From owner-freebsd-security@FreeBSD.ORG Mon Dec 6 15:17:57 2004
From: Ruben de Groot
To: freebsd-security@freebsd.org
Date: Mon, 6 Dec 2004 16:20:10 +0100
Message-ID: <20041206152010.GA4747@ei.bzerk.org>
Subject: Unprivileged user can write to mbr

Hi,

I'm having trouble rationalizing the behaviour described below. Is this
a security-issue (bug) or a feature?
- An unprivileged user 'bztest' with read-only access to /dev/ar0:

%id
uid=1004(bztest) gid=1004(test) groups=1004(test), 5(operator)
%ls -l /dev/ar0
crw-r-----  1 root  operator    4,  21 Nov 23 17:34 /dev/ar0

- Now, the device ar0 has the standard mbr installed:

%cmp /dev/ar0 /boot/mbr
/dev/ar0 /boot/mbr differ: char 447, line 1

- The boot0cfg program does not have any setuid bits:

%ls -l /usr/sbin/boot0cfg
-r-xr-xr-x  1 root  wheel  7940 Oct 26 22:47 /usr/sbin/boot0cfg

- The test user now uses boot0cfg to install the boot0 bootblock:

%boot0cfg -B -b /boot/boot0 /dev/ar0
%cmp /dev/ar0 /boot/mbr
/dev/ar0 /boot/mbr differ: char 13, line 1
%cmp /dev/ar0 /boot/boot0
/dev/ar0 /boot/boot0 differ: char 447, line 5

Can somebody explain this?

thanks,
Ruben de Groot

From owner-freebsd-security@FreeBSD.ORG Mon Dec 6 15:20:44 2004
From: Ruben de Groot
To: freebsd-security@freebsd.org
Date: Mon, 6 Dec 2004 16:22:59 +0100
Message-ID: <20041206152259.GB4747@ei.bzerk.org>
In-Reply-To: <20041206152010.GA4747@ei.bzerk.org>
Subject: Re: Unprivileged user can write to mbr

I forgot to mention:

%uname -a
FreeBSD ei.bzerk.org 5.3-STABLE FreeBSD 5.3-STABLE #56: Tue Oct 26 06:49:27 CEST 2004
root@ei.bzerk.org:/usr/build/usr/obj/usr/build/releng_5/usr/src/sys/SMP-EI  i386

On Mon, Dec 06, 2004 at 04:20:10PM +0100, Ruben de Groot typed:
>
> Hi,
>
> I'm having trouble rationalizing the behaviour described below. Is this
> a security-issue (bug) or a feature?
>
> - An unprivileged user 'bztest' with read-only access to /dev/ar0:
>
> %id
> uid=1004(bztest) gid=1004(test) groups=1004(test), 5(operator)
> %ls -l /dev/ar0
> crw-r-----  1 root  operator    4,  21 Nov 23 17:34 /dev/ar0
>
> - Now, the device ar0 has the standard mbr installed:
>
> %cmp /dev/ar0 /boot/mbr
> /dev/ar0 /boot/mbr differ: char 447, line 1
>
> - The boot0cfg program does not have any setuid bits:
>
> %ls -l /usr/sbin/boot0cfg
> -r-xr-xr-x  1 root  wheel  7940 Oct 26 22:47 /usr/sbin/boot0cfg
>
> - The test user now uses boot0cfg to install the boot0 bootblock:
>
> %boot0cfg -B -b /boot/boot0 /dev/ar0
> %cmp /dev/ar0 /boot/mbr
> /dev/ar0 /boot/mbr differ: char 13, line 1
> %cmp /dev/ar0 /boot/boot0
> /dev/ar0 /boot/boot0 differ: char 447, line 5
>
> Can somebody explain this?
>
> thanks,
> Ruben de Groot
>

From owner-freebsd-security@FreeBSD.ORG Thu Dec 9 01:56:20 2004
From: stheg olloydson
To: freebsd-security@freebsd.org
Date: Wed, 8 Dec 2004 17:56:18 -0800 (PST)
Message-ID: <20041209015618.69267.qmail@web53908.mail.yahoo.com>
Subject: Center for Internet Security "scoring tool"

Hello,

Has anyone tried out the security scoring tool at
http://www.cisecurity.org/bench_freebsd.html?
Any thoughts or opinions?

Regards,
stheg
From owner-freebsd-security@FreeBSD.ORG Thu Dec 9 02:46:07 2004
From: "Giovanni P. Tirloni"
To: stheg olloydson
Cc: freebsd-security@freebsd.org
Date: Thu, 09 Dec 2004 00:46:01 -0200
Message-ID: <41B7BC69.2010904@tirloni.org>
In-Reply-To: <20041209015618.69267.qmail@web53908.mail.yahoo.com>
Subject: Re: Center for Internet Security "scoring tool"

stheg olloydson wrote:
> Hello,
>
> Has anyone tried out the security scoring tool at
> http://www.cisecurity.org/bench_freebsd.html?
> Any thoughts or opinions?

I tried it some weeks ago on 5.3-RC1. It's a good tool to use as a
checklist but don't use the score to rank your systems.
It said a default install scored 5.88 and after fixing some things I
increased it to 8.0, but it didn't tweak the system too much because I
hadn't much time. I'm going to play with it again next week.

--
Giovanni P. Tirloni

From owner-freebsd-security@FreeBSD.ORG Thu Dec 9 18:02:46 2004
From: Colin Percival
To: freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Date: Thu, 09 Dec 2004 10:02:21 -0800
Message-ID: <41B8932D.8030800@wadham.ox.ac.uk>
Subject: 5.3 SMP kernels now available via FreeBSD Update
In response to popular demand, I am now providing both GENERIC and SMP
kernels via FreeBSD Update to people running FreeBSD 5.3.

To take advantage of this on your FreeBSD 5.3 (and only 5.3!) SMP system,
run the following commands as root:

# touch /boot/kernel/SMP
# freebsd-update fetch
  (this should mention downloading a new /boot/kernel/SMP file)
# freebsd-update install
  (likewise, this should mention installing /boot/kernel/SMP)
# echo 'bootfile="SMP"' >> /boot/loader.conf

and reboot. You should now find that `uname -ri` outputs "5.3-SECURITY SMP".

Note again that this does not apply to any FreeBSD releases other than 5.3.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Fri Dec 10 04:43:27 2004
From: Milind Nanal
To: freebsd-security@freebsd.org
Cc: stheg_olloydson@yahoo.com
Date: Fri, 10 Dec 2004 10:07:07 +0530
Subject: Re: Center for Internet Security "scoring tool"

Stheg,

I have used the CIS tool on RedHat Linux and found it effective to go
through the report generated after running the tool. I am new to BSD and
not much used to BSD stuff, but since the tool is the same it should give
good results. Let me also try the same on my FreeBSD box. I'll keep you
updated.
Regards,
Milind

NOTHING IS IMPOSSIBLE, Because Impossible itself says - I'M POSSIBLE
From owner-freebsd-security@FreeBSD.ORG Sat Dec 11 00:02:07 2004
From: Bob Ababurko
To: freebsd-security@freebsd.org
Date: Fri, 10 Dec 2004 19:01:59 -0500
Message-ID: <41BA38F7.6020409@adelphia.net>
Subject: need some advice on connections logs

Hello-

What is the best way to deal with getting logs for someone attacking my
box? I am not really sure, but I think it may involve tcpdump. Is there
any way to implement this so that it can be running before an attack
happens?.....see the problem is, that I do not have physical access to
the box and if it is taken down (inaccessible by remote means), I cannot
log in to start a dump. What can I do in this case, or what are my
options, if I want to have the network connections dumped somehow with
no intervention?....is that a tall order?

Thanks,
Bob

From owner-freebsd-security@FreeBSD.ORG Sat Dec 11 00:22:54 2004
From: Bob Ababurko
To: freebsd-security@freebsd.org
Date: Fri, 10 Dec 2004 19:22:46 -0500
Message-ID: <41BA3DD6.5040702@adelphia.net>
Subject: way to duplicate logs?

Hello-

I am a bit confused here. I have just had some issues with my box and I
am looking for some opinions. I just had been denied access to my
box...supposedly from a memory shortage in reference to my NIC....more
specifically, mbuf clusters exhausted. Now I am looking in my
/var/log/messages for when this started and I notice a discrepancy in my
logs. Now from where I am looking, I see time in the logs go backwards.
You can see it as soon as the box is rebooted. Is there an explanation
for this?

bash-2.05b# tail -200 /var/log/messages
Dec  7 19:01:03 additional su: bob to root on /dev/ttyp0
Dec  8 10:19:35 additional su: bob to root on /dev/ttyp1
Dec  8 18:09:24 additional su: BAD SU bob to root on /dev/ttyp0
Dec  8 18:09:29 additional su: bob to root on /dev/ttyp0
Dec 10 17:36:45 additional /kernel: All mbuf clusters exhausted, please see tuning(7).
Dec 10 17:37:16 additional last message repeated 31 times
Dec 10 17:39:17 additional last message repeated 121 times
Dec 10 17:49:18 additional last message repeated 575 times
Dec 10 17:59:19 additional last message repeated 545 times
Dec 10 14:08:10 additional /kernel: Copyright (c) 1992-2003 The FreeBSD Project.
Dec 10 14:08:10 additional /kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Dec 10 14:08:10 additional /kernel:     The Regents of the University of California. All rights reserved.
Dec 10 14:08:10 additional /kernel: FreeBSD 4.9-RELEASE #0: Tue Nov 30 01:20:25 AST 2004

The date on the box should not have changed during that reboot, as it
was in sync with ntp and still is.

Also, is there a way to make more than one copy of these logs?....I am
not sure how this is set up but I would like to possibly have another
set of logs in place so if someone is editing them, I can catch it. I
know there is a chance that I may be overreacting, but just in case I
want to know.

Thanks,
Bob

From owner-freebsd-security@FreeBSD.ORG Sat Dec 11 00:49:43 2004
From: randall ehren
To: Bob Ababurko
Cc: freebsd-security@freebsd.org
Date: Fri, 10 Dec 2004 16:49:40 -0800
Message-ID: <41BA4424.7040201@ucsb.edu>
In-Reply-To: <41BA3DD6.5040702@adelphia.net>
Subject: Re: way to duplicate logs?
> I am a bit confused here. I have just had some issues with my box and I
> am looking for some opinions. I just had been denied access to my
> box...supposedly from a memory shortage in reference to my NIC....more
> specifically, mbuf clusters exhausted. Now I am looking in my
> /var/log/messages for when this started and I notice a discrepancy in my
> logs. Now from where I am looking, I see time in the logs go backwards.
> You can see it as soon as the box is rebooted. Is there an explanation
> for this?

it could be that your BIOS time is conflicting with freebsd's - during
your install did you select "YES" for "Does your BIOS keep track of
time?" or whatever the question is...

> The date on the box should not have changed during that reboot, as it
> was in sync with ntp and still is.

are you sure ntp is running? to check:

root@box[~]% \ps -waux | grep ntp

> Also, is there a way to make more than one copy of these logs?....I am
> not sure how this is set up but I would like to possibly have another
> set of logs in place so if someone is editing them, I can catch it. I
> know there is a chance that I may be overreacting, but just in case I
> want to know.

you can setup another machine to receive logs:

http://isber.ucsb.edu/~randall/instructions/loghost/

or just

% man 5 syslog.conf

-randall

--
randall s.
ehren :// 805.893.5632
systems administrator :// isber.ucsb.edu
institute for social, behavioral, and economic research

From owner-freebsd-security@FreeBSD.ORG Sat Dec 11 01:16:13 2004
From: Nielsen
Cc: freebsd-security@freebsd.org
Date: Sat, 11 Dec 2004 01:25:58 +0000 (GMT)
Message-Id: <20041211012557.E29B0840813@mail.npubs.com>
References: <41BA3DD6.5040702@adelphia.net>
Subject: Re: way to duplicate logs?

Bob Ababurko wrote:
> Also, is there a way to make more than one copy of these logs?....I am
> not sure how this is set up but I would like to possibly have another
> set of logs in place so if someone is editing them, I can catch it. I
> know there is a chance that I may be overreacting, but just in case I
> want to know.

You can forward them to another machine. Add a line like this to your
syslog.conf:

*.*    @hostname

And then on the other machine change syslogd to accept (udp log packets)
connections from other machines by removing the '-s' flags.
Of course if someone is really messing around they'll be able to send
bogus logs to your other logging machine too.

Cheers,
Nate

From owner-freebsd-security@FreeBSD.ORG Sat Dec 11 07:51:00 2004
From: Vasil Dimov
To: freebsd-security@freebsd.org
Reply-To: vd@datamax.bg
Date: Sat, 11 Dec 2004 09:51:28 +0200
Message-ID: <20041211075128.GA35474@sinanica.bg.datamax>
Subject: need some advice on connections logs

> Hello-
>
> What is the best way to deal with getting logs for someone attacking my
> box? I am not really sure, but I think it may involve tcpdump. Is
> there any way to implement this so that it can be running before an
> attack happens?.....see the problem is, that I do not have physical
> access to the box and if it is taken down (inaccessible by remote means),
> I cannot log in to start a dump. What can I do in this case, or what
> are my options, if I want to have the network connections dumped somehow
> with no intervention?....is that a tall order?
>
> Thanks,
> Bob

See ipfw(8) and/or ipf(8), ipf(5) and/or pfctl(8), pf.conf(5), pflogd(8)
(5.x only)

Especially the log options for those facilities.
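For the "way to duplicate logs?" thread above: an added example, not code from the thread, that scans classic BSD syslog lines for timestamps running backwards, the pattern Bob noticed, and records whether the backwards line is a kernel boot banner (a reboot whose clock was wrong at boot) rather than an unexplained jump. The log excerpt inside it is a constructed sample modelled on his /var/log/messages excerpt, and the year is assumed to be 2004 because the syslog prefix carries none.

```python
import re
from datetime import datetime

# Constructed sample modelled on the /var/log/messages excerpt in the thread
# (not the original lines: trimmed, and fewer "last message repeated" lines).
SAMPLE_LOG = """\
Dec  7 19:01:03 additional su: bob to root on /dev/ttyp0
Dec  8 10:19:35 additional su: bob to root on /dev/ttyp1
Dec  8 18:09:24 additional su: BAD SU bob to root on /dev/ttyp0
Dec  8 18:09:29 additional su: bob to root on /dev/ttyp0
Dec 10 17:36:45 additional /kernel: All mbuf clusters exhausted, please see tuning(7).
Dec 10 17:37:16 additional last message repeated 31 times
Dec 10 17:59:19 additional last message repeated 545 times
Dec 10 14:08:10 additional /kernel: Copyright (c) 1992-2003 The FreeBSD Project.
Dec 10 14:08:10 additional /kernel: FreeBSD 4.9-RELEASE #0: Tue Nov 30 01:20:25 AST 2004
"""

# Classic BSD syslog prefix: "Mon dd hh:mm:ss host message" (no year; the day
# is space-padded, so "Dec  7" and "Dec 10" both have to match).
LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_line(line, year):
    """Return (timestamp, host, message) or None for a line without a syslog prefix."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    h, mi, s = (int(x) for x in m["hms"].split(":"))
    return datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s), m["host"], m["msg"]


def find_time_regressions(lines, year=2004):
    """Report every line whose timestamp is earlier than the previous parsable line.

    Because the prefix has no year, a December -> January step is treated as the
    year rolling over, not as a regression. Each finding records the line number,
    how far the clock went back, and whether the backwards line is the kernel
    copyright banner that syslogd writes at boot: that points at a reboot with a
    wrong clock (BIOS/localtime mismatch until ntp corrects it), a different
    story from a log that was edited in place.
    """
    findings = []
    prev = None
    for n, line in enumerate(lines, start=1):
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if prev is not None:
            if prev.month == 12 and ts.month == 1:
                year += 1
                ts = ts.replace(year=year)
            if ts < prev:
                findings.append({
                    "line": n,
                    "delta_seconds": int((ts - prev).total_seconds()),
                    "kernel_banner": msg.startswith("/kernel: Copyright"),
                    "text": line,
                })
        prev = ts
    return findings


if __name__ == "__main__":
    for f in find_time_regressions(SAMPLE_LOG.splitlines()):
        kind = "reboot with clock skew" if f["kernel_banner"] else "unexplained"
        print(f"line {f['line']}: clock went back {-f['delta_seconds']}s ({kind}): {f['text']}")
```

Run it against a real file with `find_time_regressions(open("/var/log/messages").read().splitlines())`; a regression that is not a boot banner, or one on a host whose clock is known to be ntp-disciplined, is the case worth comparing against the copy on a remote loghost.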
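For the "Unprivileged user can write to mbr" thread at the top of the page: an added example, not code from the thread, that reads cmp(1) results the way a boot-sector integrity check would. The first 446 bytes of the sector are boot code and the partition table starts at byte 447 (cmp counts from 1), so a first difference at char 447 against a reference block with an empty partition table, which is what the stock /boot/mbr carries, means the boot code is untouched, while char 13 means it was replaced. The sector contents below are constructed stand-ins, not real /boot/mbr or /boot/boot0 bytes, and `check_device` is a hypothetical helper for running the same comparison on a live disk.

```python
import hashlib

SECTOR_LEN = 512
BOOTCODE_LEN = 446   # bytes 0..445: x86 boot code
PTABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
SIG_OFF = 510        # bytes 510..511: 0x55 0xAA boot signature


def first_difference(a, b):
    """1-based offset of the first differing byte, as cmp(1) prints it ('char N'),
    or None when the two buffers agree over their whole common length."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i + 1
    return None


def classify(sector, reference):
    """Interpret a comparison of a disk's first sector against a reference boot
    block whose partition table is empty:
      identical        - boot code and partition table both match
      bootcode-intact  - first difference at or past char 447: only the
                         partition table differs, expected on a partitioned disk
      bootcode-changed - first difference inside the 446-byte boot code"""
    pos = first_difference(sector[:SECTOR_LEN], reference[:SECTOR_LEN])
    if pos is None:
        return "identical"
    return "bootcode-changed" if pos <= BOOTCODE_LEN else "bootcode-intact"


def bootcode_sha256(sector):
    """Digest of the boot code only; record it once, re-check it periodically."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def partition_entries(sector):
    """Decode the four 16-byte MBR partition entries."""
    entries = []
    for i in range(4):
        e = sector[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        entries.append({
            "active": e[0] == 0x80,
            "type": e[4],
            "lba_start": int.from_bytes(e[8:12], "little"),
            "sectors": int.from_bytes(e[12:16], "little"),
        })
    return entries


def check_device(path, reference_path):
    """Hypothetical helper: classify a real device's first sector against a
    reference boot block (needs read access to both). Not exercised below."""
    with open(path, "rb") as dev, open(reference_path, "rb") as ref:
        return classify(dev.read(SECTOR_LEN), ref.read(SECTOR_LEN))


# --- constructed stand-ins for /boot/mbr, the disk before, and the disk after ---
FAKE_MBR_CODE = bytes((i * 7 + 3) & 0xFF for i in range(BOOTCODE_LEN))
SIGNATURE = b"\x55\xaa"
REFERENCE_MBR = FAKE_MBR_CODE + bytes(64) + SIGNATURE       # empty partition table

# one active slice of type 0xa5 starting at LBA 63, 1000000 sectors long
ENTRY = (bytes([0x80, 1, 1, 0, 0xa5, 0xfe, 0xff, 0xff])
         + (63).to_bytes(4, "little") + (1000000).to_bytes(4, "little"))
TABLE = ENTRY + bytes(48)
DISK_BEFORE = FAKE_MBR_CODE + TABLE + SIGNATURE             # stock code + partitions

# a different boot block that shares only its first 12 bytes with the stock code
FAKE_BOOT0_CODE = FAKE_MBR_CODE[:12] + bytes(
    (i * 13 + 5) & 0xFF for i in range(12, BOOTCODE_LEN))
DISK_AFTER = FAKE_BOOT0_CODE + TABLE + SIGNATURE


if __name__ == "__main__":
    for name, sector in (("before", DISK_BEFORE), ("after", DISK_AFTER)):
        print(name, first_difference(sector, REFERENCE_MBR), classify(sector, REFERENCE_MBR),
              bootcode_sha256(sector)[:16])
```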