From owner-freebsd-security Sun Apr 7 0: 9:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 11A6737B419 for ; Sun, 7 Apr 2002 00:09:57 -0800 (PST) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id SAA06353; Sun, 7 Apr 2002 18:09:49 +1000 (EST) From: Darren Reed Message-Id: <200204070809.SAA06353@caligula.anu.edu.au> Subject: Re: pf OR ipf ? To: cjclark@alum.mit.edu Date: Sun, 7 Apr 2002 18:09:48 +1000 (Australia/ACT) Cc: scott@lampert.org (Scott Lampert), security@FreeBSD.ORG In-Reply-To: <20020406214253.H70207@blossom.cjclark.org> from "Crist J. Clark" at Apr 06, 2002 09:42:54 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Crist J. Clark, sie said: > > It's in 5.0-CURRENT so it may make 5.0-RELEASE. ;) I do not plan to > merge the code into 4.x-STABLE in its current form. I really am not > happy with how it works in -CURRENT either, but to get it to work more > cleanly and in a way darrenr suggested, I'd need to modify IPFilter > code, which I have tried to avoid. So the -CURRENT code is > experimental, but that's OK for -CURRENT. It's not OK for -STABLE. Ack. what was it that I suggested (that needed ipfilter code changed) ? 
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 7 0:17: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 1B56A37B400; Sun, 7 Apr 2002 00:17:01 -0800 (PST) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020407081700.BFDV18078.rwcrmhc51.attbi.com@blossom.cjclark.org>; Sun, 7 Apr 2002 08:17:00 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g378H0571807; Sun, 7 Apr 2002 00:17:00 -0800 (PST) (envelope-from cjc) Date: Sun, 7 Apr 2002 00:17:00 -0800 From: "Crist J. Clark" To: ozkan_kirik Cc: freebsd-question@FreeBSD.ORG Subject: Re: NAT question. Message-ID: <20020407001700.I70207@blossom.cjclark.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from ozkan_kirik@yahoo.com on Sat, Apr 06, 2002 at 07:42:17PM -0000 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org [Redirected to -questions from -security.] On Sat, Apr 06, 2002 at 07:42:17PM -0000, ozkan_kirik wrote: > in my LAN, NAT function is on Router. > I wanna remove NAT from router. how can i activate NAT on firewall. > i use FreeBSD 4.5 Using ipfw(8) or ipf(8)? -- Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 7 0:23:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id 87EE537B400 for ; Sun, 7 Apr 2002 00:23:16 -0800 (PST) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020407082316.LDWH15826.rwcrmhc54.attbi.com@blossom.cjclark.org>; Sun, 7 Apr 2002 08:23:16 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g378NFc71839; Sun, 7 Apr 2002 00:23:15 -0800 (PST) (envelope-from cjc) Date: Sun, 7 Apr 2002 00:23:15 -0800 From: "Crist J. Clark" To: Darren Reed Cc: Scott Lampert , security@FreeBSD.ORG Subject: Re: pf OR ipf ? Message-ID: <20020407002315.J70207@blossom.cjclark.org> References: <20020406214253.H70207@blossom.cjclark.org> <200204070809.SAA06353@caligula.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200204070809.SAA06353@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Sun, Apr 07, 2002 at 06:09:48PM +1000 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, Apr 07, 2002 at 06:09:48PM +1000, Darren Reed wrote: > In some mail from Crist J. Clark, sie said: > > > > It's in 5.0-CURRENT so it may make 5.0-RELEASE. ;) I do not plan to > > merge the code into 4.x-STABLE in its current form. 
I really am not > > happy with how it works in -CURRENT either, but to get it to work more > > cleanly and in a way darrenr suggested, I'd need to modify IPFilter > > code, which I have tried to avoid. So the -CURRENT code is > > experimental, but that's OK for -CURRENT. It's not OK for -STABLE. > > Ack. what was it that I suggested (that needed ipfilter code changed) ? A separate inetsw[] structure for the bridging. I don't see how you can do that without changing IPFilter code. Or am I missing something? I _can_ do this, and it creates some really interesting possibilities (the obvious one being completely independent filter lists for the bridge and the IP stack). But I really do not want to create a divergent branch of IPFilter that isn't going to get merged back in. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 7 0:26:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 198D937B400; Sun, 7 Apr 2002 00:26:25 -0800 (PST) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020407082624.UUCT3676.rwcrmhc52.attbi.com@blossom.cjclark.org>; Sun, 7 Apr 2002 08:26:24 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g378QNE71854; Sun, 7 Apr 2002 00:26:23 -0800 (PST) (envelope-from cjc) Date: Sun, 7 Apr 2002 00:26:23 -0800 From: "Crist J. Clark" To: Peter Leftwich Cc: FreeBSD Questions , FreeBSD Security Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?" 
Message-ID: <20020407002623.K70207@blossom.cjclark.org> References: <20020406235622.O877-100000@66-75-1-142.san.rr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020406235622.O877-100000@66-75-1-142.san.rr.com>; from Hostmaster@Video2Video.Com on Sun, Apr 07, 2002 at 12:00:55AM -0800 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, Apr 07, 2002 at 12:00:55AM -0800, Peter Leftwich wrote: > prompt$ pkg_info | grep -i openssh > openssh-3.0.2 OpenBSD's secure shell client and server (remote login prog > > I just upgraded (or tried to upgrade) openssh on my FreeBSD 4.5-RELEASE > box using /stand/sysinstall but I get this (ver. 2.9??) when I type: > > prompt$ ssh -V > OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f Did you actually change the rc.conf(5) file to start the new daemon, which probably lives in /usr/local/sbin/sshd, rather than the old one in /usr/sbin/sshd? -- Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 7 0:55: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from nycsmtp2out.rdc-nyc.rr.com (nycsmtp2out.rdc-nyc.rr.com [24.29.99.227]) by hub.freebsd.org (Postfix) with ESMTP id E2C1E37B405; Sun, 7 Apr 2002 00:54:57 -0800 (PST) Received: from scott1.nyc.rr.com (24-168-24-239.nyc.rr.com [24.168.24.239]) by nycsmtp2out.rdc-nyc.rr.com (8.12.1/Road Runner SMTP Server 1.0) with SMTP id g378qcu0011691; Sun, 7 Apr 2002 04:52:38 -0400 (EDT) Date: Sun, 7 Apr 2002 04:55:29 -0400 From: Scott Robbins To: Peter Leftwich Cc: FreeBSD-Questions@FreeBSD.ORG, FreeBSD-Security@FreeBSD.ORG Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?" Message-Id: <20020407045529.2999f2fa.scottro@nyc.rr.com> In-Reply-To: <20020406235622.O877-100000@66-75-1-142.san.rr.com> References: <20020406235622.O877-100000@66-75-1-142.san.rr.com> X-Mailer: Sylpheed version 0.7.4 (GTK+ 1.2.10; i386-portbld-freebsd4.5) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, 7 Apr 2002 00:00:55 -0800 (PST) Peter Leftwich wrote: > prompt$ pkg_info | grep -i openssh > openssh-3.0.2 OpenBSD's secure shell client and server (remote > login prog > > I just upgraded (or tried to upgrade) openssh on my FreeBSD > 4.5-RELEASE box using /stand/sysinstall but I get this (ver. 2.9??) > when I type: > > prompt$ ssh -V > OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, > OpenSSL 0x0090601f > > pkg_help -r --source majordomo? 
;-) > > Probably the simplest way to upgrade to 3.1 (which seems to be advisable in itself) is Get the source tarball from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1.tar.gz Unzip it. tar -zxvf openssh-3.1p1.tar.gz CD to the new directory cd openssh-3.1p1 Configure it with the following parameters ./configure --with-pam --sysconfdir=/etc/ssh --prefix=/usr make; make install killall -HUP sshd I posted about this recently, and someone mentioned that there is a way to get the same result by using ports and referred me to another web page. After looking at that page, it seemed to me that this way is far less work.(This solution given me by Michael Smith, as I don't want to steal the credit) Thanks Scott Robbins To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 7 3:53:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtpzilla5.xs4all.nl (smtpzilla5.xs4all.nl [194.109.127.141]) by hub.freebsd.org (Postfix) with ESMTP id 3F01737B417 for ; Sun, 7 Apr 2002 03:53:39 -0700 (PDT) Received: from list1.xs4all.nl (list1.xs4all.nl [194.109.6.52]) by smtpzilla5.xs4all.nl (8.12.0/8.12.0) with ESMTP id g37ArYKx029433 for ; Sun, 7 Apr 2002 12:53:38 +0200 (CEST) Received: (from root@localhost) by list1.xs4all.nl (8.9.3/8.9.3) id MAA05190; Sun, 7 Apr 2002 12:53:34 +0200 (CEST) From: Rob Frohwein To: freebsd-security@freebsd.org X-Via: imploder /usr/local/lib/mail/news2mail/news2mail at list1.xs4all.nl Subject: heimdal kerberos problems Date: Sun, 07 Apr 2002 11:53:59 +0200 Organization: XS4ALL Internet BV Message-ID: <3CB01737.6050001@frohwein.xs4all.nl> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi , I am trying to get heimdal kerbereros5 running on freeBSD4.5. 
The KDC seems to function , I can obtain a ticket from the kdc. But the application clients and services like login/logind and telnet/telnetd and pam doesnt seem to function after the heimdal install. Has anyone had any success with using heimdal on freeBSD. I cant get the 'official' MIT version because of US export limitations. I am using freeBSD STABLE 4.5 There are 3 machines K(dc) S(erver) end C(lient). In fact K and S are the same machine. To install kerberos I did: 1 make -DMAKE_KERBEROS5 buildworld (is this necessary ??) 2 make & install heimdal (/usr/ports/security/heimdal) 3 On all machines added /etc/krb5.conf ----------------------------------- [libdefaults] default_realm = RFKERB clockskew = 300 [realms] RFKERB = { kdc = vhfbsd45-3.frohwein.xs4all.nl. } [domain_realm] frohwein.xs4all.nl = RFKERB ----------------------------------- (vhfbsd45-3 is the name of Kdc/Server) 4 On K: k5admin -l kadmin> init RFKERB kadmin> add myself ... kadmin> add --random-key host/vhfbsd45-3.frohwein.xs4all.nl. kadmin> ext host/vhfbsd45-3.frohwein.xs4all.nl. So i added some users + a keytab file for Server role. 6 On S (==K): /etc/pam.conf klogin auth required pam_krb5.so try_first_pass And commented out the other login lines 7 On S (==K): /etc/inetd.conf klogin stream tcp nowait root /usr/libexec/rlogind rlogind -k 8 From C rlogin -k RFKERB -l user1 vhfbsd45-3 rlogin: illegal option -- k This rlogin does not comply to the man page. So what has heimdal installed? When i just do: rlogin -l user1 vhfbsd45-3 I see that (ethereal) that a standard (port 513) rlogin request attempt is made. 9 Telnet In the manpage about telnetd i see no options for kerberos. I tried: pam.conf: telnetd auth required pam_krb5.so try_first_pass inetd.conf normal Result: telnet -l user1 vhfbsd45-3 A normal SRA login is the result, no kerberos involved. So i think something is wrong with the heimdal install for the applications like telnet and login. 
10 I go to /usr/ports/security/heimdal/work/heimdal-0.4e/appl/telnet And use the telnet client there. When i do a login attempt i see on K in the logging: Apr 7 02:43:59 vhfbsd45-3 login: no modules loaded for `login' service Apr 7 02:43:59 vhfbsd45-3 login: pam_open_session: Permission denied Because I can acquire a tgt on C and indeed with k5list I can see the ticket, I think only the installation of the kdc is ok , the rest fails. thanks for some advice. Rob Frohwein To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 7 7:18:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 3256437B400; Sun, 7 Apr 2002 07:18:44 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id AAA04872; Mon, 8 Apr 2002 00:18:42 +1000 (EST) From: Darren Reed Message-Id: <200204071418.AAA04872@caligula.anu.edu.au> Subject: Re: pf OR ipf ? To: cjc@FreeBSD.ORG (Crist J. Clark) Date: Mon, 8 Apr 2002 00:18:42 +1000 (Australia/ACT) Cc: security@FreeBSD.ORG In-Reply-To: <20020407002315.J70207@blossom.cjclark.org> from "Crist J. Clark" at Apr 07, 2002 12:23:15 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Crist J. Clark, sie said: > > On Sun, Apr 07, 2002 at 06:09:48PM +1000, Darren Reed wrote: > > In some mail from Crist J. Clark, sie said: > > > > > > It's in 5.0-CURRENT so it may make 5.0-RELEASE. ;) I do not plan to > > > merge the code into 4.x-STABLE in its current form. 
I really am not > > > happy with how it works in -CURRENT either, but to get it to work more > > > cleanly and in a way darrenr suggested, I'd need to modify IPFilter > > > code, which I have tried to avoid. So the -CURRENT code is > > > experimental, but that's OK for -CURRENT. It's not OK for -STABLE. > > > > Ack. what was it that I suggested (that needed ipfilter code changed) ? > > A separate inetsw[] structure for the bridging. I don't see how you > can do that without changing IPFilter code. Or am I missing something? No, you're not. > I _can_ do this, and it creates some really interesting possibilities > (the obvious one being completely independent filter lists for the > bridge and the IP stack). But I really do not want to create a > divergent branch of IPFilter that isn't going to get merged back > in. Yes, I have been considering this too. In some ways, it makes sense. For example, you might have a box with both bridging interfaces and routing interfaces. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 7 10:20:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from bigglesworth.mail.be.easynet.net (bigglesworth.mail.be.easynet.net [212.100.160.67]) by hub.freebsd.org (Postfix) with ESMTP id 9B8AB37B405 for ; Sun, 7 Apr 2002 10:20:15 -0700 (PDT) Received: from 212-100-182-20.adsl.easynet.be ([212.100.182.20] helo=ws-freebsd.defcon1.no-ip.com) by bigglesworth.mail.be.easynet.net with smtp (Exim 3.35 #1) id 16uGKn-0002Xa-00 for freebsd-security@freebsd.org; Sun, 07 Apr 2002 19:20:09 +0200 Date: Sun, 7 Apr 2002 19:20:04 +0200 From: Pieter Danhieux To: freebsd-security@freebsd.org Subject: Re: Centralized authentication Message-Id: <20020407192004.5cbecd18.pdanhieux@easynet.be> In-Reply-To: <20020406170014.5f47c85f.cyschow@shaw.ca> References: <874riov1et.wl@delta.meridian-enviro.com> <20020406170014.5f47c85f.cyschow@shaw.ca> X-Mailer: 
Sylpheed version 0.7.4 (GTK+ 1.2.10; i386-portbld-freebsd4.5) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 6 Apr 2002 17:00:14 -0700 Samuel Chow wrote: > On Sat, 06 Apr 2002 17:43:22 -0600 > "Douglas K. Rand" wrote: > > > We have a few dozen FreeBSD workstaions and servers and as their > > numbers increase managing users and groups via indvidual /etc/passwd > > and /etc/group files is getting more and more tiresome. We also have > > just a few Linux boxes. > > How about NIS? I use it at home with a total > of two machines and one users. > > --- > Samuel Chow > cyschow@shaw.ca > > Segmentation Fault (core dumped) > This message is displayed using recycled electrons. > NIS is a security issue, cause it sends the passwords file trough the network, and any user can sniff it or get it by 'ypcat passwd'. So i would suggest a combination of NIS and RADIUS. NIS takes care of the home directories and users, and RADIUS would authenticate the users. We use it at the University of Gent in our little basement for 6 pc's and 50 users ... 
regards, Pieter Danhieux To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 7 10:35:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from slc.edu (weir-01c.slc.edu [207.106.89.46]) by hub.freebsd.org (Postfix) with ESMTP id 911DD37B416 for ; Sun, 7 Apr 2002 10:35:51 -0700 (PDT) Received: (from anthony@localhost) by slc.edu (8.11.6/8.11.1) id g37HZb300193; Sun, 7 Apr 2002 13:35:37 -0400 (EDT) (envelope-from anthony) Date: Sun, 7 Apr 2002 13:35:37 -0400 From: Anthony Schneider To: Pieter Danhieux Cc: freebsd-security@FreeBSD.ORG Subject: Re: Centralized authentication Message-ID: <20020407133536.A140@mail.slc.edu> References: <874riov1et.wl@delta.meridian-enviro.com> <20020406170014.5f47c85f.cyschow@shaw.ca> <20020407192004.5cbecd18.pdanhieux@easynet.be> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="HlL+5n6rz5pIUxbD" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020407192004.5cbecd18.pdanhieux@easynet.be>; from pdanhieux@easynet.be on Sun, Apr 07, 2002 at 07:20:04PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --HlL+5n6rz5pIUxbD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable >=20 > NIS is a security issue, cause it sends the passwords file trough the net= work, and any user can sniff it or get it by 'ypcat passwd'. So i would sug= gest a combination of NIS and RADIUS. NIS takes care of the home directorie= s and users, and RADIUS would authenticate the users. We use it at the Univ= ersity of Gent in our little basement for 6 pc's and 50 users ... > 'ypcat passwd' does not show passwords...(it shows the usual /etc/passwd st= yle '*' in field 2). 
I believe, however, that if you have an improperly permed master.passwd in your /var/yp directory that that can be read by 'ypcat=20 master.passwd', but i've never tried it. on a private, small LAN, NIS can be okay, but you're right, passwords are p= assed in plaintext across the network. I'd say use Kerberos, OpenLDAP or perhaps= even NIS+ (although, i know little about NIS+, but what i do know is that securi= ty-wise it's a good bit higher on thew ladder than NIS). -Anthony. -Anthony. ----------------------------------------------- PGP key at: http://www.keyserver.net/ http://www.anthonydotcom.com/gpgkey/key.txt Home: http://www.anthonydotcom.com ----------------------------------------------- --HlL+5n6rz5pIUxbD Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjywg2gACgkQ+rDjkNht5F1IDgCgm92VSbhvmmqzDLA1ZFqtYjLx 0oQAnA5vkmgzj8N6/v1uyxIQaqz7rn/z =fGAy -----END PGP SIGNATURE----- --HlL+5n6rz5pIUxbD-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 7 13:32:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id 91BAD37B417 for ; Sun, 7 Apr 2002 13:32:44 -0700 (PDT) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id g37KWYf13089; Sun, 7 Apr 2002 13:32:34 -0700 Date: Sun, 7 Apr 2002 13:32:34 -0700 From: Brooks Davis To: Anthony Schneider Cc: Pieter Danhieux , freebsd-security@FreeBSD.ORG Subject: Re: Centralized authentication Message-ID: <20020407133234.A6268@Odin.AC.HMC.Edu> References: <874riov1et.wl@delta.meridian-enviro.com> <20020406170014.5f47c85f.cyschow@shaw.ca> <20020407192004.5cbecd18.pdanhieux@easynet.be> <20020407133536.A140@mail.slc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; 
micalg=pgp-md5; protocol="application/pgp-signature"; boundary="M9NhX3UHpAaciwkO" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020407133536.A140@mail.slc.edu>; from aschneid@mail.slc.edu on Sun, Apr 07, 2002 at 01:35:37PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --M9NhX3UHpAaciwkO Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 07, 2002 at 01:35:37PM -0400, Anthony Schneider wrote: > on a private, small LAN, NIS can be okay, but you're right, passwords are= passed > in plaintext across the network. I'd say use Kerberos, OpenLDAP or perha= ps even > NIS+ (although, i know little about NIS+, but what i do know is that secu= rity-wise > it's a good bit higher on thew ladder than NIS). NIS+ adds nothing but pain to the equation. It does no encryption (that wasn't exportable) and the authentication sucks to the point that if you compromise root on a host you can probalby log in as any known user who's account is in the database. This is due to the fact that they authenticate the envelope on each packet, but don't insure that the data doesn't change and thus you can use dsniff like techniques to hijack the NIS+ responses and replace the encrypted password with a known one. -- Brooks --=20 Any statement of the form "X is the one, true Y" is FALSE. 
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --M9NhX3UHpAaciwkO Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8sKzhXY6L6fI4GtQRAjOXAKCsMeaRfoJt63SrOuddfG+4oA8PLgCfSxHd 4vTptCYBk1gjwJL872Cs6Zs= =DYxg -----END PGP SIGNATURE----- --M9NhX3UHpAaciwkO-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 7 21:21:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from draco.over-yonder.net (draco.over-yonder.net [198.78.58.61]) by hub.freebsd.org (Postfix) with ESMTP id 4BE3137B419 for ; Sun, 7 Apr 2002 21:21:38 -0700 (PDT) Received: by draco.over-yonder.net (Postfix, from userid 100) id DCDF7FC4; Sun, 7 Apr 2002 23:21:37 -0500 (CDT) Date: Sun, 7 Apr 2002 23:21:37 -0500 From: "Matthew D. Fuller" To: Samuel Chow Cc: "Douglas K. Rand" , freebsd-security@freebsd.org Subject: Re: Centralized authentication Message-ID: <20020407232137.A86378@over-yonder.net> References: <874riov1et.wl@delta.meridian-enviro.com> <20020406170014.5f47c85f.cyschow@shaw.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5-fullermd.1i In-Reply-To: <20020406170014.5f47c85f.cyschow@shaw.ca>; from cyschow@shaw.ca on Sat, Apr 06, 2002 at 05:00:14PM -0700 X-Editor: vi X-OS: FreeBSD Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Apr 06, 2002 at 05:00:14PM -0700 I heard the voice of Samuel Chow, and lo! it spake thus: > > How about NIS? I use it at home with a total > of two machines and one users. NIS is a giant pain in the rump. 
I struggled with it for a while, and finally threw up my hands and just use rdist (over ssh) to distribute passwd and group files, and called it done. Haven't had a moment's trouble since. -- Matthew Fuller (MF4839) | fullermd@over-yonder.net Unix Systems Administrator | fullermd@futuresouth.com Specializing in FreeBSD | http://www.over-yonder.net/ "The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 8 1:27:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from probsd.ws (ilm26-7-034.ec.rr.com [66.26.7.34]) by hub.freebsd.org (Postfix) with ESMTP id 8CDBE37B419 for ; Mon, 8 Apr 2002 01:27:49 -0700 (PDT) Received: from probsd.ws (www@localhost [127.0.0.1]) by probsd.ws (8.12.2/8.12.2) with SMTP id g388UL6j000184 for ; Mon, 8 Apr 2002 04:30:21 -0400 (EDT) (envelope-from ms@probsd.ws) Received: from 192.168.1.2 (SquirrelMail authenticated user ms) by probsd.ws with HTTP; Mon, 8 Apr 2002 04:30:21 -0400 (EDT) Message-ID: <1074.192.168.1.2.1018254621.squirrel@probsd.ws> Date: Mon, 8 Apr 2002 04:30:21 -0400 (EDT) Subject: Berkley Packet Filter From: "Michael Sharp" To: X-Priority: 3 Importance: Normal X-MSMail-Priority: Normal X-Mailer: SquirrelMail (version 1.2.5) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org It is my understanding that if you comment OUT the bpf line in the kernel and re-compile, this disables things like nmap and prevents a sniffer from running on the network * easily * correct? 
The reason I put * easily * in there is because I am aware of other ways to bypass bpf, but I believe disabling would defeat 99% of the script kiddies. Michael To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 8 5:39:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from madeline.boneyard.lawrence.ks.us (madeline.boneyard.lawrence.ks.us [24.124.26.25]) by hub.freebsd.org (Postfix) with ESMTP id 3251137B440 for ; Mon, 8 Apr 2002 05:39:04 -0700 (PDT) Received: from boneyard.lawrence.ks.us (crashtest.boneyard [192.168.101.6]) by madeline.boneyard.lawrence.ks.us (8.11.1/8.11.1) with ESMTP id g38Cd2X94215 for ; Mon, 8 Apr 2002 07:39:02 -0500 (CDT) (envelope-from bsd-sec@boneyard.lawrence.ks.us) Message-ID: <3CB18F66.1060304@boneyard.lawrence.ks.us> Date: Mon, 08 Apr 2002 07:39:02 -0500 From: "Stephen D. Spencer" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020326 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: Re: Centralized authentication References: <874riov1et.wl@delta.meridian-enviro.com> <002401c1ddf7$557e84a0$13ed7ad1@unstable.org> <20020406220150.C2867@rain.macguire.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Benjamin Krueger wrote: > > I'd highly suggest the oft-little understood but incredibly deserving > Kerberos. I truly believe that if it were better documented and understood by > the masses of administrators out there, it would blow away current network > authentication systems. Heck, Microsoft used it to totally revitalize their > network authentication scheme to enormous benefit. Sadly, they then broke it > for anyone who isn't them. 
> Though this is not from personal experience, I believe that K5 has been 'adjusted' to cohabitate correctly with the M$ implementation. -Stephen To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 8 7: 2:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by hub.freebsd.org (Postfix) with ESMTP id 2DF0B37B405 for ; Mon, 8 Apr 2002 07:02:17 -0700 (PDT) Received: from dc.cis.okstate.edu (localhost [127.0.0.1]) by dc.cis.okstate.edu (8.11.6/8.11.3) with ESMTP id g38E2GG95907 for ; Mon, 8 Apr 2002 09:02:16 -0500 (CDT) (envelope-from martin@dc.cis.okstate.edu) Message-Id: <200204081402.g38E2GG95907@dc.cis.okstate.edu> Reply-To: martin@dc.cis.okstate.edu To: freebsd-security@FreeBSD.ORG Subject: Easiest way to reset Account Change Time Date: Mon, 08 Apr 2002 09:02:16 -0500 From: Martin McCormick Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I have password aging set up for normal user accounts. We don't use password expiration, but have the Change field set to a given number of days such that the client needs to change his or her password at that time. If I need to reset someone's password, I choose an agreed-upon password but give it a change date of today so that it is already in need of renewal and the client will change it to something that hopefully only they know. The chpass command has a -e flag for expiration, but is there a quicker way to modify the Change field than using chsh and then manually modifying the Change line? 
Martin McCormick WB5AGZ Stillwater, OK
OSU Center for Computing and Information Services Network Operations Group

From owner-freebsd-security Mon Apr 8 8: 4:26 2002
Delivered-To: freebsd-security@freebsd.org
Received: from nesos.prognostikos.com (nesos.prognostikos.com [207.173.200.105]) by hub.freebsd.org (Postfix) with ESMTP id 55E9037B400 for ; Mon, 8 Apr 2002 08:04:20 -0700 (PDT)
Received: by nesos.prognostikos.com (Postfix, from userid 1000) id 7204634F3F; Mon, 8 Apr 2002 08:04:14 -0700 (PDT)
Date: Mon, 8 Apr 2002 08:04:14 -0700
From: Matt Rohrer
To: Martin McCormick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Easiest way to reset Account Change Time
Message-ID: <20020408150414.GA77837@nesos.prognostikos.com>
References: <200204081402.g38E2GG95907@dc.cis.okstate.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200204081402.g38E2GG95907@dc.cis.okstate.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, Apr 08, 2002 at 09:02:16AM -0500, Martin McCormick wrote:
[snip]
> The chpass command has a -e flag for expiration, but is
> there a quicker way to modify the Change field than using chsh
> and then manually modifying the Change line?
[rohrer@nesos:~]$ pw usermod help

--
---------------------------------------------------------------
Matt Rohrer http://prognostikos.com/ 503.816.8789
---------------------------------------------------------------

From owner-freebsd-security Mon Apr 8 8:18:47 2002
Delivered-To: freebsd-security@freebsd.org
Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by hub.freebsd.org (Postfix) with ESMTP id 0149637B400 for ; Mon, 8 Apr 2002 08:18:32 -0700 (PDT)
Received: from dc.cis.okstate.edu (localhost [127.0.0.1]) by dc.cis.okstate.edu (8.11.6/8.11.3) with ESMTP id g38FIWG03595 for ; Mon, 8 Apr 2002 10:18:32 -0500 (CDT) (envelope-from martin@dc.cis.okstate.edu)
Message-Id: <200204081518.g38FIWG03595@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Easiest way to reset Account Change Time
Date: Mon, 08 Apr 2002 10:18:32 -0500
From: Martin McCormick
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Oh! Of course. My brain just wasn't moving in the right direction. Many thanks.
Matt Rohrer writes:
>[rohrer@nesos:~]$ pw usermod help
>
>--
>---------------------------------------------------------------
>Matt Rohrer http://prognostikos.com/ 503.816.8789
>---------------------------------------------------------------
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Mon Apr 8 11: 4:40 2002
Delivered-To: freebsd-security@freebsd.org
Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 80D6137B404 for ; Mon, 8 Apr 2002 11:04:18 -0700 (PDT)
Received: (qmail 9180 invoked by uid 1001); 8 Apr 2002 18:04:08 -0000
Message-ID: <20020408180408.9179.qmail@d188h80.mcb.uconn.edu>
References: <874riov1et.wl@delta.meridian-enviro.com> <002401c1ddf7$557e84a0$13ed7ad1@unstable.org> <20020406220150.C2867@rain.macguire.net> <3CB18F66.1060304@boneyard.lawrence.ks.us>
In-Reply-To: <3CB18F66.1060304@boneyard.lawrence.ks.us>
From: "Peter C. Lai"
To: "Stephen D. Spencer"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Centralized authentication
Date: Mon, 08 Apr 2002 18:04:08 GMT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

The kerberos implementation by MS is completely backwards compatible with MIT-kerberos. This has been true for the past few years actually (and from personal experience).

Stephen D. Spencer writes:
> Benjamin Krueger wrote:
>
>>
>> I'd highly suggest the oft-little understood but incredibly deserving
>> Kerberos. I truly believe that if it were better documented and
>> understood by
>> the masses of administrators out there, it would blow away current
>> network
>> authentication systems. Heck, Microsoft used it to totally revitalize
>> their
>> network authentication scheme to enormous benefit. Sadly, they then broke
>> it
>> for anyone who isn't them.
>>
>
> Though this is not from personal experience, I believe that K5 has been
> 'adjusted' to cohabitate correctly with the M$ implementation.
>
> -Stephen
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-----------
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Mon Apr 8 11: 6:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 10C9E37B416 for ; Mon, 8 Apr 2002 11:06:24 -0700 (PDT)
Received: (from peter@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g38I6N997572 for security@freebsd.org; Mon, 8 Apr 2002 11:06:23 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 8 Apr 2002 11:06:23 -0700 (PDT)
Message-Id: <200204081806.g38I6N997572@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security Mon Apr 8 11:15:19 2002
Delivered-To: freebsd-security@freebsd.org
Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 7E5DB37B429 for ; Mon, 8 Apr 2002 11:14:25 -0700 (PDT)
Received: (qmail 9261 invoked by uid 1001); 8 Apr 2002 18:14:19 -0000
Message-ID: <20020408181419.9260.qmail@d188h80.mcb.uconn.edu>
References: <1074.192.168.1.2.1018254621.squirrel@probsd.ws>
In-Reply-To: <1074.192.168.1.2.1018254621.squirrel@probsd.ws>
From: "Peter C. Lai"
To: "Michael Sharp"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Berkley Packet Filter
Date: Mon, 08 Apr 2002 18:14:19 GMT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Disabling bpf only prevents someone from running a sniffer on *your* box should they obtain a shell. I don't see how disabling it prevents nmap from running syn/fin scans.

Furthermore, if someone obtains root shell, they could just load a kernel module to enable bpf-like capabilities.

In addition, disabling bpf also breaks DHCP (and/or PPP?). If your host gets an IP via DHCP (e.g. you are running dhclient(1)) you need to enable bpf.

Michael Sharp writes:
> It is my understanding that if you comment OUT the bpf line in the kernel
> and re-compile, this disables things like nmap and prevents a sniffer from
> running on the network * easily * correct?
>
> The reason I put * easily * in there is because I am aware of other ways to
> bypass bpf, but I believe disabling would defeat 99% of the script kiddies.
>
> Michael
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-----------
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room)
860.486.1899 (Lab)
203.206.3784 (Cellphone)

From owner-freebsd-security Mon Apr 8 11:28:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from prometheus.vh.laserfence.net (prometheus.laserfence.net [196.44.73.116]) by hub.freebsd.org (Postfix) with ESMTP id 6DBCD37B433 for ; Mon, 8 Apr 2002 11:28:05 -0700 (PDT)
Received: from phoenix.vh.laserfence.net ([192.168.0.10]) by prometheus.vh.laserfence.net with esmtp (Exim 3.34 #1) id 16udqq-0003EG-00; Mon, 08 Apr 2002 20:26:48 +0200
Date: Mon, 8 Apr 2002 20:26:48 +0200 (SAST)
From: Willie Viljoen
X-X-Sender: will@phoenix.vh.laserfence.net
To: "Peter C. Lai"
Cc: Michael Sharp ,
Subject: Re: Berkley Packet Filter
In-Reply-To: <20020408181419.9260.qmail@d188h80.mcb.uconn.edu>
Message-ID: <20020408202441.W3388-100000@phoenix.vh.laserfence.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

My advice on BPF would be to use it selectively. It can come in very handy for certain tasks, amongst other things doing security audits on your own network, as apps like nmap and most sniffers need BPF.

As for servers, I would _NEVER_ really turn it on, unless there is a very specific need for its use. Also run at securelevel 1 or higher, to prevent somebody with a root shell from loading BPF-like modules into your kernel.

Servers should never be using things like DHCP or PPP (unless they happen to be dialin servers), and you should not be using your servers to run network security audits.
In short summary, I would say:

For a security administrator's work station, turn it on.
For anything else, turn it off.

Will

On Mon, 8 Apr 2002, Peter C. Lai wrote:

> disabling bpf only prevents someone from running a sniffer on
> *your* box should they obtain a shell. I don't see how disabling
> it prevents nmap from running syn/fin scans.
>
> Furthermore, if someone obtains root shell, they could just
> load a kernel module to enable bpf-like capabilities.
>
> In addition, disabling bpf also breaks DHCP (and/or PPP?). If your host gets
> an IP via DHCP (e.g you are running dhclient(1)) you need to enable bpf.
>
> Michael Sharp writes:
>
> > It is my understanding that if you comment OUT the bpf line in the kernel
> > and re-compile, this disables things like nmap and prevents a sniffer from
> > running on the network * easily * correct?
> >
> > The reason I put * easily * in there is because I am aware of other ways to
> > bypass bpf, but I believe disabling would defeat 99% of the script kiddies.
> >
> > Michael
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>
> -----------
> Peter C. Lai
> University of Connecticut
> Dept. of Residential Life | Programmer
> Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
> http://cowbert.2y.net/
> 860.427.4542 (Room)
> 860.486.1899 (Lab)
> 203.206.3784 (Cellphone)
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>

--
Willie Viljoen
Private IT Consultant
214 Paul Kruger Avenue
Universitas
Bloemfontein
9321
South Africa
+27 51 522 15 60, a/h +27 51 522 44 36
+27 82 404 03 27
will@laserfence.net

From owner-freebsd-security Mon Apr 8 12: 4:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from prometheus.vh.laserfence.net (prometheus.laserfence.net [196.44.73.116]) by hub.freebsd.org (Postfix) with ESMTP id 01ADB37B404 for ; Mon, 8 Apr 2002 12:04:40 -0700 (PDT)
Received: from phoenix.vh.laserfence.net ([192.168.0.10]) by prometheus.vh.laserfence.net with esmtp (Exim 3.34 #1) id 16ueNY-0003FL-00; Mon, 08 Apr 2002 21:00:36 +0200
Date: Mon, 8 Apr 2002 21:00:36 +0200 (SAST)
From: Willie Viljoen
X-X-Sender: will@phoenix.vh.laserfence.net
To: Bill Fumerola
Cc: Steve Shorter , FreeBSD ,
Subject: Re: IpFilter / IpFireWall
In-Reply-To: <20020404233824.GN1135@elvis.mu.org>
Message-ID: <20020408205232.W3388-100000@phoenix.vh.laserfence.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

To get back to the original post... as he writes he is using "FreeBSD 4.5-RELEASE _#0" I'm almost certain he hasn't rebuilt, or rebooted with a new kernel.

Also, I wouldn't really recommend the IPFIREWALL_DEFAULT_TO_ACCEPT option, unless you are working with a testbed machine. Default to accept means that you have to explicitly block anything you don't want allowed in.
The security section of the handbook covers this and very convincingly states that the above method is almost always a bad idea. The better option is to have it deny by default, and only allow in what is really needed in.

For a client machine running no services, the following should suffice:

add check-state
add allow ip from any to any out keep-state

That's all you need to set up a stateful firewall for a workstation, which denies ALL incoming new connections, and in fact ALL incoming packets, except for ones which are related in connections that were established as outgoing from this machine.

A few small caveats: some badly configured servers test for ident (port 113, also called auth) service to "authenticate" users (just as the RFCs on this say you SHOULDN'T use it). These servers will either have long delays when being connected to, or just not allow you to connect at all, because your machine is not allowing any incoming connections, and thus they can not talk to port 113.

A quick (but ugly) way around this is to reset TCP connections to port 113, thus telling remote servers you are not willing to provide an ident response. All but the very badly configured of the badly configured servers out there should then allow you immediate access. A good way to do this is to have this at the end of your ruleset (so it gets processed after your outgoing and incoming packets, and generally doesn't get in the way of legit traffic, or eat up any processing time):

add reset tcp from any to any 113 setup in

Note that outgoing ident from your machine will still work fine.
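As an added example (not part of Will's post or of FreeBSD's own rc.firewall), here is that stateful workstation ruleset assembled into one loadable ipfw(8) rules file and loader: check-state first, the outbound keep-state rule, the ident reset, the ICMP time-exceeded allow for traceroute replies that the post goes on to mention, and a final logging deny so that anything the default-deny kernel drops is visible in the security log. It assumes a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT and that ipfw(8) is given a file containing one "add ..." command per line.

```shell
#!/bin/sh
# Added example, not code from the list post. Assumes an ipfw kernel
# built WITHOUT IPFIREWALL_DEFAULT_TO_ACCEPT (so rule 65535 denies), and
# ipfw(8) reading a rules file with one "add ..." command per line.

# Emit the workstation ruleset in ipfw(8) file syntax. Order matters:
# check-state must come first so reply packets match existing dynamic
# rules before any other rule is consulted.
workstation_rules() {
    cat <<'EOF'
add check-state
add allow ip from any to any out keep-state
add reset tcp from any to any 113 setup in
add allow icmp from any to any in icmptypes 11
add deny log ip from any to any in
EOF
}

# Number of rules the generator produces; used as a sanity check.
rule_count() {
    workstation_rules | grep -c '^add '
}

# Flush the running ruleset and load the one above. Run as root on the
# FreeBSD host itself: flushing discards dynamic state, so a remote SSH
# session may stall or drop until the new rules are in place. The final
# "deny log" rule only writes to the log when net.inet.ip.fw.verbose is
# enabled (IPFIREWALL_VERBOSE in the kernel config).
load_rules() {
    tmp=$(mktemp) || return 1
    workstation_rules > "$tmp"
    ipfw -q -f flush
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# "load" applies the ruleset; anything else just prints it for review.
case "${1:-print}" in
    load)  load_rules ;;
    print) workstation_rules ;;
esac
```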
Another annoyance with the stateful behaviour of ipfw is that although ping replies are covered in the 'check-state' state checking machine, replies from routers to traceroutes do not seem to make it through. Adding a rule like this (again at the end of your ruleset) fixes the problem:

add allow icmp from any to any in icmptypes 11

See the security section in the FreeBSD handbook, and other sections on compiling your kernel, and the ipfw manpage, for more details.

Happy script-kiddy hunting.

Will

On Thu, 4 Apr 2002, Bill Fumerola wrote:

> On Thu, Apr 04, 2002 at 06:27:54PM -0500, Steve Shorter wrote:
> > On Thu, Apr 04, 2002 at 03:19:01PM -0800, Bill Fumerola wrote:
> > > > options IPSTEALTH
> > >
> > > this has nothing to do with ipfw or ipfilter.
> >
> > Hmm.. this adds a syctl parameter that when enabled
> > causes the firewall to not decrease the ttl for packets that
> > pass through it making it "invisible" to traceroute et al.
>
> ipfw and ipfilter don't decrement the ttl.
>
> > Or am I missing something?
>
> yes, the difference between a firewall and a router.
>
>

--
Willie Viljoen
Private IT Consultant
214 Paul Kruger Avenue
Universitas
Bloemfontein
9321
South Africa
+27 51 522 15 60, a/h +27 51 522 44 36
+27 82 404 03 27
will@laserfence.net

From owner-freebsd-security Mon Apr 8 17:14:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from russian-caravan.cloud9.net (russian-caravan.cloud9.net [168.100.1.4]) by hub.freebsd.org (Postfix) with ESMTP id 458FE37B416; Mon, 8 Apr 2002 17:14:21 -0700 (PDT)
Received: from earl-grey.cloud9.net (earl-grey.cloud9.net [168.100.1.1]) by russian-caravan.cloud9.net (Postfix) with ESMTP id EA9E828C07; Mon, 8 Apr 2002 20:14:20 -0400 (EDT)
Date: Mon, 8 Apr 2002 20:14:20 -0400 (EDT)
From: Peter Leftwich
X-X-Sender:
To: "Crist J. Clark"
Cc: FreeBSD Questions , FreeBSD Security
Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?" [cjc]
In-Reply-To: <20020407002623.K70207@blossom.cjclark.org>
Message-ID: <20020408201323.N83584-100000@earl-grey.cloud9.net>
Organization: Video2Video Services - http://Www.Video2Video.Com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, 7 Apr 2002, Crist J. Clark wrote:
> On Sun, Apr 07, 2002 at 12:00:55AM -0800, Peter Leftwich wrote:
> > prompt$ pkg_info | grep -i openssh
> > openssh-3.0.2 OpenBSD's secure shell client and server (remote login prog
> >
> > I just upgraded (or tried to upgrade) openssh on my FreeBSD 4.5-RELEASE
> > box using /stand/sysinstall but I get this (ver. 2.9??) when I type:
> >
> > prompt$ ssh -V
> > OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> Did you actually change the rc.conf(5) file to start the new daemon, which probably lives in /usr/local/sbin/sshd, rather than the old one in /usr/sbin/sshd?
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org

My question was regarding ssh, not sshd.
--
Peter Leftwich
President & Founder
Video2Video Services
Box 13692, La Jolla, CA, 92039 USA
+1-413-403-9555

From owner-freebsd-security Mon Apr 8 17:23:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [63.167.241.66]) by hub.freebsd.org (Postfix) with ESMTP id 05E1137B405; Mon, 8 Apr 2002 17:23:29 -0700 (PDT)
Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id g390NRl56266; Mon, 8 Apr 2002 20:23:27 -0400 (EDT) (envelope-from str)
Date: Mon, 8 Apr 2002 20:23:27 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200204090023.g390NRl56266@giganda.komkon.org>
To: FreeBSD-Questions@FreeBSD.ORG, Hostmaster@Video2Video.Com
Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?"
Cc: FreeBSD-Security@FreeBSD.ORG
In-Reply-To: <20020406235622.O877-100000@66-75-1-142.san.rr.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

What is in your $PATH? Which ssh is started?

I suspect you have /usr/bin in front of /usr/local/bin in your PATH, and thus it's /usr/bin/ssh (system installation) that gave you the output, and not /usr/local/bin/ssh that was installed by the port/package.

Hope that helps.

Igor

> From owner-freebsd-security@FreeBSD.ORG Sun Apr 7 04:02:18 2002
> Date: Sun, 7 Apr 2002 00:00:55 -0800 (PST)
> From: Peter Leftwich
> To: FreeBSD Questions
> Cc: FreeBSD Security
> Subject: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?"
>
> prompt$ pkg_info | grep -i openssh
> openssh-3.0.2 OpenBSD's secure shell client and server (remote login prog
>
> I just upgraded (or tried to upgrade) openssh on my FreeBSD 4.5-RELEASE
> box using /stand/sysinstall but I get this (ver. 2.9??) when I type:
>
> prompt$ ssh -V
> OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
>
> pkg_help -r --source majordomo? ;-)
>
> --
> Peter Leftwich
> President & Founder
> Video2Video Services
> Box 13692, La Jolla, CA, 92039 USA
> +1-413-403-9555
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Mon Apr 8 17:29:18 2002
Delivered-To: freebsd-security@freebsd.org
Received: from h066060062167.isol.net.ar (h066060062167.isol.net.ar [66.60.62.167]) by hub.freebsd.org (Postfix) with ESMTP id D2FC037B405 for ; Mon, 8 Apr 2002 17:28:54 -0700 (PDT)
Received: from h066060062169.isol.net.ar (h066060062169.isol.net.ar [66.60.62.169]) by h066060062167.isol.net.ar (8.11.6/8.11.6) with ESMTP id g390Rgn17915 for ; Mon, 8 Apr 2002 21:27:42 -0300 (ART) (envelope-from root@h066060062169.isol.net.ar)
Date: Mon, 8 Apr 2002 17:13:54 GMT
Message-Id: <200204081713.g38HDs618353@h066060062169.isol.net.ar>
Subject: LIQUID V - IMMEDIATE RESULTS NO PRESCRIPTION NECESSARY
From: liquidv12@liquidv12.com.isol.net.ar
To: liquidv12@liquidv12.com.isol.net.ar
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_001__26423154_69463,55"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

This is a Multipart MIME message.
------=_NextPart_000_001__26423154_69463,55 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit LIQUID V -  ALL NATURAL ----------------------------------------- Increase blood flow Increase Frequency Increase Desire Increase Sensation Increase Stamina Increase Satisfaction ---------------------------------------- HOW LIQUID-V WORKS: LIQUID-V is a revolutionary way to get your erection back to its youthful state. Oral absorption is the fastest, most effective way to get a dose of erection enhancing supplements into your system. LIQUID-V immediately allows the maximum amount of blood to fill the penile chambers, this process allows for an increase in penile length, girth and hardness. When put into the mouth, micro-sized beads are immediately absorbed into the tissue through the capillaries, which lie close to the surface of the lining in the mouth. This process allows the supplement to be absorbed within seconds. LIQUID-Vis superior to a pill because it absorbs into the blood stream immediately. Your penis has 3 chambers which fill with blood during an erection. These chambers are a collection of blood vessels which become swollen with blood during sexual arousal. While you're not sexually aroused the penile chambers are open and allow for the flow of blood through the filling chambers. When you are sexually aroused the chambers remain open and the exit gates close. When the exit gates close the blood that remains in the penis gives you your erection. Once the penile gates close the amount of blood in the chambers will determine how you perform . A revolutionary way to get your desire back to its youthful state LIQUID-V WORKS When put into the mouth, micro-sized beads are immediately absorbed into the tissue through the capillaries. This process allows the supplement to be absorbed within seconds. 
100% SECURE ONLINE COMMERCE CLICK HERE FOR MORE DETAILS (http://66.60.62.169/index.htm) --------------------------------- If you do not want to receive further mailings or have been inadvertently placed on our mailing list, please click "Unsubscribe" (http://66.60.62.169/unsubscribe.htm) Your address will be removed in 24 hours ----------------------------------- ------=_NextPart_000_001__26423154_69463,55 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: base64 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9u YWwvL0VOIj4NCjxodG1sPg0KDQo8aGVhZD4NCjx0aXRsZT5saXF1aWQgViBBbGwgTmF0dXJh bDwvdGl0bGU+DQo8L2hlYWQ+DQoNCjxib2R5IGxpbms9IiMwMDgwMDAiIHZsaW5rPSIjMDA4 MDAwIiBhbGluaz0iIzAwODAwMCI+DQo8ZGl2IGFsaWduPSJjZW50ZXIiPjxjZW50ZXI+DQoN Cjx0YWJsZSB3aWR0aD0iMzgyIiBib3JkZXI9IjAiIGNlbGxzcGFjaW5nPSIyIiBjZWxscGFk ZGluZz0iMCIgYWxpZ249ImNlbnRlciI+DQogIDx0cj4NCiAgICA8dGQ+PHRhYmxlIGJvcmRl cj0iMCIgY2VsbHNwYWNpbmc9IjAiIHdpZHRoPSIxMDAlIiBjZWxscGFkZGluZz0iMyIgYmdj b2xvcj0iIzAwODAwMCI+DQogICAgICA8dHI+DQogICAgICAgIDx0ZCB3aWR0aD0iMTAwJSI+ PHAgYWxpZ249ImNlbnRlciI+PGZvbnQgZmFjZT0iQXJpYWwiIHNpemU9IjMiIGNvbG9yPSIj RkZGRkZGIj48c3Ryb25nPkxJUVVJRA0KICAgICAgICBWIC0mbmJzcDsgQUxMIE5BVFVSQUw8 L3N0cm9uZz48L2ZvbnQ+PC90ZD4NCiAgICAgIDwvdHI+DQogICAgPC90YWJsZT4NCiAgICA8 L3RkPg0KICA8L3RyPg0KICA8dHI+DQogICAgPHRkPjxwIGFsaWduPSJjZW50ZXIiPjxmb250 IGZhY2U9IlZlcmRhbmEiIHNpemU9IjIiPjxzdHJvbmc+SW5jcmVhc2UgYmxvb2QgZmxvdzxi cj4NCiAgICBJbmNyZWFzZSBGcmVxdWVuY3k8YnI+DQogICAgSW5jcmVhc2UgRGVzaXJlPGJy Pg0KICAgIEluY3JlYXNlIFNlbnNhdGlvbjxicj4NCiAgICBJbmNyZWFzZSBTdGFtaW5hPGJy Pg0KICAgIEluY3JlYXNlIFNhdGlzZmFjdGlvbjwvc3Ryb25nPjwvZm9udD48L3RkPg0KICA8 L3RyPg0KICA8dHI+DQogICAgPHRkPjxociBub3NoYWRlIHNpemU9IjEiIGNvbG9yPSIjQzBD MEMwIj4NCiAgICA8L3RkPg0KICA8L3RyPg0KICA8dHI+DQogICAgPHRkPjxmb250IGNvbG9y PSIjRkYwMDAwIiBmYWNlPSJWZXJkYW5hIiBzaXplPSIyIj48Yj5IT1cgTElRVUlELVYgV09S S1M6PC9iPjwvZm9udD48Zm9udA0KICAgIGNvbG9yPSIjMUYxRjFGIiBmYWNlPSJWZXJkYW5h 
IiBzaXplPSIyIj48YnI+DQogICAgPGJyPg0KICAgIDxhIGhyZWY9Imh0dHA6Ly82Ni42MC42 Mi4xNjkvIiB0YXJnZXQ9Il9ibGFuayI+PGI+TElRVUlELVY8L2I+PC9hPiBpcyBhIHJldm9s dXRpb25hcnkgd2F5DQogICAgdG8gZ2V0IHlvdXIgZXJlY3Rpb24gYmFjayB0byBpdHMgeW91 dGhmdWwgc3RhdGUuIE9yYWwgYWJzb3JwdGlvbiBpcyB0aGUgZmFzdGVzdCwgbW9zdA0KICAg IGVmZmVjdGl2ZSB3YXkgdG8gZ2V0IGEgZG9zZSBvZiBlcmVjdGlvbiBlbmhhbmNpbmcgc3Vw cGxlbWVudHMgaW50byB5b3VyIHN5c3RlbS4gTElRVUlELVYNCiAgICBpbW1lZGlhdGVseSBh bGxvd3MgdGhlIG1heGltdW0gYW1vdW50IG9mIGJsb29kIHRvIGZpbGwgdGhlIHBlbmlsZSBj aGFtYmVycywgdGhpcyBwcm9jZXNzDQogICAgYWxsb3dzIGZvciBhbiBpbmNyZWFzZSBpbiBw ZW5pbGUgbGVuZ3RoLCBnaXJ0aCBhbmQgaGFyZG5lc3MuIFdoZW4gcHV0IGludG8gdGhlIG1v dXRoLA0KICAgIG1pY3JvLXNpemVkIGJlYWRzIGFyZSBpbW1lZGlhdGVseSBhYnNvcmJlZCBp bnRvIHRoZSB0aXNzdWUgdGhyb3VnaCB0aGUgY2FwaWxsYXJpZXMsIHdoaWNoDQogICAgbGll IGNsb3NlIHRvIHRoZSBzdXJmYWNlIG9mIHRoZSBsaW5pbmcgaW4gdGhlIG1vdXRoLiBUaGlz IHByb2Nlc3MgYWxsb3dzIHRoZSBzdXBwbGVtZW50IHRvDQogICAgYmUgYWJzb3JiZWQgd2l0 aGluIHNlY29uZHMuPGJyPg0KICAgIDxicj4NCiAgICA8YSBocmVmPSJodHRwOi8vNjYuNjAu NjIuMTY5LyIgdGFyZ2V0PSJfYmxhbmsiPjxiPkxJUVVJRC1WPC9iPjwvYT5pcyBzdXBlcmlv ciB0byBhIHBpbGwNCiAgICBiZWNhdXNlIGl0IGFic29yYnMgaW50byB0aGUgYmxvb2Qgc3Ry ZWFtIGltbWVkaWF0ZWx5LiBZb3VyIHBlbmlzIGhhcyAzIGNoYW1iZXJzIHdoaWNoIGZpbGwN CiAgICB3aXRoIGJsb29kIGR1cmluZyBhbiBlcmVjdGlvbi4gVGhlc2UgY2hhbWJlcnMgYXJl IGEgY29sbGVjdGlvbiBvZiBibG9vZCB2ZXNzZWxzIHdoaWNoDQogICAgYmVjb21lIHN3b2xs ZW4gd2l0aCBibG9vZCBkdXJpbmcgc2V4dWFsIGFyb3VzYWwuIFdoaWxlIHlvdSdyZSBub3Qg c2V4dWFsbHkgYXJvdXNlZCB0aGUNCiAgICBwZW5pbGUgY2hhbWJlcnMgYXJlIG9wZW4gYW5k IGFsbG93IGZvciB0aGUgZmxvdyBvZiBibG9vZCB0aHJvdWdoIHRoZSBmaWxsaW5nIGNoYW1i ZXJzLg0KICAgIFdoZW4geW91IGFyZSBzZXh1YWxseSBhcm91c2VkIHRoZSBjaGFtYmVycyBy ZW1haW4gb3BlbiBhbmQgdGhlIGV4aXQgZ2F0ZXMgY2xvc2UuIFdoZW4gdGhlDQogICAgZXhp dCBnYXRlcyBjbG9zZSB0aGUgYmxvb2QgdGhhdCByZW1haW5zIGluIHRoZSBwZW5pcyBnaXZl cyB5b3UgeW91ciBlcmVjdGlvbi4gT25jZSB0aGUNCiAgICBwZW5pbGUgZ2F0ZXMgY2xvc2Ug dGhlIGFtb3VudCBvZiBibG9vZCBpbiB0aGUgY2hhbWJlcnMgd2lsbCBkZXRlcm1pbmUgaG93 
IHlvdSBwZXJmb3JtIC48YnI+DQogICAgPC9mb250Pjxmb250IGNvbG9yPSIjMUYxRjFGIj48 b2w+DQogICAgICA8bGk+PC9mb250Pjxmb250IGZhY2U9IlZlcmRhbmEiIHNpemU9IjIiIGNv bG9yPSIjMUYxRjFGIj5BIHJldm9sdXRpb25hcnkgd2F5IHRvIGdldCB5b3VyDQogICAgICAg IGRlc2lyZSBiYWNrIHRvIGl0cyB5b3V0aGZ1bCBzdGF0ZSA8L2ZvbnQ+PGZvbnQgY29sb3I9 IiMxRjFGMUYiPjwvbGk+DQogICAgICA8bGk+PGZvbnQgY29sb3I9IiMxRjFGMUYiPjxmb250 IGZhY2U9IlZlcmRhbmEiIHNpemU9IjIiPkxJUVVJRC1WIFdPUktTIFdoZW4gcHV0IGludG8g dGhlDQogICAgICAgIG1vdXRoLCBtaWNyby1zaXplZCBiZWFkcyBhcmUgaW1tZWRpYXRlbHkg YWJzb3JiZWQgaW50byB0aGUgdGlzc3VlIHRocm91Z2ggdGhlIGNhcGlsbGFyaWVzLg0KICAg ICAgICBUaGlzIHByb2Nlc3MgYWxsb3dzIHRoZSBzdXBwbGVtZW50IHRvIGJlIGFic29yYmVk IHdpdGhpbiBzZWNvbmRzLiA8YnI+DQogICAgICAgIDwvZm9udD48Zm9udCBjb2xvcj0iUmVk Ij48cCBhbGlnbj0iY2VudGVyIj48L2ZvbnQ+PC9mb250PjwvZm9udD48Zm9udCBjb2xvcj0i I0ZGMDAwMCINCiAgICAgICAgZmFjZT0iVmVyZGFuYSIgc2l6ZT0iMiI+PHN0cm9uZz4xMDAl IFNFQ1VSRSBPTkxJTkUgQ09NTUVSQ0U8YnI+DQogICAgICAgIDwvc3Ryb25nPjwvZm9udD48 Zm9udCBjb2xvcj0iIzFGMUYxRiIgZmFjZT0iVmVyZGFuYSIgc2l6ZT0iMiI+PGJyPg0KICAg ICAgICA8YnI+DQogICAgICAgIDxhIGhyZWY9Imh0dHA6Ly82Ni42MC42Mi4xNjkvIiB0YXJn ZXQ9Il9ibGFuayI+Q0xJQ0sgSEVSRSBGT1IgTU9SRSBERVRBSUxTPC9hPiA8YnI+DQogICAg ICAgIDxicj4NCiAgICAgICAgPC9mb250PjwvcD4NCiAgICAgIDwvbGk+DQogICAgPC9vbD4N CiAgICA8L3RkPg0KICA8L3RyPg0KICA8dHI+DQogICAgPHRkPjxociBub3NoYWRlIHNpemU9 IjEiIGNvbG9yPSIjQzBDMEMwIj4NCiAgICA8L3RkPg0KICA8L3RyPg0KICA8dHI+DQogICAg PHRkPjxmb250IGNvbG9yPSIjMUYxRjFGIiBmYWNlPSJWZXJkYW5hIiBzaXplPSIyIj48cCBh bGlnbj0iY2VudGVyIj48L2ZvbnQ+PGZvbnQNCiAgICBmYWNlPSJBcmlhbCxIZWx2ZXRpY2Ei IGNvbG9yPSIjNGY1OTY0IiBzaXplPSIxIj5JZiB5b3UgZG8gbm90IHdhbnQgdG8gcmVjZWl2 ZSBmdXJ0aGVyDQogICAgbWFpbGluZ3Mgb3IgaGF2ZSBiZWVuIDxicj4NCiAgICBpbmFkdmVy dGVudGx5IHBsYWNlZCBvbiBvdXIgbWFpbGluZyBsaXN0LCBwbGVhc2UgY2xpY2s8YnI+DQog ICAgPGJyPg0KICAgIDxhIGhyZWY9Imh0dHA6Ly82Ni42MC42Mi4xNjkvdW5zdWJzY3JpYmUu aHRtIj4mcXVvdDtVbnN1YnNjcmliZSZxdW90OzwvYT48YnI+DQogICAgPHN0cm9uZz48YnI+ DQogICAgWW91ciBhZGRyZXNzIHdpbGwgYmUgcmVtb3ZlZCBpbiAyNCBob3Vyczwvc3Ryb25n 
Pjxicj4NCiAgICA8L2ZvbnQ+PC90ZD4NCiAgPC90cj4NCiAgPHRyPg0KICAgIDx0ZD48aHIg bm9zaGFkZSBzaXplPSIxIiBjb2xvcj0iI0MwQzBDMCI+DQogICAgPC90ZD4NCiAgPC90cj4N CjwvdGFibGU+DQo8L2NlbnRlcj48L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCg== ------=_NextPart_000_001__26423154_69463,55-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 8 17:29:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from h066060062167.isol.net.ar (h066060062167.isol.net.ar [66.60.62.167]) by hub.freebsd.org (Postfix) with ESMTP id 4F08537B416 for ; Mon, 8 Apr 2002 17:28:50 -0700 (PDT) Received: from h066060062169.isol.net.ar (h066060062169.isol.net.ar [66.60.62.169]) by h066060062167.isol.net.ar (8.11.6/8.11.6) with ESMTP id g390Rgn17921 for ; Mon, 8 Apr 2002 21:27:42 -0300 (ART) (envelope-from root@h066060062169.isol.net.ar) Date: Mon, 8 Apr 2002 17:13:54 GMT Message-Id: <200204081713.g38HDsl18369@h066060062169.isol.net.ar> Subject: LIQUID V - IMMEDIATE RESULTS NO PRESCRIPTION NECESSARY From: liquidv12@liquidv12.com.isol.net.ar To: liquidv12@liquidv12.com.isol.net.ar MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_001__26423154_69463,55" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a Multipart MIME message. ------=_NextPart_000_001__26423154_69463,55 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit LIQUID V -  ALL NATURAL ----------------------------------------- Increase blood flow Increase Frequency Increase Desire Increase Sensation Increase Stamina Increase Satisfaction ---------------------------------------- HOW LIQUID-V WORKS: LIQUID-V is a revolutionary way to get your erection back to its youthful state. 
Oral absorption is the fastest, most effective way to get a dose of erection enhancing supplements into your system. LIQUID-V immediately allows the maximum amount of blood to fill the penile chambers, this process allows for an increase in penile length, girth and hardness. When put into the mouth, micro-sized beads are immediately absorbed into the tissue through the capillaries, which lie close to the surface of the lining in the mouth. This process allows the supplement to be absorbed within seconds. LIQUID-Vis superior to a pill because it absorbs into the blood stream immediately. Your penis has 3 chambers which fill with blood during an erection. These chambers are a collection of blood vessels which become swollen with blood during sexual arousal. While you're not sexually aroused the penile chambers are open and allow for the flow of blood through the filling chambers. When you are sexually aroused the chambers remain open and the exit gates close. When the exit gates close the blood that remains in the penis gives you your erection. Once the penile gates close the amount of blood in the chambers will determine how you perform . A revolutionary way to get your desire back to its youthful state LIQUID-V WORKS When put into the mouth, micro-sized beads are immediately absorbed into the tissue through the capillaries. This process allows the supplement to be absorbed within seconds. 
100% SECURE ONLINE COMMERCE CLICK HERE FOR MORE DETAILS (http://66.60.62.169/index.htm) --------------------------------- If you do not want to receive further mailings or have been inadvertently placed on our mailing list, please click "Unsubscribe" (http://66.60.62.169/unsubscribe.htm) Your address will be removed in 24 hours
From owner-freebsd-security Mon Apr 8 17:46:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id 9AD2837B404 for ; Mon, 8 Apr 2002 17:46:08 -0700 (PDT) Received: (qmail 79190 invoked by uid 1000); 9 Apr 2002 00:46:02 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 9 Apr 2002 00:46:02 -0000 Date: Mon, 8 Apr 2002 17:45:59 -0700 (PDT) From: Jason Stone X-X-Sender: To: Michael Sharp Cc: Subject: Re: Berkley Packet Filter In-Reply-To: <20020408202441.W3388-100000@phoenix.vh.laserfence.net> Message-ID: <20020408172043.E32064-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII

> In short summary, I would say:
>
> For a security administrator's work station, turn it on.
> For anything else, turn it off.

Why turn it off? Does anyone still worry about sniffing? Given the prevalence of ssh and ssl-aware clients these days, if there's any plaintext still going over your network, your time would be better spent fixing that. And bpf is invaluable for debugging network-related problems. Whenever some network-related service stops working right, the very first thing I do is to run tcpdump to see what's going on. Bottom line - if there's anything an attacker could gain by sniffing your network, you already have problems.
Yeah, yeah, security in layers, but there's really no excuse to still be allowing plaintext protocols at this stage of the game.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin

From owner-freebsd-security Mon Apr 8 20: 4:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp018.mail.yahoo.com (smtp018.mail.yahoo.com [216.136.174.115]) by hub.freebsd.org (Postfix) with SMTP id BB94837B431 for ; Mon, 8 Apr 2002 20:02:25 -0700 (PDT) Received: from dialup68.net33.samart.co.th (HELO pokaeobkk) (easytoberich01@203.149.33.68 with login) by smtp.mail.vip.sc5.yahoo.com with SMTP; 9 Apr 2002 03:02:15 -0000 Message-ID: <001901c1df73$2c90ba40$442195cb@loxinfo.co.th> From: "workathome" To: Subject: turn off your tv and turn on your life Date: Tue, 9 Apr 2002 09:57:02 +0700 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0014_01C1DFAC.E68AA760" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
if you need a chance to make your dream come true, I will give you a chance. take it or lose it, up to you. www.smartejob.com/siriline

From owner-freebsd-security Mon Apr 8 21: 3:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from web11802.mail.yahoo.com (web11802.mail.yahoo.com [216.136.172.156]) by hub.freebsd.org (Postfix) with SMTP id F2EA637B419 for ; Mon, 8 Apr 2002 21:03:44 -0700 (PDT) Message-ID: <20020409040344.36061.qmail@web11802.mail.yahoo.com> Received: from [66.222.32.155] by web11802.mail.yahoo.com via HTTP; Mon, 08 Apr 2002 21:03:44 PDT Date: Mon, 8 Apr 2002 21:03:44 -0700 (PDT)
From: X Philius Reply-To: xphilius@yahoo.com Subject: zlib double-free security notification To: freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii

Security Folks, Are there any exploits out there that take advantage of this hole? I am running 4.4 Release, and have been watching the security notifications list for patches that I *really* need to run. So, if I want to keep things as simple as possible, would you recommend patching to fix this issue? If it is just a matter of possible DOS issues, versus actual known exploits, I'll probably skip it.

Jason

From owner-freebsd-security Mon Apr 8 21:25:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from tomts7-srv.bellnexxia.net (tomts7.bellnexxia.net [209.226.175.40]) by hub.freebsd.org (Postfix) with ESMTP id 52E5F37B423 for ; Mon, 8 Apr 2002 21:25:04 -0700 (PDT) Received: from universiow267t ([65.93.105.74]) by tomts7-srv.bellnexxia.net (InterMail vM.4.01.03.23 201-229-121-123-20010418) with SMTP id <20020409042458.HKOD12118.tomts7-srv.bellnexxia.net@universiow267t> for ; Tue, 9 Apr 2002 00:24:58 -0400 Message-ID: <010601c1df7e$b3657a50$e83dfea9@universiow267t>
From: "Vincent Filby" To: References: <20020408172043.E32064-100000@walter> Subject: Securing a jailed virtual server. Date: Tue, 9 Apr 2002 00:26:20 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

I have to secure a jailed virtual server; I don't have access to the physical server, though. Is there any good documentation for securing a jailed server, or on what the differences are between it and a normal server regarding security?

Thanks in advance!

- Vince

From owner-freebsd-security Mon Apr 8 22:18:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 7E3A337B416; Mon, 8 Apr 2002 22:18:04 -0700 (PDT) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020409051803.WZDD18078.rwcrmhc51.attbi.com@blossom.cjclark.org>; Tue, 9 Apr 2002 05:18:03 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g395HxD31522; Mon, 8 Apr 2002 22:17:59 -0700 (PDT) (envelope-from cjc) Date: Mon, 8 Apr 2002 22:17:59 -0700
From: "Crist J. Clark" To: Peter Leftwich Cc: FreeBSD Questions , FreeBSD Security Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?" [cjc] Message-ID: <20020408221759.A31507@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20020407002623.K70207@blossom.cjclark.org> <20020408201323.N83584-100000@earl-grey.cloud9.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020408201323.N83584-100000@earl-grey.cloud9.net>; from Hostmaster@Video2Video.Com on Mon, Apr 08, 2002 at 08:14:20PM -0400 X-URL: http://people.freebsd.org/~cjc/

On Mon, Apr 08, 2002 at 08:14:20PM -0400, Peter Leftwich wrote:
> On Sun, 7 Apr 2002, Crist J. Clark wrote:
> > On Sun, Apr 07, 2002 at 12:00:55AM -0800, Peter Leftwich wrote:
> > > prompt$ pkg_info | grep -i openssh
> > > openssh-3.0.2 OpenBSD's secure shell client and server (remote login prog
> > >
> > > I just upgraded (or tried to upgrade) openssh on my FreeBSD 4.5-RELEASE
> > > box using /stand/sysinstall but I get this (ver. 2.9??) when I type:
> > >
> > > prompt$ ssh -V
> > > OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> > Did you actually change the rc.conf(5) file to start the new daemon, which probably lives in /usr/local/sbin/sshd, rather than the old one in /usr/sbin/sshd?
> > --
> > Crist J. Clark | cjclark@alum.mit.edu
> > | cjclark@jhu.edu
> > http://people.freebsd.org/~cjc/ | cjc@freebsd.org
>
> My question was regarding ssh, not sshd.

Then I shall rephrase: Are you actually running the ssh(1) in /usr/local/bin/ssh or the old one in /usr/bin/ssh?

-- Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Mon Apr 8 23:58:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by hub.freebsd.org (Postfix) with SMTP id 3AC2A37B419 for ; Mon, 8 Apr 2002 23:58:48 -0700 (PDT) Received: (qmail 81134 invoked from network); 9 Apr 2002 07:04:59 -0000 Received: from unknown (HELO straylight.ringlet.net) (212.116.140.125) by south.nanolink.com with SMTP; 9 Apr 2002 07:04:59 -0000 Received: (qmail 4176 invoked by uid 1000); 9 Apr 2002 06:58:32 -0000 Date: Tue, 9 Apr 2002 09:58:32 +0300
From: Peter Pentchev To: X Philius Cc: freebsd-security@FreeBSD.ORG Subject: Re: zlib double-free security notification Message-ID: <20020409095832.A3374@straylight.oblivion.bg> Mail-Followup-To: X Philius , freebsd-security@FreeBSD.ORG References: <20020409040344.36061.qmail@web11802.mail.yahoo.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="x+6KMIRAuhnl3hBn" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020409040344.36061.qmail@web11802.mail.yahoo.com>; from xphilius@yahoo.com on Mon, Apr 08, 2002 at 09:03:44PM -0700

On Mon, Apr 08, 2002 at 09:03:44PM -0700, X Philius wrote:
> Security Folks,
> Are there any exploits out there that take advantage of this hole? I am
> running 4.4 Release, and have been watching the security notifications
> list for patches that I *really* need to run. So, if I want to keep
> things as simple as possible, would you recommend patching to fix this
> issue? If it is just a matter of possible DOS issues, versus actual
> known exploits, I'll probably skip it.

"Simple DoS issues" might result in killing a server you do not want killed, thus (theoretically) denying access to important services and maybe the machine itself. In truth, right now I cannot remember if there were any such announced vulnerabilities that could result in killing off a whole service, but.. better safe than sorry, I'd say..

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am not the subject of this sentence.
From owner-freebsd-security Tue Apr 9 3:32: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from mta05bw.bigpond.com (mta05bw.bigpond.com [139.134.6.95]) by hub.freebsd.org (Postfix) with ESMTP id 6C87D37B416 for ; Tue, 9 Apr 2002 03:31:59 -0700 (PDT) Received: from MICHAEL2 ([144.135.24.69]) by mta05bw.bigpond.com (Netscape Messaging Server 4.15 mta05bw Feb 26 2002 03:44:21) with SMTP id GUAQL900.4KN for ; Tue, 9 Apr 2002 20:31:57 +1000 Received: from CPE-203-45-56-124.vic.bigpond.net.au ([203.45.56.124]) by bwmam01.mailsvc.email.bigpond.com(MailRouter V3.0j 2/337868); 09 Apr 2002 20:31:56 Message-ID: <01b301c1dfb1$c7cb7610$2d01a8c0@MICHAEL2>
From: "Michael Phaze" To: Subject: Ftpd and remote syslog Date: Tue, 9 Apr 2002 20:31:55 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000

Hey all.

I am trying to set up remote syslogging for ftpd authentication messages only. I set up remote syslogging for auth.* to a remote syslog server:

auth.* @loghost

I put it at the top of the file, and it works fine for when I ssh in, but when I ftp in using the FreeBSD ftpd it doesn't log anything. I tried putting in

!ftpd
*.* @loghost

and it does log that to the remote syslog, but as the "ftpd" facility, not as "auth". I also run it from inetd with ftpd -ll to log transfers as well. I only want to log file transfers to the local syslogd and send auth messages to the remote syslog with no transfer information. Does anyone know how to set this up properly?

From owner-freebsd-security Tue Apr 9 3:46:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from tng.tmn.ru (tngent02.tng.tmn.ru [212.76.168.162]) by hub.freebsd.org (Postfix) with ESMTP id 1A8A537B417 for ; Tue, 9 Apr 2002 03:46:37 -0700 (PDT) Received: from tng.tmn.ru [10.28.66.204] by tng.tmn.ru [212.76.168.162] with SMTP (MDaemon.PRO.v4.0.0.R) for ; Tue, 09 Apr 2002 16:45:24 +0600 Message-ID: <3CB2C695.8030809@tng.tmn.ru> Date: Tue, 09 Apr 2002 16:46:45 +0600
From: "Igor I. Ushatinsky" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.4) Gecko/20011022 X-Accept-Language: ru, en-us MIME-Version: 1.0 To: Michael Phaze Cc: FreeBSD-Security@FreeBSD.ORG Subject: Re: Ftpd and remote syslog References: <01b301c1dfb1$c7cb7610$2d01a8c0@MICHAEL2> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-MDRemoteIP: 10.28.66.204 X-Return-Path: igor@tng.tmn.ru X-MDaemon-Deliver-To: FreeBSD-Security@FreeBSD.ORG

Michael Phaze wrote:
> Hey all.
> I am trying to set up remote syslogging for ftpd authentication messages only.
> I set up remote syslogging for auth.* to a remote syslog server.
> auth.* @loghost
> I put it at the top of the file, and it works fine for when I ssh in, but
> when I ftp in using the FreeBSD ftpd it doesn't log anything.
> I tried putting in
> !ftpd
> *.* @loghost

Try using the "ftp.*" facility (not the "!ftpd" program entry).

/Igor.

From owner-freebsd-security Tue Apr 9 4:54:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from pikachu.sys.atl.earthlink.net (pikachu.sys.atl.earthlink.net [199.174.117.37]) by hub.freebsd.org (Postfix) with ESMTP id 94C3437B433 for ; Tue, 9 Apr 2002 04:54:33 -0700 (PDT) Received: (from poirierg@localhost) by pikachu.sys.atl.earthlink.net (8.11.1/8.11.1) id g39BsWf34959 for freebsd-security@freebsd.org; Tue, 9 Apr 2002 07:54:32 -0400 (EDT) (envelope-from poirierg) Date: Tue, 9 Apr 2002 07:54:32 -0400 (EDT)
From: Greg Poirier Message-Id: <200204091154.g39BsWf34959@pikachu.sys.atl.earthlink.net> To: freebsd-security@freebsd.org

subscribe freebsd-security poirierg@corp.earthlink.net

From owner-freebsd-security Tue Apr 9 6: 1: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by hub.freebsd.org (Postfix) with ESMTP id 2F1A837B400 for ; Tue, 9 Apr 2002 06:00:57 -0700 (PDT) Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id g39D0v305759 for ; Tue, 9 Apr 2002 09:00:57 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Tue, 9 Apr 2002 09:00:52 -0400 (EDT)
From: Chris BeHanna Reply-To: Chris BeHanna To: FreeBSD Security Subject: Re: zlib double-free security notification In-Reply-To: <20020409095832.A3374@straylight.oblivion.bg> Message-ID: <20020409085638.C5710-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 9 Apr 2002, Peter Pentchev wrote:
> On Mon, Apr 08, 2002 at 09:03:44PM -0700, X Philius wrote:
> > Security Folks,
> > Are there any exploits out there that take advantage of this hole? I am
> > running 4.4 Release, and have been watching the security notifications
> > list for patches that I *really* need to run. So, if I want to keep
> > things as simple as possible, would you recommend patching to fix this
> > issue? If it is just a matter of possible DOS issues, versus actual
> > known exploits, I'll probably skip it.
>
> "Simple DoS issues" might result in killing a server you do not want
> killed, thus (theoretically) denying access to important services
> and maybe the machine itself. In truth, right now I cannot remember
> if there were any such announced vulnerabilities that could result
> in killing off a whole service, but.. better safe than sorry, I'd say..

Unless you have configured malloc() to dump core in a double-free situation, FreeBSD cannot be DoS'd in this manner. Double-free errors generate warnings by default. Note that applications running under Linux emulation, however, could still be DoS'd, given that the GNU implementation of malloc() (in glibc) is indeed vulnerable. In fact, of the systems I've tested (FreeBSD 4.5-STABLE, Solaris 8, Microsoft Visual C++ 6.0, Red Hat 7.0, and Cygwin 1.32), only those that use glibc's malloc() (i.e., Red Hat and Cygwin) are vulnerable. The test is trivial: write a short C program that mallocs a pointer and then frees it twice.
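The probe Chris describes (malloc one block, free it twice), as an added example that is not code from the thread: it runs the double free in a forked child with core dumps disabled and reports whether the local malloc() aborted the child or let it run to completion, so the parent survives either way. The function names (double_free_probe, run_in_child) and the result enum are mine, not anything from the list.

```c
/* Added example: classify how the C library's malloc() reacts to a double
 * free, by performing it in a child process and inspecting the exit status. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result {
    PROBE_ERROR = -1,     /* fork() or waitpid() failed */
    PROBE_CONTINUED = 0,  /* child ran to completion and exited 0 */
    PROBE_ABORTED = 1,    /* child was killed by a signal (SIGABRT, SIGSEGV, ...) */
    PROBE_EXITED_ERR = 2  /* child exited with a non-zero status */
};

/* Run fn() in a forked child with core dumps disabled and report how it ended. */
enum probe_result run_in_child(void (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        /* We only want the wait status, not a core file on disk. */
        struct rlimit rl = { 0, 0 };
        (void)setrlimit(RLIMIT_CORE, &rl);
        fn();
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return PROBE_ERROR;
    if (WIFSIGNALED(status))
        return PROBE_ABORTED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return PROBE_CONTINUED;
    return PROBE_EXITED_ERR;
}

/* Free through a volatile slot so the compiler cannot see both frees of the
 * same pointer statically and diagnose or rearrange the probe itself. */
static void release(void *volatile *slot)
{
    free(*slot);
}

/* The probe from the thread: allocate once, free the same pointer twice. */
static void double_free_body(void)
{
    void *volatile p = malloc(64);
    if (p == NULL)
        _exit(2);
    memset(p, 0x41, 64);
    release(&p);
    release(&p);   /* second free of the same block */
}

enum probe_result double_free_probe(void)
{
    return run_in_child(double_free_body);
}

/* Self-checks for the classifier: a child that exits cleanly and one that aborts. */
static void child_clean(void) { }
static void child_abort(void) { abort(); }
enum probe_result probe_self_test_clean(void) { return run_in_child(child_clean); }
enum probe_result probe_self_test_abort(void) { return run_in_child(child_abort); }

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_ABORTED:    return "allocator detected the double free and aborted the process";
    case PROBE_CONTINUED:  return "double free went unnoticed; the program kept running";
    case PROBE_EXITED_ERR: return "child exited with an error before the probe finished";
    default:               return "probe could not be run";
    }
}

int main(void)
{
    enum probe_result r = double_free_probe();
    printf("double-free probe: %s\n", describe(r));
    return r == PROBE_ERROR ? 1 : 0;
}
```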
If it dumps core, you're vulnerable.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Tue Apr 9 6: 1:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from koibito.iisc.com (koibito.iisc.com [198.5.5.5]) by hub.freebsd.org (Postfix) with ESMTP id 12E9037B427 for ; Tue, 9 Apr 2002 06:01:31 -0700 (PDT) Received: from koibito.iisc.com ([127.0.0.1]) by koibito.iisc.com (8.9.0/8.9.0) with ESMTP id JAA16280 for ; Tue, 9 Apr 2002 09:01:30 -0400 (EDT) Message-Id: <200204091301.JAA16280@koibito.iisc.com> To: freebsd-security@freebsd.org Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?" [cjc] In-Reply-To: Your message of "Mon, 08 Apr 2002 22:17:59 PDT." <20020408221759.A31507@blossom.cjclark.org> Date: Tue, 09 Apr 2002 09:01:29 -0400
From: "Charles M. Richmond"

> > Peter Leftwich wrote:
> > > prompt$ pkg_info | grep -i openssh
> Crist J. Clark wrote:
Then I shall rephrase:
Are you actually running the ssh(1) in /usr/local/bin/ssh or the old one in /usr/bin/ssh?

Isn't that a bit of a disconnect? pkg_info doesn't care which executable his $PATH points at, right?

***********************************************************************
* Charles Richmond Integrated International Systems Corporation *
* cmr@iisc.com cmr@acm.org cmr@shore.net http://www.iisc.com *
* UNIX Internals, I18N, L10N, X, Realtime Imaging, and Custom S/W *
* 131 Bishop's Forest Drive , Waltham , Ma. USA 02452 *
* (781) 647 2269 FAX (781) 647 3665 Cellular (781) 389 9777 *
***********************************************************************

From owner-freebsd-security Tue Apr 9 6: 2:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.gbronline.com (mail.gbronline.com [12.145.226.4]) by hub.freebsd.org (Postfix) with ESMTP id 0D09237B404 for ; Tue, 9 Apr 2002 06:02:45 -0700 (PDT) Received: from daleco [12.145.236.112] by mail.gbronline.com (SMTPD32-7.06) id A6333D0216; Tue, 09 Apr 2002 08:01:39 -0500 Message-ID: <002301c1dfc6$e21aa440$70ec910c@daleco>
From: "Kevin Kinsey, DaleCo, S.P." To: Subject: sshd warning---a lil' help? Date: Tue, 9 Apr 2002 08:03:02 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Apr 9 07:50:00 elisha sshd[34375]: warning: /etc/hosts.allow, line 23: can't verify hostname: getaddrinfo(gbrdialin, AF_INET$) Failed

This computer ---
a - has incorrect or NO reverse DNS ?
b - tried to authenticate via ssh login and succeeded?
c - tried to authenticate via ssh login and failed?
d - other

TIA,
Kevin Kinsey

From owner-freebsd-security Tue Apr 9 6:11:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from web11807.mail.yahoo.com (web11807.mail.yahoo.com [216.136.172.161]) by hub.freebsd.org (Postfix) with SMTP id 8112537B400 for ; Tue, 9 Apr 2002 06:11:22 -0700 (PDT) Message-ID: <20020409131122.2511.qmail@web11807.mail.yahoo.com> Received: from [64.73.64.94] by web11807.mail.yahoo.com via HTTP; Tue, 09 Apr 2002 06:11:22 PDT Date: Tue, 9 Apr 2002 06:11:22 -0700 (PDT)
From: X Philius Reply-To: xphilius@yahoo.com Subject: Re: zlib double-free security notification To: Peter Pentchev Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020409095832.A3374@straylight.oblivion.bg> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii

Peter,

Well, honestly, it is the "execute arbitrary code" warnings that I am really worried about. I run a web server for educational purposes more than anything else (i.e. there are no CC numbers or really anything else private on the whole machine). I want to make damn sure I don't get cracked and have my server used as a launch pad for some other nefarious task, but if someone crashes my ShoutCast server or Apache it's no big loss ;-)

Anyone know of any scripts in the wild that take advantage of this hole?

Jason

> "Simple DoS issues" might result in killing a server you do not want
> killed, thus (theoretically) denying access to important services
> and maybe the machine itself. In truth, right now I cannot remember
> if there were any such announced vulnerabilities that could result
> in killing off a whole service, but.. better safe than sorry, I'd
> say..
>
> G'luck,
> Peter
>
> --
> Peter Pentchev roam@ringlet.net roam@FreeBSD.org
> PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
> I am not the subject of this sentence.
From owner-freebsd-security Tue Apr 9 6:23:12 2002
Date: Tue, 9 Apr 2002 16:22:34 +0300
From: Peter Pentchev
To: "Charles M. Richmond"
Cc: freebsd-security@freebsd.org
Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?" [cjc]
Message-ID: <20020409162234.D352@straylight.oblivion.bg>
References: <20020408221759.A31507@blossom.cjclark.org> <200204091301.JAA16280@koibito.iisc.com>
In-Reply-To: <200204091301.JAA16280@koibito.iisc.com>; from cmr@iisc.com on Tue, Apr 09, 2002 at 09:01:29AM -0400

On Tue, Apr 09, 2002 at 09:01:29AM -0400, Charles M. Richmond wrote:
>
> > > Peter Leftwich wrote:
> > > > prompt$ pkg_info | grep -i openssh
>
> > Crist J. Clark wrote:
> Then I shall rephrase:
> Are you actually running the ssh(1) in /usr/local/bin/ssh or the old
> one in /usr/bin/ssh?
>
> Isn't that a bit of a disconnect? pkg_info doesn't care which
> executable his $PATH points at, right?

I believe the original poster mentioned pkg_info(1) output only as proof that he had actually installed the newer version of OpenSSH. Crist's question is directly related to the OP's original question - why, when he types 'ssh -V', the 'ssh' binary that is run reports version 2.9. Crist is asking whether the new ssh(1) binary, which is probably installed in /usr/local/bin/ssh, is the one that is actually run; there is another ssh(1) binary on the system, the one in /usr/bin/ssh, which is probably still at 2.something.
G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence is false.

From owner-freebsd-security Tue Apr 9 6:27:17 2002
Message-Id: <200204091327.JAA16382@koibito.iisc.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?" [cjc]
In-Reply-To: Your message of "Tue, 09 Apr 2002 16:22:34 +0300." <20020409162234.D352@straylight.oblivion.bg>
Date: Tue, 09 Apr 2002 09:27:12 -0400
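Peter Pentchev's point is that `pkg_info` proves a package is installed, not that the shell runs it: with the port in /usr/local/bin and the base-system binary in /usr/bin, `ssh -V` reports whichever comes first on $PATH. The script below is an added example, not code from the thread, that walks $PATH in search order, lists every executable of the given name, and prints the version string each one emits, marking the one a bare command name resolves to. It assumes only the `-V` flag, which OpenSSH `ssh` and `sshd` honour; pass a different flag as the second argument for other commands.

```shell
#!/bin/sh
# Added example, not part of the thread: list every executable named $1 on
# $PATH in the order the shell searches it, and show the version string
# each one prints, so that "ssh -V" output can be tied to the binary that
# actually runs. Only the PATH walk and the -V convention (which OpenSSH
# ssh and sshd honour) are assumed; nothing here is FreeBSD-specific.

# all_in_path NAME: print each executable NAME found on PATH, first hit first
all_in_path() {
    _name=$1
    _save_ifs=$IFS
    IFS=:
    for _dir in $PATH; do
        [ -n "$_dir" ] || _dir=.          # an empty PATH element means "."
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            printf '%s\n' "$_dir/$_name"
        fi
    done
    IFS=$_save_ifs
}

# version_of BINARY [FLAG]: first line the binary prints for its version
# flag (default -V); OpenSSH writes it to stderr, hence 2>&1
version_of() {
    "$1" "${2:--V}" 2>&1 | head -n 1
}

# report NAME [FLAG]: one line per candidate; the first is the one a bare
# NAME on the command line resolves to, the rest are shadowed by it
report() {
    _n=0
    all_in_path "$1" | while read -r _bin; do
        _n=$((_n + 1))
        if [ "$_n" -eq 1 ]; then _tag="<- runs as '$1'"; else _tag="shadowed"; fi
        printf '%-32s %-40s %s\n' "$_bin" "$(version_of "$_bin" "$2")" "$_tag"
    done
}
```

`report ssh` and `report sshd` answer Crist's question directly: if the line marked as the one that runs is the 2.9 binary in /usr/bin, either put /usr/local/bin ahead of it in $PATH or invoke the port's binary by full path, and do the same check for the daemon started from rc.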
From: "Charles M. Richmond"

> I believe the original poster mentioned pkg_info(1) output
> only as proof that he had actually installed the newer version
> of OpenSSH.

That makes a lot more sense. Thank you. I shouldn't have deleted all the old emails and I would have seen that. Mea culpa.

Charlie

From owner-freebsd-security Tue Apr 9 7:42:04 2002
Date: Tue, 9 Apr 2002 09:41:58 -0500
From: "Jacques A. Vidrine"
To: Benjamin Krueger
Cc: klik, "Douglas K. Rand", freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Message-ID: <20020409144158.GX19961@madman.nectar.cc>
References: <874riov1et.wl@delta.meridian-enviro.com> <002401c1ddf7$557e84a0$13ed7ad1@unstable.org> <20020406220150.C2867@rain.macguire.net>
In-Reply-To: <20020406220150.C2867@rain.macguire.net>

On Sat, Apr 06, 2002 at 10:01:50PM -0800, Benjamin Krueger wrote:
> > ----- Original Message -----
> > From: "Douglas K. Rand"
> > Sent: Saturday, April 06, 2002 6:43 PM
> > Subject: Centralized authentication
> >
> > > We have a few dozen FreeBSD workstations and servers and as their
> > > numbers increase managing users and groups via individual /etc/passwd
> > > and /etc/group files is getting more and more tiresome. We also have
> > > just a few Linux boxes.
> > >
> > > We aren't a huge site, everybody is in one building on the same
> > > network.
> > >
> > > I was wondering what other sites are using to solve this problem.
>
> I'd highly suggest the oft-little understood but incredibly deserving
> Kerberos. I truly believe that if it were better documented and understood by
> the masses of administrators out there, it would blow away current network
> authentication systems.

Yes, Kerberos does `blow away' many authentication systems. However, the poster's subject --- ``Centralized authentication'' --- doesn't really describe what he needs. In addition to authentication, he needs authorization and directory services, which Kerberos does not provide. i.e. there is no Kerberos mechanism with which to distribute the contents of /etc/passwd and /etc/group.

> Heck, Microsoft used it to totally revitalize their
> network authentication scheme to enormous benefit. Sadly, they then broke it
> for anyone who isn't them.

That's not really an accurate assessment of the situation.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se

From owner-freebsd-security Tue Apr 9 7:52:50 2002
Date: Tue, 9 Apr 2002 07:52:38 -0700 (PDT)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Centralized authentication
Message-ID: <20020409073815.Q26460-100000@roble.com>

Samuel Chow wrote:
> How about NIS? I use it at home with a total
> of two machines and one user.

I've used NIS with over 30,000 users, and administered 2 domains with over 2,500 users and experienced near zero problems. NIS+ may be a bit more difficult given its Kerberos roots but it is being used successfully in shops with hundreds of NIS+ accounts and hosts. Adminning Sun NIS servers and clients is neither difficult nor complicated even with NFS and automount. Not sure if the same is true for FreeBSD servers however.

The drawback to NIS is that it is not secure enough for many environments and does not support password aging.

The best tool for this job (directory services) IMO is LDAP. Over the past couple of years it has matched NIS for reliability and clearly is the future direction of the industry.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Tue Apr 9 7:57:17 2002
From: Darren Reed
Message-Id: <200204091457.AAA10164@caligula.anu.edu.au>
Subject: Re: Centralized authentication
To: nectar@FreeBSD.ORG (Jacques A. Vidrine)
Date: Wed, 10 Apr 2002 00:57:10 +1000 (Australia/ACT)
Cc: benjamin@macguire.net (Benjamin Krueger), klik@unstable.org (klik), rand@meridian-enviro.com (Douglas K. Rand), freebsd-security@FreeBSD.ORG
In-Reply-To: <20020409144158.GX19961@madman.nectar.cc> from "Jacques A. Vidrine" at Apr 09, 2002 09:41:58 AM

In some mail from Jacques A. Vidrine, sie said:
>
> Yes, Kerberos does `blow away' many authentication systems. However,
> the poster's subject --- ``Centralized authentication'' --- doesn't
> really describe what he needs. In addition to authentication, he
> needs authorization and directory services, which Kerberos does not
> provide. i.e. there is no Kerberos mechanism with which to distribute
> the contents of /etc/passwd and /etc/group.

You can use NIS for this or when someone gets around to writing an LDAP extension for nsswitch.conf, you could use that.

From owner-freebsd-security Tue Apr 9 8:01:13 2002
Message-ID: <20020409150109.97501.qmail@web11802.mail.yahoo.com>
Date: Tue, 9 Apr 2002 08:01:09 -0700 (PDT)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: zlib double-free security notification
To: Chris BeHanna, FreeBSD Security
In-Reply-To: <20020409085638.C5710-100000@topperwein.dyndns.org>

Chris,

Great, and thanks. This was the answer I was looking for. I don't have anything running under Linux emulation, so I'll probably just let it slide.

Jason

> Note that applications running under Linux emulation, however,
> could still be DoS'd, given that the GNU implementation of malloc()

From owner-freebsd-security Tue Apr 9 8:02:58 2002
From: Darren Reed
Message-Id: <200204091502.BAA10372@caligula.anu.edu.au>
Subject: Re: Centralized authentication
To: marquis@roble.com (Roger Marquis)
Date: Wed, 10 Apr 2002 01:02:44 +1000 (Australia/ACT)
Cc: security@FreeBSD.ORG
In-Reply-To: <20020409073815.Q26460-100000@roble.com> from "Roger Marquis" at Apr 09, 2002 07:52:38 AM

In some mail from Roger Marquis, sie said:
>
> Samuel Chow wrote:
> > How about NIS? I use it at home with a total
> > of two machines and one user.
>
> I've used NIS with over 30,000 users, and administered 2 domains
> with over 2,500 users and experienced near zero problems. NIS+
> may be a bit more difficult given its Kerberos roots but it is
> being used successfully in shops with hundreds of NIS+ accounts
> and hosts. Adminning Sun NIS servers and clients is neither
> difficult nor complicated even with NFS and automount. Not sure
> if the same is true for FreeBSD servers however.

Where I work, we have experience with a production NIS+ database of double the size you have for NIS. After many requests to Sun, we're given the impression that they know of nobody else using NIS+ to such a large scale (even to the 1000s or 10,000s).

NIS+ is secure, if you don't have to do NIS, but you must get all your procedures *correct*, especially when changing passwords, or you are "fucked".

Darren

p.s. sorry for the french, but I believe that sums it up perfectly.
From owner-freebsd-security Tue Apr 9 8:12:11 2002
Date: Tue, 9 Apr 2002 10:12:03 -0500
From: "Jacques A. Vidrine"
To: Barney Wolff
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Notice FreeBSD-SN-02:01
Message-ID: <20020409151202.GE19961@madman.nectar.cc>
References: <200204051512.g35FCOr11637@freefall.freebsd.org> <20020406143243.A8409@tp.databus.com>
In-Reply-To: <20020406143243.A8409@tp.databus.com>

On Sat, Apr 06, 2002 at 02:32:43PM -0500, Barney Wolff wrote:
> I don't understand the status of "Not yet fixed." The advisory says
> mod_ssl versions < 2.8.7 have the bug, while 2.8.8 is the port
> distfile as of 3/28/02. What am I missing?
>
> On Fri, Apr 05, 2002 at 07:12:24AM -0800, FreeBSD Security Advisories wrote:
> > +------------------------------------------------------------------------+
> > Port name: apache13-ssl, apache13-modssl
> > Affected: all versions of apache+ssl
> > all versions of apache+mod_ssl
> > Status: Not yet fixed.
> > Buffer overflows in SSL session cache handling.
> >

You aren't missing anything. The port was updated while the notice was undergoing review, and the new version was missed. Revisions to the security notice will follow as ports are fixed.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se

From owner-freebsd-security Tue Apr 9 8:15:21 2002
Message-ID: <20020409151514.54994.qmail@web11808.mail.yahoo.com>
Date: Tue, 9 Apr 2002 08:15:14 -0700 (PDT)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Verifying that a security patch has done it's thing...
To: freebsd-security@FreeBSD.ORG

Security Folks,

Background: I'm running 4.4 Release, which I built from source. I am pretty new to this whole concept, but comfortable enough in the CLI environment. I haven't ever written a scrap of C, but I can follow directions and run "make" like a champ ;-) I am just running a web server, with nothing too private on the entire box. My goal is to make the minimal changes to my system between major upgrades, so I am going to run the suggested patches from the security notices as needed between now and 5.0 release.

Questions: I just ran the patch to fix the OpenSSH issue from "Security Advisory FreeBSD-SA-02:13.openssh" on my development server.

1. How do I verify that the patch did what it was supposed to do? My understanding is that this will not update the version flag of OpenSSH, and so other than making sure that the patch and install etc. run without error, how do I make sure everything is cool?

2. The security notice did not really say what I needed to do to make sure that the new version of sshd was loaded into memory after the install. On my dev machine I just rebooted (the brute force method!) I'd rather not do the same on my prod machine. Can I run a "kill -1" on the process while logged in via SSH? My instincts tell me that would log me out. Do I need to be local on the machine and run a "kill -1", or do I have to actually stop sshd entirely and then restart it to load the new binary? Truth to tell, I can reboot my prod machine as well, but I am practicing for a day when my server is co-lo'ed elsewhere and not available for local log ins!

Thanks in advance!
Jason

From owner-freebsd-security Tue Apr 9 8:40:10 2002
Date: Tue, 9 Apr 2002 15:30:29 +0000
From: Bruce M Simpson
To: "Douglas K. Rand"
Cc: freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Message-ID: <20020409153029.B10593@spc.org>
References: <874riov1et.wl@delta.meridian-enviro.com>
In-Reply-To: <874riov1et.wl@delta.meridian-enviro.com>; from rand@meridian-enviro.com on Sat, Apr 06, 2002 at 05:43:22PM -0600

Douglas,

On Sat, Apr 06, 2002 at 05:43:22PM -0600, Douglas K. Rand wrote:
> We have a few dozen FreeBSD workstations and servers and as their
> numbers increase managing users and groups via individual /etc/passwd
> and /etc/group files is getting more and more tiresome. We also have
> just a few Linux boxes.
>
> We aren't a huge site, everybody is in one building on the same
> network.

Look into using an LDAP server with pam_ldap. At the moment, nss_ldap is not supported on FreeBSD. What pam_ldap will give you is a means of securely verifying a user's password, but unfortunately, nss_ldap is needed in order to replace the /etc/group and /etc/passwd files via the /etc/nsswitch.conf mechanism.

There is a workaround, which is to use NIS in a read-only, non-authenticating mode purely to deliver the passwd and group maps with ypldapd, which is a NIS-to-LDAP gateway. This is one alternative, if you're willing to live with the exposure of passwd/group file information being freely available as NIS maps; far more acceptable than relying entirely on NIS/NIS+.

There is an architectural problem in that updating FreeBSD to use nss_ldap requires that certain parts of the base system be rewritten to use dynamic linking, much like Solaris.
There are no firm plans to do this at this time, to the best of my knowledge.

BMS

From owner-freebsd-security Tue Apr 9 9:00:35 2002
Date: Tue, 9 Apr 2002 11:00:24 -0500
From: Will Andrews
To: Bruce M Simpson
Cc: "Douglas K. Rand", freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Message-ID: <20020409160024.GU75343@squall.waterspout.com>
References: <874riov1et.wl@delta.meridian-enviro.com> <20020409153029.B10593@spc.org>
In-Reply-To: <20020409153029.B10593@spc.org>

On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote:
> Look into using an LDAP server with pam_ldap. At the moment, nss_ldap is
> not supported on FreeBSD. What pam_ldap will give you is a means of securely
> verifying a user's password, but unfortunately, nss_ldap is needed in
> order to replace the /etc/group and /etc/passwd files via the
> /etc/nsswitch.conf mechanism.
>
> There is a workaround, which is to use NIS in a read-only, non-authenticating
> mode purely to deliver the passwd and group maps with ypldapd, which is
> a NIS-to-LDAP gateway. This is one alternative, if you're willing to live
> with the exposure of passwd/group file information being freely available
> as NIS maps; far more acceptable than relying entirely on NIS/NIS+.
>
> There is an architectural problem in that updating FreeBSD to use nss_ldap
> requires that certain parts of the base system be rewritten to use dynamic
> linking, much like Solaris. There are no firm plans to do this at this time,
> to the best of my knowledge.

You can also use my Perl script to regenerate the group and master.passwd files at will. See here:

http://csociety.org/projects/ldap/
http://cvsweb.csociety.org/ldap/

This script has been tested on FreeBSD, NetBSD, and OpenBSD.
Documentation is the script itself at the moment, due to lack of time. Perhaps some volunteer would be willing to write a manpage or something.

Regards,
--
wca

From owner-freebsd-security Tue Apr 9 9:03:36 2002
Date: Tue, 9 Apr 2002 11:03:32 -0500
From: Will Andrews
To: Will Andrews
Cc: Bruce M Simpson, "Douglas K. Rand", freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Message-ID: <20020409160331.GV75343@squall.waterspout.com>
In-Reply-To: <20020409160024.GU75343@squall.waterspout.com>

On Tue, Apr 09, 2002 at 11:00:24AM -0500, Will Andrews wrote:
> http://csociety.org/projects/ldap/

Sorry, that should be:

http://csociety.org/projects/ldap.html

Oops ;)
--
wca

From owner-freebsd-security Tue Apr 9 9:16:37 2002
Date: Tue, 9 Apr 2002 11:16:28 -0500
From: "Jacques A. Vidrine"
To: Bruce M Simpson
Cc: "Douglas K. Rand", freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Message-ID: <20020409161628.GK19961@madman.nectar.cc>
References: <874riov1et.wl@delta.meridian-enviro.com> <20020409153029.B10593@spc.org>
In-Reply-To: <20020409153029.B10593@spc.org>

On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote:
> What pam_ldap will give you is a means of securely
> verifying a user's password,

s/securely/insecurely/

unless you are using SSL to protect your LDAP connection, and you are verifying certificates. In which case your response time is probably not very nice.

However, the suggested approach can be modified in a useful fashion: use NIS+ for group, passwd files. Disable passwords in NIS+ (e.g. use `*' in the password field). Use Kerberos for authentication.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se

From owner-freebsd-security Tue Apr 9 9:23:54 2002
Date: Tue, 9 Apr 2002 11:23:41 -0500
From: "Jacques A. Vidrine"
To: X Philius
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Verifying that a security patch has done it's thing...
Message-ID: <20020409162341.GL19961@madman.nectar.cc>
References: <20020409151514.54994.qmail@web11808.mail.yahoo.com>
In-Reply-To: <20020409151514.54994.qmail@web11808.mail.yahoo.com>

On Tue, Apr 09, 2002 at 08:15:14AM -0700, X Philius wrote:
> 1. How do I verify that the patch did what it was supposed to do? My
> understanding is that this will not update the version flag of OpenSSH,
> and so other than making sure that the patch and install etc run
> without error, how do I make sure everything is cool?

There is nothing special to do to verify that the patch was installed. Either you applied the patch, recompiled, and reinstalled, or you didn't.

> 2. The security notice did not really say what I needed to do to make
> sure that the new version of sshd was loaded in to memory after the
> install.

Yes, that was an oversight that we hope to avoid in the future.

> On my dev machine I just rebooted (the brute force method!)
> I'd rather not do the same on my prod machine. Can I run a "kill -1" on
> the process while logged in via SSH? My instincts tell me that would
> log me out.

You can terminate the master SSH process without affecting your currently active SSH sessions. The PID of the master process is probably in /var/run/sshd.pid. You might also use `sockstat' to determine which process is listening --- look for the wildcard address `*:*' in the rightmost column.
> Do I need to be local on the machine and run a "kill -1",
> or do I have to actually stop sshd entirely and then restart it to load
> the new binary? Truth to tell, I can reboot my prod machine as well,
> but I am practicing for a day when my server is co-lo'ed elsewhere and
> not available for local log ins!

OpenSSH sshd responds to the HUP signal by exec'ing itself, so this should be sufficient.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Apr 9 9:24:00 2002
Date: Tue, 9 Apr 2002 16:14:11 +0000
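Jason's second question and Jacques Vidrine's answer amount to a short procedure: find the master sshd (pid file, or the process whose foreign address in `sockstat` is `*:*`), send it SIGHUP so it re-execs the freshly installed binary, and confirm that a listener is still there, all without losing the session you are typing in. The script below is an added example, not code from the thread, that does exactly that. It assumes the FreeBSD `sockstat -4l` column layout with `*:*` in the last column for listening sockets, sshd on port 22, and the conventional pid file /var/run/sshd.pid; the sample `sockstat` text used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: find the master sshd (the process
# that holds the listening socket) and re-exec it with SIGHUP so the newly
# installed binary is the one accepting connections, while the session you
# are typing in survives. Assumptions: FreeBSD sockstat(1) column layout
# (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS) with "*:*" in
# the last column for listeners, sshd on port 22, and the conventional pid
# file /var/run/sshd.pid.

# listener_pid SOCKSTAT_TEXT PORT: PID of the socket bound to *:PORT (or
# any local address ending in :PORT) whose foreign address is "*:*"
listener_pid() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 && $NF == "*:*" && $(NF-1) ~ (":" port "$") { print $3; exit }'
}

# master_pid: the pid file if present, otherwise the socket table
master_pid() {
    if [ -r /var/run/sshd.pid ]; then
        cat /var/run/sshd.pid
    else
        listener_pid "$(sockstat -4l)" 22
    fi
}

# hup_sshd: re-exec the listener and confirm something is still bound to
# :22 afterwards. A connected session is served by a separate child
# process, so it is not touched by the HUP. If the new binary cannot
# start (bad config, missing library) there will be no listener after the
# HUP and the function says so: keep the console reachable for that case.
hup_sshd() {
    _old=$(master_pid)
    if [ -z "$_old" ]; then
        echo "no sshd listener found" >&2
        return 1
    fi
    kill -HUP "$_old" || return 1
    sleep 1
    _new=$(listener_pid "$(sockstat -4l)" 22)
    if [ -z "$_new" ]; then
        echo "no listener on :22 after HUP; start sshd from the console" >&2
        return 1
    fi
    echo "sshd listener pid $_new (re-exec'd from $_old)"
}
```

Because the re-exec keeps the PID, the useful confirmation is not a new PID but that `sockstat -4l` still shows a `*:22` listener and that a fresh `ssh` connection from elsewhere succeeds; do that before closing the session you ran `hup_sshd` from. Where the installed sshd supports it, `sshd -t` beforehand catches a configuration the new binary would reject, which is the one way this procedure can leave a remote box with no listener.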
From: Bruce M Simpson
To: "Jacques A. Vidrine", "Douglas K. Rand", freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Message-ID: <20020409161410.D10593@spc.org>
References: <874riov1et.wl@delta.meridian-enviro.com> <20020409153029.B10593@spc.org> <20020409161628.GK19961@madman.nectar.cc>
In-Reply-To: <20020409161628.GK19961@madman.nectar.cc>

On Tue, Apr 09, 2002 at 11:16:28AM -0500, Jacques A. Vidrine wrote:
> On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote:
> > What pam_ldap will give you is a means of securely
> > verifying a user's password,
>
> s/securely/insecurely/
>
> unless you are using SSL to protect your LDAP connection, and you are
> verifying certificates. In which case your response time is probably
> not very nice.

Correct - anyone who sets up pam_ldap without either using a local ldapi:///
or ldaps:// transport across a network is asking for trouble. Much like the
chap who believed that VLANs and switches were going to make casual sniffing
a thing of the past.

> However, the suggested approach can be modified in a useful fashion:
> use NIS+ for group, passwd files. Disable passwords in NIS+ (e.g. use
> `*' in the password field). Use Kerberos for authentication.

Kerberos is extremely nice to have, but might be overkill for very small sites.
BMS

From owner-freebsd-security Tue Apr 9 9:41:22 2002
Message-Id: <200204091538.g39FcN1T009086@Magelan.Leidinger.net>
Date: Tue, 9 Apr 2002 17:38:23 +0200 (CEST)
From: Alexander Leidinger
Subject: Re: Verifying that a security patch has done it's thing...
To: xphilius@yahoo.com
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020409151514.54994.qmail@web11808.mail.yahoo.com>

On 9 Apr, X Philius wrote:
> Questions:
> I just ran the patch to fix the OpenSSH issue from "Security Advisory
> FreeBSD-SA-02:13.openssh " on my development server.
>
> 1. How do I verify that the patch did what it was supposed to do? My
> understanding is that this will not update the version flag of OpenSSH,
> and so other than making sure that the patch and install etc run
> without error, how do I make sure everything is cool?

Someone posted a program to bugtraq which tries to attack the flaw in
question.

> 2. The security notice did not really say what I needed to do to make
> sure that the new version of sshd was loaded in to memory after the
> install. On my dev machine I just rebooted (the brute force method!)
> I'd rather not do the same on my prod machine. Can I run a "kill -1" on
> the process while logged in via SSH? My instincts tell me that would
> log me out. Do I need to be local on the machine and run a "kill -1",
> or do I have to actually stop sshd entirely and then restart it to load
> the new binary? Truth to tell, I can reboot my prod machine as well,
> but I am practicing for a day when my server is co-lo'ed elsewhere and
> not available for local log ins!

Only kill the master which is listening for new connections:

    (102) netchild@ttyp0 > ps auxww | grep ssh
    netchild  9068  0.0  0.5 1096  588  p0  S+    5:35PM 0:00.00 grep ssh
    root       164  0.0  1.0 2296 1316  ??  Ss   Sun04PM 0:02.01 /usr/sbin/sshd
    root      8837  0.0  1.4 2412 1736  ??  S     4:35PM 0:00.46 sshd: netchild@notty (sshd)
    root      9059  0.5  1.4 2396 1732  ??  S     5:34PM 0:00.16 sshd: netchild@ttyp0 (sshd)

Here the process with the PID 164 has to get killed ("kill 164" is enough),
then restart sshd ("sshd" should be enough). Then check if you are still
able to log in (don't close your existing connection). If you are, close
every other ssh connection (either by logging out or by killing the process).

Bye,
Alexander.
--
To boldly go where I surely don't belong.
http://www.Leidinger.net Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7

From owner-freebsd-security Tue Apr 9 9:52:45 2002
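Picking the listener out of a ps listing like the one above mechanically, and cross-checking it against the /var/run/sshd.pid file Jacques mentioned before signalling, as an added example that is not code from the thread. SAMPLE_PS is constructed to mirror Alexander's "ps auxww | grep ssh" output; the pidfile path and the HUP behaviour are the ones described in the thread.

```python
"""Tell the listening sshd "master" apart from its per-session children so
that only the master gets SIGHUP (it re-execs itself and picks up the new
binary; the children, one per connection, keep running)."""
import os
import re
import signal
import subprocess

# Constructed sample, modelled on Alexander's listing (no header because
# the output was filtered through grep).
SAMPLE_PS = """\
netchild  9068  0.0  0.5 1096  588  p0  S+    5:35PM 0:00.00 grep ssh
root       164  0.0  1.0 2296 1316  ??  Ss   Sun04PM 0:02.01 /usr/sbin/sshd
root      8837  0.0  1.4 2412 1736  ??  S     4:35PM 0:00.46 sshd: netchild@notty (sshd)
root      9059  0.5  1.4 2396 1732  ??  S     5:34PM 0:00.16 sshd: netchild@ttyp0 (sshd)
"""

# Matches the sshd binary (with or without a path, with or without
# arguments) and the rewritten titles of session children ("sshd: ...").
SSHD_CMD_RE = re.compile(r'(?:\S*/)?sshd(?:[\s:]|$)')


def sshd_processes(ps_text):
    """Yield (pid, command) for every sshd process in 'ps auxww' output.
    The first ten columns are fixed; everything after them is the command."""
    for line in ps_text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[1].isdigit():
            continue  # header line (when ps was run without grep) or junk
        pid, command = int(fields[1]), fields[10]
        if SSHD_CMD_RE.match(command):
            yield pid, command


def master_candidates(ps_text):
    """PIDs whose command is the sshd binary itself.  Session children
    rewrite their title to 'sshd: user@tty (sshd)' and are left out."""
    return [pid for pid, cmd in sshd_processes(ps_text)
            if not cmd.startswith('sshd:')]


def find_sshd_master(ps_text):
    """Return the one listener PID, or raise if ps is ambiguous."""
    masters = master_candidates(ps_text)
    if len(masters) != 1:
        raise RuntimeError('expected exactly one sshd master, found %r' % masters)
    return masters[0]


def sshd_master_pid(pidfile='/var/run/sshd.pid'):
    """Cross-check the pidfile against ps and refuse if they disagree,
    rather than risk signalling a session process."""
    with open(pidfile) as fh:
        from_file = int(fh.read().strip())
    ps_text = subprocess.run(['ps', 'auxww'], capture_output=True,
                             text=True, check=True).stdout
    from_ps = find_sshd_master(ps_text)
    if from_file != from_ps:
        raise RuntimeError('%s says %d but ps says %d; not signalling'
                           % (pidfile, from_file, from_ps))
    return from_file


def hup_sshd_master(pidfile='/var/run/sshd.pid'):
    """Send SIGHUP to the verified master and return its PID.  Afterwards,
    open a second login to confirm sshd still accepts connections before
    closing the session you are already in."""
    pid = sshd_master_pid(pidfile)
    os.kill(pid, signal.SIGHUP)
    return pid


if __name__ == '__main__':
    print('master in sample listing:', find_sshd_master(SAMPLE_PS))
```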
From: Darren Reed
Message-Id: <200204091652.CAA16233@caligula.anu.edu.au>
Subject: Re: Centralized authentication
To: nectar@FreeBSD.ORG (Jacques A. Vidrine)
Date: Wed, 10 Apr 2002 02:52:39 +1000 (Australia/ACT)
Cc: bms@spc.org (Bruce M Simpson), rand@meridian-enviro.com (Douglas K. Rand), freebsd-security@FreeBSD.ORG
In-Reply-To: <20020409161628.GK19961@madman.nectar.cc>

In some mail from Jacques A. Vidrine, sie said:
>
> On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote:
> > What pam_ldap will give you is a means of securely
> > verifying a user's password,
>
> s/securely/insecurely/
>
> unless you are using SSL to protect your LDAP connection, and you are
> verifying certificates. In which case your response time is probably
> not very nice.
>
> However, the suggested approach can be modified in a useful fashion:
> use NIS+ for group, passwd files. Disable passwords in NIS+ (e.g. use
> `*' in the password field). Use Kerberos for authentication.

By default, there is also a shadow map with NIS+ (or at least Solaris has
one). You also have access rights, per field, per row, and more than just
owner, group, other with read/write/execute (unix file permissions). The only
time NIS+ is at risk is when you run it with NIS compatibility enabled. NIS+
is secure, is very easy to shoot yourself in the foot with and is also quite
complex.
From owner-freebsd-security Tue Apr 9 10:18:22 2002
Message-ID: <20020409171817.52900.qmail@web11806.mail.yahoo.com>
Date: Tue, 9 Apr 2002 10:18:17 -0700 (PDT)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Verifying that a security patch has done it's thing...
To: "Jacques A. Vidrine"
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020409162341.GL19961@madman.nectar.cc>

Jacques,

Thanks so much for your rapid reply. One would hope to get such excellent
service from paid, commercial software! An excellent example of open source
software at its finest! More below..

Jason

> There is nothing special to do to verify that the patch was
> installed.
> Either you applied the patch, recompiled, and reinstalled, or you
> didn't.

Great. That is clear enough. I suppose the practice of using 'script' to
capture the output of the patch, make and install process and looking it
over for errors will be sufficient to satisfy my anal retentive
tendencies ;-)

>
> > 2. The security notice did not really say what I needed to do to
> > make
> > sure that the new version of sshd was loaded in to memory after the
> > install.
>
> Yes, that was an oversight that we hope to avoid in the future.

Wow. You guys are great. The security notifications in general are very
clear. As I said, I pretty much followed the instructions by rote, never
having run a patch on my source before, and it worked just fine.

> You can terminate the master SSH process without affecting your
> currently active SSH sessions. The PID of the master process is
> probably in /var/run/sshd.pid. You might also use `sockstat' to
> determine which process is listening --- look for the wildcard
> address
> `*:*' in the rightmost column.
>

Wonderful. I assume I can find the PID by running ps -x as well, correct?
It would be the process ID for /usr/sbin/sshd...

Thanks again for your diligence.
Jason

From owner-freebsd-security Tue Apr 9 10:22: 5 2002
Date: Tue, 9 Apr 2002 12:21:27 -0500
From: "Jacques A. Vidrine"
To: X Philius
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Verifying that a security patch has done it's thing...
Message-ID: <20020409172127.GN19961@madman.nectar.cc>
References: <20020409162341.GL19961@madman.nectar.cc> <20020409171817.52900.qmail@web11806.mail.yahoo.com>
In-Reply-To: <20020409171817.52900.qmail@web11806.mail.yahoo.com>

On Tue, Apr 09, 2002 at 10:18:17AM -0700, X Philius wrote:
[deletia ... thanks for the kind words!]
> I assume I can find the PID by running ps -x as well,
> correct? It would be the process ID for /usr/sbin/sshd...

Well, there will be more than one instance of sshd: the master, plus one for
every active SSH connection. You don't want to shoot the wrong process,
especially if SSH is your primary or only means of accessing the box. :-)

Cheers,
--
Jacques A. Vidrine
http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Apr 9 10:29: 4 2002
Date: Wed, 10 Apr 2002 05:28:58 +1200 (NZST)
From: Andrew McNaughton
To: "Jacques A. Vidrine"
Cc: X Philius ,
Subject: Re: Verifying that a security patch has done it's thing...
In-Reply-To: <20020409172127.GN19961@madman.nectar.cc>
Message-ID: <20020410052724.H12945-100000@a2>

On Tue, 9 Apr 2002, Jacques A. Vidrine wrote:
> On Tue, Apr 09, 2002 at 10:18:17AM -0700, X Philius wrote:
> [deletia ... thanks for the kind words!]
>
> > I assume I can find the PID by running ps -x as well,
> > correct? It would be the process ID for /usr/sbin/sshd...
>
> Well, there will be more than one instance of sshd: the master, plus
> one for every active SSH connection. You don't want to shoot the
> wrong process, especially if SSH is your primary or only means of
> accessing the box. :-)

In which case you might be well advised to have a cron job which checks on
it every so often and attempts to restart if it dies. No help if the server
won't start though.

From owner-freebsd-security Tue Apr 9 11:12:45 2002
Message-ID: <20020409181241.60735.qmail@web11806.mail.yahoo.com>
Date: Tue, 9 Apr 2002 11:12:41 -0700 (PDT)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Verifying that a security patch has done it's thing...
To: "Jacques A. Vidrine", andrew@scoop.co.nz
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020409172127.GN19961@madman.nectar.cc>

Jacques and Andrew,

Understood. I'll look at /var/run/sshd.pid. I do in fact have physical
access to the box at this point, but I'm always honing my skills for the
future prospect of maintaining a remote machine.

Jason

> Well, there will be more than one instance of sshd: the master, plus
> one for every active SSH connection. You don't want to shoot the
> wrong process, especially if SSH is your primary or only means of
> accessing the box. :-)
>
> Cheers,
> --
> Jacques A. Vidrine
> http://www.nectar.cc/
> NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
> jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Apr 9 12:23:20 2002
To: freebsd-security@FreeBSD.ORG
Subject: Re: Centralized authentication
References: <874riov1et.wl@delta.meridian-enviro.com>
From: rand@meridian-enviro.com (Douglas K. Rand)
Date: 09 Apr 2002 14:23:09 -0500
In-Reply-To: <874riov1et.wl@delta.meridian-enviro.com> ("Douglas K. Rand"'s message of "Sat, 06 Apr 2002 17:43:22 -0600")
Message-ID: <87d6x8smle.fsf@delta.meridian-enviro.com>

First, I'm sorry I disappeared for a few days; this has been a great
discussion.

Jacques Vidrine is right: the subject doesn't really describe what I need.
In addition to authentication I also want centralized distribution of
/etc/passwd (uid, gid, home, shell) and /etc/group.

A few people suggested NIS+. Virtually all of our boxes are FreeBSD, and the
ones that aren't FreeBSD we wish they were. :) Can I run an NIS+ server on
FreeBSD? I poked around the handbook and the searches for FreeBSD and NIS+
didn't return anything that led me to believe that NIS+ support was ready,
or even there. But it also sounds like I should pick NIS over NIS+ unless I
/really/ need the NIS+ features.

I think Pieter Danhieux was the first to suggest using NIS for everything
EXCEPT the encrypted passwords, an approach that I had never considered
before. After a little thought on this I find myself liking this idea. I
could use NIS to distribute the (relatively) insensitive information,
everything in /etc/passwd and /etc/group, and also the login class, password
change time, and account expiration time from /etc/master.passwd, setting
the encrypted password to "*". Then I can use PAM modules for
authentication. (What my subject said but not quite what I meant. :))

Here are the PAM modules that I know about and that I'd consider:

  o pam_radius
  o pam_ldap
  o pam_ssh

I'm going to group pam_radius and pam_ldap together simply because I don't
know very much about either server. My very limited understanding leads me
to believe that a Radius server is easier to set up and get working than an
LDAP server. I also understand that unless you go through a fair amount of
pain, secure communications between the client and the LDAP server is
difficult.

I have a few questions about these PAM modules:

  o How secure is the client-server communications with a Radius server?
  o Can a user on a client change the password on either the Radius or LDAP
    server, either with the passwd command or some other command?

What about the pam_ssh module? Is it reasonable to allow users to
authenticate off their own SSH key, or should the authentication be done via
some other mechanism and then just use the session part of pam_ssh? I've
played around with pam_ssh and xdm/wdm and I really like having ssh-agent
automatically started and your keys added.

I want to thank everybody for their responses.

From owner-freebsd-security Tue Apr 9 12:59:47 2002
Date: Tue, 9 Apr 2002 12:59:24 -0700
From: Scott Lampert
To: freebsd-security@FreeBSD.org
Cc: freebsd-net@FreeBSD.org
Subject: IPFW bridges and, woe is me, ftp
Message-Id: <20020409125924.365286ca.scott@lampert.org>

(If this shouldn't be on -net please accept my apologies. It seemed all the
networking gurus are there and this sort of overlaps onto that subject.)

I have a 4.5 release box that is acting as a bridging firewall with ipfw for
an internet connected network and I'm having some issues with ftp (as
usual). This network is NOT nat routed; the network has a real IP block.
Using keep-state and tcp established rules the best I can come up with is to
allow active ftp in and passive ftp out with the following three rules:

    add check-state
    add pass tcp from any to any established
    add pass tcp from any to ${ftphost} 21 in via ${OIF} setup keep-state

All internal hosts can initiate connections to outside hosts at will. This
sort of leaves anyone who needs to ftp into this network from behind their
own firewall with a passive connection totally out of luck. The only
functional solution to handle incoming passive connections seems to be to
open up a range of ports which I'd prefer not to do for obvious reasons.

I'd love to ditch ipfw and use ipfilter but that is not supported for
bridging with FreeBSD unfortunately. OpenBSD is not an option on this box
either as it has an old mylex raid controller that is unsupported by that
OS.
A quick scan of the archives seems to only address the issue with nat
firewalls using natd and divert sockets. On that note, I had a quick look
through the natd man page to see if I could set it up to just look at ftp
connections and not actually do any network translations. Basically I just
want it for its punchfw functionality and just for ftp connections. Is this
even possible? I'm going to experiment with this today and I was hoping that
someone might be able to give me a little guidance to save me some time and
possibly fruitless efforts. If there are alternative and/or better ways of
doing this I'd love to hear from someone.

I know Crist J. Clark had an unofficial and unsupported patch to make
ipfilter work with bridging on 4.x, but I'd prefer not to become dependent
on something that won't be official until 5.0 comes out if I can avoid it.

Thanks!

-Scott
--
Scott Lampert
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety." -Benjamin Franklin, 1759
Public Key: http://www.lampert.org/lampert.key

From owner-freebsd-security Tue Apr 9 13:16:39 2002
Date: Tue, 9 Apr 2002 23:16:21 +0300 (EEST)
From: Dmitry Pryanishnikov
Subject: Re: zlib double-free security notification
In-Reply-To: <20020409040344.36061.qmail@web11802.mail.yahoo.com.lucky.freebsd.security>

Hello!

On Tue, 9 Apr 2002, X Philius wrote:
> Security Folks,
> Are there any exploits out there that take advantage of this hole? I am
> running 4.4 Release, and have been watching the security notifications
> list for patches that I *really* need to run. So, if I want to keep
> things as simple as possible, would you recommend patching to fix this
> issue? If it is just a matter of possible DOS issues, versus actual
> known exploits, I'll probably skip it.

If you don't want to break the functionality of /sys/net/zlib.c, don't
apply the patch proposed by FreeBSD-SA-02:18.zlib - it will crash your
patched kernel if you try to use pppd with deflate compression enabled (at
least I got a kernel panic almost immediately during an experiment on a
patched 4.5-RELEASE). The bug has been fixed in all security branches
(RELENG_4_5 etc.), but the security advisory still points to a buggy patch.
Better fetch the correct version of this file from the CVS repository.
Beware of it!
Sincerely,
Dmitry
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE

From owner-freebsd-security Tue Apr 9 13:19:32 2002
Date: Tue, 9 Apr 2002 13:19:35 -0700
From: faSty
To: Darren Reed
Cc: freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Message-ID: <20020409131935.C20549@i-sphere.com>
References: <20020409073815.Q26460-100000@roble.com> <200204091502.BAA10372@caligula.anu.edu.au>
In-Reply-To: <200204091502.BAA10372@caligula.anu.edu.au>

I don't see any NIS or NIS+ in the handbook. I tried to set up NIS+ and I
am not experienced with this feature. Can anyone point me to the HOWTO for
NIS or NIS+?

-trev

On Wed, Apr 10, 2002 at 01:02:44AM +1000, Darren Reed wrote:
> In some mail from Roger Marquis, sie said:
> >
> > Samuel Chow wrote:
> > > How about NIS? I use it at home with a total
> > > of two machines and one users.
> >
> > I've used NIS with over 30,000 users, and administered 2 domains
> > with over 2,500 users and experienced near zero problems. NIS+
> > may be a bit more difficult given its Kerberos roots but it is
> > being used successfully in shops with hundreds of NIS+ accounts
> > and hosts. Adminning Sun NIS servers and clients is neither
> > difficult nor complicated even with NFS and automount. Not sure
> > if the same is true for FreeBSD servers however.
>
> Where I work, we have experience with a production NIS+ database of
> double the size you have for NIS. After many requests to Sun, we're
> given the impression that they know of nobody else using NIS+ to such
> a large scale (even to the 1000s or 10,0000s). NIS+ is secure, if you
> don't have to do NIS, but you must get all your procedures *correct*,
> especially when changing passwords, or you are "fucked".
>
> Darren
> p.s.
> sorry for the french, but I believe that sums it up perfectly.

--
Equal bytes for women.

From owner-freebsd-security Tue Apr 9 13:24:39 2002
Date: Tue, 9 Apr 2002 13:24:10 -0700 (PDT)
From: David Wolfskill
Message-Id: <200204092024.g39KOA6B053936@bunrab.catwhisker.org>
To: avalon@coombs.anu.edu.au, fasty@i-sphere.com
Subject: Re: Centralized authentication
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020409131935.C20549@i-sphere.com>

>Date: Tue, 9 Apr 2002 13:19:35 -0700
>From: faSty
>I dont see any NIS or NIS+ on handbook. I tried setup the NIS+
>and I am not experience with these feature. anyone can point
>where the HOWTO NIS or NIS+?

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/nis.html

Cheers,
david
(links to my resume at http://www.catwhisker.org/~david)
--
David H. Wolfskill                              david@catwhisker.org
Based on my experience as a computing professional, I consider the use of
Microsoft products as components of computing systems to be just as
advisable as using green wood to frame a house... and expect similar results.

From owner-freebsd-security Tue Apr 9 13:34:21 2002
Date: Tue, 9 Apr 2002 13:34:29 -0700
From: faSty
To: David Wolfskill
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Centralized authentication
Message-ID: <20020409133428.A24516@i-sphere.com>
References: <20020409131935.C20549@i-sphere.com> <200204092024.g39KOA6B053936@bunrab.catwhisker.org>
In-Reply-To: <200204092024.g39KOA6B053936@bunrab.catwhisker.org>

thanks david

-trev

On Tue, Apr 09, 2002 at 01:24:10PM -0700, David Wolfskill wrote:
> >Date: Tue, 9 Apr 2002 13:19:35 -0700
> >From: faSty
> >I dont see any NIS or NIS+ on handbook. I tried setup the NIS+
> >and I am not experience with these feature. anyone can point
> >where the HOWTO NIS or NIS+?
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/nis.html
>
> Cheers,
> david
> (links to my resume at http://www.catwhisker.org/~david)
> --
> David H. Wolfskill                              david@catwhisker.org
> Based on my experience as a computing professional, I consider the use of
> Microsoft products as components of computing systems to be just as
> advisable as using green wood to frame a house... and expect similar results.

--
FLASH! Intelligence of mankind decreasing. Details at ... uh, when the
little hand is on the ....

From owner-freebsd-security Tue Apr 9 14:37:35 2002
Subject: subscribe
To: freebsd-security@freebsd.org
From: Saul_D_Rosenberg@Keane.com Date: Tue, 9 Apr 2002 16:37:30 -0500 X-MIMETrack: Serialize by Router on SMTP3/Keane(Release 5.0.7 |March 21, 2001) at 04/09/2002 05:37:33 PM MIME-Version: 1.0 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 9 15:50:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 74C5A37B400 for ; Tue, 9 Apr 2002 15:50:50 -0700 (PDT) Received: (qmail 17518 invoked by uid 1001); 9 Apr 2002 22:50:49 -0000 Date: Tue, 9 Apr 2002 18:50:49 -0400 
From: "Peter C. Lai"
To: "Kevin Kinsey, DaleCo, S.P."
Cc: security@freebsd.org
Subject: Re: sshd warning---a lil' help?
Message-ID: <20020409185049.A17491@cowbert.2y.net>
References: <002301c1dfc6$e21aa440$70ec910c@daleco>
In-Reply-To: <002301c1dfc6$e21aa440$70ec910c@daleco>; from kdk@daleco.biz on Tue, Apr 09, 2002 at 08:03:02AM -0500

a is true. the message is coming from hosts.allow, which checks for rdns as
a (weak) signal of spoofed packets. You can deny these connections by
turning on:

ALL : PARANOID : RFC931 20 : deny
# Provide some protection against clients using a forged source IP address

b would have sshd report "password" or keypair "accepted for username".

c would have shown that user being rejected

consequently, we don't know from what you've given us
if someone logged in successfully to sshd running with pid 34375
at that time :)

On Tue, Apr 09, 2002 at 08:03:02AM -0500, Kevin Kinsey, DaleCo, S.P. wrote:
> Apr 9 07:50:00 elisha sshd[34375]: warning: /etc/hosts.allow, line 23:
> can't verify hostname: getaddrinfo(gbrdialin, AF_INET$) Failed
>
> This computer ---
>
> a - has incorrect or NO reverse DNS ?
> b - tried to authenticate via ssh login and succeeded?
> c - tried to authenticate via ssh login and failed?
> d - other
>
> TIA, Kevin Kinsey

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room)
860.486.1899 (Lab)
203.206.3784 (Cellphone)

From owner-freebsd-security Tue Apr 9 20:58:26 2002
Date: Tue, 9 Apr 2002 23:58:12 -0400 (EDT)
From: Chris BeHanna
To: FreeBSD Security
Subject: Re: Centralized authentication
In-Reply-To: <200204091457.AAA10164@caligula.anu.edu.au>
Message-ID: <20020409235703.N7872-100000@topperwein.dyndns.org>

On Wed, 10 Apr 2002, Darren Reed wrote:
> In some mail from Jacques A. Vidrine, sie said:
> >
> > Yes, Kerberos does `blow away' many authentication systems. However,
> > the poster's subject --- ``Centralized authentication'' --- doesn't
> > really describe what he needs. In addition to authentication, he
> > needs authorization and directory services, which Kerberos does not
> > provide. i.e. there is no Kerberos mechanism with which to distribute
> > the contents of /etc/passwd and /etc/group.
>
> You can use NIS for this or when someone gets around to writing an
> LDAP extension for nsswitch.conf, you could use that.

Does FreeBSD support NIS+? In my digging in the FM, it appears that it
does not. It'd be great if it did. (Then, all I'd need is for Sun to
get on the ball and support MD5 passwords.)

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
From owner-freebsd-security Tue Apr 9 23:35:22 2002
Date: Wed, 10 Apr 2002 02:35:16 -0400 (EDT)
From: Peter Leftwich
Cc: FreeBSD Questions , FreeBSD Security
Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?" [cjc]
In-Reply-To: <20020408221759.A31507@blossom.cjclark.org>
Message-ID: <20020410023018.I25097-100000@earl-grey.cloud9.net>

On Mon, 8 Apr 2002, Crist J. Clark wrote:
[snip]
> PL> My question was regarding ssh, not sshd.
> Then I shall rephrase: Are you actually running the ssh(1) in /usr/local/bin/ssh or the old one in /usr/bin/ssh?
> Crist J. Clark | cjclark@alum.mit.edu,cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org

I apologize for being snippy, if I seemed so. You alone fixed my woes!!! :)

# ssh -V
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
# which ssh
/usr/bin/ssh
# /usr/local/bin/ssh -V
OpenSSH_3.0.2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
# mv /usr/bin/ssh /usr/bin/ssh_2.9_old_dont_use
# ln -s /usr/local/bin/ssh /usr/bin/ssh

I guess that last line isn't really necessary if I adjust my $PATH, huh?

--
Peter Leftwich
President & Founder
Video2Video Services
Box 13692, La Jolla, CA, 92039 USA
+1-413-403-9555

From owner-freebsd-security Tue Apr 9 23:42:32 2002
Date: Tue, 9 Apr 2002 23:42:11 -0700
From: "Crist J. Clark"
To: Peter Leftwich
Cc: FreeBSD Questions , FreeBSD Security
Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?" [cjc]
Message-ID: <20020409234211.D34659@blossom.cjclark.org>
References: <20020408221759.A31507@blossom.cjclark.org> <20020410023018.I25097-100000@earl-grey.cloud9.net>
In-Reply-To: <20020410023018.I25097-100000@earl-grey.cloud9.net>; from Hostmaster@Video2Video.Com on Wed, Apr 10, 2002 at 02:35:16AM -0400

On Wed, Apr 10, 2002 at 02:35:16AM -0400, Peter Leftwich wrote:
> On Mon, 8 Apr 2002, Crist J. Clark wrote:
> [snip]
> > PL> My question was regarding ssh, not sshd.
> > Then I shall rephrase: Are you actually running the ssh(1) in /usr/local/bin/ssh or the old one in /usr/bin/ssh?
> > Crist J. Clark | cjclark@alum.mit.edu,cjclark@jhu.edu
> > http://people.freebsd.org/~cjc/ | cjc@freebsd.org
>
> I apologize for being snippy, if I seemed so. You alone fixed my woes!!! :)
>
> # ssh -V
> OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> # which ssh
> /usr/bin/ssh
> # /usr/local/bin/ssh -V
> OpenSSH_3.0.2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> # mv /usr/bin/ssh /usr/bin/ssh_2.9_old_dont_use
> # ln -s /usr/local/bin/ssh /usr/bin/ssh
>
> I guess that last line isn't really necessary if I adjust my $PATH, huh?

Probably, the "cleanest" thing to do is define a shell alias (assuming
you use a shell that supports them),

$ alias ssh /usr/local/bin/ssh

Would be the csh(1)-ish way to do it.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Tue Apr 9 23:59:12 2002
Date: Wed, 10 Apr 2002 09:58:51 +0300
From: Peter Pentchev
To: Andrew McNaughton
Cc: "Jacques A. Vidrine" , X Philius , freebsd-security@FreeBSD.ORG
Subject: Re: Verifying that a security patch has done it's thing...
Message-ID: <20020410095851.C347@straylight.oblivion.bg>
References: <20020409172127.GN19961@madman.nectar.cc> <20020410052724.H12945-100000@a2>
In-Reply-To: <20020410052724.H12945-100000@a2>; from andrew@scoop.co.nz on Wed, Apr 10, 2002 at 05:28:58AM +1200

On Wed, Apr 10, 2002 at 05:28:58AM +1200, Andrew McNaughton wrote:
>
>
> On Tue, 9 Apr 2002, Jacques A. Vidrine wrote:
>
> > On Tue, Apr 09, 2002 at 10:18:17AM -0700, X Philius wrote:
> > [deletia ... thanks for the kind words!]
> >
> > > I assume I can find the PID by running ps -x as well,
> > > correct? It would be the process ID for /usr/sbin/sshd...
> >
> > Well, there will be more than one instance of sshd: the master, plus
> > one for every active SSH connection. You don't want to shoot the
> > wrong process, especially if SSH is your primary or only means of
> > accessing the box. :-)
>
> In which case you might be well advised to have a cron job which checks on
> it every so often and attempts to restart if it dies. No help if the
> server won't start though

Or (dons asbestos suit) daemontools's supervise(1) in combination with
the sshd(8)'s -D flag.

G'luck,
Peter
--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence is false.

From owner-freebsd-security Tue Apr 9 23:59:28 2002
Message-ID: <004b01c1e05d$419d6920$15ec910c@daleco>
From: "Kevin Kinsey, DaleCo, S.P."
References: <002301c1dfc6$e21aa440$70ec910c@daleco> <20020409185049.A17491@cowbert.2y.net>
Subject: Re: sshd warning---a lil' help?
Date: Wed, 10 Apr 2002 01:59:24 -0500

Thanks to all 3 of you and esp. Mr. Lai......

I had always been fairly sure of 'a' ... but was hoping 'c' to also be the
case until today when a situation arose that prompted the post. The login
attempt entry I quoted was a successful one from a trusted machine. Made me
wonder if any of the other ones I'd seen in the past from unknown
locations/networks might have also authenticated. As of yet, no signs of
intrusion .... but my security skills are still in the 'growing' stage.

KDK

----- Original Message -----
From: "Peter C. Lai"
To: "Kevin Kinsey, DaleCo, S.P."
Sent: Tuesday, April 09, 2002 5:50 PM
Subject: Re: sshd warning---a lil' help?

> a is true. the message is coming from hosts.allow, which checks for rdns as
> a (weak) signal of spoofed packets. You can deny these connections by
> turning on:
>
> ALL : PARANOID : RFC931 20 : deny
> # Provide some protection against clients using a forged source IP address
>
> b would have sshd report "password" or keypair "accepted for username".
>
> c would have shown that user being rejected
>
> consequently, we don't know from what you've given us
> if someone logged in successfully to sshd running with pid 34375
> at that time :)
>
> On Tue, Apr 09, 2002 at 08:03:02AM -0500, Kevin Kinsey, DaleCo, S.P. wrote:
> > Apr 9 07:50:00 elisha sshd[34375]: warning: /etc/hosts.allow, line 23:
> > can't verify hostname: getaddrinfo(gbrdialin, AF_INET$) Failed
> >
> > This computer ---
> >
> > a - has incorrect or NO reverse DNS ?
> > b - tried to authenticate via ssh login and succeeded?
> > c - tried to authenticate via ssh login and failed?
> > d - other
> >
> > TIA, Kevin Kinsey
>
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Residential Life | Programmer
> Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
> http://cowbert.2y.net/
> 860.427.4542 (Room)
> 860.486.1899 (Lab)
> 203.206.3784 (Cellphone)

From owner-freebsd-security Wed Apr 10 0:23:49 2002
Date: Wed, 10 Apr 2002 03:23:43 -0400 (EDT)
From: Peter Leftwich
Cc: FreeBSD Questions , FreeBSD Security
Subject: Re: `pkg_info | grep -i openssh` ; echo "2.9 vs 3.0.2?" [cjc]
In-Reply-To: <20020409234211.D34659@blossom.cjclark.org>
Message-ID: <20020410032001.A25097-100000@earl-grey.cloud9.net>

On Tue, 9 Apr 2002, Crist J. Clark wrote:
> PL> # mv /usr/bin/ssh /usr/bin/ssh_2.9_old_dont_use
> PL> # ln -s /usr/local/bin/ssh /usr/bin/ssh
> PL> I guess that last line isn't really necessary if I adjust my $PATH, huh?
> Probably, the "cleanest" thing to do is define a shell alias (assuming you use a shell that supports them),
> $ alias ssh /usr/local/bin/ssh
> Would be the csh(1)-ish way to do it.
> Crist J. Clark | cjclark@alum.mit.edu,cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org

The "huh" was more of a thinking-aloud. Actually, I've already done:

prompt$ echo $PATH

...and since this included /usr/local/bin I just rm'ed the ssh in /usr/bin
then did `rehash` and `which ssh` and all is quite clean, even csh'y clean
(I use tcsh). Thanks again.

--
Peter Leftwich
President & Founder
Video2Video Services
Box 13692, La Jolla, CA, 92039 USA
+1-413-403-9555

From owner-freebsd-security Wed Apr 10 7:36:51 2002
Message-ID: <20020410143646.56360.qmail@web11807.mail.yahoo.com>
Date: Wed, 10 Apr 2002 07:36:46 -0700 (PDT)
From: X Philius
Subject: Mysterious entries in kernel log relating to DNS
To: freebsd-security@freebsd.org

Security Folks,

I am running 4.4 Release, I have Bind 9.02 running on my box. I am
authoritative for a domain or two, and use my own name server for
resolution within my server (ie with lynx, nslookup or dig). Everything
seems to work fine DNS wise, I can always get resolution, and my DNS
setup appears to work correctly from the net at large (according to the
DNS tester at declude.com, and the fact that I can access the domains I
am authoritative on from another ISP etc).

Question:
Periodically (a few times a week) I get these entries in the security
email automagically sent by the standard scripts in periodic. Sometimes
there are many of them, and sometimes there are only a few or none. I
*am* using IPFW, however these entries are not being blocked by my last
rule, which I have numbered 999 (an example entry that *is* being
blocked by rule number 999 is also pasted below for clarity). My
understanding is that this log entry means that an attempt is being
made by localhost to access the name server on localhost, but that bind
is not listening or the request is malformed. I realize that this may
not be a question for security, but it *is* generated by the built in
FreeBSD security scripts, so I thought I'd start here. Thanks in
advance for any light you can shed on this phenom.

Jason

> Connection attempt to UDP 127.0.0.1:4699 from 127.0.0.1:53
> Apr 9 03:06:02 {myservername} /kernel: Connection attempt to UDP 127.0.0.1:4699 from 127.0.0.1:53
> ipfw: 999 Deny ICMP:8.0 63.251.129.65 10.1.3.2 in via xl0
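As an added example that is not part of the thread, the following Python classifier handles the kinds of lines the periodic security report carries in the two questions above: it tells the sshd hosts.allow reverse-DNS warning from Kevin Kinsey's thread apart from the Accepted/Failed line the same sshd child logs afterwards (the line Peter Lai says would have answered b or c), and it flags kernel log_in_vain entries where a loopback reply from port 53 reached a closed high port, the late-DNS-reply scenario Nickolay Kritsky proposes in his reply below. The sample lines are constructed; the Accepted/Failed lines, the user names and the 10.0.0.5 and 203.0.113.9 addresses are invented.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of FreeBSD's daily security report. The
# hosts.allow warning, the loopback log_in_vain line and the ipfw deny line
# follow the lines quoted in this thread; the Accepted/Failed sshd lines, the
# external UDP line, the user names and the 10.0.0.5 / 203.0.113.9 addresses
# are invented for the example.
SAMPLE_LOG = """\
Apr  9 03:06:02 elisha /kernel: Connection attempt to UDP 127.0.0.1:4699 from 127.0.0.1:53
Apr  9 03:07:15 elisha /kernel: Connection attempt to UDP 10.1.3.2:4699 from 63.251.129.65:53
Apr  9 03:08:00 elisha /kernel: ipfw: 999 Deny ICMP:8.0 63.251.129.65 10.1.3.2 in via xl0
Apr  9 07:50:00 elisha sshd[34375]: warning: /etc/hosts.allow, line 23: can't verify hostname: getaddrinfo(gbrdialin, AF_INET) Failed
Apr  9 07:50:04 elisha sshd[34375]: Accepted password for someuser from 10.0.0.5 port 1043 ssh2
Apr  9 11:12:30 elisha sshd[35102]: warning: /etc/hosts.allow, line 23: can't verify hostname: getaddrinfo(somehost, AF_INET) Failed
Apr  9 11:12:41 elisha sshd[35102]: Failed password for admin from 203.0.113.9 port 3277 ssh2
Apr  9 12:00:01 elisha sshd[35990]: warning: /etc/hosts.allow, line 23: can't verify hostname: getaddrinfo(otherhost, AF_INET) Failed
"""

SSHD_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<outcome>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
IN_VAIN_RE = re.compile(r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)")
IPFW_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")


def classify(line):
    """Describe one report line as a dict with a 'kind' key ('other' if unrecognised)."""
    m = SSHD_RE.match(line)
    if m:
        pid, msg = int(m.group("pid")), m.group("msg")
        if "can't verify hostname" in msg:
            # libwrap (hosts.allow) could not confirm the peer's reverse name:
            # a DNS problem, which says nothing about whether anyone logged in.
            return {"kind": "sshd_rdns_warning", "pid": pid}
        a = AUTH_RE.match(msg)
        if a:
            return {"kind": "sshd_auth", "pid": pid, "outcome": a.group("outcome").lower(),
                    "user": a.group("user"), "ip": a.group("ip")}
        return {"kind": "sshd_other", "pid": pid}
    m = IN_VAIN_RE.search(line)
    if m:
        src, dst = ipaddress.ip_address(m.group("src")), ipaddress.ip_address(m.group("dst"))
        sport, dport = int(m.group("sport")), int(m.group("dport"))
        # log_in_vain: a datagram arrived for a port nobody is listening on. A
        # loopback packet from port 53 to a high port fits the late-DNS-reply
        # scenario: the resolver gave up and closed its socket before the answer came.
        late_dns = bool(sport == 53 and src.is_loopback and dst.is_loopback and dport >= 1024)
        return {"kind": m.group("proto").lower() + "_in_vain", "src": str(src), "sport": sport,
                "dst": str(dst), "dport": dport, "likely_late_dns_reply": late_dns}
    m = IPFW_RE.search(line)
    if m:
        return {"kind": "ipfw_" + m.group("action").lower(), "rule": int(m.group("rule")),
                "proto": m.group("proto"), "src": m.group("src"), "dst": m.group("dst"),
                "iface": m.group("iface")}
    return {"kind": "other"}


def sshd_outcomes(text):
    """For each sshd child (pid) that logged a hosts.allow rDNS warning, return
    what it logged afterwards: ('accepted'|'failed', user, ip), or
    ('unknown', None, None) when no authentication line for that pid exists."""
    warned, outcome = set(), {}
    for line in text.splitlines():
        ev = classify(line)
        if ev["kind"] == "sshd_rdns_warning":
            warned.add(ev["pid"])
        elif ev["kind"] == "sshd_auth":
            outcome[ev["pid"]] = (ev["outcome"], ev["user"], ev["ip"])
    return {pid: outcome.get(pid, ("unknown", None, None)) for pid in sorted(warned)}


def summarize(text):
    """Count report lines per kind, separating likely late DNS replies on lo0."""
    counts = defaultdict(int)
    for line in text.splitlines():
        ev = classify(line)
        kind = ev["kind"]
        if kind == "udp_in_vain" and ev["likely_late_dns_reply"]:
            kind = "udp_in_vain_late_dns_reply"
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for pid, (result, user, ip) in sshd_outcomes(SAMPLE_LOG).items():
        print(f"sshd[{pid}]: rDNS warning, authentication {result}", user or "", ip or "")
    print(summarize(SAMPLE_LOG))
```

The pid map answers Kevin's question the way Peter Lai does: a hosts.allow warning with no Accepted/Failed line from the same sshd child means the report alone cannot say whether anyone authenticated. The counters keep the loopback port-53 replies (benign under Nickolay's explanation) apart from any other datagram that hit a closed port, which is what still deserves a look.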
From owner-freebsd-security Wed Apr 10 8:15:12 2002
Date: Wed, 10 Apr 2002 17:14:31 +0200
From: Olivier Cortes
To: freebsd-security@freebsd.org
Subject: Re: Mysterious entries in kernel log relating to DNS
Message-ID: <20020410151431.GA3980@neptune.deep-ocean.local>
References: <20020410143646.56360.qmail@web11807.mail.yahoo.com>
In-Reply-To: <20020410143646.56360.qmail@web11807.mail.yahoo.com>

On Wed, Apr 10, 2002 at 07:36:46AM -0700, X Philius wrote:
> Question:
> Periodically (a few times a week) I get these entries in the security
> email automagically sent by the standard scripts in periodic. Sometimes
> there are many of them, and sometimes there are only a few or none. I
> *am* using IPFW, however these entries are not being blocked by my last
> rule, which I have numbered 999 (an example entry that *is* being
> blocked by rule number 999 is also pasted below for clarity). My
> understanding is that this log entry means that an attempt is being
> made by localhost to access the name server on localhost, but that bind
> is not listening or the request is malformed. I realize that this may
> not be a question for security, but it *is* generated by the built in
> FreeBSD security scripts, so I thought I'd start here. Thanks in
> advance for any light you can shed on this phenom.

this has been discussed on this list or on stable. it is related to a
timeout [problem] on your bind. search the archive for more info.

hth,
--
Olivier Cortes
GPG 1024/46CE0A51 : 8DB6 A56C 00CA DA0F F77F 86EB E86A 803C 46CE 0A51

From owner-freebsd-security Wed Apr 10 8:18:22 2002
Date: Wed, 10 Apr 2002 19:17:31 +0400
From: "Nickolay A. Kritsky"
Message-ID: <62102913812.20020410191731@internethelp.ru>
To: X Philius
Cc: freebsd-security@freeBSD.ORG
Subject: Re: Mysterious entries in kernel log relating to DNS
In-reply-To: <20020410143646.56360.qmail@web11807.mail.yahoo.com>
References: <20020410143646.56360.qmail@web11807.mail.yahoo.com>

Hello X,

Wednesday, April 10, 2002, 6:36:46 PM, you wrote:

XP> Security Folks,
XP> I am running 4.4 Release, I have Bind 9.02 running on my box. I am
XP> authoritative for a domain or two, and use my own name server for
XP> resolution within my server (ie with lynx, nslookup or dig). Everything
XP> seems to work fine DNS wise, I can always get resolution, and my DNS
XP> setup appears to work correctly from the net at large (according to the
XP> DNS tester at declude.com, and the fact that I can access the domains I
XP> am authoritative on from another ISP etc).
XP> Question:
XP> Periodically (a few times a week) I get these entries in the security
XP> email automagically sent by the standard scripts in periodic. Sometimes
XP> there are many of them, and sometimes there are only a few or none. I
XP> *am* using IPFW, however these entries are not being blocked by my last
XP> rule, which I have numbered 999 (an example entry that *is* being
XP> blocked by rule number 999 is also pasted below for clarity). My
XP> understanding is that this log entry means that an attempt is being
XP> made by localhost to access the name server on localhost, but that bind
XP> is not listening or the request is malformed. I realize that this may
XP> not be a question for security, but it *is* generated by the built in
XP> FreeBSD security scripts, so I thought I'd start here. Thanks in
XP> advance for any light you can shed on this phenom.
XP> Jason

>> Connection attempt to UDP 127.0.0.1:4699 from 127.0.0.1:53
>> Apr 9 03:06:02 {myservername} /kernel: Connection attempt to UDP
XP> 127.0.0.1:4699 from 127.0.0.1:53
>> ipfw: 999 Deny ICMP:8.0 63.251.129.65 10.1.3.2 in via xl0

I suppose that you have enabled net.inet.udp.log_in_vain in your sysctls.
These packets are not blocked by ipfw because of rule "pass all from any
to any via lo0" which is normally turned on. The reason for such a log
entry may be this:

1) some program (P) tries to resolve `foo.bar.edu' and sends a UDP request
   from port 4699 to port 53
2) the request takes so much time that P stops waiting for a response and exits.
3) the response comes to port 4699, but there is nobody waiting for it.
4) the kernel logs a connection attempt.
5) ...later that evening... the security check sends you email. :)

I can be wrong, because I have never tried such a scenario.

Hope that helps

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Wed Apr 10 23: 6:28 2002
Message-ID: <000901c1ddce$1d8b3b70$1400020a@chaser>
From: "Kurt Seifried"
To: "Douglas K. Rand"
References: <874riov1et.wl@delta.meridian-enviro.com>
Subject: Re: Centralized authentication
Date: Sat, 6 Apr 2002 16:49:46 -0800

Use NIS+ (not NIS =). It's probably the least effort to set up (certainly
less than say Kerberos). Another alternative is to look at LDAP based
solutions, which are getting much easier to set up and manage.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "Douglas K. Rand"
Sent: Saturday, April 06, 2002 3:43 PM
Subject: Centralized authentication

> We have a few dozen FreeBSD workstations and servers and as their
> numbers increase managing users and groups via individual /etc/passwd
> and /etc/group files is getting more and more tiresome. We also have
> just a few Linux boxes.
>
> We aren't a huge site, everybody is in one building on the same
> network.
>
> I was wondering what other sites are using to solve this problem.

From owner-freebsd-security Wed Apr 10 23: 6:27 2002
Message-ID: <005201c1ddbc$4dc54a90$1400020a@chaser>
From: "Kurt Seifried"
To: "Barney Wolff"
References: <200204051512.g35FCOr11637@freefall.freebsd.org> <20020406143243.A8409@tp.databus.com>
Subject: Re: FreeBSD Security Notice FreeBSD-SN-02:01
Date: Sat, 6 Apr 2002 14:42:16 -0800

not yet fixed in ports (i.e. ports tree hasn't been updated). Source code
updates are available for all the problems except for netscape/acroread.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "Barney Wolff"
Sent: Saturday, April 06, 2002 11:32 AM
Subject: Re: FreeBSD Security Notice FreeBSD-SN-02:01

> I don't understand the status of "Not yet fixed." The advisory says
> mod_ssl versions < 2.8.7 have the bug, while 2.8.8 is the port
> distfile as of 3/28/02. What am I missing?
>
> On Fri, Apr 05, 2002 at 07:12:24AM -0800, FreeBSD Security Advisories wrote:
> > +------------------------------------------------------------------------+
> > Port name: apache13-ssl, apache13-modssl
> > Affected: all versions of apache+ssl
> > all versions of apache+mod_ssl
> > Status: Not yet fixed.
> > Buffer overflows in SSL session cache handling.
>
> --
> Barney Wolff
> I never met a computer I didn't like.

From owner-freebsd-security Thu Apr 11 1:16:14 2002
Date: Thu, 11 Apr 2002 10:15:44 +0200 (MET DST)
From: Mario Pranjic To: Subject: ipfw configuration Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! I'm configuring my first firewall on FreeBSD 4.5 release. The default rule is: 65535 deny ip from any to any I need to allow icmp, ssh, http, ftp and some other services. It's not a problem to allow such services, i.e: 00600 allow tcp from any to any 22 setup But what do I need to allow in generally, i.e allow al outgoing ports >1024. Can anyone give me some hints? Thanks! Mario Pranjic, dipl.ing. sistem administrator Knjiznica, Institut Rudjer Boskovic ------------------------------------- e-mail: mario.pranjic@irb.hr ICQ: 72059629 tel: +385 1 45 60 954 (interni: 1293) ------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 11 1:20:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by hub.freebsd.org (Postfix) with SMTP id 4B97E37B400 for ; Thu, 11 Apr 2002 01:20:16 -0700 (PDT) Received: (qmail 47490 invoked from network); 11 Apr 2002 08:26:34 -0000 Received: from unknown (HELO straylight.ringlet.net) (212.116.140.125) by south.nanolink.com with SMTP; 11 Apr 2002 08:26:34 -0000 Received: (qmail 30801 invoked by uid 1000); 11 Apr 2002 08:20:02 -0000 Date: Thu, 11 Apr 2002 11:20:02 +0300 
From: Peter Pentchev
To: Mario Pranjic
Cc: security@FreeBSD.ORG
Subject: Re: ipfw configuration
Message-ID: <20020411112002.A30703@straylight.oblivion.bg>
Mail-Followup-To: Mario Pranjic, security@FreeBSD.ORG
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from mario.pranjic@irb.hr on Thu, Apr 11, 2002 at 10:15:44AM +0200

On Thu, Apr 11, 2002 at 10:15:44AM +0200, Mario Pranjic wrote:
> Hi!
>
> I'm configuring my first firewall on FreeBSD 4.5 release.
> The default rule is:
> 65535 deny ip from any to any
>
> I need to allow icmp, ssh, http, ftp and some other services.
> It's not a problem to allow such services, i.e.:
> 00600 allow tcp from any to any 22 setup
>
>
> But what do I need to allow in general, i.e. allow all outgoing ports
> >1024.
>
> Can anyone give me some hints?
Yep; look at the ipfw(8) manual page, the RULE FORMAT section; scroll down to the discussion of 'src and dst', find the sentence that starts with 'With the TCP and UDP protocols, optional ports may be specified as...', and read on :)

G'luck,
Peter

-- 
Peter Pentchev    roam@ringlet.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If I had finished this sentence,

From owner-freebsd-security Thu Apr 11 7: 6:51 2002
Received: from acutiator.nacamar.de (mxa.tiscali.de [194.162.162.215]) by hub.freebsd.org (Postfix) with ESMTP id 839F537B416 for ; Thu, 11 Apr 2002 07:06:45 -0700 (PDT)
Received: from PaNZER.de.tiscali.com (unknown [62.144.144.162]) by acutiator.nacamar.de (Postfix) with ESMTP id BAF765D14 for ; Thu, 11 Apr 2002 16:06:42 +0200 (CEST)
Received: by PaNZER.de.tiscali.com (Postfix, from userid 1000) id 917D0A7CDE; Thu, 11 Apr 2002 17:06:42 +0200 (CEST)
Date: Thu, 11 Apr 2002 17:06:42 +0200
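Mario's question about what to allow in general, and Peter's pointer to the port syntax in ipfw(8), as an added example that is neither poster's configuration: an rc.firewall-style sh fragment for ipfw on FreeBSD 4.x that uses a port range for the passive FTP data ports and stateful rules (setup keep-state / check-state) for everything the host or its network initiates, instead of opening every port above 1024. The interface name, addresses and the 49152-65535 passive range are constructed values; FWCMD defaults to echo so the script only prints the rules, and FWCMD=/sbin/ipfw loads them.

```shell
#!/bin/sh
# Added example (not Mario's or Peter's configuration): ipfw(8) rules for a
# FreeBSD 4.x host that answer "what do I allow in general?" with port
# ranges and stateful rules instead of opening every port above 1024.
#
# Constructed values: oif is the outside interface, oip its address, inet the
# internal network.  FWCMD defaults to "echo" so this prints the rules; run
# with FWCMD=/sbin/ipfw to load them.
fwcmd="${FWCMD:-echo}"
oif="fxp0"
oip="192.0.2.10"
inet="192.168.1.0/24"

# Passive FTP data ports offered by ftpd on this host; assumed to match the
# server's configured passive range (constructed value).
ftp_pasv="49152-65535"

build_rules() {
    ${fwcmd} -f flush

    # Loopback traffic, and nothing claiming 127/8 on real interfaces.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: our own network never arrives from outside.
    ${fwcmd} add 400 deny ip from ${inet} to any in via ${oif}

    # Match packets belonging to connections already allowed with keep-state.
    ${fwcmd} add 500 check-state

    # Services this host offers.  "setup" matches only the SYN that opens a
    # connection; keep-state then creates a dynamic rule for the rest of it.
    ${fwcmd} add 600 allow tcp from any to ${oip} 22 setup keep-state
    ${fwcmd} add 610 allow tcp from any to ${oip} 80 setup keep-state
    ${fwcmd} add 620 allow tcp from any to ${oip} 21 setup keep-state
    # Port range syntax from ipfw(8): a-b.  Only the passive FTP data range
    # is opened, not everything above 1024.
    ${fwcmd} add 630 allow tcp from any to ${oip} ${ftp_pasv} setup keep-state

    # Anything the host or the internal network initiates.  Replies come
    # back through the dynamic rules, so no "allow ... >1024" is needed.
    ${fwcmd} add 700 allow tcp from ${inet} to any setup keep-state
    ${fwcmd} add 701 allow tcp from ${oip} to any setup keep-state
    ${fwcmd} add 710 allow udp from ${inet} to any 53 keep-state
    ${fwcmd} add 711 allow udp from ${oip} to any 53 keep-state

    # ICMP: echo reply, destination unreachable, echo request, time exceeded.
    ${fwcmd} add 800 allow icmp from any to any icmptypes 0,3,8,11

    # Log whatever falls through before the default rule 65535 denies it.
    ${fwcmd} add 900 deny log ip from any to any
}

build_rules
```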
From: Jan Wagner
To: freebsd-security@freebsd.org
Subject: Switching from ipfw to pf
Message-ID: <20020411170642.A16359@de.tiscali.com>
User-Agent: Mutt/1.2.5i

Hi,

Fast question: I am accustomed to using pf on o.bsd and love its syntax and features. Is there a 'stable' way to switch [in my f.bsd45] to pf? Are there maybe some disadvantages?

Maybe someone got a nice link[list] for me? Advanced firewall stuff [bridging], firewall logging stuff --> BSD. I got a big list of links yet, but I am always looking forward to making it more complete.

H.A.N.D. [make sure it's a BSD]

-- 
Jan Wagner - Apprentice - Tiscali Business GmbH
Robert-Bosch-Strasse 32
63303 Dreieich
<<"Mad about BSD">>

From owner-freebsd-security Thu Apr 11 7:48:12 2002
Received: from va.cs.wm.edu (va.cs.wm.edu [128.239.2.31]) by hub.freebsd.org (Postfix) with ESMTP id AD3F337B417 for ; Thu, 11 Apr 2002 07:48:02 -0700 (PDT)
Received: from corona.cs.wm.edu (corona [128.239.2.50]) by va.cs.wm.edu (8.11.4/8.9.1) with ESMTP id g3BElbb05973 for ; Thu, 11 Apr 2002 10:47:37 -0400 (EDT)
Received: (from zvezdan@localhost) by corona.cs.wm.edu (8.11.6/8.9.1) id g3BEm1Y29692 for freebsd-security@FreeBSD.ORG; Thu, 11 Apr 2002 10:48:01 -0400
Date: Thu, 11 Apr 2002 10:48:01 -0400
From: Zvezdan Petkovic
To: freebsd-security@FreeBSD.ORG
Subject: Re: Switching from ipfw to pf
Message-ID: <20020411104801.A29662@corona.cs.wm.edu>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <20020411170642.A16359@de.tiscali.com>
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020411170642.A16359@de.tiscali.com>; from jan.wagner@de.tiscali.com on Thu, Apr 11, 2002 at 05:06:42PM +0200

On Thu, Apr 11, 2002 at 05:06:42PM +0200, Jan Wagner wrote:
> Hi,
>
> Fast question, I am accustomed to use pf on o.bsd and love its syntax
> and features. IS there a 'stable' way to switch [in my f.bsd45] to pf ?
> Are there maybe some disadvantages ?
>

You have ipf on FreeBSD. ipf was used on OpenBSD until release 3.0 too.
ipf has _very_ similar syntax to pf.

-- 
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security Thu Apr 11 8:25:59 2002
Received: from roble.com (mx0.roble.com [206.40.34.14]) by hub.freebsd.org (Postfix) with ESMTP id 5B57037B400 for ; Thu, 11 Apr 2002 08:25:55 -0700 (PDT)
Received: from gw.netlecture.com (gw.netlecture.com [206.40.34.9]) by roble.com with ESMTP id g3BFPtK55316 for ; Thu, 11 Apr 2002 08:25:55 -0700 (PDT)
Date: Thu, 11 Apr 2002 08:25:54 -0700 (PDT)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Centralized authentication
Message-ID: <20020411081813.H55087-100000@roble.com>

faSty wrote:
>I don't see any NIS or NIS+ on handbook. I tried setup the NIS+
>and I am not experience with these feature. anyone can point
>where the HOWTO NIS or NIS+?

Try a web search (via Google or any other search engine). I found
several good links from a query using "nis" and "howto". There's
also 'man -k yp' or, more specifically, `man -k yp|grep ^yp'.

`man ypinit` might be a good place to start.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Thu Apr 11 11:34:52 2002
Received: by hub.freebsd.org (Postfix, from userid 538) id 067EB37B41A; Thu, 11 Apr 2002 11:34:40 -0700 (PDT)
To: freebsd-security@FreeBSD.ORG
From: Majordomo@FreeBSD.ORG
Subject: Majordomo results: Re: Confirmation for subscribe freebsd-s
Reply-To: Majordomo@FreeBSD.ORG
Message-Id: <20020411183440.067EB37B41A@hub.freebsd.org>
Date: Thu, 11 Apr 2002 11:34:40 -0700 (PDT)

--

>>>> auth ed1907ff subscribe freebsd-security freebsd-security@oki.dynodns.net
Your request to Majordomo@FreeBSD.ORG:

    subscribe freebsd-security freebsd-security@oki.dynodns.net

has been forwarded to the owner of the "freebsd-security" list for approval.
This could be for any of several reasons:

You might have asked to subscribe to a "closed" list, where all new additions must be approved by the list owner.

You might have asked to subscribe or unsubscribe an address other than the one that appears in the headers of your mail message.

When the list owner approves your request, you will be notified.

If you have any questions about the policy of the list owner, please contact "freebsd-security-approval@FreeBSD.ORG".

Thanks!

Majordomo@FreeBSD.ORG

From owner-freebsd-security Thu Apr 11 13:10:15 2002
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 359C037B404 for ; Thu, 11 Apr 2002 13:09:58 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA12080 for ; Thu, 11 Apr 2002 14:09:39 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020411135811.02f5ed00@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 11 Apr 2002 14:09:16 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: This OpenBSD local root hole may affect some FreeBSD systems

The vulnerability described in the message below is a classic "in-band signalling" problem that may give an unauthorized user the ability to run an arbitrary command as root.

Fortunately, the vulnerability present in FreeBSD's daily, weekly, and monthly maintenance scripts, because they use sendmail rather than /bin/mail. Nonetheless, the same patch should be applied to FreeBSD's /bin/mail due to the possibility that other privileged utilities (or user-written scripts) might use /bin/mail instead of sendmail to create e-mail messages.

--Brett Glass

>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Received: (qmail 32477 invoked from network); 11 Apr 2002 16:58:57 -0000
>Date: Thu, 11 Apr 2002 19:01:17 +0200
>From: Milos Urbanek
>To: bugtraq@securityfocus.com
>Subject: OpenBSD Local Root Compromise
>Message-ID: <20020411170117.GB26359@zoli.zoom-int.cz>
>User-Agent: Mutt/1.3.27i
>
>
>  ZOOM International Security Advisory
>
>  OpenBSD local root compromise
>
>  Systems affected:
>    OpenBSD all versions, OpenBSD Current prior to April 8, 2002
>
>  Risk: High
>  Date: April 11, 2002
>
>  Legal Notice:
>    This advisory is copyright (c) ZOOM International.
>
>  Disclaimer:
>    Information contained in this advisory is provided only ``AS IS''.
>    ZOOM International is not liable for any damages whatsoever
>    arising out of or in connection with the use or spread of this information.
>    Any use of this information is at our own risk.
>
>  Background:
>    Program /usr/bin/mail is a simple mail user agent which can also be used
>    in batch mode, for example to send mail to the administrator when
>    running cron tasks.
>
>  Problem description:
>    There is a local root compromise in all versions of OpenBSD including
>    OpenBSD Current prior to April 9, 2002 due to a bug in program
>    /usr/bin/mail.
>
>  Details:
>    Program /usr/bin/mail accepts escape sequences while running in
>    non-interactive mode. When the attacker inserts the escape sequence
>    into the stream which is used as input to the mail command, this escape
>    sequence is interpreted by the mail command and it is possible, for example,
>    to execute arbitrary commands or read/write any file in the system with the
>    privileges of the user running /usr/bin/mail.
>
>  Impact:
>    Users can gain superuser privileges because the output of
>    the /etc/daily script is piped to the /usr/bin/mail command while
>    running regular cron tasks.
>    There exists a method developed by Przemyslav Frasunek which allows
>    performing a local attack by creating a file with a specially designed
>    filename and permissions.
>    Method of performing remote exploitation of this
>    bug is currently unknown.
>
>  Exploit:
>    An exploit for this bug exists and is publicly available.
>
>  Workaround:
>    Remove /usr/bin/mail binary until a patch for your release is available.
>
>  Contact Status:
>    Vendor was contacted on 2002-04-08. Problem report related to the
>    security advisory was sent on 2002-04-10.
>
>  Available Fixes:
>    This bug was patched in OpenBSD Current on April 8, 2002.
>    Official patch for other OpenBSD releases is not available at the moment
>    but the bug can be solved by applying the attached source code patch
>    to the 1.23 revision of the appropriate file and installing new mail
>    binary.
>
>  Credits:
>    The bug was found by Milos Urbanek, Security Consultant at ZOOM
>    International. Exploit was written by Przemyslav Frasunek.
>
>
>  About ZOOM International:
>    ZOOM International is a Czech company providing services and
>    solutions in the area of IT security. For more information visit
>    our website at http://www.zoom-int.cz/.
>
>
>Mail Patch
>
>Index: collect.c
>===================================================================
>RCS file: /cvs/src/usr.bin/mail/collect.c,v
>retrieving revision 1.23
>retrieving revision 1.24
>diff -u -r1.23 -r1.24
>--- collect.c 2001/11/21 15:26:39 1.23
>+++ collect.c 2002/04/08 20:27:17 1.24
>@@ -1,4 +1,4 @@
>-/* $OpenBSD: collect.c,v 1.23 2001/11/21 15:26:39 millert Exp $ */
>+/* $OpenBSD: collect.c,v 1.24 2002/04/08 20:27:17 millert Exp $ */
> /* $NetBSD: collect.c,v 1.9 1997/07/09 05:25:45 mikel Exp $ */
> 
> /*
>@@ -38,7 +38,7 @@
> #if 0
> static const char sccsid[] = "@(#)collect.c 8.2 (Berkeley) 4/19/94";
> #else
>-static const char rcsid[] = "$OpenBSD: collect.c,v 1.23 2001/11/21 15:26:39 millert Exp $";
>+static const char rcsid[] = "$OpenBSD: collect.c,v 1.24 2002/04/08 20:27:17 millert Exp $";
> #endif
> #endif /* not lint */
> 
>@@ -161,7 +161,8 @@
> value("interactive") != NULL && !lastlong &&
> (value("dot") != NULL || value("ignoreeof") != NULL))
> break;
>- if (linebuf[0] != escape || lastlong) {
>+ if (linebuf[0] != escape || value("interactive") == NULL ||
>+ lastlong) {
> if (putline(collf, linebuf, !longline) < 0)
> goto err;
> continue;

From owner-freebsd-security Thu Apr 11 13:13: 1 2002
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id C63A237B405 for ; Thu, 11 Apr 2002 13:12:33 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA12134 for ; Thu, 11 Apr 2002 14:12:21 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 11 Apr 2002 14:12:01 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems

[This is a corrected version of the previous message, which omitted the word "isn't" near the beginning of the second paragraph.]

The vulnerability described in the message below is a classic "in-band signalling" problem that may give an unauthorized user the ability to run an arbitrary command as root.

Fortunately, the vulnerability isn't present in FreeBSD's daily, weekly, and monthly maintenance scripts, because they use sendmail rather than /bin/mail. Nonetheless, the same patch should be applied to FreeBSD's /bin/mail due to the possibility that other privileged utilities (or user-written scripts) might use /bin/mail instead of sendmail to create e-mail messages.

--Brett Glass

>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Received: (qmail 32477 invoked from network); 11 Apr 2002 16:58:57 -0000
>Date: Thu, 11 Apr 2002 19:01:17 +0200
>From: Milos Urbanek
>To: bugtraq@securityfocus.com
>Subject: OpenBSD Local Root Compromise
>Message-ID: <20020411170117.GB26359@zoli.zoom-int.cz>
>User-Agent: Mutt/1.3.27i
>
>
>  ZOOM International Security Advisory
>
>  OpenBSD local root compromise
>
>  Systems affected:
>    OpenBSD all versions, OpenBSD Current prior to April 8, 2002
>
>  Risk: High
>  Date: April 11, 2002
>
>  Legal Notice:
>    This advisory is copyright (c) ZOOM International.
>
>  Disclaimer:
>    Information contained in this advisory is provided only ``AS IS''.
>    ZOOM International is not liable for any damages whatsoever
>    arising out of or in connection with the use or spread of this information.
>    Any use of this information is at our own risk.
>
>  Background:
>    Program /usr/bin/mail is a simple mail user agent which can also be used
>    in batch mode, for example to send mail to the administrator when
>    running cron tasks.
>
>  Problem description:
>    There is a local root compromise in all versions of OpenBSD including
>    OpenBSD Current prior to April 9, 2002 due to a bug in program
>    /usr/bin/mail.
>
>  Details:
>    Program /usr/bin/mail accepts escape sequences while running in
>    non-interactive mode. When the attacker inserts the escape sequence
>    into the stream which is used as input to the mail command, this escape
>    sequence is interpreted by the mail command and it is possible, for example,
>    to execute arbitrary commands or read/write any file in the system with the
>    privileges of the user running /usr/bin/mail.
>
>  Impact:
>    Users can gain superuser privileges because the output of
>    the /etc/daily script is piped to the /usr/bin/mail command while
>    running regular cron tasks.
>    There exists a method developed by Przemyslav Frasunek which allows
>    performing a local attack by creating a file with a specially designed
>    filename and permissions.
>    Method of performing remote exploitation of this
>    bug is currently unknown.
>
>  Exploit:
>    An exploit for this bug exists and is publicly available.
>
>  Workaround:
>    Remove /usr/bin/mail binary until a patch for your release is available.
>
>  Contact Status:
>    Vendor was contacted on 2002-04-08. Problem report related to the
>    security advisory was sent on 2002-04-10.
>
>  Available Fixes:
>    This bug was patched in OpenBSD Current on April 8, 2002.
>    Official patch for other OpenBSD releases is not available at the moment
>    but the bug can be solved by applying the attached source code patch
>    to the 1.23 revision of the appropriate file and installing new mail
>    binary.
>
>  Credits:
>    The bug was found by Milos Urbanek, Security Consultant at ZOOM
>    International. Exploit was written by Przemyslav Frasunek.
>
>
>  About ZOOM International:
>    ZOOM International is a Czech company providing services and
>    solutions in the area of IT security. For more information visit
>    our website at http://www.zoom-int.cz/.
>
>
>Mail Patch
>
>Index: collect.c
>===================================================================
>RCS file: /cvs/src/usr.bin/mail/collect.c,v
>retrieving revision 1.23
>retrieving revision 1.24
>diff -u -r1.23 -r1.24
>--- collect.c 2001/11/21 15:26:39 1.23
>+++ collect.c 2002/04/08 20:27:17 1.24
>@@ -1,4 +1,4 @@
>-/* $OpenBSD: collect.c,v 1.23 2001/11/21 15:26:39 millert Exp $ */
>+/* $OpenBSD: collect.c,v 1.24 2002/04/08 20:27:17 millert Exp $ */
> /* $NetBSD: collect.c,v 1.9 1997/07/09 05:25:45 mikel Exp $ */
> 
> /*
>@@ -38,7 +38,7 @@
> #if 0
> static const char sccsid[] = "@(#)collect.c 8.2 (Berkeley) 4/19/94";
> #else
>-static const char rcsid[] = "$OpenBSD: collect.c,v 1.23 2001/11/21 15:26:39 millert Exp $";
>+static const char rcsid[] = "$OpenBSD: collect.c,v 1.24 2002/04/08 20:27:17 millert Exp $";
> #endif
> #endif /* not lint */
> 
>@@ -161,7 +161,8 @@
> value("interactive") != NULL && !lastlong &&
> (value("dot") != NULL || value("ignoreeof") != NULL))
> break;
>- if (linebuf[0] != escape || lastlong) {
>+ if (linebuf[0] != escape || value("interactive") == NULL ||
>+ lastlong) {
> if (putline(collf, linebuf, !longline) < 0)
> goto err;
> continue;

From owner-freebsd-security Thu Apr 11 13:45:41 2002
Received: from mailout09.sul.t-online.com (mailout09.sul.t-online.com [194.25.134.84]) by hub.freebsd.org (Postfix) with ESMTP id A91FB37B416 for ; Thu, 11 Apr 2002 13:45:31 -0700 (PDT)
Received: from fwd05.sul.t-online.de by mailout09.sul.t-online.com with smtp id 16vlRh-0003bX-09; Thu, 11 Apr 2002 22:45:29 +0200
Received: from pc5.abc (520067998749-0001@[217.233.91.239]) by fmrl05.sul.t-online.com with esmtp id 16vlRW-24x6yuC; Thu, 11 Apr 2002 22:45:18 +0200
Received: (from nicolas@localhost) by pc5.abc (8.11.6/8.11.6) id g3BKjHC51297 for security@FreeBSD.ORG; Thu, 11 Apr 2002 22:45:17 +0200 (CEST) (envelope-from list@rachinsky.de)
Date: Thu, 11 Apr 2002 22:45:17 +0200
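Review bot: in the third hunk the new `value("interactive") == NULL ||` operand of the `if (linebuf[0] != escape || ...)` test is the right fix and now agrees with the `value("interactive") != NULL` check two lines above it in the dot/ignoreeof condition, so both tests apply tilde processing under the same condition and a non-interactive line beginning with the escape character goes to putline() verbatim; what the commit message should still spell out is the remaining exposure, namely that a caller which sets the interactive variable on piped input (mail's -I option, per the manual text quoted later in this thread) still gets escape processing, so privileged scripts must not request it. The first two hunks only bump the $OpenBSD$ id strings and need no comment.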
From: Nicolas Rachinsky
To: security@FreeBSD.ORG
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
Message-ID: <20020411204516.GA51239@pc5.abc>
Mail-Followup-To: security@FreeBSD.ORG
References: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org>
In-Reply-To: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org>
User-Agent: Mutt/1.3.28i
X-Powered-by: FreeBSD
X-Homepage: http://www.rachinsky.de
X-PGP-Keyid: C11ABC0E
X-PGP-Fingerprint: 19DB 8392 8FE0 814A 7362 EEBD A53B 526A C11A BC0E
X-PGP-Key: http://www.rachinsky.de/nicolas/nicolas_rachinsky.asc
X-Sender: 520067998749-0001@t-dialin.net

* Brett Glass [2002-04-11 14:12:01 -0600]:
> [This is a corrected version of the previous message, which omitted
> the word "isn't" near the beginning of the second paragraph.]
>
> The vulnerability described in the message below is a classic
> "in-band signalling" problem that may give an unauthorized user
> the ability to run an arbitrary command as root.
>
> Fortunately, the vulnerability isn't present in FreeBSD's daily, weekly,
> and monthly maintenance scripts, because they use sendmail rather
> than /bin/mail. Nonetheless, the same patch should be applied to
> FreeBSD's /bin/mail due to the possibility that other privileged
> utilities (or user-written scripts) might use /bin/mail instead of
> sendmail to create e-mail messages.

man mail says:

     -I      Forces mail to run in interactive mode even when input is not a
             terminal.  In particular, the `~' special character when sending
             mail is only active in interactive mode.
From owner-freebsd-security Thu Apr 11 13:52:40 2002
Received: from harrier.csrv.uidaho.edu (harrier.csrv.uidaho.edu [129.101.119.224]) by hub.freebsd.org (Postfix) with ESMTP id 73E6337B404 for ; Thu, 11 Apr 2002 13:52:38 -0700 (PDT)
Received: from uidaho.edu (oblivion.csrv-staff.uidaho.edu [129.101.66.165]) by harrier.csrv.uidaho.edu (8.9.3 (PHNE_22672)/) with ESMTP id NAA29054 for ; Thu, 11 Apr 2002 13:52:29 -0700 (PDT)
Message-Id: <200204112052.NAA29054@harrier.csrv.uidaho.edu>
Date: Thu, 11 Apr 2002 13:52:31 -0700 (PDT)
From: Jon DeShirley
Subject: Re: Switching from ipfw to pf
To: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020411104801.A29662@corona.cs.wm.edu>

On 11 Apr, Zvezdan Petkovic wrote:
>
> You have ipf on FreeBSD. ipf was used on OpenBSD until release 3.0 too.
> ipf has _very_ similar syntax to pf.
>

http://openbsd30.ipfilter.org/

From owner-freebsd-security Thu Apr 11 14: 5:54 2002
Received: from va.cs.wm.edu (va.cs.wm.edu [128.239.2.31]) by hub.freebsd.org (Postfix) with ESMTP id 7EBE737B400 for ; Thu, 11 Apr 2002 14:05:46 -0700 (PDT)
Received: from corona.cs.wm.edu (corona [128.239.2.50]) by va.cs.wm.edu (8.11.4/8.9.1) with ESMTP id g3BL5Lb12183 for ; Thu, 11 Apr 2002 17:05:21 -0400 (EDT)
Received: (from zvezdan@localhost) by corona.cs.wm.edu (8.11.6/8.9.1) id g3BL5jZ00599 for freebsd-security@FreeBSD.ORG; Thu, 11 Apr 2002 17:05:45 -0400
Date: Thu, 11 Apr 2002 17:05:45 -0400
From: Zvezdan Petkovic
To: freebsd-security@FreeBSD.ORG
Subject: Re: Switching from ipfw to pf
Message-ID: <20020411170545.A509@corona.cs.wm.edu>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <20020411104801.A29662@corona.cs.wm.edu> <200204112052.NAA29054@harrier.csrv.uidaho.edu>
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200204112052.NAA29054@harrier.csrv.uidaho.edu>; from jond@uidaho.edu on Thu, Apr 11, 2002 at 01:52:31PM -0700

On Thu, Apr 11, 2002 at 01:52:31PM -0700, Jon DeShirley wrote:
> On 11 Apr, Zvezdan Petkovic wrote:
> >
> > You have ipf on FreeBSD. ipf was used on OpenBSD until release 3.0 too.
> > ipf has _very_ similar syntax to pf.
> >
>
> http://openbsd30.ipfilter.org/
>

I don't get your point. The original poster asked how to use pf on _FreeBSD_ and I pointed him to ipf instead. You're giving him an OpenBSD link and that's not what he asks for.

If, on the other hand, you wanted to show me that it's possible to use ipf with OpenBSD 3.0 -- thanks. But it's not an openbsd.org release and, frankly, I'd rather stay away.

Since this is a freebsd-security list I do not see the point in discussing this further here. And the original poster could have searched the archives. There was a discussion recently about pf, ipf, and ipfw. Again, I do not want to repeat it. Everything is in the mail list archives.
-- 
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security Thu Apr 11 15:30:32 2002
Received: from rain.macguire.net (sense-sea-MegaSub-1-125.oz.net [216.39.144.125]) by hub.freebsd.org (Postfix) with ESMTP id 13C8137B404 for ; Thu, 11 Apr 2002 15:30:23 -0700 (PDT)
Received: (from roo@localhost) by rain.macguire.net (8.11.6/8.11.6) id g3BMUIc12513; Thu, 11 Apr 2002 15:30:18 -0700 (PDT) (envelope-from roo)
Date: Thu, 11 Apr 2002 15:30:18 -0700
From: Benjamin Krueger
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Centralized authentication
Message-ID: <20020411153018.A9962@rain.macguire.net>
References: <20020411081813.H55087-100000@roble.com>
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020411081813.H55087-100000@roble.com>; from marquis@roble.com on Thu, Apr 11, 2002 at 08:25:54AM -0700
X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc

* Roger Marquis (marquis@roble.com) [020411 08:26]:
> faSty wrote:
> >I dont see any NIS or NIS+ on handbook. I tried setup the NIS+
> >and I am not experience with these feature. anyone can point
> >where the HOWTO NIS or NIS+?
>
> Try a web search (via Google or any other search engine). I found
> several good links from a query using "nis" and "howto". There's
> also 'man -k yp' or, more specifically `man -k yp|grep ^yp'.
>
> `man ypinit` might be a good place to start.
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/

Folks following this discussion might also be interested in the following article, which describes a mechanism for authenticating unix clients in an Active Directory environment.

http://online.securityfocus.com/infocus/1563

-- 
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
    - Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

From owner-freebsd-security Thu Apr 11 15:59:17 2002
Received: from verniernetworks.com (dns.verniernetworks.com [65.192.41.225]) by hub.freebsd.org (Postfix) with ESMTP id 9D92B37B417 for ; Thu, 11 Apr 2002 15:59:14 -0700 (PDT)
Received: from lobo (localhost [127.0.0.1]) by verniernetworks.com (8.11.6/8.11.0) with SMTP id g3BMwqq65561; Thu, 11 Apr 2002 15:58:52 -0700 (PDT) (envelope-from lance@verniernetworks.com)
Message-ID: <033b01c1e1ac$73111b50$880aa8c0@lancetest.com>
From: "Lance Uyehara"
To: "Benjamin Krueger", "Roger Marquis"
Subject: Re: Centralized authentication
Date: Thu, 11 Apr 2002 15:58:52 -0700

> * Roger Marquis (marquis@roble.com) [020411 08:26]:
> > faSty wrote:
> > >I don't see any NIS or NIS+ in the handbook. I tried to set up NIS+
> > >and I am not experienced with these features. Can anyone point me to
> > >where the HOWTO for NIS or NIS+ is?
> >
> > Try a web search (via Google or any other search engine). I found
> > several good links from a query using "nis" and "howto". There's
> > also 'man -k yp' or, more specifically `man -k yp|grep ^yp'.
> >
> > `man ypinit` might be a good place to start.
> >
> > --
> > Roger Marquis
> > Roble Systems Consulting
> > http://www.roble.com/
>
> Folks following this discussion might also be interested in the following
> article, which describes a mechanism for authenticating unix clients in an
> Active Directory environment.
>
> http://online.securityfocus.com/infocus/1563

If you are going to use LDAP + AD for authentication, AD does not send back
the user password in any form. So you cannot use anonymous, or
rootdn/rootpw, for your bind. You must use the cn or sAMAccountName + the
user password. Normal LDAP (port 389) will send the password in the clear,
so to effectively use this you must use LDAPS (port 636).
-Lance

From owner-freebsd-security Thu Apr 11 17:57:56 2002
Subject: RE: Centralized authentication
Date: Thu, 11 Apr 2002 17:57:52 -0700
From: "Noah Davidson"
To: security@FreeBSD.ORG

I know with linux you can authenticate via mysql with some small changes
to the libnss library. We want to use mysql as the basis of authentication
for many services. Does anyone have any experience, or could point me in
the right direction, with such an environment?

Thanks
Noah

-----Original Message-----
From: Roger Marquis [mailto:marquis@roble.com]
Sent: Thursday, April 11, 2002 8:26 AM
To: security@FreeBSD.ORG
Subject: Re: Centralized authentication

faSty wrote:
>I don't see any NIS or NIS+ in the handbook. I tried to set up NIS+
>and I am not experienced with these features. Can anyone point me to
>where the HOWTO for NIS or NIS+ is?

Try a web search (via Google or any other search engine). I found
several good links from a query using "nis" and "howto". There's
also 'man -k yp' or, more specifically `man -k yp|grep ^yp'.

`man ypinit` might be a good place to start.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Thu Apr 11 22:21:06 2002
Date: Thu, 11 Apr 2002 22:20:43 -0700
From: "Crist J. Clark"
To: Jan Wagner
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Switching from ipfw to pf
Message-ID: <20020411222043.C39738@blossom.cjclark.org>
In-Reply-To: <20020411170642.A16359@de.tiscali.com>; from jan.wagner@de.tiscali.com on Thu, Apr 11, 2002 at 05:06:42PM +0200

On Thu, Apr 11, 2002 at 05:06:42PM +0200, Jan Wagner wrote:
> Hi,
>
> Fast question: I am accustomed to using pf on o.bsd and love its syntax
> and features. Is there a 'stable' way to switch [in my f.bsd45] to pf?

Not unless you are going to import all of the features and functionality
yourself. pf is OpenBSD-only.

--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Thu Apr 11 22:47:47 2002
Date: Fri, 12 Apr 2002 07:46:57 +0200
From: Przemyslaw Frasunek
To: security@freebsd.org
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
Message-ID: <20020412074657.K58987@lagoon.freebsd.lublin.pl>
In-Reply-To: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org>; from brett@lariat.org on Thu, Apr 11, 2002 at 02:12:01PM -0600

On Thu, Apr 11, 2002 at 02:12:01PM -0600, Brett Glass wrote:
> Fortunately, the vulnerability isn't present in FreeBSD's daily, weekly,
> and monthly maintenance scripts, because they use sendmail rather
> than /bin/mail. Nonetheless, the same patch should be applied to
> FreeBSD's /bin/mail due to the possibility that other privileged
> utilities (or user-written scripts) might use /bin/mail instead of
> sendmail to create e-mail messages.

FreeBSD's /usr/bin/mail doesn't accept ~! when working in non-interactive
mode.
lagoon:/home/venglin> echo "~\!touch foo" | mail venglin
lagoon:/home/venglin> ls -la foo
ls: foo: No such file or directory

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

From owner-freebsd-security Thu Apr 11 22:58:54 2002
Message-Id: <4.3.2.7.2.20020411235129.00ba5bc0@nospam.lariat.org>
Date: Thu, 11 Apr 2002 23:58:03 -0600
To: Przemyslaw Frasunek, security@FreeBSD.ORG
From: Brett Glass
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
In-Reply-To: <20020412074657.K58987@lagoon.freebsd.lublin.pl>

At 11:46 PM 4/11/2002, Przemyslaw Frasunek wrote:
>FreeBSD's /usr/bin/mail doesn't accept ~! when working in non-interactive
>mode.

That's good to know! It looks as if NetBSD and Darwin have this feature as
well. But SunOS 5.8 doesn't (at least according to the docs at
http://www.freebsd.org/cgi/man.cgi?query=mail&apropos=0&sektion=0&manpath=SunOS+5.8&format=html),
so Solaris may be vulnerable.

--Brett

From owner-freebsd-security Fri Apr 12 01:16:31 2002
Date: Fri, 12 Apr 2002 10:16:23 +0200 (MET DST)
From: Mario Pranjic
Subject: ipfw and samba

Hi!

Does anyone know what should be opened in order for samba to work properly?
I tried opening ports 137-139 (tcp and udp) but it still doesn't work.

smbclient -L works, though, but I can't access the host from windows.

Anybody know what might be the problem?

Thanks!

Mario Pranjic, dipl.ing.
system administrator
Knjiznica, Institut Rudjer Boskovic
-------------------------------------
e-mail: mario.pranjic@irb.hr
ICQ: 72059629
tel: +385 1 45 60 954 (ext.: 1293)
-------------------------------------

From owner-freebsd-security Fri Apr 12 02:01:01 2002
Message-ID: <20020412090058.65763.qmail@web13303.mail.yahoo.com>
Date: Fri, 12 Apr 2002 11:00:58 +0200 (CEST)
From: m p
Subject: Re: ipfw and samba
To: Mario Pranjic
Cc: security@freebsd.org

> Mario Pranjic wrote:
>
> Hi!
>
> Does anyone know what should be opened in order for samba to work properly?
> I tried opening ports 137-139 (tcp and udp) but it still doesn't
> work.
>
> smbclient -L works, though, but I can't access the host from windows.
>
> Anybody know what might be the problem?
>
> Thanks!
>
> Mario Pranjic, dipl.ing.
> system administrator
> Knjiznica, Institut Rudjer Boskovic
> -------------------------------------
> e-mail: mario.pranjic@irb.hr
> ICQ: 72059629
> tel: +385 1 45 60 954 (ext.: 1293)
> -------------------------------------
>

Hi Mario,

are you allowing only the host to these ports - or the broadcast address
also?

Add a test rule as the last rule before rule number 65535, which should
read:

ipfw add 65500 deny log all from any to any

Then you should see in /var/log/security with which address access for
your windows machine is blocked. For me it worked to allow the hosts + the
broadcast address to access my machine.

If that does not help, please send your ipfw-config and network-config to
the list. We can then help you better.

Marc

From owner-freebsd-security Fri Apr 12 04:07:56 2002
Date: Fri, 12 Apr 2002 21:07:10 +1000 (EST)
From: Andy Farkas
Cc: "Kevin Kinsey, DaleCo, S.P."
Subject: hosts.allow and RFC931 - was: sshd warning---a lil' help?
In-Reply-To: <20020409185049.A17491@cowbert.2y.net>

On Tue, 9 Apr 2002, Peter C. Lai wrote:

> a is true. the message is coming from hosts.allow, which checks for rdns as
> a (weak) signal of spoofed packets. You can deny these connections by
> turning on:
>
> ALL : PARANOID : RFC931 20 : deny
> # Provide some protection against clients using a forged source IP address
>

Question: the above rule in the default /etc/hosts.allow file is *above*
the rules regarding sshd - does this mean that sshd is not protected
against forged source IP addresses?

Also, it's been 2 and-a-bit years since this absolutely ridiculous bit of
ascii-art was added to hosts.allow:

#  _____                                        _          _
# | ____| __  __   __ _   _ __ ___    _ __  | |   ___  | |
# |  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \ | |  / _ \ | |
# | |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
# |_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#                                    |_|

....could we *please* remove it? If it really is an example file, then it
should be moved to /usr/share/examples or renamed to hosts.allow.sample...

>
> b would have sshd report "password" or keypair "accepted for username".
> c would have shown that user being rejected
>
> consequently, we don't know from what you've given us to know
> if someone logged in successfully to sshd running with pid 34375
> at that time :)
>
> On Tue, Apr 09, 2002 at 08:03:02AM -0500, Kevin Kinsey, DaleCo, S.P. wrote:
> > Apr 9 07:50:00 elisha sshd[34375]: warning: /etc/hosts.allow, line 23:
> > can't verify hostname: getaddrinfo(gbrdialin, AF_INET$) Failed
> >
> > This computer ---
> >
> > a - has incorrect or NO reverse DNS ?
> > b - tried to authenticate via ssh login and succeeded?
> > c - tried to authenticate via ssh login and failed?
> > d - other
> >
> >
> > TIA, Kevin Kinsey
> >
>
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Residential Life | Programmer
> Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
> http://cowbert.2y.net/
> 860.427.4542 (Room)
> 860.486.1899 (Lab)
> 203.206.3784 (Cellphone)
>

--
 :{ andyf@speednet.com.au
        Andy Farkas
    System Administrator
   Speednet Communications
 http://www.speednet.com.au/

From owner-freebsd-security Fri Apr 12 04:22:36 2002
Message-Id: <200204121122.g3CBMVpN001093@Magelan.Leidinger.net>
Date: Fri, 12 Apr 2002 13:22:31 +0200 (CEST)
From: Alexander Leidinger
Subject: Re: ipfw and samba
To: mario.pranjic@irb.hr
Cc: security@FreeBSD.ORG

On 12 Apr, Mario Pranjic wrote:
> Does anyone know what should be opened in order for samba to work properly?
> I tried opening ports 137-139 (tcp and udp) but it still doesn't
> work.
>
> smbclient -L works, though, but I can't access the host from windows.
>
> Anybody know what might be the problem?

${fwcmd} add allow tcp from any to me 138,139,445 in via ${outside_interface} setup keep-state
${fwcmd} add pass udp from any 139 to me 139 via ${outside_interface} keep-state

works for me.

Bye,
Alexander.

--
It's not a bug, it's tradition!

http://www.Leidinger.net                       Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7

From owner-freebsd-security Fri Apr 12 04:34:48 2002
Message-Id: <200204121134.HAA23582@koibito.iisc.com>
To: security@FreeBSD.ORG
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
In-Reply-To: Your message of "Thu, 11 Apr 2002 23:58:03 MDT." <4.3.2.7.2.20020411235129.00ba5bc0@nospam.lariat.org>
Date: Fri, 12 Apr 2002 07:34:42 -0400
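As an added example (my own, not any poster's rules), a small sh function that prints an ipfw rule set for a Samba host following the advice in this thread: the stateful TCP rule for the session ports as Alexander shows, plus the UDP name and datagram services to both the host and the LAN broadcast address that Marc points at, and Marc's logging catch-all as a separate diagnostic rule. Interface, network and broadcast address are parameters; rule numbers, the default /sbin/ipfw path and the 137/138 port choice are my assumptions.

```sh
#!/bin/sh
# Added example (not from any poster): print, but do not install, ipfw
# rules for a Samba host per this thread.  Rule numbers are arbitrary.
#
# Usage: samba_ipfw_rules IFACE LAN_NET LAN_BCAST [FWCMD]
#   e.g. samba_ipfw_rules fxp0 192.168.1.0/24 192.168.1.255 | sh
samba_ipfw_rules() {
    [ $# -ge 3 ] || {
        echo 'usage: samba_ipfw_rules IFACE LAN_NET LAN_BCAST [FWCMD]' >&2
        return 2
    }
    iface=$1 net=$2 bcast=$3
    fwcmd=${4:-/sbin/ipfw}

    # NetBIOS session service (139) and direct-hosted SMB (445) are TCP;
    # one stateful rule covers the connection in both directions.
    printf '%s add 10000 allow tcp from %s to me 139,445 in via %s setup keep-state\n' \
        "$fwcmd" "$net" "$iface"

    # Name service (137) and datagram service (138) are UDP, and Windows
    # clients send them to the LAN broadcast address as well as to the
    # host, so a rule that only says "to me" leaves browsing broken.
    printf '%s add 10010 allow udp from %s to me 137,138 in via %s\n' \
        "$fwcmd" "$net" "$iface"
    printf '%s add 10020 allow udp from %s to %s 137,138 in via %s\n' \
        "$fwcmd" "$net" "$bcast" "$iface"

    # Replies to broadcast name queries leave from our own 137/138; no
    # dynamic rule exists for a broadcast, so allow them out explicitly.
    printf '%s add 10030 allow udp from me 137,138 to %s out via %s\n' \
        "$fwcmd" "$net" "$iface"
}

# Marc's diagnostic: a logging catch-all just below the default rule, so
# /var/log/security shows which address and port is still being blocked
# (net.inet.ip.fw.verbose must be 1 for ipfw to log).  Remove it once the
# client works; it turns the ruleset deny-by-default.
samba_ipfw_diag_rule() {
    printf '%s add 65500 deny log ip from any to any\n' "${1:-/sbin/ipfw}"
}
```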
From: "Charles M. Richmond"

Up-to-date patched Solaris 8:

amaterasu $ pwd
/export/home/cmr
amaterasu $ echo "~\!touch foo" | mail cmr
amaterasu $ ls -l foo
foo: No such file or directory
amaterasu $ ls -l /usr/bin/mail
-r-x--s--x   1 root     mail       61080 Mar  6 18:01 /usr/bin/mail

Up-to-date patched Solaris 7:

taiyou $ pwd
/export/home/cmr
taiyou $ echo "~\!touch foo" | mail cmr
taiyou $ ls -l foo
foo: No such file or directory
taiyou $ ls -l /usr/bin/mail
-r-x--s--x   1 bin      mail       66796 Mar  1 18:14 /usr/bin/mail

From owner-freebsd-security Fri Apr 12 08:05:22 2002
From: Sheldon Hearn
To: Andy Farkas
Cc: peter.lai@uconn.edu, "Kevin Kinsey, DaleCo, S.P.", security@FreeBSD.ORG
Subject: Re: hosts.allow and RFC931 - was: sshd warning---a lil' help?
In-reply-to: Your message of "Fri, 12 Apr 2002 21:07:10 +1000."
Date: Fri, 12 Apr 2002 17:08:00 +0200
Message-ID: <87132.1018624080@axl.seasidesoftware.co.za>

On Fri, 12 Apr 2002 21:07:10 +1000, Andy Farkas wrote:

> Question: the above rule in the default /etc/hosts.allow file is *above*
> the rules regarding sshd - does this mean that sshd is not protected
> against forged source IP addresses?

Given the high pseudo-random quality of modern FreeBSD's TCP ISN
generation, do you think it's worth worrying about people spoofing SSH
connections?

Ciao,
Sheldon.

From owner-freebsd-security Fri Apr 12 09:55:34 2002
Date: Fri, 12 Apr 2002 12:55:23 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD Security
Subject: Re: ipfw and samba
Message-ID: <20020412125416.F15745-100000@topperwein.dyndns.org>

On Fri, 12 Apr 2002, Mario Pranjic wrote:

> Hi!
>
> Does anyone know what should be opened in order for samba to work properly?
> I tried opening ports 137-139 (tcp and udp) but it still doesn't
> work.
>
> smbclient -L works, though, but I can't access the host from windows.
>
> Anybody know what might be the problem?

NetBIOS collision? Try changing the NetBIOS name of the server host.
NetBIOS is a braindead system with a completely flat namespace, and naming
collisions are not always obvious. I lost an entire day to this problem
last week. :-(

--
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Fri Apr 12 10:02:36 2002
From: Sheldon Hearn
To: Chris BeHanna
Cc: FreeBSD Security
Subject: Re: ipfw and samba
In-reply-to: Your message of "Fri, 12 Apr 2002 12:55:23 -0400." <20020412125416.F15745-100000@topperwein.dyndns.org>
Date: Fri, 12 Apr 2002 19:06:20 +0200
Message-ID: <89747.1018631180@axl.seasidesoftware.co.za>

On Fri, 12 Apr 2002 12:55:23 -0400, Chris BeHanna wrote:

> > Does anyone know what should be opened in order for samba to work properly?
> > I tried opening ports 137-139 (tcp and udp) but it still doesn't
> > work.
> >
> > smbclient -L works, though, but I can't access the host from windows.
> >
> > Anybody know what might be the problem?
>
> NetBIOS collision?

Note that you usually need to allow broadcasts through as well. :-(

Ciao,
Sheldon.

From owner-freebsd-security Fri Apr 12 10:30:48 2002
Message-ID: <3CB7198D.16A333A8@centtech.com>
Date: Fri, 12 Apr 2002 12:29:49 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
To: Sheldon Hearn
Cc: Chris BeHanna, FreeBSD Security
Subject: Re: ipfw and samba

Sheldon Hearn wrote:
>
> > > Anybody know what might be the problem?
> >
> > NetBIOS collision?
>
> Note that you usually need to allow broadcasts through as well. :-(

Unless you use a WINS server, or set up your lmhosts file.

Eric

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
You have my continuous partial attention
------------------------------------------------------------------

From owner-freebsd-security Fri Apr 12 12:20:38 2002
Message-Id: <200204121920.g3CJKV265588@borja.sarenet.es>
From: Borja Marcos
To: security@freebsd.org
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
Date: Fri, 12 Apr 2002 21:20:30 +0200
In-Reply-To: <4.3.2.7.2.20020411235129.00ba5bc0@nospam.lariat.org>

On Friday 12 April 2002 07:58, you wrote:
> That's good to know! It looks as if NetBSD and Darwin have this feature
> as well. But SunOS 5.8 doesn't (at least according to the docs at
> http://www.freebsd.org/cgi/man.cgi?query=mail&apropos=0&sektion=0&manpath=SunOS+5.8&format=html),
> so Solaris may be vulnerable.

	I have just tested Solaris 8 and it is not vulnerable. However, this is very
old news. I reported a security hole in SCO Unix to CERT in 1993. I used this
"feature" to modify root's crontab simply running a script which printed "~!
commands" from "at".

	And a security problem with reverse fingers and TCP Wrapper (see Wietse
Venema's "Murphy's Laws and Computer Security") exploited exactly the same.
As far as I know, that behavior was removed from mail programs; they only
accept escape sequences (at least the ~!) when running from a terminal.

	Borja.
From owner-freebsd-security Fri Apr 12 12:23:57 2002
Message-Id: <200204121923.g3CJNo265626@borja.sarenet.es>
From: Borja Marcos
To: security@freebsd.org
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
Date: Fri, 12 Apr 2002 21:23:50 +0200
In-Reply-To: <200204121920.g3CJKV265588@borja.sarenet.es>

On Friday 12 April 2002 21:20, you wrote:
> 	And a security problem with reverse fingers and TCP Wrapper (see Wietse
> Venema's "Murphy's Laws and Computer Security") exploited exactly the same.
> As far as I know, that behavior was removed from mail programs; they only
> accept escape sequences (at least the ~!) when running from a terminal.

	Sorry, I meant "was removed as a default behavior". I had not noticed the
"-I" option in FreeBSD's /usr/bin/Mail.

	Borja.
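Brett's remark earlier in this thread, that other privileged utilities or user-written scripts might pipe into mail(1) rather than sendmail, suggests an inventory step. As an added example (my own, not from any poster), two sh functions: the first lists lines in scripts under a directory that pipe into mail/Mail/mailx, leaving direct sendmail(8) users out since sendmail does not interpret tilde escapes; the second flags body lines starting with a tilde, the only place a mail(1) honouring escapes non-interactively (the -I behaviour Borja mentions) would act. The regular expression and the choice to scan every regular file are my assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): read-only inventory helpers for the
# mail(1) tilde-escape issue discussed above.  Nothing is sent or changed.

# Print "file:line:text" for every line under DIR that pipes data into
# mail(1), Mail(1) or mailx(1).  The pattern wants a pipe, optional
# /bin/ or /usr/bin/ prefix, then the program name as a whole word, so
# "| mailq" and "| sendmail -t" are not reported.  Exit status follows
# find/grep: 0 when at least one line matched.
find_mail_pipes() {
    dir=${1:?usage: find_mail_pipes DIR}
    pat='\|[[:space:]]*(/usr/bin/|/bin/)?([Mm]ail|mailx)([[:space:]]|$)'
    # /dev/null forces grep to prefix the file name even for a single file;
    # -exec ... {} + runs nothing when the directory holds no files.
    find "$dir" -type f -exec grep -nE "$pat" /dev/null {} +
}

# Exit 0 and print "line:text" for each line of the message body on stdin
# that begins with "~" (escapes are only recognised at the start of a
# line); exit 1 when the body contains none.
body_has_tilde_escape() {
    grep -n '^~'
}
```

Run `find_mail_pipes /etc/periodic` on a FreeBSD host to confirm Brett's observation that the maintenance scripts do not use mail(1).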
From owner-freebsd-security Fri Apr 12 12:54:42 2002
Date: Fri, 12 Apr 2002 22:55:00 +0300 (EEST)
Message-Id: <200204121955.WAA23236@sun1.hot.ee>
To: security@freebsd.org
From: Citt Pjaskh
Subject: IPFW+nat.problem+advice?

hello all,

I'm new to FreeBSD (4.4) and unfortunately ipfw's syntax remains a mystery for me for now and probably for quite a long time :).

I do realize it's a bit out of security and more like a nat&ipfw howto question, but maybe there's someone out there with appropriate knowledge to just run over the text without going deep into howtos and tutorials like me (without significant luck), and I can't experiment on that box either, so here goes:

I'm kind of trying to redirect (tcp, service ftp) an internet port (123.45.67.89:6666) to an internal LAN port (192.168.1.111:6666) through FreeBSD ipfw with nat, but:

!Apr 12 17:20:52 server natd[185]: failed to write packet back (Permission denied)

current static rules for ipfw:

00100 614046 237558606 allow ip from any to any via lo0
00110 0 0 deny ip from any to 127.0.0.0/8
00120 0 0 deny ip from 127.0.0.0/8 to any
00211 0 0 allow tcp from 000.000.000.000 to any 22 in
00212 0 0 allow tcp from any 22 to 000.000.000.000 out
00221 13722891 11976856801 allow ip from 192.168.1.0/24 to 192.168.1.0/24 via fxp0
00226 19175 2647319 allow ip from 10.10.10.0/24 to 10.10.10.0/24 via fxp1
00230 5003575 668421565 allow tcp from 192.168.1.0/24 1024-65535 to any via fxp0
00250 2009728 217605591 allow tcp from 10.10.10.0/24 1024-65535 to any via fxp1
00501 62407 5744884 deny ip from any to 10.0.0.0/8 via wi0
00502 30 1440 deny ip from any to 172.16.0.0/12 via wi0
00601 0 0 deny ip from any to 0.0.0.0/8 via wi0
00602 293 35384 deny ip from any to 169.254.0.0/16 via wi0
00603 0 0 deny ip from any to 192.0.2.0/24 via wi0
00604 491059 28724175 deny ip from any to 224.0.0.0/4 via wi0
00605 798321 116391193 deny ip from any to 240.0.0.0/4 via wi0
01001 585 28763 allow tcp from any to 123.45.67.89 20-23,53
01002 71542 27302862 allow tcp from any to 123.45.67.89 25,113
01003 263148 26163248 allow tcp from any to 123.45.67.89 80
01004 3 164 allow tcp from any to 123.45.67.89 110,143
01005 125 6796 allow tcp from any to 123.45.67.89 6666
01010 84591 7147847 allow tcp from any to any 20-25,53,80,110,113 in
02001 5336012 409089310 divert 8668 ip from 192.168.1.0/24 to any via 123.45.67.89
02002 8615895 9126246102 divert 8668 ip from any to 123.45.67.89 via 123.45.67.89
02011 2245061 232307377 divert 8888 ip from 10.10.10.0/24 to any via wi0
02012 16073819 7952662742 divert 8888 ip from any to 234.56.78.90 via wi0
02150 0 0 allow tcp from 123.45.67.89 6666 to 192.168.1.111 6666
02151 0 0 allow tcp from 192.168.1.111 6666 to 123.45.67.89 6666
02200 120487 5980772 allow tcp from 123.45.67.89 to any setup
02201 3308220 197451028 allow tcp from 234.56.78.90 to any setup
02300 52560397 29315365992 allow tcp from any to any established
02400 0 0 allow ip from any to any frag
03502 0 0 allow tcp from any 20 to 192.168.0.0/24 setup
03990 4664 238680 deny log logamount 100 tcp from any to any in recv wi0 setup
04001 72286 7514697 allow udp from any 1024-65535,53 to any 53
04002 98 7448 allow udp from any 1024-65535 to any 123
04004 4546511 587215773 allow udp from any 1024-65535 to any 1024-65535 keep-state
04101 21045 3220087 allow udp from any 53 to any 1024-65535,53
04102 92 6992 allow udp from any 123 to any 1024-65535
05001 24872 1606653 allow icmp from any to any icmptype 0,3,4,8,11,12
65000 218113 27926926 deny log logamount 100 ip from any to any
65535 3 180 allow ip from any to any

@/etc/rc.conf:
firewall_enable="YES"
firewall_quiet="NO"
firewall_type="SIMPLE"
gateway_enable="YES"
natd_enable="YES"
natd_program="/etc/natstart"
natd_flags="-f /etc/natd.conf"   #isn't this repeating what's in natstart ?
natd_interface="123.45.67.89"

@/etc/natstart:
/sbin/natd -f /etc/natd.conf -a 123.45.67.89
/sbin/natd -f /etc/natd.aip.conf -p 8888 -a 234.56.78.90

@/etc/natd.conf
unregistered_only yes
same_ports yes
redirect_port tcp 192.168.1.111:6666 123.45.67.89:6666
#punch_fw 10000:999

(I'm about to add this here as well, is it right, or does this "FTP/IRC DCC punched holes" need additional configuration not covered in ipfw .. any experience/security related comments welcome ?)

@/etc/natd.aip.conf
unregistered_only yes
same_ports yes

so I was wondering if someone could correct this setup for me .. sounds kind of lame, I know :(. So this is it: I'm really stuck with this one (for weeks now), so I could use ANY help ... thank you.
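As an added illustration (not code from the thread or from FreeBSD), the block below is a small first-match model of the ruleset posted above. ipfw evaluates rules in numeric order and the first terminal rule decides, and a packet that natd writes back to the divert socket re-enters the ruleset at the rule after the one that diverted it. Run over a subset of the rules above for an inbound connection to 123.45.67.89:6666, the model shows two things: rule 01005 accepts the packet before the divert rule 02002 is reached, so natd's redirect_port never gets to rewrite it; and a packet natd had rewritten to 192.168.1.111:6666 finds no accept rule after 02002 and falls through to the final deny, which is what natd reports as "failed to write packet back (Permission denied)". The interface name ext0, the client address, and the reordered ruleset in FIXED_RULES are constructed assumptions; only the features the posted rules use are modelled, and "via <address>" is taken to mean the interface that owns that address.

```python
"""First-match model of an ipfw(8) ruleset (added example; models only the
rule features used by the posted rules, not all of ipfw)."""
import ipaddress
from dataclasses import dataclass

# Subset of the poster's `ipfw -a list` output with the packet/byte counters removed.
POSTED_RULES = """
01005 allow tcp from any to 123.45.67.89 6666
02002 divert 8668 ip from any to 123.45.67.89 via 123.45.67.89
02150 allow tcp from 123.45.67.89 6666 to 192.168.1.111 6666
02151 allow tcp from 192.168.1.111 6666 to 123.45.67.89 6666
02200 allow tcp from 123.45.67.89 to any setup
02300 allow tcp from any to any established
03990 deny log logamount 100 tcp from any to any in recv wi0 setup
65000 deny log logamount 100 ip from any to any
65535 allow ip from any to any
"""

# Constructed alternative (an assumption, not from the thread): divert before any
# allow rule, plus an explicit accept for the translated connection to the LAN host.
FIXED_RULES = """
00050 divert 8668 ip from any to any via 123.45.67.89
00060 allow tcp from any to 192.168.1.111 6666 in via 123.45.67.89 setup
02300 allow tcp from any to any established
65000 deny log logamount 100 ip from any to any
65535 allow ip from any to any
"""

OPTION_WORDS = {"via", "recv", "xmit", "in", "out", "setup", "established", "keep-state"}

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    iface: frozenset    # names by which the interface can be referred to (name, address)
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"syn"} for a SYN

def parse_ports(spec):
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_rule(line):
    t = line.split()
    rule = {"num": int(t[0]), "action": t[1], "sports": None, "dports": None, "opts": {}}
    i = 3 if rule["action"] == "divert" else 2       # skip the divert port number
    while t[i] in ("log", "logamount"):               # logging does not affect matching
        i += 2 if t[i] == "logamount" else 1
    rule["proto"] = t[i]
    rule["src"] = t[i + 2]                            # t[i+1] is the word "from"
    i += 3
    if t[i] != "to":
        rule["sports"] = parse_ports(t[i]); i += 1
    rule["dst"] = t[i + 1]                            # t[i] is the word "to"
    i += 2
    if i < len(t) and t[i] not in OPTION_WORDS:
        rule["dports"] = parse_ports(t[i]); i += 1
    while i < len(t):
        if t[i] in ("via", "recv", "xmit"):
            rule["opts"][t[i]] = t[i + 1]; i += 2
        else:
            rule["opts"][t[i]] = True; i += 1
    return rule

def load_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_match(ranges, port):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)

def rule_matches(rule, pkt):
    o = rule["opts"]
    return (rule["proto"] in ("ip", pkt.proto)
            and addr_match(rule["src"], pkt.src) and addr_match(rule["dst"], pkt.dst)
            and port_match(rule["sports"], pkt.sport) and port_match(rule["dports"], pkt.dport)
            and ("in" not in o or pkt.direction == "in")
            and ("out" not in o or pkt.direction == "out")
            and ("via" not in o or o["via"] in pkt.iface)
            # simplification: recv/xmit modelled as "via" restricted to one direction
            and ("recv" not in o or (pkt.direction == "in" and o["recv"] in pkt.iface))
            and ("xmit" not in o or (pkt.direction == "out" and o["xmit"] in pkt.iface))
            and ("setup" not in o or ("syn" in pkt.flags and "ack" not in pkt.flags))
            and ("established" not in o or bool(pkt.flags & {"ack", "rst"})))

def first_match(rules, pkt, after=0):
    """(number, action) of the first rule numbered above `after` that matches.
    `after` is how a packet written back by natd is modelled: it re-enters the
    ruleset at the rule following the divert rule."""
    for r in rules:
        if r["num"] > after and rule_matches(r, pkt):
            return r["num"], r["action"]
    return None

EXT = frozenset({"ext0", "123.45.67.89"})   # constructed name for the external interface

def trace_redirect(rules):
    """Follow one inbound SYN to 123.45.67.89:6666 (client address is constructed)."""
    syn = Packet("tcp", "198.51.100.7", 40000, "123.45.67.89", 6666, "in", EXT, frozenset({"syn"}))
    first = first_match(rules, syn)
    # the same packet after natd rewrote the destination to the redirect_port target
    translated = Packet("tcp", "198.51.100.7", 40000, "192.168.1.111", 6666, "in", EXT, frozenset({"syn"}))
    divert_num = next(r["num"] for r in rules if r["action"] == "divert")
    reinjected = first_match(rules, translated, after=divert_num)
    return first, reinjected

if __name__ == "__main__":
    print("posted ruleset:   ", trace_redirect(load_rules(POSTED_RULES)))
    print("reordered ruleset:", trace_redirect(load_rules(FIXED_RULES)))
```

With the posted ordering the trace returns (1005, "allow") for the incoming SYN and (65000, "deny") for the packet natd would write back; with the divert moved ahead of the allow rules and an explicit accept for the translated connection it returns (50, "divert") and (60, "allow"). The same ordering check applies to the second natd instance on wi0, whose divert rules 02011/02012 also sit behind a block of allow rules.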

From: "Asenchi"
Subject: RE: IPFW+nat.problem+advice?
Date: Fri, 12 Apr 2002 17:42:39 -0400
In-Reply-To: <200204121955.WAA23236@sun1.hot.ee>

Ok I have no idea what natstart is so i might be completely wrong. But in your natd.conf file you should only have to specify:

redirect_port tcp 192.168.1.111:6666 123.45.67.89:6666

and so on...you can also read the natd manpage for more info on redirect_port. hope this sheds a little more light...

also, i am curious as to why you have some of the rules you do, namely:

00211 0 0 allow tcp from 000.000.000.000 to any 22 in
00212 0 0 allow tcp from any 22 to 000.000.000.000 out

not sure why you have 000.000.000.000? (this is just out of curiosity, i am not saying you are wrong)

00501 62407 5744884 deny ip from any to 10.0.0.0/8 via wi0
00502 30 1440 deny ip from any to 172.16.0.0/12 via wi0
00601 0 0 deny ip from any to 0.0.0.0/8 via wi0
00602 293 35384 deny ip from any to 169.254.0.0/16 via wi0
00603 0 0 deny ip from any to 192.0.2.0/24 via wi0
00604 491059 28724175 deny ip from any to 224.0.0.0/4 via wi0
00605 798321 116391193 deny ip from any to 240.0.0.0/4 via wi0

again with the 0.0.0.0 ip, and also shouldn't deny rules go more towards the end of your rule set? (again curiosity)

02001 5336012 409089310 divert 8668 ip from 192.168.1.0/24 to any via 123.45.67.89
02002 8615895 9126246102 divert 8668 ip from any to 123.45.67.89 via 123.45.67.89
02011 2245061 232307377 divert 8888 ip from 10.10.10.0/24 to any via wi0
02012 16073819 7952662742 divert 8888 ip from any to 234.56.78.90 via wi0

you might be able to just go:

add XXXX divert ip 8668 ip from any to any via vr0

(is there a benefit to listing each ip connection?)

65535 3 180 allow ip from any to any

shouldn't this be 'deny'

natd_program="/etc/natstart"

i don't know what this is...could you explain what it is. basically i look at these lists to learn more. hope you don't mind me asking questions on top of yours. don't know if i was any help at all.

ASENCHI

Date: Fri, 12 Apr 2002 23:32:36 -0700
From: "Crist J. Clark"
To: Nicolas Rachinsky
Cc: security@FreeBSD.org, brett@lariat.org
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
Message-ID: <20020412233236.A43915@blossom.cjclark.org>
References: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org> <20020411204516.GA51239@pc5.abc>
In-Reply-To: <20020411204516.GA51239@pc5.abc>; from list@rachinsky.de on Thu, Apr 11, 2002 at 10:45:17PM +0200

On Thu, Apr 11, 2002 at 10:45:17PM +0200, Nicolas Rachinsky wrote:
> * Brett Glass [2002-04-11 14:12:01 -0600]:
> > [This is a corrected version of the previous message, which omitted
> > the word "isn't" near the beginning of the second paragraph.]
> >
> > The vulnerability described in the message below is a classic
> > "in-band signalling" problem that may give an unauthorized user
> > the ability to run an arbitrary command as root.
> >
> > Fortunately, the vulnerability isn't present in FreeBSD's daily, weekly,
> > and monthly maintenance scripts, because they use sendmail rather
> > than /bin/mail.

No, they use mail(1),

$ more /usr/bin/periodic
.
.
.
        *) pipe="mail -s '$host ${arg##*/} run output' $output";;

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

Date: Fri, 12 Apr 2002 23:46:02 -0700
From: "Crist J. Clark"
To: Andy Farkas
Cc: peter.lai@uconn.edu, "Kevin Kinsey, DaleCo, S.P.", security@FreeBSD.ORG
Subject: Re: hosts.allow and RFC931 - was: sshd warning---a lil' help?
Message-ID: <20020412234602.B43915@blossom.cjclark.org>
References: <20020409185049.A17491@cowbert.2y.net>
In-Reply-To: from andyf@speednet.com.au on Fri, Apr 12, 2002 at 09:07:10PM +1000

On Fri, Apr 12, 2002 at 09:07:10PM +1000, Andy Farkas wrote:
> On Tue, 9 Apr 2002, Peter C. Lai wrote:
>
> > a is true. the message is coming from hosts.allow, which checks for rdns as
> > a (weak) signal of spoofed packets. You can deny these connections by
> > by turning on:
> >
> > ALL : PARANOID : RFC931 20 : deny
> > # Provide some protection against clients using a forged source IP address
> >
>
> Question: the above rule in the default /etc/hosts.allow file is *above*
> the rules regarding sshd - does this mean that sshd is not protected
> against forged source IP addresses?

The original statement is misleading. There's pretty much no way to protect
against forged IP addresses, IP is unauthenticated. All PARANOID does is,

     PARANOID
          Matches any host whose name does not match its address.

It looks up the host name from the address, then looks up the address
associated with the host name, and makes sure the addresses match. It
looks for people playing DNS games. It's only really useful if you are
restricting access by host name.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
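An added example (not code from the thread or from tcp_wrappers) that models the host-name check described in the reply above, with the resolver functions injected so it runs offline on constructed DNS data: reverse-map the address, forward-map the name that comes back, and compare. What it makes concrete is the point of the reply: the check only classifies DNS inconsistency, so a forged source address whose DNS records happen to be consistent (or absent) is not caught by it. The host names and addresses are constructed, and the sshd rule is a stand-in for the sshd lines Andy refers to but does not quote.

```python
"""Model of the host-name consistency check behind tcpd's PARANOID wildcard
(added example; resolvers are injected so it runs offline on constructed data)."""
from typing import Callable, Dict, List, Optional

# Constructed DNS data (RFC 5737 documentation addresses, not real hosts).
PTR: Dict[str, Optional[str]] = {
    "192.0.2.10": "honest.example.net",   # PTR and A records agree
    "192.0.2.20": "victim.example.net",   # PTR names a host whose A record points elsewhere
    "192.0.2.30": None,                   # no PTR record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "honest.example.net": ["192.0.2.10"],
    "victim.example.net": ["198.51.100.5"],
}

def classify_client(addr: str,
                    reverse: Callable[[str], Optional[str]] = PTR.get,
                    forward: Callable[[str], List[str]] = lambda n: A_RECORDS.get(n, [])) -> str:
    """Category tcpd assigns to a connecting address: KNOWN, UNKNOWN or PARANOID.

    KNOWN    - reverse lookup gives a name whose forward lookup contains the address
    UNKNOWN  - the address has no reverse mapping (matched by the UNKNOWN wildcard)
    PARANOID - name and address disagree (matched by the PARANOID wildcard)
    Nothing here inspects the packet itself: a forged source address with
    consistent (or no) DNS records is not detected by this check.
    """
    name = reverse(addr)
    if name is None:
        return "UNKNOWN"
    return "KNOWN" if addr in forward(name) else "PARANOID"

# The rule quoted in the thread, followed by a constructed stand-in for the sshd
# lines Andy refers to; hosts_access(5) takes the first matching rule.  The
# "RFC931 20" option on the quoted rule only adds an ident lookup (20 s timeout)
# to the log record and does not change the verdict, so it is left out here.
ACCESS_RULES = [
    ("ALL", "PARANOID", "deny"),
    ("sshd", "ALL", "allow"),
]

def hosts_access(daemon: str, addr: str, rules=ACCESS_RULES) -> str:
    """Return "allow" or "deny" for daemon/addr under the rules above."""
    category = classify_client(addr)
    for rule_daemon, rule_client, verdict in rules:
        daemon_ok = rule_daemon in ("ALL", daemon)
        client_ok = rule_client in ("ALL", category)
        if daemon_ok and client_ok:
            return verdict
    return "allow"   # no rule matched: with an empty hosts.deny, tcpd allows

if __name__ == "__main__":
    for a in PTR:
        print(a, classify_client(a), hosts_access("sshd", a))
```

Only 192.0.2.20, whose PTR name does not map back to it, is classified PARANOID and denied; the address with no PTR at all is UNKNOWN and, under these two rules, allowed. A spoofed packet carrying 192.0.2.10 as its source would be classified KNOWN like the genuine host, which is the reply's point about where this check helps and where it does not.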

From: domainmaster@vwx.com
Subject: SOS VWX.COM
Date: Sat, 13 Apr 2002 06:47:24 -0400
Message-ID: <20020413104724250.ABW2216@x.vwx.com@x.reston01.va.comcast.net>
To: undisclosed-recipients:;

Ladies and Gentlemen,

Please accept my most humble and sincere apologies if this email has reached you at a bad moment, or is a problem to you in any fashion. My true email is listed as the return address as a gesture of my sincerity.

This email is a cry for help at http://vwx.com
A cry for freedom...
A cry for rights...
A cry for Justice...

Please help...Please don't report me for sending mass email...
Your email was selected on a spider done on "Prayer"

Sincerely yours,
Jim Anderson
http://vwx.com

Date: Sat, 13 Apr 2002 10:06:29 -0700 (PDT)
From: Mikko Tyolajarvi
Message-Id: <200204131706.g3DH6T117776@mikko.rsa.com>
To: cmr@iisc.com
Cc: security@freebsd.org
Orig-To: "Charles M. Richmond"
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
References: <4.3.2.7.2.20020411235129.00ba5bc0@nospam.lariat.org> <200204121134.HAA23582@koibito.iisc.com>

In local.freebsd.security you write:

>Up-to-date patched Solaris 8:
>amaterasu $ pwd
>/export/home/cmr
>amaterasu $ echo "~\!touch foo" | mail cmr
>amaterasu $ ls -l foo
>foo: No such file or directory
>amaterasu $ ls -l /usr/bin/mail
>-r-x--s--x 1 root mail 61080 Mar 6 18:01 /usr/bin/mail

>Up-to-date patched Solaris 7
>taiyou $ pwd
>/export/home/cmr
>taiyou $ echo "~\!touch foo" | mail cmr
>taiyou $ ls -l foo
>foo: No such file or directory
>taiyou $ ls -l /usr/bin/mail
>-r-x--s--x 1 bin mail 66796 Mar 1 18:14 /usr/bin/mail

Try "mailx" or /usr/ucb/mail...

$.02,
/Mikko
-- 
Mikko Työläjärvi_______________________________________mikko@rsasecurity.com
RSA Security

Message-Id: <200204131826.OAA26250@koibito.iisc.com>
To: security@FreeBSD.ORG
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
In-Reply-To: Your message of "Sat, 13 Apr 2002 10:06:29 PDT." <200204131706.g3DH6T117776@mikko.rsa.com>
Date: Sat, 13 Apr 2002 14:26:33 -0400
From: "Charles M. Richmond"

>>Up-to-date patched Solaris 8:
>>...
>>amaterasu $ echo "~\!touch foo" | mail cmr
>>amaterasu $ ls -l foo
>>foo: No such file or directory

>Try "mailx" or /usr/ucb/mail...

First:

amaterasu% ls -l /usr/ucb/mail /usr/bin/mailx
-r-x--s--x 1 root mail 126880 Mar 6 18:01 /usr/bin/mailx
lrwxrwxrwx 1 root root 12 Mar 31 2001 /usr/ucb/mail -> ../bin/mailx

So we only need to try one.

amaterasu% echo "~\!touch foo" | mailx cmr
!
No message !?!
amaterasu% ls -l foo
-rw-r--r-- 1 cmr staff 0 Apr 13 13:21 foo

So yes the BSD mailx/mail has the bug. Also I do not see a bug report on sunsolve.sun.com. On the other hand it appears that the tilde command is not operating with the effective UID but with the actual UID. Even though mailx is SGID mail and the root mailbox is group readable for mail:

ls -l /var/mail
total 18
drwxrwxr-x 2 root mail 512 Oct 25 08:34 :saved
-rw-rw---- 1 cmr mail 318 Apr 13 14:04 cmr
-rw-rw---- 1 root mail 7090 Mar 28 03:10 root

amaterasu% echo "~\!cat /var/mail/root" | mailx cmr
cat: cannot open /var/mail/root
!
No message !?!

Does this mitigate the problem sufficiently?

Charles Richmond

PS: I have the source CDs for Solaris, I've just been too lazy to open them up. Is the mailx utility on the distributed source?

***********************************************************************
* Charles Richmond       Integrated International Systems Corporation *
* cmr@iisc.com cmr@acm.org cmr@shore.net          http://www.iisc.com *
* UNIX Internals, I18N, L10N, X, Realtime Imaging, and Custom S/W     *
* 131 Bishop's Forest Drive , Waltham , Ma. USA 02452                 *
* (781) 647 2269   FAX (781) 647 3665   Cellular (781) 389 9777       *
***********************************************************************

Date: Sat, 13 Apr 2002 21:54:02 -0000
From: "ozkan_kirik"
To: freebsd-security@freebsd.org
Subject: IPFW & NAT question.

I use IPFIREWALL protocol. I wanna use this computer as both Firewall and Transparent Proxy, & i use "natd" to make nat. But my NAT doesn't work. here my files:

***natd.rules***
log yes
alias_address 10.0.0.1
target_address 178.128.44.52
redirect_port tcp 178.128.44.52:3128 80
proxy_rule port 80 server 178.128.44.52:3128

***rc.conf***
ipfirewall_enable="YES"
natd_enable="YES"

By now thanks for your helps.
With my best regards.
**Ozkan**

Message-Id: <4.3.2.7.2.20020413170619.00b18ef0@nospam.lariat.org>
Date: Sat, 13 Apr 2002 17:07:39 -0600
To: "Charles M. Richmond", security@FreeBSD.ORG
From: Brett Glass
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
In-Reply-To: <200204131826.OAA26250@koibito.iisc.com>

At 12:26 PM 4/13/2002, Charles M. Richmond wrote:

>So yes the BSD mailx/mail has the bug. Also I do not see a bug
>report on sunsolve.sun.com. On the other hand it appears that the
>tilde command is not operating with the effective UID but with the
>actual UID. Even though mailx is SGID mail and the root mailbox is
>group readable for mail:
>
>ls -l /var/mail
>total 18
>drwxrwxr-x 2 root mail 512 Oct 25 08:34 :saved
>-rw-rw---- 1 cmr mail 318 Apr 13 14:04 cmr
>-rw-rw---- 1 root mail 7090 Mar 28 03:10 root
>
>amaterasu% echo "~\!cat /var/mail/root" | mailx cmr
>cat: cannot open /var/mail/root
>!
>No message !?!
>
>
>Does this mitigate the problem sufficiently?

Not if the process invoking mail really is running as root, as a periodic maintenance script would.

--Brett

Message-Id: <200204140011.UAA26695@koibito.iisc.com>
To: freebsd-security@freebsd.org, brett@lariat.org
Subject: Affect of BSD mail/mailx bug in Solaris (was: Re: Corrected...
In-Reply-To: Your message of "Sat, 13 Apr 2002 17:07:39 MDT." <4.3.2.7.2.20020413170619.00b18ef0@nospam.lariat.org>
Date: Sat, 13 Apr 2002 20:11:00 -0400
From: "Charles M. Richmond"

> >amaterasu% echo "~\!cat /var/mail/root" | mailx cmr
> >cat: cannot open /var/mail/root
> >!
> >No message !?!
> >
> >
> >Does this mitigate the problem sufficiently?

> Not if the process invoking mail really is running as root,
> as a periodic maintenance script would.

Remember /usr/bin/mail is fine. Only the BSD compatible mailx has the problem and I am pretty sure that no Sun scripts use mailx or its link, /usr/ucb/mail. So not only would the script have to be running as root, it would have to allow non-root users to input arguments, it would have to use a deprecated version of mail and the default root shell would have had to have been changed from 'sh' to 'csh'.

Not to say that Sun shouldn't fix this. Clearly they should. I am just saying that there doesn't seem to be a means of failure without the admin conniving in his/her own destruction.

Charlie

PS The mail & mailx on Tru64/Digital Unix seems ok.

PPS: /usr/lib/acct/ckpacct and /usr/lib/acct/runacct both use mailx but have fixed args and force the shell to sh. Ain't grep wonderful *g*

***********************************************************************
* Charles Richmond       Integrated International Systems Corporation *
* cmr@iisc.com cmr@acm.org cmr@shore.net          http://www.iisc.com *
* UNIX Internals, I18N, L10N, X, Realtime Imaging, and Custom S/W     *
* 131 Bishop's Forest Drive , Waltham , Ma. USA 02452                 *
* (781) 647 2269   FAX (781) 647 3665   Cellular (781) 389 9777       *
***********************************************************************
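As an added example for the mail/mailx thread above (not code from the thread, from FreeBSD or from Solaris): a screen for text that a job is about to pipe into mail(1) or mailx(1). It flags every line a tilde-escape-aware mailer would interpret, separating the shell-command escapes (~! and ~|) from the file escapes, and can double a leading tilde, which is the documented way (~~) to make such a mailer insert the line literally. The sample output is constructed. As the thread concludes, the real fix is a mailer invocation that does not interpret escapes at all (FreeBSD's mail(1) only does so interactively or with -I); this screen is the defence-in-depth check for the cases where that cannot be guaranteed, for instance when the output comes from accounts that can put arbitrary text into it.

```python
"""Screen text bound for mail(1)/mailx(1) for tilde escapes (added example).
Assumptions: an escape is only recognised at the start of a line, and a doubled
tilde ("~~") is inserted as a single literal tilde when escapes are active."""
import re

# Escapes that leave the message editor: ~! and ~| run a shell command,
# ~r / ~< read a file into the message, ~w writes the message to a file.
COMMAND_ESCAPE = re.compile(r"^~[!|]")
FILE_ESCAPE = re.compile(r"^~[r<w](\s|$)")

def find_tilde_escapes(text):
    """Return [(line_no, kind, line)] for each line an escape-processing mailer
    would act on; kind is "command", "file" or "other" (editing escapes)."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.startswith("~"):
            continue
        if COMMAND_ESCAPE.match(line):
            kind = "command"
        elif FILE_ESCAPE.match(line):
            kind = "file"
        else:
            kind = "other"
        hits.append((no, kind, line))
    return hits

def neutralize_tilde_escapes(text):
    """Double a leading tilde so an escape-processing mailer inserts the line verbatim.
    Use this only when the mailer really processes escapes; otherwise the doubled
    tilde reaches the recipient as written."""
    out = ["~" + l if l.startswith("~") else l for l in text.splitlines()]
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")

# Constructed sample of what a maintenance job's report could contain when a
# user can get text of their choosing into it (e.g. through a file name it lists).
SAMPLE_OUTPUT = """Checking for uids of 0:
root 0
~!touch /tmp/escaped
~r /etc/motd
"""

if __name__ == "__main__":
    for no, kind, line in find_tilde_escapes(SAMPLE_OUTPUT):
        print(f"line {no}: {kind} escape: {line}")
    print(neutralize_tilde_escapes(SAMPLE_OUTPUT), end="")
```

On the sample, the screen reports line 3 as a command escape and line 4 as a file escape; the neutralized text carries those two lines as "~~!touch /tmp/escaped" and "~~r /etc/motd", which an escape-processing mailer delivers as the original lines. A job that pipes untrusted output to mail can refuse to send (or log the hits) when find_tilde_escapes returns anything, which is the cheaper and more robust choice when the mailer's escape handling is not known.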