.fi.uba.ar)@2001.09.19 20:50:36 +0000: >=20 > my $logfile=3D"tail -f path_to_your_access_log |"; tail -F that is (capital f) if you are on 4.x. reopens the log when it get rotated /k --=20 > Blessed are the meek for they shall inhibit the earth. KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --3ioKt2kN+IccB5F4 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7qWC0M0BPTilkv0YRArM2AKCLXbYODzn6oLvMcAJCgz6jeX4fLwCgkiiz nmo0ep6f2bfrLCCFbO87UzA= =TlBN -----END PGP SIGNATURE----- --3ioKt2kN+IccB5F4-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 19 23:28:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp012.mail.yahoo.com (smtp012.mail.yahoo.com [216.136.173.32]) by hub.freebsd.org (Postfix) with SMTP id D732437B41A for ; Wed, 19 Sep 2001 23:28:17 -0700 (PDT) Received: from unknown (HELO RAMBUS) (216.179.225.200) by smtp.mail.vip.sc5.yahoo.com with SMTP; 20 Sep 2001 06:26:44 -0000 X-Apparently-From: Message-ID: <004e01c1419d$3dfdd200$c8e1b3d8@liquidground.com> Reply-To: "DrTebi" From: "DrTebi" To: Subject: How Nimda can effect Samba users Date: Wed, 19 Sep 2001 23:26:54 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org like a little child I had to touch the hot plate. I am using 4 FreeBSD servers, and one win98 machine as my "GUI". Using the win box, I went to a website that (according to my logs) seemed infected with the Nimda virus. A popup window came up, I closed it, felt weird things were going on, and I was right. A process tool for windows showed a process running that I did never notice before. I shut it down immediately, updated my virus scanner (InoculateIT), and did a full scan. The virus scanner was up to date and found a few files infected by "Nimda". - What happened with Samba To ease my work I use a Samba server and share the htdocs directory. Nimda immediately copied files into every share listed in my Network, and in subfolders of those. These files are typically coins.eml vendors.eml wt10us.eml start.eml test.nws Oh well, it seems like that's all it could do to the FreeBSD servers. Supposedly the virus also infects html files, adding a little
