From owner-freebsd-security Sun Jun 27 2:29:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from well.apcs.com.au (unknown [203.41.196.92]) by hub.freebsd.org (Postfix) with ESMTP id 0ED1214D8D; Sun, 27 Jun 1999 02:29:15 -0700 (PDT) (envelope-from keith@well.apcs.com.au)
Received: (from keith@localhost) by well.apcs.com.au (8.9.3/8.9.2) id TAA00540; Sun, 27 Jun 1999 19:29:12 +1000 (EST) (envelope-from keith)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Sun, 27 Jun 1999 19:29:12 +1000 (EST)
From: Keith Anderson
To: questions@freebsd.org, security@freebsd.org
Subject: Whats going on please
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All

I just noticed someone hacking.

What has happened? Any help would be great.

I have what's like a new kernel.

I am the keith@work.xxx.com.au

I have turned off all telnet/ssh/smtp/pop for now.

root@137~# uname -a
FreeBSD 137.132.85.96 3.1-RELEASE FreeBSD 3.1-RELEASE #3: Wed Mar 31 14:59:17 EST 1999     keith@work.xxx.com.au:/usr/src/sys/compile/WORK  i386

What is the '137.132.85.96', or who? It should be work.xxx.com.au.

I have in /var/log/messages:

Jun 27 19:13:41 work sshd[3005]: fatal: Local: Sorry, you are not allowed to connect.
Jun 27 19:18:24 work telnetd[3014]: refused connect from compl-r4.iscs.nus.sg
Jun 27 19:18:26 work telnetd[3015]: refused connect from compl-r4.iscs.nus.sg

and

Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 07:09:04 work dnsserver: gethostby*.gethostanswer: asked for "exnjld4avip.doubleclick.net", got "exnjld3avip.doubleclick.net"
Jun 27 17:10:05 work popper[1579]: (v2.53) Unable to get canonical name of client, err = 0
Jun 27 17:12:40 work inetd[145]: ident/tcp: No such user 'kmem', service ignored
Jun 27 17:17:06 work popper[1637]: (v2.53) Unable to get canonical name of client, err = 0
Jun 27 17:18:47 work popper[1640]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:18:48 work popper[1642]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:18:48 work popper[1643]: @compl-r4.iscs.nus.sg: -ERR POP EOF received

Hope you can help.

Thanking you,

Keith A

"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."

** The thing I like most about Windows 98 is...
** You can download FreeBSD with it!

----------------------------------
E-Mail: Keith Anderson
Australia Power Control Systems Pty. Limited.
Date: 27-Jun-99
Time: 18:59:43
Satellite Service 64K to 2Meg
This message was sent by XFMail
----------------------------------

What's the similarity between an air conditioner and a computer?
They both stop working when you open windows.

----------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 27 3:55:06 1999
Delivered-To: freebsd-security@freebsd.org
Received: from aniwa.sky (p2-max12.wlg.ihug.co.nz [216.100.145.2]) by hub.freebsd.org (Postfix) with ESMTP id EC615151B2; Sun, 27 Jun 1999 03:53:24 -0700 (PDT) (envelope-from andrew@scoop.co.nz)
Received: from aniwa.sky (localhost [127.0.0.1]) by aniwa.sky (8.9.1a/8.9.1) with ESMTP id WAA01352; Sun, 27 Jun 1999 22:53:05 +1200 (NZST)
Message-Id: <199906271053.WAA01352@aniwa.sky>
X-Mailer: exmh version 2.0.2 2/24/98
To: Keith Anderson
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Whats going on please
In-reply-to: Your message of "Sun, 27 Jun 1999 19:29:12 +1000."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 27 Jun 1999 22:53:04 +1200
From: Andrew McNaughton
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

popper is a well known problem. Search back through the archives of freebsd-security for details. Once one problem was found in popper, a series of other problems came to light. I believe the problems that were identified have been fixed, but I don't know how comprehensively the source has been analysed.

After getting root access (or presuming they had) through popper, they tried to log in through ssh and telnet. You have log entries from failed attempts, but I don't know your system well enough to comment on whether there were successful logins also. My guess is that they failed to get in the first time, but may have succeeded in the second attack on popper. Alternatively they may have just gone away.

It's probable that if your version of popper is vulnerable then someone has had root access to your machine, and potentially any change at all could have been made to your setup. To be really sure of your security you should rebuild from backup, or failing that from a clean system install.

Looks like they were interested in the kmem user. I don't know if that's something to do with what is possible through the popper exploit, but it's interesting that they didn't just go for root. Is there some program which runs as kmem but refuses to run as root that they might have been interested in?

Andrew McNaughton

> Hi All
>
> I just noticed someone hacking.
>
> What has happened? Any help would be great.
>
> I have what's like a new kernel.
>
> I am the keith@work.xxx.com.au
>
> I have turned off all telnet/ssh/smtp/pop for now.
>
> root@137~# uname -a
> FreeBSD 137.132.85.96 3.1-RELEASE FreeBSD 3.1-RELEASE #3: Wed Mar 31 14:59:17
> EST 1999 keith@work.xxx.com.au:/usr/src/sys/compile/WORK i386
>
> What is the '137.132.85.96', or who? It should be work.xxx.com.au.
>
> I have in /var/log/messages:
>
> Jun 27 19:13:41 work sshd[3005]: fatal: Local: Sorry, you are not allowed to
> connect.
> Jun 27 19:18:24 work telnetd[3014]: refused connect from compl-r4.iscs.nus.sg
> Jun 27 19:18:26 work telnetd[3015]: refused connect from compl-r4.iscs.nus.sg
>
> and
>
> Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 07:09:04 work dnsserver: gethostby*.gethostanswer: asked for
> "exnjld4avip.doubleclick.net", got "exnjld3avip.doubleclick.net"
> Jun 27 17:10:05 work popper[1579]: (v2.53) Unable to get canonical name of
> client, err = 0
> Jun 27 17:12:40 work inetd[145]: ident/tcp: No such user 'kmem', service ignored
> Jun 27 17:17:06 work popper[1637]: (v2.53) Unable to get canonical name of
> client, err = 0
> Jun 27 17:18:47 work popper[1640]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 17:18:48 work popper[1642]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 17:18:48 work popper[1643]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
>
> Hope you can help.
>
> Thanking you,
>
> Keith A
>
> "The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."
>
> ** The thing I like most about Windows 98 is...
> ** You can download FreeBSD with it!
>
> ----------------------------------
> E-Mail: Keith Anderson
> Australia Power Control Systems Pty. Limited.
> Date: 27-Jun-99
> Time: 18:59:43
> Satellite Service 64K to 2Meg
> This message was sent by XFMail
> ----------------------------------
>
> What's the similarity between an air conditioner and a computer?
> They both stop working when you open windows.
>
> ----------------------------------

--
Andrew McNaughton
+64 4 389 6891
andrew@scoop.co.nz
http://www.scoop.co.nz/

From owner-freebsd-security Sun Jun 27 4:07:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 8E46E14C3E for ; Sun, 27 Jun 1999 04:07:36 -0700 (PDT) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id NAA18018; Sun, 27 Jun 1999 13:07:05 +0200 (CEST)
Message-ID: <19990627130705.A11859@foobar.franken.de>
Date: Sun, 27 Jun 1999 13:07:05 +0200
From: Harold Gutch
To: Mark Newton, Michael Maxwell
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: firewalling problem.
References: <19990626210402.B1580@atlas.topquark.org> <199906270218.LAA42821@atdot.dotat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199906270218.LAA42821@atdot.dotat.org>; from Mark Newton on Sun, Jun 27, 1999 at 11:48:51AM +0930
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jun 27, 1999 at 11:48:51AM +0930, Mark Newton wrote:
> Michael Maxwell wrote:
>
> > Problem:
> > I cannot allow my local net machines to talk outside to the net and still
> > have a useful firewall at the same time. The rule that allows the local
> > hosts to talk outside completely defeats the purpose of having any OTHER
> > rules in the first place (ipfw allow ip from any to any). I have tried
> > restricting the first "any" to :, but this also does not
> > work.
>
> Read up the manpage for the "established" keyword.
>
I may be wrong, but IIRC, the actual talk connection is established between two arbitrary TCP ports - port 518 is only used for the first "handshake", when checking whether the remote user is logged in, telling them the local port to connect to etc. AFAIK there is no way to allow talk without opening everything...

> More generally, run out and buy a copy of "Building Internet Firewalls"
> by Bellovin and Cheswick.
>
... which (if I'm not mistaken) they say as well (I again may be wrong, it's been a while since I had a *short* look at this book).

bye,
Harold

--
Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998  #unix, ircnet

From owner-freebsd-security Sun Jun 27 4:09:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from atdot.dotat.org (atdot.dotat.org [150.101.89.3]) by hub.freebsd.org (Postfix) with ESMTP id E28ED14C3E for ; Sun, 27 Jun 1999 04:09:45 -0700 (PDT) (envelope-from newton@atdot.dotat.org)
Received: (from newton@localhost) by atdot.dotat.org (8.9.3/8.7) id UAA45269; Sun, 27 Jun 1999 20:37:40 +0930 (CST)
From: Mark Newton
Message-Id: <199906271107.UAA45269@atdot.dotat.org>
Subject: Re: firewalling problem.
To: logix@foobar.franken.de (Harold Gutch)
Date: Sun, 27 Jun 1999 20:37:39 +0930 (CST)
Cc: drwho@xnet.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <19990627130705.A11859@foobar.franken.de> from "Harold Gutch" at Jun 27, 99 01:07:05 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Harold Gutch wrote:
> On Sun, Jun 27, 1999 at 11:48:51AM +0930, Mark Newton wrote:
> > Michael Maxwell wrote:
> > > Problem:
> > > I cannot allow my local net machines to talk outside to the net
> > > and still have a useful firewall at the same time.
> >
> > Read up the manpage for the "established" keyword.
>
> I may be wrong, but IIRC, the actual talk connection is
> established between two arbitrary TCP ports

Maybe I misread; was the question about the talk(1) utility, or was it about machines being able to "talk" (i.e.: exchange packets) with each other?

- mark

--------------------------------------------------------------------
I tried an internal modem,                      newton@atdot.dotat.org
but it hurt when I walked.                                Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Sun Jun 27 4:29:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alfik.ms.mff.cuni.cz (alfik.ms.mff.cuni.cz [195.113.19.71]) by hub.freebsd.org (Postfix) with ESMTP id 4EE1614DA8 for ; Sun, 27 Jun 1999 04:29:15 -0700 (PDT) (envelope-from mencl@nenya.ms.mff.cuni.cz)
Received: from nenya.ms.mff.cuni.cz by alfik.ms.mff.cuni.cz; (8.8.8/v1.00/19990210.0854) id NAA01569; Sun, 27 Jun 1999 13:29:14 +0200 (MET DST)
Received: from localhost by nenya.ms.mff.cuni.cz (SMI-8.6/SMI-SVR4) id NAA26875; Sun, 27 Jun 1999 13:24:44 +0200
Date: Sun, 27 Jun 1999 13:24:44 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
X-Sender: mencl@nenya
To: freebsd-security@FreeBSD.ORG
Subject: Re: firewalling problem.
In-Reply-To: <19990627130705.A11859@foobar.franken.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 27 Jun 1999, Harold Gutch wrote:

> On Sun, Jun 27, 1999 at 11:48:51AM +0930, Mark Newton wrote:
> > Michael Maxwell wrote:
> >
> > > Problem:
> > > I cannot allow my local net machines to talk outside to the net and still
> > > have a useful firewall at the same time. The rule that allows the local
> > > hosts to talk outside completely defeats the purpose of having any OTHER
> > > rules in the first place (ipfw allow ip from any to any). I have tried
> > > restricting the first "any" to :, but this also does not
> > > work.
> >
> > Read up the manpage for the "established" keyword.
> >
> I may be wrong, but IIRC, the actual talk connection is
> established between two arbitrary TCP ports - port 518 is only
> used for the first "handshake", when checking whether the remote
> user is logged in, telling them the local port to connect to etc.
> AFAIK there is no way to allow talk without opening everything...

About two years ago, I wrote a program that allows that. It listens on the bpf, and when a talk request udp packet is intercepted, a rule is added to the firewall allowing the incoming tcp connection to pass through.

The program worked fine; however, due to security concerns, it was not used in the end. The case was that the local network was considered untrusted: one of the reasons it was firewalled was that local users would run http or ftp servers with illegal stuff on their machines, and with this program running they could make their servers reachable on arbitrary ports, although always only for a single machine.

Nonetheless, if you trusted your local network, you'd be fine using it. Incoming talk udp packets can be ignored; the tcp connection is opened in the opposite direction to the udp challenge, so you have to care only about outgoing udp packets.

If anybody is interested, I can post it somewhere. However, the program is written in a VERY BAD style (no options, everything hardcoded through defines); it needs a strong cleanup. But the functional mechanism is there.

... it uses ipfw (through ioctls); a port for IPFILTER would have to be made.

Vladimir Mencl

P.S.: But I see that this is not what the original question asked about.
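The mechanism Vladimir describes above, as an added example; this is not his program (which was never posted to the list) and not code from any other message here. It assumes the BSD talk control message layout from <protocols/talkd.h> (an 84-byte CTL_MSG in network byte order), ipfw(8) rules of the form "ipfw add N allow tcp from ... setup", and a constructed local net 192.168.16.0/24 with constructed addresses; the rule is also removed on a DELETE message, which the post does not mention. Only outbound datagrams to the remote talkd are considered, exactly as the post says, and the hole opened is limited to the one remote host, the one local address and the one port announced.

```python
import ipaddress
import socket
import struct

# CTL_MSG layout from <protocols/talkd.h>, every field in network byte order:
#   u_char vers, type, answer, pad;  u_int32 id_num;
#   struct osockaddr addr;       /* TCP socket the inviting side listens on */
#   struct osockaddr ctl_addr;   /* UDP socket the reply is sent back to    */
#   int32 pid;  char l_name[12];  char r_name[12];  char r_tty[16];
CTL_MSG_FMT = "!BBBBI16s16si12s12s16s"
CTL_MSG_LEN = struct.calcsize(CTL_MSG_FMT)      # 84 bytes
TALK_PORT = 518                                 # ntalk/udp
LEAVE_INVITE, LOOK_UP, DELETE, ANNOUNCE = 0, 1, 2, 3
AF_INET_WIRE = 2                                # sa_family as encoded in osockaddr


def parse_osockaddr(raw):
    """osockaddr carrying a sockaddr_in: family(2) port(2) addr(4) zero(8)."""
    family, port = struct.unpack("!HH", raw[:4])
    if family != AF_INET_WIRE:
        raise ValueError("osockaddr is not AF_INET")
    return socket.inet_ntoa(raw[4:8]), port


def build_osockaddr(ip, port):
    return struct.pack("!HH4s8x", AF_INET_WIRE, port, socket.inet_aton(ip))


def parse_ctl_msg(raw):
    """Decode one talk control message; ValueError on anything that is not one."""
    if len(raw) != CTL_MSG_LEN:
        raise ValueError("CTL_MSG must be %d bytes, got %d" % (CTL_MSG_LEN, len(raw)))
    (vers, mtype, answer, _pad, id_num, addr, ctl_addr, pid,
     l_name, r_name, r_tty) = struct.unpack(CTL_MSG_FMT, raw)
    cstr = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"vers": vers, "type": mtype, "answer": answer, "id_num": id_num,
            "addr": parse_osockaddr(addr), "ctl_addr": parse_osockaddr(ctl_addr),
            "pid": pid, "l_name": cstr(l_name), "r_name": cstr(r_name), "r_tty": cstr(r_tty)}


def build_ctl_msg(mtype, addr, ctl_addr, id_num=0, pid=0, l_name="", r_name="", r_tty=""):
    """Constructed sample messages for this example; real ones come from the talk client."""
    return struct.pack(CTL_MSG_FMT, 1, mtype, 0, 0, id_num,
                       build_osockaddr(*addr), build_osockaddr(*ctl_addr), pid,
                       l_name.encode("ascii"), r_name.encode("ascii"), r_tty.encode("ascii"))


class TalkHolePuncher:
    """Maps outbound talk control traffic to the narrowest ipfw rule that lets the
    answering TCP connection in: one remote host, one local address, one port, SYN only.
    Commands are returned as strings so the caller decides how (and whether) to run them."""

    def __init__(self, local_net, first_rule=10000):
        self.local_net = ipaddress.ip_network(local_net)
        self.next_rule = first_rule
        self.open_rules = {}        # (remote host, local ip, local port) -> ipfw rule number

    def on_udp(self, src_ip, dst_ip, dst_port, payload):
        # Only datagrams from the local net to a remote talkd matter; inbound talk
        # traffic is ignored, as the post says, because that connection goes outward.
        if dst_port != TALK_PORT or ipaddress.ip_address(src_ip) not in self.local_net:
            return None
        try:
            msg = parse_ctl_msg(payload)
        except ValueError:
            return None
        local_ip, local_port = msg["addr"]
        # The addr field is whatever the client put there: never open a hole to an
        # address outside the local net or to a privileged port.
        if ipaddress.ip_address(local_ip) not in self.local_net or local_port < 1024:
            return None
        key = (dst_ip, local_ip, local_port)
        if msg["type"] == ANNOUNCE and key not in self.open_rules:
            rule = self.next_rule
            self.next_rule += 1
            self.open_rules[key] = rule
            return "ipfw add %d allow tcp from %s to %s %d setup" % (rule, dst_ip, local_ip, local_port)
        if msg["type"] == DELETE and key in self.open_rules:
            return "ipfw delete %d" % self.open_rules.pop(key)
        return None


if __name__ == "__main__":
    fw = TalkHolePuncher("192.168.16.0/24")          # constructed local net
    invite = build_ctl_msg(ANNOUNCE, ("192.168.16.5", 2011), ("192.168.16.5", 1025),
                           id_num=7, l_name="alice", r_name="bob")
    print(fw.on_udp("192.168.16.5", "203.0.113.9", TALK_PORT, invite))
    bye = build_ctl_msg(DELETE, ("192.168.16.5", 2011), ("192.168.16.5", 1025), id_num=7)
    print(fw.on_udp("192.168.16.5", "203.0.113.9", TALK_PORT, bye))
```

The two sanity checks on the addr field are the point Vladimir's security concern turns on: the client chooses that address and port, so a daemon that trusts it blindly lets any local user expose any local service to the remote host of their choice. Restricting it to the local net and to unprivileged ports narrows that, but does not remove it, which is why the post recommends this only where the local network is trusted.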
From owner-freebsd-security Sun Jun 27 4:47:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from well.apcs.com.au (unknown [203.41.196.92]) by hub.freebsd.org (Postfix) with ESMTP id B4F6514C08; Sun, 27 Jun 1999 04:47:02 -0700 (PDT) (envelope-from keith@well.apcs.com.au)
Received: (from keith@localhost) by well.apcs.com.au (8.9.3/8.9.2) id VAA01164; Sun, 27 Jun 1999 21:46:57 +1000 (EST) (envelope-from keith)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <199906271053.WAA01352@aniwa.sky>
Date: Sun, 27 Jun 1999 21:46:57 +1000 (EST)
From: Keith Anderson
To: Andrew McNaughton
Subject: Re: Whats going on please
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Andrew

The version of popper is (v2.53) and the box is FreeBSD 3.1-REL.

The person is still trying to connect now. I think I have closed all doors ATM. I have put tcp_wrappers on pop so only local IPs can access mail.

I will ftp in new source and remake a kernel. Should I maybe cvs to 3.2-REL and make world?

The problem is, it's a remote site.

If the hacker was in then I believe he would stop trying all ports for access.

Thanks
Keith

On 27-Jun-99 Andrew McNaughton wrote:
>
> popper is a well known problem. Search back through the archives of
> freebsd-security for details. Once one problem was found in popper, a series
> of other problems came to light. I believe the problems that were identified
> have been fixed, but I don't know how comprehensively the source has been
> analysed.
>
> After getting root access (or presuming they had) through popper, they tried
> to log in through ssh and telnet. You have log entries from failed attempts,
> but I don't know your system well enough to comment on whether there were
> successful logins also. My guess is that they failed to get in the first
> time, but may have succeeded in the second attack on popper. Alternatively
> they may have just gone away.
>
> It's probable that if your version of popper is vulnerable then someone has
> had root access to your machine, and potentially any change at all could have
> been made to your setup. To be really sure of your security you should
> rebuild from backup, or failing that from a clean system install.
>
> Looks like they were interested in the kmem user. I don't know if that's
> something to do with what is possible through the popper exploit, but it's
> interesting that they didn't just go for root. Is there some program which
> runs as kmem but refuses to run as root that they might have been interested
> in?
>
> Andrew McNaughton
>
>
>
>> Hi All

"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."

** The thing I like most about Windows 98 is...
** You can download FreeBSD with it!

----------------------------------
E-Mail: Keith Anderson
Australia Power Control Systems Pty. Limited.
Date: 27-Jun-99
Time: 21:38:32
Satellite Service 64K to 2Meg
This message was sent by XFMail
----------------------------------

What's the similarity between an air conditioner and a computer?
They both stop working when you open windows.

----------------------------------

From owner-freebsd-security Sun Jun 27 19:07:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp13.bellglobal.com (smtp13.bellglobal.com [204.101.251.52]) by hub.freebsd.org (Postfix) with ESMTP id 72EBC15269 for ; Sun, 27 Jun 1999 19:07:17 -0700 (PDT) (envelope-from ralph@tinynet.hamilton.on.ca)
Received: from starlight.tinynet.hamilton.on.ca (ppp6554.on.bellglobal.com [206.172.208.146]) by smtp13.bellglobal.com (8.8.5/8.8.5) with ESMTP id WAA17281; Sun, 27 Jun 1999 22:08:34 -0400 (EDT)
Received: from localhost (ralph@localhost) by starlight.tinynet.hamilton.on.ca (8.9.3/8.9.3) with SMTP id WAA99994; Sun, 27 Jun 1999 22:04:14 -0400 (EDT) (envelope-from ralph@starlight.tinynet.hamilton.on.ca)
Date: Sun, 27 Jun 1999 22:04:11 -0400 (EDT)
From: Ralph Strohschein
To: Michael Maxwell
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: firewalling problem.
In-Reply-To: <19990626210402.B1580@atlas.topquark.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 26 Jun 1999, Michael Maxwell wrote:

> I have attached my /etc/rc.firewall as it currently is... please have a look
> for more info:
>
> Problem:
> I cannot allow my local net machines to talk outside to the net and still
> have a useful firewall at the same time. The rule that allows the local
> hosts to talk outside completely defeats the purpose of having any OTHER
> rules in the first place (ipfw allow ip from any to any). I have tried
> restricting the first "any" to :, but this also does not
> work.
>
> Any help I can get on this would be VERY much appreciated. Reading the
> docs doesn't help much at all, and all the examples I've looked at on the
> net are of little help on this one, too... It took me two weeks just to
> get this far...
>
> Thanks again...
>
>
> --
> Michael Maxwell | http://www.xnet.com/~drwho/
> -- NATO: Now that you've destroyed Serbia, who you gonna kill next? --
>

Your inside address is 192.168.16.1, which is an RFC1918 address. Look at the RFC1918 section in your rc.firewall. You are blocking all traffic to and from 192.168.X.X via ppp0.

From owner-freebsd-security Mon Jun 28 4:32:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 6630914FC6 for ; Mon, 28 Jun 1999 04:32:05 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id NAA80510; Mon, 28 Jun 1999 13:28:16 +0200 (CEST) (envelope-from des)
To: Frank Tobin
Cc: FreeBSD-security Mailing List
Subject: Re: file flags during low securelevels
References:
From: Dag-Erling Smorgrav
Date: 28 Jun 1999 13:28:15 +0200
In-Reply-To: Frank Tobin's message of "Fri, 25 Jun 1999 01:13:04 -0500 (CDT)"
Message-ID:
Lines: 23
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Frank Tobin writes:
> Jason Young, at 01:02 on Fri, 25 Jun 1999, wrote:
> > In what situations are you running into problems with schg/sappnd? There's
> > only a few things that are schg/sappnd out of the box, and those targets
> > are handled by make world and the kernel install target automatically
> > assuming you're in an appropriate securelevel.
> I haven't looked that thoroughly into the 'make world' installation
> process, but from watching output, it doesn't seem like it removes file
> flags from files it installs.

Only on the ones in /usr/obj.

If you've never run make world on the box, only the kernel is schg (quite simply because tar/cpio don't preserve flags). If you *have* run make world, there's a whole lot of useless (e.g. /bin/rcp) and not-so-useless (e.g. /usr/libexec/ld-elf.so.1) stuff marked schg.

Finally, if you intend to raise the secure level, there's a whole lot of critical stuff (e.g. /boot.config, /boot/*, /etc/*) that should be schg, but isn't. Beware of files that aren't there; even if you don't need /boot.config, you should create an empty one and mark it schg so black hats can't create one of their own.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon Jun 28 4:46:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id AEA7114E21; Mon, 28 Jun 1999 04:46:14 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id NAA80856; Mon, 28 Jun 1999 13:44:53 +0200 (CEST) (envelope-from des)
To: Keith Anderson
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Whats going on please
References:
From: Dag-Erling Smorgrav
Date: 28 Jun 1999 13:44:52 +0200
In-Reply-To: Keith Anderson's message of "Sun, 27 Jun 1999 19:29:12 +1000 (EST)"
Message-ID:
Lines: 39
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Keith Anderson writes:
>
> root@137~# uname -a
> FreeBSD 137.132.85.96 3.1-RELEASE FreeBSD 3.1-RELEASE #3: Wed Mar 31 14:59:17
> EST 1999 keith@work.xxx.com.au:/usr/src/sys/compile/WORK i386
>
> What is the '137.132.85.96', or who?

It's the machine's hostname. Try typing 'hostname' or 'sysctl -n kern.hostname' and see what it returns. BTW, this IP address belongs to compl-r4.iscs.nus.sg, which seems to be your attacker. My guess is that you typed 'hostname 137.132.85.96' instead of 'host 137.132.85.96' trying to look up the IP address. I can't see any reason for the attacker to change your hostname to his IP address.

> Jun 27 19:13:41 work sshd[3005]: fatal: Local: Sorry, you are not allowed to
> connect.
> Jun 27 19:18:24 work telnetd[3014]: refused connect from compl-r4.iscs.nus.sg
> Jun 27 19:18:26 work telnetd[3015]: refused connect from compl-r4.iscs.nus.sg

Looks like a 'known services' scan turned down by TCP wrappers.

> Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received

He tried to exploit your POP server. Doesn't seem like he succeeded, but I can't tell for sure.

Call the National University of Singapore (+65 8748026) and complain. Don't email or fax; calling them voice forces them to take a decision there and then, whereas email and faxes can be blackholed or answered with form letters.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon Jun 28 8:28:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 18F0815250 for ; Mon, 28 Jun 1999 08:27:29 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.iserver.com; Mon, 28 Jun 1999 09:27:29 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma010452; Mon, 28 Jun 99 09:27:03 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.2) id JAA14873; Mon, 28 Jun 1999 09:24:58 -0600 (MDT)
Date: Mon, 28 Jun 1999 09:24:58 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Dag-Erling Smorgrav
Cc: Keith Anderson, security@FreeBSD.ORG
Subject: Re: Whats going on please
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 28 Jun 1999, Dag-Erling Smorgrav wrote:

> > Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> > Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> > Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
>
> He tried to exploit your POP server. Doesn't seem like he succeeded,
> but I can't tell for sure.

That's not necessarily an exploit attempt; the message only means that the socket connection to popper was closed before the daemon expected it to close. This is also a symptom of a TCP port scan.

I think that the original poster mentioned that he is running Qualcomm popper 2.53 which should be fixed with regards to the overflow in pop_msg() from last year (which is probably the hole everyone is thinking of), but that doesn't mean that other undiscovered holes aren't lurking in the code.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Mon Jun 28 10:04:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cerberus.techfuel.com (irvine.techfuel.com [209.80.51.55]) by hub.freebsd.org (Postfix) with ESMTP id 785821538D for ; Mon, 28 Jun 1999 10:04:20 -0700 (PDT) (envelope-from kehlet@techfuel.com)
Received: from basilisk.techfuel.com (basilisk.techfuel.com [172.16.1.2]) by cerberus.techfuel.com (8.9.3/8.9.3) with ESMTP id KAA02019 for ; Mon, 28 Jun 1999 10:04:07 -0700 (PDT)
Received: from phoenix.techfuel.com (phoenix.techfuel.com [172.16.1.5]) by basilisk.techfuel.com (8.9.3/8.9.3) with ESMTP id KAA18167 for ; Mon, 28 Jun 1999 10:01:50 -0700 (PDT)
Received: from localhost (kehlet@localhost) by phoenix.techfuel.com (8.9.3/8.9.3) with ESMTP id KAA00878 for ; Mon, 28 Jun 1999 10:07:06 -0700
X-Authentication-Warning: phoenix.techfuel.com: kehlet owned process doing -bs
Date: Mon, 28 Jun 1999 10:07:06 -0700 (PDT)
From: Steven Kehlet
To: freebsd-security@freebsd.org
Subject: having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I'm trying to set up a VPN using IPSec tunnelling between two FreeBSD 3.1 boxes across the Internet. I'm using the IPSec for FreeBSD implementation from www.r4k.net. The setup looks okay, and the tunnelling seems to work great. Unfortunately the problem comes with large data transfers; I think there might be some sort of IP fragmentation problem. When I try to read a large mailbox with IMAP over the link, it connects but then it just hangs there with the other end sending me nothing but fragments (see tcpdump below). For some reason POP works fine, Netscape and web stuff doesn't work, and sometimes even doing a "man ipsecadm" or "ps -aux" (i.e. a sudden burst of data) in a telnet session will cause it to hang.

I've set up the SAs and flows okay; everything looks fine and I'm able to ping and telnet to and from boxes on non-routable IP ranges behind each box. That is, site A has 172.16/16 behind A.A.A.A, and site B has 172.17/16 behind B.B.B.B, and I can ping/telnet 172.17.X.X from 172.16.X.X no problem.

Here's a tcpdump log on A.A.A.A while I'm trying to use IMAP from 172.16.X.X to B.B.B.B. Notice that about half-way down, all of a sudden there's all this fragmentation happening, at which point my session never recovers.

Can anyone offer any sort of explanation, offer tips for debugging, anything I can try, some way I can reduce the fragmentation (lower the MTU on my ethernet interface?), etc?

Thanks! :-) :-)

A.A.A.A# tcpdump -n host B.B.B.B
tcpdump: listening on xl0
15:19:23.517547 A.A.A.A > B.B.B.B: ip-proto-50 84 [tos 0x10]
15:19:23.580292 B.B.B.B > A.A.A.A: ip-proto-50 92 [tos 0x10]
15:19:23.593400 A.A.A.A > B.B.B.B: ip-proto-50 68 [tos 0x10]
15:19:23.601293 A.A.A.A > B.B.B.B: ip-proto-50 84 [tos 0x10]
15:19:23.654207 B.B.B.B > A.A.A.A: ip-proto-50 92 [tos 0x10]
15:19:23.673426 A.A.A.A > B.B.B.B: ip-proto-50 68 [tos 0x10]
15:19:28.368815 A.A.A.A > B.B.B.B: ip-proto-50 84
15:19:28.399378 B.B.B.B > A.A.A.A: ip-proto-50 68
15:19:28.400009 A.A.A.A > B.B.B.B: ip-proto-50 68
15:19:28.441323 B.B.B.B > A.A.A.A: ip-proto-50 116
15:19:28.447346 B.B.B.B > A.A.A.A: ip-proto-50 124
15:19:28.448072 A.A.A.A > B.B.B.B: ip-proto-50 68
15:19:28.448476 A.A.A.A > B.B.B.B: ip-proto-50 84
15:19:28.481736 B.B.B.B > A.A.A.A: ip-proto-50 220
15:19:28.484531 A.A.A.A > B.B.B.B: ip-proto-50 92
15:19:28.513555 B.B.B.B > A.A.A.A: ip-proto-50 84
15:19:28.533459 A.A.A.A > B.B.B.B: ip-proto-50 68
15:19:28.552944 A.A.A.A > B.B.B.B: ip-proto-50 76
15:19:28.583303 B.B.B.B > A.A.A.A: ip-proto-50 84
15:19:28.584113 A.A.A.A > B.B.B.B: ip-proto-50 76
15:19:28.619272 B.B.B.B > A.A.A.A: ip-proto-50 148
15:19:28.623804 B.B.B.B > A.A.A.A: ip-proto-50 100
15:19:28.624694 A.A.A.A > B.B.B.B: ip-proto-50 92
15:19:28.684544 B.B.B.B > A.A.A.A: ip-proto-50 68
15:19:28.705040 B.B.B.B > A.A.A.A: ip-proto-50 428
15:19:28.707171 A.A.A.A > B.B.B.B: ip-proto-50 92
15:19:28.747522 B.B.B.B > A.A.A.A: ip-proto-50 116
15:19:28.749721 A.A.A.A > B.B.B.B: ip-proto-50 92
15:19:28.806969 B.B.B.B > A.A.A.A: ip-proto-50 564
15:19:28.809320 A.A.A.A > B.B.B.B: ip-proto-50 92
15:19:28.863102 B.B.B.B > A.A.A.A: ip-proto-50 580
15:19:28.865950 A.A.A.A > B.B.B.B: ip-proto-50 204
15:19:28.962327 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 60039:1480@0+)
15:19:28.962394 B.B.B.B > A.A.A.A: (frag 60039:44@1480)
15:19:29.003582 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 28411:1480@0+)
15:19:29.003650 B.B.B.B > A.A.A.A: (frag 28411:44@1480)
15:19:29.044684 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 56344:1480@0+)
15:19:29.044750 B.B.B.B > A.A.A.A: (frag 56344:44@1480)
15:19:29.063749 A.A.A.A > B.B.B.B: ip-proto-50 204
15:19:29.086139 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 64175:1480@0+)
15:19:29.086207 B.B.B.B > A.A.A.A: (frag 64175:44@1480)
15:19:29.128743 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 32580:1480@0+)
15:19:29.128809 B.B.B.B > A.A.A.A: (frag 32580:44@1480)
15:19:29.169049 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 55233:1480@0+)
15:19:29.169116 B.B.B.B > A.A.A.A: (frag 55233:44@1480)
15:19:29.210538 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 24250:1480@0+)
15:19:29.210605 B.B.B.B > A.A.A.A: (frag 24250:44@1480)
15:19:29.251771 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 64284:1480@0+)
15:19:29.251838 B.B.B.B > A.A.A.A: (frag 64284:44@1480)
15:19:29.292988 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 15716:1480@0+)
15:19:29.293055 B.B.B.B > A.A.A.A: (frag 15716:44@1480)
15:19:29.334187 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 42527:1480@0+)
15:19:29.334254 B.B.B.B > A.A.A.A: (frag 42527:44@1480)
15:19:29.380159 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 41459:1480@0+)
15:19:29.380225 B.B.B.B > A.A.A.A: (frag 41459:44@1480)
15:19:29.380328 B.B.B.B > A.A.A.A: ip-proto-50 68
15:19:30.335041 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 63704:1480@0+)
15:19:30.335107 B.B.B.B > A.A.A.A: (frag 63704:44@1480)
15:19:32.335848 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 45951:1480@0+)
15:19:32.335913 B.B.B.B > A.A.A.A: (frag 45951:44@1480)
15:19:36.338218 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 52615:1480@0+)
15:19:36.338284 B.B.B.B > A.A.A.A: (frag 52615:44@1480)
15:19:44.334750 B.B.B.B > A.A.A.A: ip-proto-50 1480 (frag 61321:1480@0+)
15:19:44.334817 B.B.B.B > A.A.A.A: (frag 61321:44@1480)

For grins, here are my SAs and ipsec flows (from A.A.A.A):

cerberus# sysctl net.ipsec.setup
net.ipsec.setup: IPsec Setup
SPI = 00001001, Destination = A.A.A.A, Sproto = 50
    established 15 seconds ago
    src = B.B.B.B, flags = 00000040, SAtype = 0
    xform =
    encryption =
    authentication =
    OSrc = B.B.B.B ODst = A.A.A.A, TTL = 0
    0 flows counted (use netstat -r for more information)
    Expirations:
    Currently 0 bytes processed
    Currently 0 packets processed
    (none)
SPI = 00001000, Destination = B.B.B.B, Sproto = 50
    established 15 seconds ago
    src = A.A.A.A, flags = 00000040, SAtype = 0
    xform =
    encryption =
    authentication =
    OSrc = A.A.A.A ODst = B.B.B.B, TTL = 0
    0 flows counted (use netstat -r for more information)
    Expirations:
    Currently 0 bytes processed
    Currently 0 packets processed
    (none)

cerberus# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire

Encap:
Source address/netmask    Port  Destination address/netmask   Port  Proto  SA(Address/SPI/Proto)
0.0.0.0/255.255.255.255   0     172.17.0.0/255.255.0.0        0     0      B.B.B.B/00001000/50
0.0.0.0/255.255.255.255   0     B.B.B.B/255.255.255.255       0     0      B.B.B.B/00001000/50
172.16.0.0/255.255.0.0    0     172.17.0.0/255.255.0.0        0     0      B.B.B.B/00001000/50
172.16.0.0/255.255.0.0    0     B.B.B.B/255.255.255.255       0     0      B.B.B.B/00001000/50
A.A.A.A/255.255.255.255   0     172.17.0.0/255.255.0.0        0     0      B.B.B.B/00001000/50
A.A.A.A/255.255.255.255   0     B.B.B.B/255.255.255.255       0     0      B.B.B.B/00001000/50

From owner-freebsd-security Mon Jun 28 10:26:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from florence.pavilion.net (florence.pavilion.net [194.242.128.25]) by hub.freebsd.org (Postfix) with ESMTP id 35DCD14F19 for ; Mon, 28 Jun 1999 10:26:00 -0700 (PDT) (envelope-from joe@florence.pavilion.net)
Received: (from joe@localhost) by florence.pavilion.net (8.9.2/8.8.8) id SAA11372; Mon, 28 Jun 1999 18:25:51 +0100 (BST) (envelope-from joe)
Date: Mon, 28 Jun 1999 18:25:51 +0100
From: Josef Karthauser
To: Steven Kehlet
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID: <19990628182551.T60952@pavilion.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: ; from Steven Kehlet on Mon, Jun 28, 1999 at 10:07:06AM -0700
X-NCC-RegID: uk.pavilion
Organisation: Pavilion Internet plc, 24 The Old Steine, Brighton, BN1 1EL, England
Phone: +44-845-333-5000
Fax: +44-845-333-5001
Mobile: +44-403-596893
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I had a similar problem with an IPoverIP tunnel between two cisco routers. You may need to reduce the MTU to 1500 - IPsec packet overhead. In my case an IPoverIP tunnel adds 14 bytes of information so I needed to set the MTU to 1500-14.

Under normal circumstances this shouldn't matter, but as it turns out a lot of the internet is "broken" when it comes to ICMP _must_ fragment packets. It seems that a fairly standard firewall configuration is to filter these out!

You may have some mileage in this.
Joe

On Mon, Jun 28, 1999 at 10:07:06AM -0700, Steven Kehlet wrote:
> Hi,
>
> I'm trying to set up a VPN using IPSec tunnelling between two FreeBSD 3.1 boxes
> across the Internet. I'm using the IPSec for FreeBSD implementation from
> www.r4k.net.
>
> The setup looks okay, and the tunnelling seems to work great. Unfortunately
> the problem comes with large data transfers; I think there might be some sort
> of IP fragmentation problem. When I try to read a large mailbox with IMAP over
> the link, it connects but then it just hangs there with the other end sending
> me nothing but fragments (see tcpdump below). For some reason POP works fine,
> Netscape and web stuff doesn't work, and sometimes even doing a "man ipsecadm"
> or "ps -aux" (i.e. sudden burst of data) in a telnet session will cause it to
> hang.
>
> I've set up the SAs and flows okay; everything looks fine and I'm able to ping
> and telnet to and from boxes on non-routable IP ranges behind each box. That
> is, site A has 172.16/16 behind A.A.A.A, and site B has 172.17/16 behind
> B.B.B.B, and I can ping/telnet 172.17.X.X from 172.16.X.X no problem.
>
> Here's a tcpdump log on A.A.A.A while I'm trying to use IMAP from 172.16.X.X to
> B.B.B.B. Notice about half-way down all the sudden there's all this
> fragmentation happening, at which point my session never recovers.
>
> Can anyone offer any sort of explanation, offer tips for debugging, anything I
> can try, some way I can reduce the fragmentation (lower the mtu on my ethernet
> interface?), etc? Thanks! :-) :-)
>
> [...]
>
> For grins, here are my SAs and ipsec flows (from A.A.A.A):
>
> [...]

--
Josef Karthauser          FreeBSD: How many times have you booted today?
Technical Manager         Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.    [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Mon Jun 28 10:52: 7 1999
Date: Mon, 28 Jun 1999 10:54:46 -0700 (PDT)
From: Steven Kehlet
To: Josef Karthauser
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
In-Reply-To: <19990628182551.T60952@pavilion.net>

Thanks! for the reply. I tried just now turning down my mtu on both
ends (to 1400) but the same thing happens. I'm wondering if changing
the mtu on the interface is too late, i.e. the packet size reduction
needs to be done earlier in the processing or something. I don't see
any way to do this (through ipsecadm?) though.
Steve

On Mon, 28 Jun 1999, Josef Karthauser wrote:

> Date: Mon, 28 Jun 1999 18:25:51 +0100
> From: Josef Karthauser
> To: Steven Kehlet
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
>
> I had a similar problem with an IPoverIP tunnel between two Cisco routers.
> You may need to reduce the MTU to 1500-ipsec packet overhead. In my case an
> IPoverIP tunnel adds 14 bytes of information so I needed to set the MTU
> to 1500-14. Under normal circumstances this shouldn't matter, but as it
> turns out a lot of the internet is "broken" when it comes to ICMP _must_
> fragment packets. It seems that a fairly standard firewall configuration
> is to filter these out!
>
> You may have some mileage in this.
>
> Joe
>
> On Mon, Jun 28, 1999 at 10:07:06AM -0700, Steven Kehlet wrote:
> > Hi,
> >
> > I'm trying to set up a VPN using IPSec tunnelling between two FreeBSD 3.1 boxes
> > across the Internet. I'm using the IPSec for FreeBSD implementation from
> > www.r4k.net.
> >
> > The setup looks okay, and the tunnelling seems to work great. Unfortunately
> > the problem comes with large data transfers; I think there might be some sort
> > of IP fragmentation problem. When I try to read a large mailbox with IMAP over
> > the link, it connects but then it just hangs there with the other end sending
> > me nothing but fragments (see tcpdump below). For some reason POP works fine,
> > Netscape and web stuff doesn't work, and sometimes even doing a "man ipsecadm"
> > or "ps -aux" (i.e. sudden burst of data) in a telnet session will cause it to
> > hang.
> >
> > I've set up the SAs and flows okay; everything looks fine and I'm able to ping
> > and telnet to and from boxes on non-routable IP ranges behind each box. That
> > is, site A has 172.16/16 behind A.A.A.A, and site B has 172.17/16 behind
> > B.B.B.B, and I can ping/telnet 172.17.X.X from 172.16.X.X no problem.
> >
> > Here's a tcpdump log on A.A.A.A while I'm trying to use IMAP from 172.16.X.X to
> > B.B.B.B. Notice about half-way down all the sudden there's all this
> > fragmentation happening, at which point my session never recovers.
> >
> > Can anyone offer any sort of explanation, offer tips for debugging, anything I
> > can try, some way I can reduce the fragmentation (lower the mtu on my ethernet
> > interface?), etc? Thanks! :-) :-)
> >
> > [...]
> >
> > For grins, here are my SAs and ipsec flows (from A.A.A.A):
> >
> > [...]

From owner-freebsd-security Mon Jun 28 11: 5:15 1999
Date: Mon, 28 Jun 1999 19:04:58 +0100
From: Josef Karthauser
To: Steven Kehlet
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID: <19990628190458.U60952@pavilion.net>
References: <19990628182551.T60952@pavilion.net>
In-Reply-To: ; from Steven Kehlet on Mon, Jun 28, 1999 at 10:54:46AM -0700

On Mon, Jun 28, 1999 at 10:54:46AM -0700, Steven Kehlet wrote:
> Thanks! for the reply. I tried just now turning down my mtu on both
> ends (to 1400) but the same thing happens. I'm wondering if changing
> the mtu on the interface is too late, i.e. the packet size reduction
> needs to be done earlier in the processing or something. I don't see
> any way to do this (through ipsecadm?) though.
I had to change the MTU on the 'tunnel' or 'VPN' interface, not on the
physical interface itself (the physical interface was an ethernet and was
fixed at 1500 anyway.) I'm sure that you've done that though.

...that said, I've just checked my config, and actually it is the other way
around. I had to turn the MTU up, to bring it back to 1500 bytes. Cisco
allow this and fragment through the tunnel transparently to avoid sending
must fragment bits back.

I remember now.... the problem was that some sites on the net send packets
with 'don't fragment' bits set, but then ignore the 'must fragment' ICMP
packets that the tunnel was sending. Result: broken MTU path discovery.
The _only_ way around the problem was to transparently fragment into two
packets and reassemble at the far end.

I don't know whether this is your problem though.

Joe
--
Josef Karthauser          FreeBSD: How many times have you booted today?
Technical Manager         Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.    [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Mon Jun 28 11:40: 4 1999
Date: Mon, 28 Jun 1999 14:42:00 -0400
From: "Jim Flowers"
To: "Josef Karthauser", "Steven Kehlet"
Cc:
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
Message-ID: <001d01bec195$e90a3240$abd396ce@ezo.net>
References: <19990628182551.T60952@pavilion.net> <19990628190458.U60952@pavilion.net>

I note SKIP implementation is designed to report a lower MTU to discovery
requests to accommodate the additional header bits on incoming packets. Does
IPSEC implementation have something similar and can it be configured?

----- Original Message -----
From: Josef Karthauser
To: Steven Kehlet
Cc:
Sent: Monday, June 28, 1999 2:04 PM
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)

> On Mon, Jun 28, 1999 at 10:54:46AM -0700, Steven Kehlet wrote:
> > Thanks! for the reply. I tried just now turning down my mtu on both
> > ends (to 1400) but the same thing happens. I'm wondering if changing
> > the mtu on the interface is too late, i.e. the packet size reduction
> > needs to be done earlier in the processing or something. I don't see
> > any way to do this (through ipsecadm?) though.
>
> I had to change the MTU on the 'tunnel' or 'VPN' interface, not on the
> physical interface itself (the physical interface was an ethernet and was
> fixed at 1500 anyway.) I'm sure that you've done that though.
>
> ...that said, I've just checked my config, and actually it is the other way
> around. I had to turn the MTU up, to bring it back to 1500 bytes. Cisco
> allow this and fragment through the tunnel transparently to avoid sending
> must fragment bits back.
>
> I remember now.... the problem was that some sites on the net send packets
> with 'don't fragment' bits set, but then ignore the 'must fragment' ICMP
> packets that the tunnel was sending. Result: broken MTU path discovery.
> The _only_ way around the problem was to transparently fragment into two
> packets and reassemble at the far end.
>
> I don't know whether this is your problem though.
>
> Joe

From owner-freebsd-security Mon Jun 28 11:47:10 1999
Date: Mon, 28 Jun 1999 11:49:49 -0700 (PDT)
From: Steven Kehlet
To: Josef Karthauser
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
In-Reply-To: <19990628190458.U60952@pavilion.net>

Hmm, problem is there's no way I can tell to change the MTU on the "virtual
interface" that is IPSec.
This implementation offers an enc0 interface for packets that have come *in*
and are decrypted by IPSec (really just for use by firewall rules), but
nothing for on the way *out*. So I can't limit the packet size. Arg! :-)

Steve

On Mon, 28 Jun 1999, Josef Karthauser wrote:

> Date: Mon, 28 Jun 1999 19:04:58 +0100
> From: Josef Karthauser
> To: Steven Kehlet
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: having problems with IPSec VPN using FreeBSD -- help please! :-)
>
> On Mon, Jun 28, 1999 at 10:54:46AM -0700, Steven Kehlet wrote:
> > Thanks! for the reply. I tried just now turning down my mtu on both
> > ends (to 1400) but the same thing happens. I'm wondering if changing
> > the mtu on the interface is too late, i.e. the packet size reduction
> > needs to be done earlier in the processing or something. I don't see
> > any way to do this (through ipsecadm?) though.
>
> I had to change the MTU on the 'tunnel' or 'VPN' interface, not on the
> physical interface itself (the physical interface was an ethernet and was
> fixed at 1500 anyway.) I'm sure that you've done that though.
>
> ...that said, I've just checked my config, and actually it is the other way
> around. I had to turn the MTU up, to bring it back to 1500 bytes. Cisco
> allow this and fragment through the tunnel transparently to avoid sending
> must fragment bits back.
>
> I remember now.... the problem was that some sites on the net send packets
> with 'don't fragment' bits set, but then ignore the 'must fragment' ICMP
> packets that the tunnel was sending. Result: broken MTU path discovery.
> The _only_ way around the problem was to transparently fragment into two
> packets and reassemble at the far end.
>
> I don't know whether this is your problem though.
>
> Joe

From owner-freebsd-security Mon Jun 28 12:31:38 1999
Date: Mon, 28 Jun 1999 15:29:39 -0400 (EDT)
From: Barrett Richardson
To: Dan Langille
Cc: security@freebsd.org
Subject: Re: ssh from windows
In-Reply-To: <19990624074719.OAVT688839.mta2-rme@wocker>

On Thu, 24 Jun 1999, Dan Langille wrote:

> > The password you enter is the password for your account.
>
> Granted. I was worried they were transmitting the password in clear text.

Oh. The client encrypts it with the public key sent by the server - but
the server's private key isn't passphrase protected (it is, however,
readable only by root -- unless you change it).
- Barrett > -- > Dan Langille - DVL Software Limited > The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/ > NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/ > The Racing System - http://www.racingsystem.com/racingsystem.htm > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 28 23:45:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from alfik.ms.mff.cuni.cz (alfik.ms.mff.cuni.cz [195.113.19.71]) by hub.freebsd.org (Postfix) with ESMTP id 0F79E14C87 for ; Mon, 28 Jun 1999 23:45:27 -0700 (PDT) (envelope-from mencl@nenya.ms.mff.cuni.cz) Received: from nenya.ms.mff.cuni.cz by alfik.ms.mff.cuni.cz; (8.8.8/v1.00/19990210.0854) id IAA17299; Tue, 29 Jun 1999 08:45:26 +0200 (MET DST) Received: from localhost by nenya.ms.mff.cuni.cz (SMI-8.6/SMI-SVR4) id IAA02093; Tue, 29 Jun 1999 08:40:51 +0200 Date: Tue, 29 Jun 1999 08:40:51 +0200 (MET DST) From: "Vladimir Mencl, MK, susSED" X-Sender: mencl@nenya To: security@FreeBSD.ORG Subject: Re: ssh from windows In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 28 Jun 1999, Barrett Richardson wrote: > > > On Thu, 24 Jun 1999, Dan Langille wrote: > > > > The password you enter is the password for your account. > > > > Granted. I was worried they were transmitting the password in clear text. > > Oh. The client encrypts it with the public key sent by the server - but > the server's private key isn't passphrase protected (it is, however, > readable only by root -- unless you change it). I'm afraid you are wrong. The RSA keys stored on disk are used for host authentication only. 
Passwords (and all other session data) are encrypted by a ``session key'', which is generated every (?3?) hours, and is not stored anywhere. And it is not bound to RSA; the session encryption uses other encryption algorithms (with not that much overhead), like Blowfish, IDEA ... and I think it generally uses shorter keys.

However, if you are root, you can attach to the sshd process and get the session keys out of its memory ...

BTW, is there any way of limiting attaching to system processes at higher securelevels? I was thinking about attaching to init (because "init can lower securelevel"), but I received a "permission denied" at securelevel 2, and a signal 11 at securelevel -1 ???? I don't know why; I received it not only in 'gdb `which init` 1', but also in a later 'gdb `which gdb` gdb.core' ... is init protected against debugging in a special way?

Vladimir Mencl

From owner-freebsd-security Tue Jun 29 0:40:58 1999
Date: Tue, 29 Jun 1999 00:39:09 -0700 (PDT)
From: "Brian W. Buchanan"
To: "Vladimir Mencl, MK, susSED"
Cc: security@FreeBSD.ORG
Subject: Re: ssh from windows

On Tue, 29 Jun 1999, Vladimir Mencl, MK, susSED wrote:

> BTW, is there any way of limiting attaching to system processes at
> higher securelevels?
> I was thinking about attaching to init (because
> "init can lower securelevel"), but I received a "permission denied" at
> securelevel 2, and a signal 11 at securelevel -1 ???? I don't know why,
> I received it not only in 'gdb `which init` 1', but also in a later
> 'gdb `which gdb` gdb.core' ... is init protected against debugging
> in a special way?

Yes, init cannot be attached to by a debugger when securelevel > 0. This change was made a good while back after I pointed out that it was possible to lower the securelevel by this method. I believe that the kernel was also later changed to not allow the securelevel to be lowered by any process, period. I don't think it should be causing gdb to crash, though.

--
Brian Buchanan                                   brian@CSUA.Berkeley.EDU
--------------------------------------------------------------------------
FreeBSD - The Power to Serve!                    http://www.freebsd.org

From owner-freebsd-security Tue Jun 29 4:15:43 1999
Date: Tue, 29 Jun 1999 13:15:29 +0200
From: Eivind Eklund
To: Wes Peters
Cc: cjclark@home.com, FreeBSD Security
Subject: Re: Secure Deletion
Message-ID: <19990629131529.A61249@bitbox.follo.net>
References: <199906250212.WAA07810@cc942873-a.ewndsr1.nj.home.com> <3773F67A.CC9B6215@softweyr.com>
In-Reply-To: <3773F67A.CC9B6215@softweyr.com>;
from Wes Peters on Fri, Jun 25, 1999 at 03:36:58PM -0600

On Fri, Jun 25, 1999 at 03:36:58PM -0600, Wes Peters wrote:
> This won't do it, if you're really interested in obliterating the file
> contents. What you want to do is overwrite the file blocks with
                                                    ^^^^ disk
> alternating patterns of 10101010 then 01010101 at least 100 times.
> Due to the way modern recording formats work, and the memory of the
> cells that actually store the bits on the disk, anything less won't
> really erase the disk.

More or less correct. There are a lot of details to this, and just writing 0x55/0xaa as normal data values won't make them hit the disk that way. Since what I have to write about this topic would just end up being a paraphrase of what Peter Gutmann has to say, I suggest you read the paper he presented at Usenix 1996: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Eivind.

From owner-freebsd-security Tue Jun 29 6:01:35 1999
Date: Tue, 29 Jun 1999 06:01:32 PDT
From: N.N.M
To: freebsd-security@FREEBSD.ORG
Subject: A strange process
Message-ID: <19990629130132.96757.qmail@hotmail.com>

Hi everybody,

Anyone know what the following process can mean?
login -p zzzzzzzz

I have it in the result of "ps -aux" entry with the owner of "root". It also re-appears in a moment after being killed by me! What can it be?

Thanks,
Nazila M.

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-freebsd-security Tue Jun 29 6:04:29 1999
Date: Tue, 29 Jun 1999 15:04:17 +0200 (MET DST)
From: Nick Hibma
To: "N.N.M"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A strange process
In-Reply-To: <19990629130132.96757.qmail@hotmail.com>

Yup, the guy sitting behind the console has dropped a book on the 'z' key. It's most probably not a German or French keyboard. :)

Nick

On Tue, 29 Jun 1999, N.N.M wrote:

> Hi everybody,
>
> Anyone know what the following process can mean?
>
> login -p zzzzzzzz
>
> I have it in the result of "ps -aux" entry with the owner of "root". It also
> re-appears in a moment after being killed by me! What can it be?
>
> Thanks,
> Nazila M.
--
ISIS/STA, T.P.270, Joint Research Centre, 21020 Ispra, Italy

From owner-freebsd-security Tue Jun 29 6:04:36 1999
Date: Tue, 29 Jun 1999 15:04:19 +0200
From: Poul-Henning Kamp
To: "N.N.M"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A strange process
In-Reply-To: Your message of "Tue, 29 Jun 1999 06:01:32 PDT." <19990629130132.96757.qmail@hotmail.com>
Message-ID: <36174.930661459@critter.freebsd.dk>

Somebody is trying to break into your machine.

In message <19990629130132.96757.qmail@hotmail.com>, "N.N.M" writes:
>Hi everybody,
>
>Anyone know what the following process can mean?
>
>login -p zzzzzzzz
>
>I have it in the result of "ps -aux" entry with the owner of "root". It also
>re-appears in a moment after being killed by me! What can it be?
>
>Thanks,
>Nazila M.
--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Tue Jun 29 6:24:08 1999
Date: Tue, 29 Jun 1999 06:24:05 PDT
From: N.N.M
To: nick.hibma@jrc.it, phk@critter.freebsd.dk
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A strange process
Message-ID: <19990629132406.51156.qmail@hotmail.com>

Thanks for your replies. I got worried (and still am!), as I am not behind the console right now, so I can't be sure if it's a simple mistake or a true effort to break in. Anyway, I hope it is just a book on the "z" key!
(-:

Nazila

>From: Nick Hibma
>To: "N.N.M"
>CC: freebsd-security@FreeBSD.ORG
>Subject: Re: A strange process
>Date: Tue, 29 Jun 1999 15:04:17 +0200 (MET DST)
>
>Yup, the guy sitting behind the console has dropped a book on the 'z'
>key. It's most probably not a German or French keyboard. :)
>
>Nick
>
>On Tue, 29 Jun 1999, N.N.M wrote:
>
> > Hi everybody,
> >
> > Anyone know what the following process can mean?
> >
> > login -p zzzzzzzz
> >
> > I have it in the result of "ps -aux" entry with the owner of "root". It
>also
> > re-appears in a moment after being killed by me! What can it be?
> >
> > Thanks,
> > Nazila M.
>
>--
>ISIS/STA, T.P.270, Joint Research Centre, 21020 Ispra, Italy

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-freebsd-security Tue Jun 29 6:46:20 1999
Date: Tue, 29 Jun 1999 09:51:05 -0400
From: "Ken Brown"
Subject: RE: A strange process
Message-ID: <001401bec236$6ef93180$d300a8c0@ken3500.devmail.com>
In-Reply-To: <19990629130132.96757.qmail@hotmail.com>

Tried it here, it's definitely from the 'z' key being held down. But looking at my keyboard, I'm not sure how you could get a small z with a book. It's more likely a stuck key. Usually happens around here when someone dumps a coke in the keyboard.
Ken

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of N.N.M
Sent: Tuesday, June 29, 1999 9:02 AM
To: freebsd-security@FreeBSD.ORG
Subject: A strange process

Hi everybody,

Anyone know what the following process can mean?

login -p zzzzzzzz

I have it in the result of "ps -aux" entry with the owner of "root". It also re-appears in a moment after being killed by me! What can it be?

Thanks,
Nazila M.

From owner-freebsd-security Tue Jun 29 7:29:57 1999
Date: Tue, 29 Jun 1999 10:33:38 -0400 (EDT)
From: Bill Fumerola
To: "N.N.M"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A strange process
In-Reply-To: <19990629130132.96757.qmail@hotmail.com>

On Tue, 29 Jun 1999, N.N.M wrote:

> Hi everybody,
>
> Anyone know what the following process can mean?
>
> login -p zzzzzzzz
>
> I have it in the result of "ps -aux" entry with the owner of "root". It also
> re-appears in a moment after being killed by me! What can it be?
The password given at the command line, however login 'hides' that password in the process list so people snooping around don't catch it.

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Tue Jun 29 8:30:49 1999
Date: 29 Jun 1999 17:30:37 +0200
From: Dag-Erling Smorgrav
To: Bill Fumerola
Cc: "N.N.M", freebsd-security@FreeBSD.ORG
Subject: Re: A strange process
In-Reply-To: Bill Fumerola's message of "Tue, 29 Jun 1999 10:33:38 -0400 (EDT)"

Bill Fumerola writes:
> On Tue, 29 Jun 1999, N.N.M wrote:
> > login -p zzzzzzzz
>
> The password given at the command line, however login 'hides' that
> password in the process list so people snooping around don't catch it.

No. 'man login'.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Jun 29 8:35:10 1999
Date: Tue, 29 Jun 1999 11:39:08 -0400 (EDT)
From: Bill Fumerola
To: Dag-Erling Smorgrav
Cc: "N.N.M", freebsd-security@FreeBSD.ORG
Subject: Re: A strange process

On 29 Jun 1999, Dag-Erling Smorgrav wrote:

> Bill Fumerola writes:
> > On Tue, 29 Jun 1999, N.N.M wrote:
> > > login -p zzzzzzzz
> >
> > The password given at the command line, however login 'hides' that
> > password in the process list so people snooping around don't catch it.
>
> No. 'man login'.

Oh, well, that's what the mysql client does, I just made a guess.
:>

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Tue Jun 29 9:05:05 1999
Date: Tue, 29 Jun 1999 11:04:40 -0500 (CDT)
From: dave
To: Bill Fumerola
Cc: Dag-Erling Smorgrav, "N.N.M", freebsd-security@FreeBSD.ORG
Subject: Re: A strange process

Having the password on the command line is a huge security hole, BTW... Even if the program erases it from argv, there is still the time between when the program is invoked and when it erases argv when the password can be grabbed. A script doing nothing but ps would eventually grab one.

On Tue, 29 Jun 1999, Bill Fumerola wrote:

> On 29 Jun 1999, Dag-Erling Smorgrav wrote:
>
> > Bill Fumerola writes:
> > > On Tue, 29 Jun 1999, N.N.M wrote:
> > > > login -p zzzzzzzz
> > >
> > > The password given at the command line, however login 'hides' that
> > > password in the process list so people snooping around don't catch it.
> >
> > No. 'man login'.
>
> Oh, well, that's what the mysql client does, I just made a guess.
> :>
>
> - bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
> - ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Tue Jun 29 9:07:27 1999
Date: Tue, 29 Jun 1999 12:05:22 -0400 (EDT)
From: Barrett Richardson
To: "Vladimir Mencl, MK, susSED"
Cc: security@FreeBSD.ORG
Subject: Re: ssh from windows

On Tue, 29 Jun 1999, Vladimir Mencl, MK, susSED wrote:

> > Oh. The client encrypts it with the public key sent by the server - but
> > the server's private key isn't passphrase protected (it is, however,
> > readable only by root -- unless you change it).
>
> I'm afraid you are wrong. The RSA keys stored on disk are used for
> host authentication only. Passwords (and all other session data) are
> encrypted by a ``session key'', which is generated every (?3?) hours,
> and is not stored anywhere. And is not bound to RSA, the session
> encryption uses other encryption algorithms (with not that much
> overhead). Like blowfish, idea ... and I think, it generally uses
> shorter keys.
>

Well, I haven't actually studied the code -- but, if RSA authentication fails, there is no way the server can securely send a session key back to the client -- nor can the client securely send it to the server without RSA. The client can, however, use the server's public key to seal the password or session key in an RSA envelope in a secure manner and send it to the server.

To answer the original poster's question, if the server's public key is not used to create an RSA envelope, then yes, a password (or session key) is transmitted in clear text -- and I was indeed wrong. But ... the man page says that no password information is transmitted in the clear, and the aforementioned use of the server's public key is the only way that can be accomplished.

--
Barrett

From owner-freebsd-security Tue Jun 29 9:34:05 1999
Date: Tue, 29 Jun 1999 10:33:02 -0600 (MDT)
From: Paul Hart
To: dave
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A strange process

On Tue, 29 Jun 1999, dave wrote:

> Having the password on the command line is a huge security hole, BTW...
> Even if the program erases it from argv, there is still the time between
> when the program is invoked and when it erases argv when the password can
> be grabbed. A script doing nothing but ps would eventually grab one.
>
> login -p zzzzzzzz

Uhh, are you thinking that "zzzzzzzz" is the password? Maybe I'm missing something but "man login" says:

SYNOPSIS
     login [-fp] [-h hostname] [user]

[...]

     -p      By default, login discards any previous environment. The -p
             option disables this behavior.

Wouldn't that mean that "zzzzzzzz" is a username?

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Tue Jun 29 9:39:17 1999
Date: Tue, 29 Jun 1999 12:43:00 -0400 (EDT)
From: Bill Fumerola
To: Paul Hart
Cc: dave, freebsd-security@FreeBSD.ORG
Subject: Re: A strange process

On Tue, 29 Jun 1999, Paul Hart wrote:

> Wouldn't that mean that "zzzzzzzz" is a username?

Yes, I assumed this program worked like the mysql client, mistakenly.
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Tue Jun 29 17:19:18 1999
Date: Wed, 30 Jun 1999 02:19:08 +0200
From: Pierre Beyssac
To: "N.N.M", freebsd-security@FreeBSD.ORG
Subject: Re: A strange process
Message-ID: <19990630021908.A20109@fasterix.frmug.fr.net>
References: <19990629130132.96757.qmail@hotmail.com>
In-Reply-To: <19990629130132.96757.qmail@hotmail.com>; from N.N.M on Tue, Jun 29, 1999 at 06:01:32AM -0700

On Tue, Jun 29, 1999 at 06:01:32AM -0700, N.N.M wrote:
> Anyone know what the following process can mean?
>
> login -p zzzzzzzz

Looks like a login process exec'd by getty. getty reads the username itself, then starts login with option -p. Subsequent password:/login: prompts are then handled by login until it quits. telnetd does more or less the same but adds a "-h remotehostname", so it doesn't look like a remote attack.

If it's indeed exec'd from getty, its parent pid should be 1 (init) and it should be attached to some tty on the machine for which a getty is spawned by /etc/ttys.

As already answered, it's probably a stuck key. It might be started by something else, but I'm out of imagination now. If it's not started by anything familiar, then you can start worrying.
--
Pierre Beyssac      pb@fasterix.frmug.org      pb@fasterix.freenix.org
{Free,Net,Open}BSD, Linux: there is worse, but it costs more
Free domains: http://www.eu.org/ or mail dns-manager@EU.org

From owner-freebsd-security Tue Jun 29 19:06:22 1999
Date: Tue, 29 Jun 1999 21:06:16 -0500
From: Michael Maxwell
To: freebsd-security@FreeBSD.ORG
Subject: Re: A strange process
Message-ID: <19990629210616.B8207@atlas.topquark.org>
References: <19990629130132.96757.qmail@hotmail.com> <36174.930661459@critter.freebsd.dk>
In-Reply-To: <36174.930661459@critter.freebsd.dk>; from Poul-Henning Kamp on Tue, Jun 29, 1999 at 03:04:19PM +0200

On Tue, Jun 29, 1999 at 03:04:19PM +0200, Poul-Henning Kamp wrote:
>
> Somebody is trying to break into your machine.
>
> In message <19990629130132.96757.qmail@hotmail.com>, "N.N.M" writes:
> >Hi everybody,
> >
> >Anyone know what the following process can mean?
> >
> >login -p zzzzzzzz

Either that or someone fell asleep at the login prompt... (sorry, couldn't resist)

--
Michael Maxwell | http://www.xnet.com/~drwho/
--
NATO: Now that you've destroyed Serbia, who you gonna kill next?
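Pierre Beyssac's check from a few messages up (a getty-spawned login has parent pid 1 and sits on a tty that /etc/ttys hands to a getty) can be scripted. The triage script below is an added example and not code from this thread; its ps output and /etc/ttys contents are constructed samples, and it assumes the ps TT column uses the usual short form (ttyv0 shown as v0), so on a live box you would feed it the real `ps -axo pid,ppid,tty,user,command` output and /etc/ttys instead.

```shell
#!/bin/sh
# Triage "login -p <user>" processes the way Pierre Beyssac describes:
# a login started by getty has parent pid 1 (init) and runs on a tty that
# /etc/ttys marks "on". Anything else deserves a closer look.
# Added example, not code from the list thread. The two inputs below are
# constructed samples; on a live FreeBSD box they would come from
#   ps -axo pid,ppid,tty,user,command      and      /etc/ttys
# and the TT column is assumed to use the short form (ttyv0 -> v0).

# Constructed ps output: one getty-spawned login on the console (pid 321),
# one login whose parent is not init (pid 512), and one on a tty that
# /etc/ttys has switched off (pid 530).
SAMPLE_PS='  PID  PPID TT  USER COMMAND
    1     0 ??  root /sbin/init --
  321     1 v0  root login -p zzzzzzzz
  400     1 d0  root /usr/libexec/getty std.9600 ttyd0
  512   498 p1  root login -p zzzzzzzz
  530     1 v9  root login -p zzzzzzzz'

# Constructed /etc/ttys: gettys on ttyv0 and ttyd0, ttyv9 turned off.
SAMPLE_TTYS='# name  getty                          type    status  comments
console none                           unknown off secure
ttyv0   "/usr/libexec/getty Pc"        cons25  on  secure
ttyv9   "/usr/libexec/getty Pc"        cons25  off secure
ttyd0   "/usr/libexec/getty std.9600"  dialup  on  secure'

# classify_logins PS_TEXT TTYS_TEXT
# Prints one line per "login -p" process:  <pid> <tty> <verdict>
#   expected    parent is init (ppid 1) and the tty is "on" in ttys
#   suspicious  any other parent, or a tty that ttys does not give a getty
classify_logins() {
    ttys_file=$(mktemp) || return 1
    ps_file=$(mktemp) || { rm -f "$ttys_file"; return 1; }
    printf '%s\n' "$2" > "$ttys_file"
    printf '%s\n' "$1" > "$ps_file"
    awk '
        # First file (ttys): collect the ttys whose status is "on".
        FNR == NR {
            if ($0 ~ /^[ \t]*#/ || NF < 4) next
            # The getty field may be quoted and contain a space, so locate
            # the status by scanning from the right for on/off.
            status = ""
            for (i = NF; i > 1; i--)
                if ($i == "on" || $i == "off") { status = $i; break }
            name = $1
            sub(/^tty/, "", name)   # ttyv0 -> v0, to match the ps TT column
            if (status == "on") enabled[name] = 1
            next
        }
        # Second file (ps): only login -p processes are of interest.
        $5 == "login" && $6 == "-p" {
            verdict = "suspicious"
            if ($2 == 1 && ($3 in enabled)) verdict = "expected"
            print $1, $3, verdict
        }
    ' "$ttys_file" "$ps_file"
    rc=$?
    rm -f "$ttys_file" "$ps_file"
    return $rc
}

# Run against the constructed samples when executed directly.
classify_logins "$SAMPLE_PS" "$SAMPLE_TTYS"
```

A "suspicious" verdict is only a prompt to look at the parent process and the tty by hand, not proof of an intrusion; a login started by telnetd, for instance, has a different parent and carries the "-h" argument Pierre mentions.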
From owner-freebsd-security Tue Jun 29 19:30:28 1999
Date: Tue, 29 Jun 1999 21:08:20 -0500
From: Michael Maxwell
To: freebsd-security@FreeBSD.ORG
Subject: Re: A strange process
Message-ID: <19990629210820.C8207@atlas.topquark.org>
References: <19990629132406.51156.qmail@hotmail.com>
In-Reply-To: <19990629132406.51156.qmail@hotmail.com>; from N.N.M on Tue, Jun 29, 1999 at 06:24:05AM -0700

On Tue, Jun 29, 1999 at 06:24:05AM -0700, N.N.M wrote:
>
> Thanks for your replies. I got worried (and still am!), as I am not behind
> the console right now, so can't get sure if it's a simple mistake or a true
> effort to break in. Anyway, I hope it is just a book on "z" key! (-:
>

If you cannot find any "stuck keys", try looking at terminals and workstations to see if they have connection problems. Maybe some garbage characters are getting through somehow from a bad connection, etc... Check modems, too.
From owner-freebsd-security Wed Jun 30 9:38:52 1999
Date: Wed, 30 Jun 1999 09:39:27 -0700 (PDT)
From: Anil Jangity
To: freebsd-security@freebsd.org
Subject: kill!!!

;-)

I was wondering, is it possible/safe to make kill(1) not allow anyone to kill a root process run from the console? Only the console should be able to kill those processes and no one else.

The reason is, I leave a root login on the console at all times... just in case something stupid happens, like the passwd is changed for root or you can no longer su to root etc. because of a compromise or whatever; but if you have a logged-in root already, it'll be easy to fix those. I was thinking of making kill not be able to kill the shell after it was hacked etc.
-- Anil Jangity

From owner-freebsd-security Wed Jun 30 11:30:51 1999
From: brooks@one-eyed-alien.net
To: Anil Jangity
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kill!!!
Date: Wed, 30 Jun 1999 11:30:04 -0700 (PDT)

On Wed, 30 Jun 1999, Anil Jangity wrote:
> I was wondering, is it possible/safe to make kill(1) unable to
> kill a root process run from the console? Only the console should be able
> to kill those processes and no one else.
>
> The reason is, I leave a root login on the console at all times... just
> in case something stupid happens like the passwd is changed for root or you
> can no longer su to root etc. because of a compromise or whatever, but if
> you have a logged-in root already, it'll be easy to fix those. I was
> thinking of making kill not be able to kill the shell after it was hacked
> etc.

If you really wanted to, you could probably implement that feature, but I think it would require a higher secure level. In reality, it's probably a waste of time for your purposes.
See the commit message below (this was also committed to the RELENG_3 branch):

----
peter       1999/04/03 20:36:50 PST

  Modified files:
    libexec/getty        gettytab.5 gettytab.h init.c main.c
  Log:
  Add an 'al' (autologin username) capability to getty/gettytab. This is a
  damn useful thing for using with serial consoles in clusters etc or secure
  console locations. Using a custom gettytab entry for console with an entry
  like 'al=root' means that there is *always* a root login ready on the
  console. This should replace hacks like those which go with conserver etc.
  (This is a loaded gun, watch out for those feet!)

  Submitted by: "Andrew J. Korty"
----

-- Brooks

From owner-freebsd-security Wed Jun 30 11:42:19 1999
From: "Jackson, Douglas H"
To: freebsd-security@FreeBSD.ORG
Cc: "'brooks@one-eyed-alien.net'", Anil Jangity
Subject: RE: kill!!!
Date: Wed, 30 Jun 1999 11:42:09 -0700

There are a number of ways to deal with a lost root password.

You can always boot to single user mode with no password.
I guess a drawback is that it requires a bit of down time while you do the reboot and change the password. But if your system is so insecure that you are losing your root passwords, you probably have lots of downtime anyway.

You could also use su2, which would allow you to have a number of different passwords which each allow you root access. If you're losing track of the current root because multiple people are all using su from time to time, then this is probably a better bet for you anyway.

Doug

> -----Original Message-----
> From: brooks@one-eyed-alien.net [mailto:brooks@one-eyed-alien.net]
> Sent: Wednesday, June 30, 1999 11:30 AM
> To: Anil Jangity
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: kill!!!
From owner-freebsd-security Wed Jun 30 12:31:50 1999
From: Evren Yurtesen
To: "Jackson, Douglas H", freebsd-security@freebsd.org
Subject: how to keep track of root users?
Date: Wed, 30 Jun 1999 22:27:34 +0300

What is su2?

In our system there are multiple people who are logging in as root and I want to keep track of what they are doing when they are root. How can I do that?

"Jackson, Douglas H" wrote:
> There are a number of ways to deal with a lost root password.
>
> You can always boot to single user mode with no password. I guess a drawback
> is that it requires a bit of down time while you do the reboot, and change
> the password.
> But if your system is so insecure that you are losing your
> root passwords, you probably have lots of downtime anyway.
>
> You could also use su2, which would allow you to have a number of different
> passwords which each allow you root access. If you're losing track of the
> current root because multiple people are all using su from time to time,
> then this is probably a better bet for you anyway.
>
> Doug
From owner-freebsd-security Wed Jun 30 12:55:21 1999
From: Barrett Richardson
To: Evren Yurtesen
Cc: "Jackson, Douglas H", freebsd-security@freebsd.org
Subject: Re: how to keep track of root users?
Date: Wed, 30 Jun 1999 15:53:04 -0400 (EDT)

On Wed, 30 Jun 1999, Evren Yurtesen wrote:
> what is su2?
> in our system there are multiple people who are logging in as root and
> I want to keep track of what they are doing when they are root,
> how can I do that?
From owner-freebsd-security Wed Jun 30 13:04:34 1999
From: Barrett Richardson
To: Evren Yurtesen
Cc: "Jackson, Douglas H", freebsd-security@freebsd.org
Subject: Re: how to keep track of root users?
Date: Wed, 30 Jun 1999 16:02:21 -0400 (EDT)

I plead stuck keyboard on that last message. Yes. Definitely stuck keyboard.

Have a look at accton(8) and lastcomm(1). I've had to explicitly specify the filename on 3.x.

-- Barrett

On Wed, 30 Jun 1999, Evren Yurtesen wrote:
> what is su2?
> in our system there are multiple people who are logging in as root and
> I want to keep track of what they are doing when they are root,
> how can I do that?
From owner-freebsd-security Wed Jun 30 13:58:42 1999
From: Cy Schubert - ITSD Open Systems Group
To: Evren Yurtesen
Cc: "Jackson, Douglas H", freebsd-security@FreeBSD.ORG
Subject: Re: how to keep track of root users?
Date: Wed, 30 Jun 1999 13:58:12 -0700

In message <377A6FA6.2967F7E1@ispro.net.tr>, Evren Yurtesen writes:
> what is su2?
> in our system there are multiple people who are logging in as root and
> I want to keep track of what they are doing when they are root,
> how can I do that?

Sudo is another alternative. Symark markets a product similar to sudo and su2 that will even perform keystroke logging.
Currently they support various platforms, including Linux (we can run the Linux binary). They've told me that if there is enough interest they can recompile the product for other platforms not currently supported.

You could use a combination of sudo/su2 with script(1) to perform keystroke logging, or create a hacked shell that logs commands and return codes to syslog.

Finally, process accounting can provide a limited logging capability.

Of course all of the above logging can be defeated by anyone with root wishing to hide their tracks.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

From owner-freebsd-security Wed Jun 30 14:15:57 1999
From: Liam Slusser
To: Evren Yurtesen
Cc: "Jackson, Douglas H", freebsd-security@FreeBSD.ORG
Subject: Re: how to keep track of root users?
Date: Wed, 30 Jun 1999 14:13:26 -0700 (PDT)

Try sudo. ;) You can find it in the ports under security/sudo. It will allow you to do all sorts of neato stuff, from allowing one person to only run a single program to allowing another to do anything he/she wants.
liam
System Administrator, Tiora Networks | www.tiora.net <---- tiora's webpage
www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address
Lowered turbo powered Honda Civics are really cool. <---------- my quote

On Wed, 30 Jun 1999, Evren Yurtesen wrote:
> what is su2?
> in our system there are multiple people who are logging in as root and
> I want to keep track of what they are doing when they are root,
> how can I do that?
From owner-freebsd-security Wed Jun 30 17:18:28 1999
From: Philip Hallstrom
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: ipf vs. ipfw???
Date: Wed, 30 Jun 1999 17:22:26 -0700 (PDT)

Hi -

I'm just getting my feet wet with firewalls and it appears I have two options: ipf and ipfw.

I don't want to start any wars, but which one should I choose? What are the pros/cons of both?

Please reply privately (I'm not subscribed to either list). If I get enough info I'll summarize it and put it up online somewhere for later.

Thanks!
-philip

From owner-freebsd-security Wed Jun 30 17:26:04 1999
From: Anil Jangity
To: Philip Hallstrom
Cc: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ipf vs. ipfw???
Date: Wed, 30 Jun 1999 17:26:52 -0700 (PDT)

You may want to check this URL out: http://www.freebsdzine.org/199901/

I don't know how accurate/complete it is, but it could be a start for you... I haven't read through all of it.

There was also a recent ipf-howto FAQ in the freebsd-security archive; you may want to read through that as well and see if it meets your needs.

Have fun!

- Anil

On Wed, 30 Jun 1999, Philip Hallstrom wrote:
> Hi -
> I'm just getting my feet wet with firewalls and it appears I have
> two options: ipf and ipfw.
>
> I don't want to start any wars, but which one should I choose? What are
> the pros/cons of both?
>
> Please reply privately (I'm not subscribed to either list). If I get
> enough info I'll summarize it and put it up online somewhere for later.
>
> Thanks!
> -philip

From owner-freebsd-security Wed Jun 30 21:59:33 1999
From: "Crist J. Clark"
To: freebsd-questions@FreeBSD.ORG (FreeBSD Questions), freebsd-security@FreeBSD.ORG
Reply-To: cjclark@home.com
Subject: SSH Working Like rsh
Date: Thu, 1 Jul 1999 01:00:52 -0400 (EDT)

As in the past (http://www.freebsd.org/cgi/getmsg.cgi?fetch=3815870+3818463+/usr/local/www/db/text/1999/freebsd-questions/19990509.freebsd-questions), I seem to be having some trouble understanding the SSH manpages.

I have two machines, let's call them hostA and hostB. hostA is a server and hostB is its backup. On a daily basis, I want to run a cron job on hostB that sucks up various files from hostA and then deposits them where they belong on hostB. Now, to me, the simple solution seemed to be to just use ssh (as I would have used rsh in past, simpler times), to do something like,

    ssh hostA "tar cf - $FILE_LIST" | tar xf -

where ssh runs a command on hostA and pipes the stdout over the net back to the stdin of a command on hostB.
The ssh(1) manpage says,

     The second (and primary) authentication method is the rhosts or
     hosts.equiv method combined with RSA-based host authentication. It
     means that if the login would be permitted by .rhosts, .shosts,
     /etc/hosts.equiv, or /usr/local/etc/shosts.equiv, and additionally it
     can verify the client's host key (see $HOME/.ssh/known_hosts and
     /usr/local/etc/ssh_known_hosts in the FILES section), only then login
     is permitted. This authentication method closes security holes due to
     IP spoofing, DNS spoofing and routing spoofing. [Note to the
     administrator: /etc/hosts.equiv, .rhosts, and the rlogin/rsh protocol
     in general, are inherently insecure and should be disabled if security
     is desired.]

To me, it is saying that ssh should function like rsh from the user's point of view. However, on hostA, I have placed hostB in the /etc/shost file, the user's .rhosts (root user), and made sure that the pub key for hostB is on hostA in /root/.ssh/known_hosts and /usr/local/etc/ssh_known_hosts, but I still get a request for a passphrase.

How do I set up ssh so it can run a ssh like this from a cron job? Is the solution to give root a null-passphrased private key? However, the documentation has the scary statement about 'do not use null passphrases unless you know what you are doing.' I do not know enough about what I am doing to ignore that warning for a root account.

Thanks for any pointers.

--
Crist J. Clark
cjclark@home.com

From owner-freebsd-security Thu Jul 1 2:23:23 1999
From: "Robert Sowders"
To: cjc@cc942873-a.ewndsr1.nj.home.com, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, cjclark@home.com
Subject: Re: SSH Working Like rsh
Date: Thu, 01 Jul 1999 02:22:41 -0700

It doesn't look like anyone's answered you yet. So I'll give it a try. Sorry for the long post but, what can I say?

I assume you know the location of all ssh config files. Note, fbsd 3.2 incorporates tcpwrappers by default and by default ssh is compiled with libwrap, so you must make sure that your hosts.allow file is allowing the connection between the two machines. If you're not running 3.2 or you don't have any hosts.allow or hosts.deny files then don't worry about it.

First let me say that using passwordless logins will defeat part of the security of using ssh both with RhostsAuthentication and RhostsRSAAuthentication. With that said, I have found that only the very elite can leverage this into anything useful without a toehold already established on one of your machines.

Make sure the sshd_config file on the receiving machine allows root logins, rhosts logins and RSA while we're at it.
From here on it might be a good idea to do the same thing on both sending and receiving machines so your script will work its redirection. (I haven't done that.)

    PermitRootLogin yes
    IgnoreRhosts no
    RhostsAuthentication yes
    RhostsRSAAuthentication yes

Now kill and restart or HUP the sshd server.

Place a .shosts file in the home directory of the receiving machine you wish to connect to with the following line in the file somewhere.

    root@the.machine.your.coming.from

Connect from the sending machine to the receiving machine manually and accept the query to connect to the machine for the first time. Connect back to the sending machine from the receiving machine just to be sure. The reason for this is so the known_hosts files will be written on both machines. After this the query will not appear.

Now as root from the sending machine try to ssh to the receiving machine. If it still asks for a passwd or RSA passphrase, try it again, but this time on the receiving machine kill and restart sshd with the -d switch so it will send the debug output to the screen. Now from the sending machine ssh to the receiving machine with the -v switch so its verbose output is sent to the screen. The sending machine will tell you where it's failing and if you go to the receiving machine it will also show you what's going on and hopefully this will give you a clue about how to proceed.

If you would like to do passwordless logins with RSA passphrase then you will need to do the following. Be aware that the scary statements about null-passphrased private keys are there for a good reason. If someone can steal your key or copy it then they will have root on the receiving machine with no questions asked, but to do this from any machine other than the one they stole it from is very difficult and again they would have to have a toehold on your machine to start with. So Caveat Emptor.
In addition to the above, in the ssh_config uncomment the lines just to be sure, but it should already be the default.

    RhostsAuthentication yes
    RhostsRSAAuthentication yes
    RSAAuthentication yes

Now on each machine run the command ssh-keygen and when it asks for a passphrase just hit the enter key twice. Now transfer the identity.pub file from each machine to the other, renaming it authorized_keys, and place it in the .ssh directory in the home of root.

Again run the server and client with the -d and -v switches respectively and watch the output for errors.

If you can't get passwordless logins with RSA passphrase but .shosts works for you then you might try running a cron job and tarring the files you need and then using scp to move the files for you.

Hope this helps.

>>> "Crist J. Clark" 6/30/99 10:00:52 PM >>>
It means that if the login would be permitted by .rhosts, .shosts, /etc/hosts.equiv, or /usr/local/etc/shosts.equiv, and additionally it can verify the client's host key (see $HOME/.ssh/known_hosts and /usr/local/etc/ssh_known_hosts in the FILES section), only then login is permitted. This authentication method closes security holes due to IP spoofing, DNS spoofing and routing spoofing. [Note to the administrator: /etc/hosts.equiv, .rhosts, and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.]

To me, it is saying that ssh should function like the rsh from the user's point of view. However, on hostA, I have placed hostB in the /etc/shost file, the user's .rhosts (root user), and made sure that the pub key for hostB is on hostA in /root/.ssh/known_hosts and /usr/local/etc/ssh_known_hosts, but I still get a request for a passphrase.

How do I set up ssh so it can run a ssh like this from a cronjob? Is the solution to give root a null passphrased private key? However, the documentation has the scary statement about 'do not use null passphrases unless you know what you are doing.' I do not know enough about what I am doing to ignore that warning for a root account.

Thanks for any pointers.
--
Crist J.
Clark cjclark@home.com

From owner-freebsd-security Thu Jul 1 5:29:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id 1C7BE15363 for ; Thu, 1 Jul 1999 05:29:26 -0700 (PDT) (envelope-from ncb@zip.com.au)
Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id WAA09184; Thu, 1 Jul 1999 22:29:20 +1000
Date: Thu, 1 Jul 1999 22:29:19 +1000 (EST)
From: Nicholas Brawn
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: how to keep track of root users?
In-Reply-To: <199906302058.NAA00679@passer.osg.gov.bc.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 30 Jun 1999, Cy Schubert wrote:

> Finally, process accounting can provide a limited logging
> capability.

It appears that the process accounting in FreeBSD is a remnant of a bygone era, where all CPU time was costly and had to be accounted for. From a security perspective, process accounting would need to:
- log uid, gid, and euid of the user calling the process.
- log the process name, executable name, and path to the executable.
- log arguments to the process being executed.
- log date and amount of time the process took to complete.
- log the tty the user who called the process executed it from.

That being said, who wants to write it? ;)

Nick

>
> Of course all of the above logging can be defeated by anyone with
> root wishing to hide their tracks.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Open Systems Group             Internet:  Cy.Schubert@uumail.gov.bc.ca
> ITSD                                      Cy.Schubert@gems8.gov.bc.ca
> Province of BC
>            "e**(i*pi)+1=0"

From owner-freebsd-security Thu Jul 1 6:16:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from support.euronet.nl (support.euronet.nl [194.134.32.134]) by hub.freebsd.org (Postfix) with ESMTP id 0C1C9156A3 for ; Thu, 1 Jul 1999 06:16:12 -0700 (PDT) (envelope-from beng@support.euronet.nl)
Received: (from beng@localhost) by support.euronet.nl (8.9.1/8.9.1) id PAA22709 for freebsd-security@freebsd.org; Thu, 1 Jul 1999 15:16:11 +0200 (CEST) (envelope-from beng)
Message-Id: <199907011316.PAA22709@support.euronet.nl>
Subject: Re: how to keep track of root users?
In-Reply-To: from Nicholas Brawn at "Jul 1, 99 10:29:19 pm"
To: freebsd-security@freebsd.org
Date: Thu, 1 Jul 1999 15:16:11 +0200 (CEST)
From: Ben Gras
X-Mailer: ELM [version 2.4ME+ PL31H (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Folks,

> It appears that the process accounting in FreeBSD is a remnant of a bygone
> era, where all cpu time was costly and had to be accounted for. From a
> security perspective, process accounting would need to:
> - log uid, gid, and euid of the user calling the process.
> - log the process name, executable name, and path to the executable.
> - log arguments to the process being executed.
> - log date and amount of time the process took to complete.
> - log the tty the user who called the process executed it from.

Hmm, this isn't quite that simple; then we're dealing with

. forks: Log uid/gid/euid/pid of parent, and pid of child.
. execs: Log arguments and "process stack" (parent and its ancestors; the pid and process p_comm for each process). Also log executable used (filesystem + inode number + lookup path + the root used to do the lookup, along with md5 of the executable in a perfect world).
. exits: Log pid, exit code and/or signal.

(I think that's all. setuid/seteuid/setgid/setegid/chroot and several others could be useful too.. hmm. this smells like a flexible rule-based config.)

After all, a process might exec() multiple times, or fork() without exec()ing, or exec() multiple times before execing, not showing up in the accounting logs (that command that is; it'll show up as the last exec() I suppose) -- so accounting isn't flexible enough. Also p_comm isn't very meaningful at all (as far as I can see) if you're dealing with someone purposefully trying to hide what he's doing.

I've already written a kernel extension that provides this, more elaborate, kind of logging; the idea is to syslog it to a remote host (or line printer :)) to create a trail of actions that have ever happened on systems, so should the box ever be hacked into, one can go to the secure host and reconstruct how it was done (well.. often) and what was done afterwards (root commands to install back doors, cover tracks etc). Especially the process "stack" mentioned above is useful in putting things in perspective. The log works quite well, I'm just concerned it'll eat a lot of CPU on the system it runs on, and will eat lots of network bandwidth too.. the idea, however, is nice :).

I realized at the time that an accounting-style file is better suited for this information than syslog is; however, accounting doesn't work that way.. (It logs the information on exit()ing, which isn't the right time to gather all the information we want to log, it's too little too late, it's just not what it's meant to do.)

Ehm is this making sense yet?
=Ben

From owner-freebsd-security Thu Jul 1 6:33:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from burka.carrier.kiev.ua (burka.carrier.kiev.ua [193.193.193.107]) by hub.freebsd.org (Postfix) with ESMTP id D8A7E14CAB for ; Thu, 1 Jul 1999 06:33:45 -0700 (PDT) (envelope-from netch@lucky.net)
Received: (from netch@localhost) by burka.carrier.kiev.ua (8.Who.Cares/Guinness_Is_Better) id QAA25528; Thu, 1 Jul 1999 16:33:43 +0300 (EEST) (envelope-from netch)
Date: Thu, 1 Jul 1999 16:33:43 +0300 (EEST)
From: Valentin Nechayev
Message-Id: <199907011333.QAA25528@burka.carrier.kiev.ua>
To: freebsd-security@freebsd.org
Subject: Re: kill!!!
In-Reply-To: <0428AD6295E1D211AC4400A0C969E8A236F185@orsmsx43.jf.intel.com>
Organization: Lucky Netch Incorporated
User-Agent: tin/pre-1.4-980226 (UNIX) (FreeBSD/2.2.6-RELEASE (i386))
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At Wed, 30 Jun 1999 11:42:09 -0700, in article <0428AD6295E1D211AC4400A0C969E8A236F185@orsmsx43.jf.intel.com> Jackson, Douglas H wrote to sita.freebsd.security:

JDH> There are a number of ways to deal with a lost root password.
JDH> You can always boot to single user mode with no password.

No, if the "console" entry in /etc/ttys has the "insecure" flag, you must type in the root password to enter the single user mode shell.

JDH> You could also use su2, which would allow you to have a number of
JDH> different passwords which each allow you root access.

Or one can create accounts root_a, root_b, ... ;)
Or one can patch the sudo utility to use another password file...
;)

--
-- Valentin Nechayev netch@lucky.net II:LDXIII/MCMLXXII.CCC

From owner-freebsd-security Thu Jul 1 7:13:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id D84F31524D for ; Thu, 1 Jul 1999 07:13:48 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id AAA02422; Fri, 2 Jul 1999 00:13:57 +1000 (EST)
From: Darren Reed
Message-Id: <199907011413.AAA02422@cheops.anu.edu.au>
Subject: Re: how to keep track of root users?
To: ben@nl.euro.net (Ben Gras)
Date: Fri, 2 Jul 1999 00:13:56 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199907011316.PAA22709@support.euronet.nl> from "Ben Gras" at Jul 1, 99 03:16:11 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> It appears that the process accounting in FreeBSD is a remnant of a bygone
> era, where all cpu time was costly and had to be accounted for. From a
> security perspective, process accounting would need to:
> - log uid, gid, and euid of the user calling the process.
> - log the process name, executable name, and path to the executable.
> - log arguments to the process being executed.
> - log date and amount of time the process took to complete.
> - log the tty the user who called the process executed it from.

Process accounting provides information for what it was intended to do. Attempting to use that information for different purposes is going to lead you down the garden path. Process accounting is still useful, in its current form, so `fixing' it is not the right thing to do.

What's required here is auditing. I *think* the POSIX security module being worked on at present is more in line with what you're aiming to achieve.
If you've got access to Solaris, check out the man pages for auditd, bsm, etc.

Darren

From owner-freebsd-security Thu Jul 1 7:43:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id A25291579D for ; Thu, 1 Jul 1999 07:43:27 -0700 (PDT) (envelope-from ben@scientia.demon.co.uk)
Received: from rainbow5.scientia.demon.co.uk ([192.168.1.2] ident=exim) by scientia.demon.co.uk with esmtp (Exim 3.02 #1) id 10zhMo-0004fV-00; Thu, 01 Jul 1999 14:59:06 +0100 (envelope-from ben@rainbow5.scientia.demon.co.uk)
Received: from rainbow5.scientia.demon.co.uk (ident=ben) by rainbow5.scientia.demon.co.uk with local (Exim 3.02 #1) id 10zhMn-0002Aa-00; Thu, 01 Jul 1999 14:59:05 +0100 (envelope-from ben@rainbow5.scientia.demon.co.uk)
Date: Thu, 1 Jul 1999 14:59:04 +0100
From: Ben Smithurst
To: Evren Yurtesen
Cc: freebsd-security@freebsd.org
Subject: Re: how to keep track of root users?
Message-ID: <19990701145904.A8289@rainbow5.scientia.demon.co.uk>
References: <0428AD6295E1D211AC4400A0C969E8A236F185@orsmsx43.jf.intel.com> <377A6FA6.2967F7E1@ispro.net.tr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <377A6FA6.2967F7E1@ispro.net.tr>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Evren Yurtesen wrote:

> what is su2?

Similar to su. (You'd never have guessed that. :-) It allows you to list usernames in /usr/local/etc/superusers (I think), who can become any user using their own password. (e.g. I can "su2 news", where news has an invalid "*" password, without having to su to root first, I don't even need to know the root password.) Also individual users can put other usernames in their ~/.su2rc, so if usera has userb in ~usera/.su2rc, userb can use his own password to become usera.
The program's documentation will probably explain its intended uses better than I can. It's in the ports collection.

--
Ben Smithurst             | PGP: 0x99392F7D
ben@scientia.demon.co.uk  | key available from keyservers and
                          | ben+pgp@scientia.demon.co.uk

From owner-freebsd-security Thu Jul 1 8:24: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pop.intrafish.no (pop.intrafish.no [195.204.144.43]) by hub.freebsd.org (Postfix) with SMTP id 8F92B14D50 for ; Thu, 1 Jul 1999 08:23:58 -0700 (PDT) (envelope-from ros@intrafish.no)
Received: (qmail 28628 invoked from network); 1 Jul 1999 15:39:43 -0000
Received: from wkst3.intrafish.no (HELO wkst3) (195.204.144.39) by pop.intrafish.no with SMTP; 1 Jul 1999 15:39:43 -0000
Message-ID: <007701bec3d5$b36d7ce0$2790ccc3@intrafish.no>
From: "Roger Rabbit"
To:
Subject: tcp wrappers
Date: Thu, 1 Jul 1999 17:23:41 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0074_01BEC3E6.76DC5C40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've just installed 3.2 RELEASE from cdrom and on the cover it says that tcp wrappers now are part of the base system. But I can't see tcpd anywhere, only tcpdcheck and so on. Why is this ?

What if I want to set up different access rules based on the protocol in use, not the program ? is there any way to do that with tcp wrappers ?
(I need different rules for smtp and pop3, and they both use tcp-env, so setting a rule for tcp-env makes it all bad)

I used tcpserver on my previous system (3.0) and it worked great but on my 3.2 there's no ld.so for some reason, and tcpserver needs it.

Roger O. Svenning
From owner-freebsd-security Thu Jul 1 8:31:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from well.apcs.com.au (unknown [203.41.196.19]) by hub.freebsd.org (Postfix) with ESMTP id 717AB14CB4 for ; Thu, 1 Jul 1999 08:30:56 -0700 (PDT) (envelope-from keith@well.apcs.com.au)
Received: (from keith@localhost) by well.apcs.com.au (8.9.3/8.9.2) id BAA01230; Fri, 2 Jul 1999 01:30:28 +1000 (EST) (envelope-from keith)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <007701bec3d5$b36d7ce0$2790ccc3@intrafish.no>
Date: Fri, 02 Jul 1999 01:30:28 +1000 (EST)
From: Keith Anderson
To: Roger Rabbit
Subject: RE: tcp wrappers
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Roger,

I have tcp_wrappers working just fine

/usr/local/libexec/tcpd

and it keeps the little buggers out !

Keith

On 01-Jul-99 Roger Rabbit wrote:
> I've just installed 3.2 RELEASE from cdrom and on the cover it says that tcp
> wrappers now are part of the base system.
> But I can't see tcpd anywhere, only tcpdcheck and so on. Why is this ?
> What if I want to set up different access rules based on the protocol in use,
> not the program ? is there any way to do that with tcp wrappers ? (I need
> different rules for smtp and pop3, and they both use tcp-env, so setting a
> rule for tcp-env makes it all bad)
> I used tcpserver on my previous system (3.0) and it worked great but on my
> 3.2 there's no ld.so for some reason, and tcpserver needs it.
>
> Roger O. Svenning

"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."
** The thing I like most about Windows 98 is... ** You can download FreeBSD with it!
----------------------------------
E-Mail: Keith Anderson
Australia Power Control Systems Pty. Limited.
Date: 02-Jul-99
Time: 01:29:14
Satellite Service 64K to 2Meg
This message was sent by XFMail
----------------------------------
What's the similarity between an air conditioner and a computer? They both stop working when you open windows.
----------------------------------

From owner-freebsd-security Thu Jul 1 8:37:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id CEC8D14A13 for ; Thu, 1 Jul 1999 08:37:32 -0700 (PDT) (envelope-from sheldonh@axl.noc.iafrica.com)
Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.02 #1) id 10zitc-000Dcf-00; Thu, 01 Jul 1999 17:37:04 +0200
From: Sheldon Hearn
To: "Roger Rabbit"
Reply-To: freebsd-questions@freebsd.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: tcp wrappers
In-reply-to: Your message of "Thu, 01 Jul 1999 17:23:41 +0200." <007701bec3d5$b36d7ce0$2790ccc3@intrafish.no>
Date: Thu, 01 Jul 1999 17:37:04 +0200
Message-ID: <52368.930843424@axl.noc.iafrica.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 01 Jul 1999 17:23:41 +0200, "Roger Rabbit" wrote:

> But I can't see tcpd anywhere, only tcpdcheck and so on. Why is this ?

If you look at the inetd manpage, you'll see that it supports builtin wrapping. You don't need tcpd.

> What if I want to set up different access rules based on the protocol in
> use, not the program ?

That's a limitation of hosts.allow. Short of creating a copy of the daemon binary with a new name, you can't do what you want to with inetd and TCP Wrappers.
For information on why you don't have an ld.so for your old AOUT tcpserver program, see the 3.2RELEASE notes:

http://www.freebsd.org/releases/3.2R/errata.html

If you have further questions on configuration issues, please continue this thread in freebsd-questions, not on the security list.

Thanks,
Sheldon.

From owner-freebsd-security Thu Jul 1 8:48: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 69AE3157CF for ; Thu, 1 Jul 1999 08:47:26 -0700 (PDT) (envelope-from sheldonh@axl.noc.iafrica.com)
Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.02 #1) id 10zj3H-000Djf-00; Thu, 01 Jul 1999 17:47:03 +0200
From: Sheldon Hearn
To: Keith Anderson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: tcp wrappers
In-reply-to: Your message of "Fri, 02 Jul 1999 01:30:28 +1000."
Date: Thu, 01 Jul 1999 17:47:03 +0200
Message-ID: <52802.930844023@axl.noc.iafrica.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 02 Jul 1999 01:30:28 +1000, Keith Anderson wrote:

> I have tcp_wrappers working just fine
>
> /usr/local/libexec/tcpd

Hi Keith,

I don't really think this kind of answer is necessary. If you read the mail, you'll see that "Roger Rabbit" has misunderstood what TCP Wrapper support means. Telling him that it works fine for you doesn't really accomplish anything.

Ciao,
Sheldon.
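The point Sheldon makes in this thread is that hosts.allow keys its rules on the daemon's name, so two services started through the same program (smtp and pop3 both via tcp-env) are indistinguishable to the wrapper, and the only way to give one of them its own rule is to give it its own name. The following is an added example, not code from the thread or from tcp_wrappers itself: it models a subset of the hosts_access(5) matching (ALL, LOCAL, EXCEPT, leading-dot domain suffixes, trailing-dot network prefixes; no `: deny`/`spawn` options and no daemon@host patterns), derives the daemon name from the server program named in inetd.conf (assumed to be the basename of that field; verify against your inetd), and shows the POP3 rule taking effect only once the service runs under a differently named link. The inetd.conf lines, rules, host names and addresses are constructed for the example.

```python
"""hosts.allow keys on the daemon's name; a link with a new name gives a
service its own rule.  Added example, not tcp_wrappers' or the thread's code.
Assumes the wrapper matches the basename of the inetd.conf server program."""

from typing import Dict, List, Tuple


def match_token(pattern: str, value: str) -> bool:
    """One hosts_access pattern against one daemon name or client name/address."""
    p = pattern.strip()
    if p == "ALL":
        return True
    if p == "LOCAL":                       # a name without a dot, as in hosts_access(5)
        return "." not in value
    if p.startswith("."):                  # .example.org matches host.example.org
        return value.lower().endswith(p.lower())
    if p.endswith("."):                    # 195.204.144. matches 195.204.144.39
        return value.startswith(p)
    return p.lower() == value.lower()


def match_list(spec: str, value: str) -> bool:
    """`list_1 EXCEPT list_2` matches list_1 unless list_2 also matches (nests rightward)."""
    head, _, tail = spec.partition(" EXCEPT ")
    matched = any(match_token(t, value) for t in head.replace(",", " ").split())
    if matched and tail:
        return not match_list(tail, value)
    return matched


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """(daemon_list, client_list) pairs; comments and any trailing option field are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        rules.append((daemons.strip(), rest.split(":")[0].strip()))
    return rules


def hosts_access(allow: str, deny: str, daemon: str, client: str) -> bool:
    """tcp_wrappers order: a hosts.allow match grants, then a hosts.deny match refuses, else grant."""
    for daemons, clients in parse_rules(allow):
        if match_list(daemons, daemon) and match_list(clients, client):
            return True
    for daemons, clients in parse_rules(deny):
        if match_list(daemons, daemon) and match_list(clients, client):
            return False
    return True


def daemon_names(inetd_conf: str) -> Dict[str, str]:
    """service -> name the wrapper sees: basename of the server program (6th field)."""
    names = {}
    for line in inetd_conf.splitlines():
        fields = line.split()
        if len(fields) >= 6 and not line.lstrip().startswith("#"):
            names[fields[0]] = fields[5].rsplit("/", 1)[-1]
    return names


def service_allowed(inetd_conf: str, allow: str, deny: str, service: str, client: str) -> bool:
    return hosts_access(allow, deny, daemon_names(inetd_conf)[service], client)


# Constructed inetd.conf: both services go through tcp-env, so both are "tcp-env" to libwrap.
INETD_SHARED = """\
smtp  stream  tcp  nowait  root  /usr/local/bin/tcp-env  tcp-env  /var/qmail/bin/qmail-smtpd
pop3  stream  tcp  nowait  root  /usr/local/bin/tcp-env  tcp-env  /var/qmail/bin/qmail-popup
"""
# After `ln /usr/local/bin/tcp-env /usr/local/bin/tcp-env-pop`: same binary, distinct name.
INETD_LINKED = """\
smtp  stream  tcp  nowait  root  /usr/local/bin/tcp-env      tcp-env      /var/qmail/bin/qmail-smtpd
pop3  stream  tcp  nowait  root  /usr/local/bin/tcp-env-pop  tcp-env-pop  /var/qmail/bin/qmail-popup
"""
HOSTS_ALLOW = """\
tcp-env      : ALL EXCEPT .spam.example     # SMTP stays open to the world
tcp-env-pop  : 195.204.144. , LOCAL         # POP3 only from our own network
"""
HOSTS_DENY = "ALL : ALL\n"


if __name__ == "__main__":
    for conf, label in ((INETD_SHARED, "shared name"), (INETD_LINKED, "linked name")):
        for service, client in (("smtp", "mx.far.example"), ("pop3", "mx.far.example"),
                                ("pop3", "195.204.144.39"), ("pop3", "wkst3")):
            verdict = service_allowed(conf, HOSTS_ALLOW, HOSTS_DENY, service, client)
            print(f"{label:11} {service:5} from {client:16} -> {'allow' if verdict else 'deny'}")
```

With the shared name, the `tcp-env : ALL` line written for SMTP also lets the whole world at POP3; with the link in place the POP3 service matches only its own line and everything else falls through to `ALL : ALL` in hosts.deny. Keep the deny-by-default line: without it an unmatched daemon name is allowed.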
From owner-freebsd-security Thu Jul 1 9:25:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from asteroid.svib.ru (asteroid.svib.ru [195.151.166.145]) by hub.freebsd.org (Postfix) with ESMTP id 6103115018 for ; Thu, 1 Jul 1999 09:25:30 -0700 (PDT) (envelope-from tarkhil@asteroid.svib.ru)
Received: from shuttle.svib.ru (shuttle.svib.ru [195.151.166.144]) by asteroid.svib.ru (8.9.3/8.9.3) with ESMTP id UAA06304 for ; Thu, 1 Jul 1999 20:25:27 +0400 (MSD) (envelope-from tarkhil@asteroid.svib.ru)
Received: from shuttle.svib.ru (minas-tirith.pol.ru [127.0.0.1]) by shuttle.svib.ru (8.9.3/8.8.8) with ESMTP id UAA06058 for ; Thu, 1 Jul 1999 20:29:11 +0400 (MSD) (envelope-from tarkhil@shuttle.svib.ru)
Message-Id: <199907011629.UAA06058@shuttle.svib.ru>
X-Mailer: exmh version 2.0.3
To: security@freebsd.org
Reply-To: tarkhil@asteroid.svib.ru
Subject: SSL-enabled pop3/imap
X-URL: http://freebsd.svib.ru
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 01 Jul 1999 20:29:09 +0400
From: Alex Povolotsky
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

I'm going to implement secure POP/IMAP connection, and I'm seeking advice. How do I rebuild pop-server to allow its usage via SSL only?

Alex.
--
Alexander B.
Povolotsky [ICQ 18277558] [2:5020/145] [http://freebsd.svib.ru] [tarkhil@asteroid.svib.ru]

From owner-freebsd-security Thu Jul 1 10:42:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pop.intrafish.no (pop.intrafish.no [195.204.144.43]) by hub.freebsd.org (Postfix) with SMTP id DA34A14CAA for ; Thu, 1 Jul 1999 10:42:30 -0700 (PDT) (envelope-from ros@intrafish.no)
Received: (qmail 29501 invoked from network); 1 Jul 1999 17:58:16 -0000
Received: from wkst3.intrafish.no (HELO wkst3) (195.204.144.39) by pop.intrafish.no with SMTP; 1 Jul 1999 17:58:16 -0000
Message-ID: <00c801bec3e9$0cbd9560$2790ccc3@intrafish.no>
From: "Roger Rabbit"
To: "David Pick"
Cc:
References:
Subject: SV: tcp wrappers
Date: Thu, 1 Jul 1999 19:42:11 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thnx a lot for the help guys. I got my hands on the tcpserver source and compiled it (I only had the precompiled package and it was a.out) ... works like a dream so tcp wrappers are of no interest anymore. :)

-Roger

----- Original Message -----
From: David Pick
To:
Sent: Thursday, July 01, 1999 7:32 PM
Subject: Re: tcp wrappers

>
> > > But I can't see tcpd anywhere, only tcpdcheck and so on. Why is this ?
> >
> > If you look at the inetd manpage, you'll see that it supports builtin
> > wrapping. You don't need tcpd.
>
> To be explicit - inetd is linked with the libwrap library so it's
> unnecessary to activate a separate program with the extra overheads
> that involves.
>
> > > What if I want to set up different access rules based on the protocol in
> > > use, not the program ?
> >
> > That's a limitation of hosts.allow. Short of creating a copy of the
> > daemon binary with a new name, you can't do what you want to with inetd
> > and TCP Wrappers.
>
> Actually, a separate copy is not necessary; a hard (or soft) link
> is sufficient to make the wrappers see a new name so different rules
> can be used.
>
> --
> David Pick

From owner-freebsd-security Thu Jul 1 12:12:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from unix1.digital-web.net (unix1.digital-web.net [216.65.27.2]) by hub.freebsd.org (Postfix) with ESMTP id BC22015336; Thu, 1 Jul 1999 12:12:38 -0700 (PDT) (envelope-from joseph@randomnetworks.com)
Received: from localhost (jmscott@localhost) by unix1.digital-web.net (8.9.3/8.9.3) with ESMTP id PAA50589; Thu, 1 Jul 1999 15:00:19 -0400 (EDT)
Date: Thu, 1 Jul 1999 15:00:18 -0400 (EDT)
From: Joseph Scott
X-Sender: jmscott@unix1.digital-web.net
Reply-To: Joseph Scott
To: cjclark@home.com
Cc: FreeBSD Questions , freebsd-security@FreeBSD.ORG
Subject: Re: SSH Working Like rsh
In-Reply-To: <199907010500.BAA17307@cc942873-a.ewndsr1.nj.home.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You may want to look at /usr/local/etc/sshd_config on the backup machine and take a look at turning

RhostAuthentication no

to

RhostAuthentication yes

It's been awhile, but I think that will tell ssh to pay attention to .rhosts files. Of course you'll want to make sure that your .rhosts files are set up very tightly.
Also you may want to look at using rsync instead of tar.

Thu, 1 Jul 1999, Crist J. Clark wrote:

> As in the past
> (http://www.freebsd.org/cgi/getmsg.cgi?fetch=3815870+3818463+/usr/local/www/db/text/1999/freebsd-questions/19990509.freebsd-questions),
> I seem to be having some trouble understanding the SSH manpages.
>
> I have two machines, lets call them hostA and hostB. hostA is a server
> and hostB is its backup. On a daily basis, I want to run a cron job
> on hostB that sucks up various files from hostA and then deposits them
> where they belong on hostB.
>
> Now, to me, the simple solution seemed to just use ssh (as I would
> have used rsh in past, simpler times), to do something like,
>
> ssh hostA "tar cf - $FILE_LIST" | tar xf -
>
> Where ssh runs a command on hostA and pipes the stdout over the net
> back to the stdin of a command on hostB.
>
> The ssh(1) manpage says,
>
> The second (and primary) authentication method is the
> rhosts or hosts.equiv method combined with RSA-based host
> authentication. It means that if the login would be per-
> mitted by .rhosts, .shosts, /etc/hosts.equiv, or
> /usr/local/etc/shosts.equiv, and additionally it can ver-
> ify the client's host key (see $HOME/.ssh/known_hosts and
> /usr/local/etc/ssh_known_hosts in the FILES section), only
> then login is permitted. This authentication method
> closes security holes due to IP spoofing, DNS spoofing and
> routing spoofing. [Note to the administrator:
> /etc/hosts.equiv, .rhosts, and the rlogin/rsh protocol in
> general, are inherently insecure and should be disabled if
> security is desired.]
>
> To me, it is saying that ssh should function like the rsh from the
> user's point of view. However, on hostA, I have placed hostB in the
> /etc/shost file, the user's .rhosts (root user), and made sure that
> the pub key for hostB is on hostA in /root/.ssh/known_hosts and
> /usr/local/etc/ssh_known_hosts, but I still get a request for a
> passphrase.
>
> How do I set up ssh so it can run a ssh like this from a cronjob? Is
> the solution to give root a null passphrased private key? However, the
> documentation has the scary statement about 'do not use null
> passphrases unless you know what you are doing.' I do not know enough
> about what I am doing to ignore that warning for a root account.
>
> Thanks for any pointers.
> --
> Crist J. Clark cjclark@home.com

Joseph Scott joseph@randomnetworks.com

From owner-freebsd-security Thu Jul 1 12:12:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.unacom.com (phoenix.unacom.com [206.113.48.50]) by hub.freebsd.org (Postfix) with SMTP id 1B82E15514 for ; Thu, 1 Jul 1999 12:12:28 -0700 (PDT) (envelope-from ethereal@phoenix.unacom.com)
Received: (qmail 39622 invoked by uid 1001); 1 Jul 1999 19:04:11 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Jul 1999 19:04:11 -0000
Date: Thu, 1 Jul 1999 15:04:11 -0400 (EDT)
From: Master Of Spirits
To: freebsd-security@FreeBSD.ORG
Subject: Tracking Root Users
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have found that the simplest way (which I use myself) is a few modifications to the shells themselves, and to syslog.conf. For the purposes of tracking commands used by uid 0, the shell script waits for su to send a confirmed su signal and then logs to a log file and continues to log all commands sent through the shell until su sends a termination signal. This bypasses syslog entirely save for the notification of failed or successful su attempts.
Minor adjustments could also pipe this feedback to a printer or external device, thus removing the possibility of hackers editing the logs themselves.

-= UNACOM System Admin =-

From owner-freebsd-security Thu Jul 1 13:36:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 53D4214E2A; Thu, 1 Jul 1999 13:36:47 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.8.8) id QAA19191; Thu, 1 Jul 1999 16:37:55 -0400 (EDT) (envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <199907012037.QAA19191@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: SSH Working Like rsh
In-Reply-To: from Robert Sowders at "Jul 1, 99 02:22:41 am"
To: rsowders@usgs.gov (Robert Sowders)
Date: Thu, 1 Jul 1999 16:37:55 -0400 (EDT)
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert Sowders wrote,

[snip some good step-by-step directions, but directions for stuff I personally had already figured out.]

> If you would like to do password less logins with
> RSA passphrase then you will need to do the
> following. Be aware that the scary statements
> about null passphrased private key are there for a
> good reason. If someone can steal your key or copy
> it then they will have root on the receiving machine
> with no questions asked, but to do this from any
> machine other than the one they stole it from is very
> difficult and again they would have to have a toehold
> on your machine to start with.
> So Caveat Emptor.
OK, I guess this is what I was really after. First, is RSA-based host authentication not better than old-fashioned rhosts authentication? Isn't it better to use this, even if I am going to have to go with null passphrases, than to use rhosts authentication within SSH (or gods forbid, using the actual rsh suite)?

Hmmm... Now that I think about it, there really is no reason for root to be able to ssh in from any other machine but that one (I typically ssh in with a mortal user and su to root when being interactive). Hmmm... How does an individual user tell the sshd configuration which hosts to allow access to this account? The ~/.ssh/authorized_keys lets people in, but it does not necessarily turn people away. I would like to be able to restrict what hosts can access root, but not put any restrictions on certain other users. If that is possible, it seems using the null passphrase would not be much of a risk (if it even is in the first place).

Thanks a lot for the very complete reply.
--
Crist J. Clark cjclark@home.com
From owner-freebsd-security Thu Jul 1 15:00:32 1999
From: "Bill Fink"
Date: Thu, 1 Jul 1999 18:00:28 -0400

When I display our 'arp table' (i.e. %> arp -a )

This is an entry - this looks strange to me:

6x.6x.2xx.255 ff:ff:ff:ff:ff:ff UHLWb 3 192 ed0

Any help.
From owner-freebsd-security Thu Jul 1 15:12:02 1999
From: Snob Art Genre
To: Bill Fink
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 1 Jul 1999 18:01:55 -0400 (EDT)
Subject: Re: your mail

On Thu, 1 Jul 1999, Bill Fink wrote:

> When I display our 'arp table' (i.e. %> arp -a )
>
> This is an entry - this looks strange to me:
>
> 6x.6x.2xx.255 ff:ff:ff:ff:ff:ff UHLWb 3 192 ed0

That's the broadcast address for your LAN. Nothing to worry about.

--
Ben

"The world is conspiring in your favor."
-- de la Vega
From owner-freebsd-security Thu Jul 1 15:19:54 1999
From: "Bill Fink"
To: "Snob Art Genre"
Date: Thu, 1 Jul 1999 18:19:49 -0400
Subject: RE: your mail

Thanks. (And whoops - that's actually the result of the 'netstat -r'.)

What's worrying us is the fact that we always receive a 'broken pipe' when we are backing up from that machine to another. (As if the NIC was defective - or someone's playing around.)

Bill

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Snob Art Genre
> Sent: Thursday, July 01, 1999 6:02 PM
> To: Bill Fink
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: your mail
>
>
> On Thu, 1 Jul 1999, Bill Fink wrote:
>
> > When I display our 'arp table' (i.e. %> arp -a )
> >
> > This is an entry - this looks strange to me:
> >
> > 6x.6x.2xx.255 ff:ff:ff:ff:ff:ff UHLWb 3 192 ed0
>
> That's the broadcast address for your LAN. Nothing to worry about.
>
> --
> Ben
>
> "The world is conspiring in your favor."
> -- de la Vega
From owner-freebsd-security Thu Jul 1 15:59:59 1999
From: John Baldwin
To: cjclark@home.com
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, (Robert Sowders)
Date: Thu, 01 Jul 1999 18:59:39 -0400 (EDT)
Subject: Re: SSH Working Like rsh
Message-Id: <199907012259.SAA17933@smtp3.erols.com>
In-Reply-To: <199907012037.QAA19191@cc942873-a.ewndsr1.nj.home.com>

On 01-Jul-99 Crist J. Clark wrote:
> Robert Sowders wrote,
>
> [snip some good step-by-step directions, but directions for stuff I
> personally had already figured out.]
>
>> If you would like to do password less logins with
>> RSA passphrase then you will need to do the
>> following. Be aware that the scary statements
>> about null passphrased private key are there for a
>> good reason. If someone can steal your key or copy
>> it then they will have root on the receiving machine
>> with no questions asked, but to do this from any
>> machine other than the one they stole it from is very
>> difficult and again they would have to have a toehold
>> on your machine to start with.
>> So Caveat Emptor.
>
> OK, I guess this is what I was really after. First, is RSA-based host
> authentication not better than old-fashioned rhosts authentication?
> Isn't it better to use this, even if I am going to have to go with
> null-passphrases, than to use rhosts authentication within SSH (or
> gods forbid, using the actual rsh suite).
>
> Hmmm... Now that I think about it, there really is no reason for root
> to be able to ssh in from any other machine but that one (I typically
> ssh in with a mortal user and su to root when being
> interactive). Hmmm... How does an individual user tell the sshd
> configuration which hosts to allow access to this account? The
> ~/.ssh/authorized_keys lets people in, but it does not necessarily turn
> people away. I would like to be able to restrict what hosts can access
> root, but not put any restrictions on certain other users. If that is
> possible, it seems using the null-passphrase would not be much of a
> risk (if it even is in the first place).

Check the sshd manpage. You can add options to each key listed in authorized_keys, including which hosts are allowed to use it and even to restrict it to a certain command. If you are only going to be running one command with this key, then take a look at that option. That way, if someone gets your host key, the only thing they can do is run that one command. This may still be bad, but it's not the same as having a root shell on your box.

---
John Baldwin -- http://members.freedomnet.com/~jbaldwin/
PGP Key: http://members.freedomnet.com/~jbaldwin/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.freebsd.org
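Added example, not code from the thread or from sshd itself: a small sh audit that lists the authorized_keys entries lacking the from= or command= options Baldwin describes, so a root key meant for one cron job can be checked for the restrictions it should carry before it goes live. The file path, key material and hostnames are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): audit an authorized_keys file for keys
# that carry neither the from= nor the command= restriction, so an unattended
# root key can be checked before it is installed.
#
# An sshd(8) authorized_keys line has the shape
#     [options] keytype base64-key [comment]        (SSH2 keys)
#     [options] bits exponent modulus [comment]     (SSH1 keys)
# where options is a comma-separated list, e.g.
#     from="backup.example.net",command="/usr/local/sbin/dump-backup"
# A key with no options can be used from any host to get a full shell.

# Print the option list of one authorized_keys line (empty if none).
key_options() {
    line=$1
    case "$line" in
        ssh-*|ecdsa-*|[0-9]*) printf '' ;;        # line starts with the key itself
        *) printf '%s\n' "$line" |
               sed -E 's/ +(ssh-[a-z0-9-]+|ecdsa-[a-z0-9-]+|[0-9]+ [0-9]+ [0-9]+)( .*)?$//' ;;
    esac
}

# Print "<lineno> missing:<from|command|from,command>" for each key that
# lacks one of the two restrictions; blank lines and comments are skipped.
audit_authorized_keys() {
    file=$1
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        opts=$(key_options "$line")
        missing=''
        # Only the option list is inspected, so a "from=" in the key comment
        # does not count as a restriction.
        case "$opts" in *from=\"*) ;; *) missing=from ;; esac
        case "$opts" in *command=\"*) ;; *) missing="${missing:+$missing,}command" ;; esac
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$lineno" "$missing"
        fi
    done < "$file"
}

# Write a constructed sample file (the key blobs are placeholders, not keys).
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# root's authorized_keys (constructed sample)
from="backup.example.net",command="/usr/local/sbin/dump-backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructed= backup@backup.example.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed= crist@laptop
from="*.example.net" ssh-dss AAAAB3NzaC1kc3MAAACconstructed= admin@example.net
command="/usr/local/bin/uptime" 1024 35 1234567890123456789 old-ssh1-key
EOF
}

sample=$(mktemp)
write_sample_authorized_keys "$sample"
audit_authorized_keys "$sample"     # reports lines 3, 4 and 5 and what each lacks
rm -f "$sample"
```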
From owner-freebsd-security Thu Jul 1 22:28:17 1999
From: Wes Peters
Organization: Softweyr LLC
To: Bill Fink
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 01 Jul 1999 23:27:26 -0600
Subject: Re:
Message-Id: <377C4DBE.A9C326DF@softweyr.com>

Bill Fink wrote:
>
> When I display our 'arp table' (i.e. %> arp -a )
>
> This is an entry - this looks strange to me:
>
> 6x.6x.2xx.255 ff:ff:ff:ff:ff:ff UHLWb 3 192 ed0
>
> Any help.

Somebody's been playing with your local broadcast address. It's probably nothing to worry about.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC http://softweyr.com/ wes@softweyr.com
From owner-freebsd-security Thu Jul 1 23:22:33 1999
From: rafal.sliwinski@daewoo.lublin.pl
To: Alex Povolotsky
Cc: security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 08:22:31 +0200 (CEST)
Subject: Re: SSL-enabled pop3/imap
In-Reply-To: <199907011629.UAA06058@shuttle.svib.ru>

On Thu, 1 Jul 1999, Alex Povolotsky wrote:

> Hello!
>
> I'm going to implement secure POP/IMAP connection, and I'm seeking advice.
>
> How do I rebuild pop-server to allow its usage via SSL only?
>
> Alex.
> --
> Alexander B. Povolotsky [ICQ 18277558]
> [2:5020/145] [http://freebsd.svib.ru] [tarkhil@asteroid.svib.ru]
>

Try SSLeay + sslwrap before you start other modifications...

--
Regards,
Rafal Sliwinski
From owner-freebsd-security Fri Jul 2 1:59:15 1999
From: Josef Karthauser
To: Snob Art Genre
Cc: Bill Fink, freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 09:58:58 +0100
Subject: Re: your mail
Message-ID: <19990702095858.V69050@pavilion.net>

On Thu, Jul 01, 1999 at 06:01:55PM -0400, Snob Art Genre wrote:
> On Thu, 1 Jul 1999, Bill Fink wrote:
>
> > When I display our 'arp table' (i.e. %> arp -a )
> >
> > This is an entry - this looks strange to me:
> >
> > 6x.6x.2xx.255 ff:ff:ff:ff:ff:ff UHLWb 3 192 ed0
>
> That's the broadcast address for your LAN. Nothing to worry about.

As an associated thing can anyone think of an easy way of ignoring traffic coming from a particular MAC address on the network? I've got a user who keeps changing their IP address to get around the fact that I've restricted traffic to that address.

Joe
--
Josef Karthauser FreeBSD: How many times have you booted today?
Technical Manager Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc. [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]
From owner-freebsd-security Fri Jul 2 2:24:11 1999
From: Dag-Erling Smorgrav
To: Josef Karthauser
Cc: Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Date: 02 Jul 1999 11:24:04 +0200
Subject: Re: your mail
References: <19990702095858.V69050@pavilion.net>
In-Reply-To: Josef Karthauser's message of "Fri, 2 Jul 1999 09:58:58 +0100"

Josef Karthauser writes:
> As an associated thing can anyone think of an easy way of ignoring traffic
> coming from a particular MAC address on the network? I've got a user who
> keeps changing their IP address to get around the fact that I've restricted
> traffic to that address.

So terminate him.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no
From owner-freebsd-security Fri Jul 2 2:42:47 1999
From: Josef Karthauser
To: Dag-Erling Smorgrav
Cc: Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 10:42:40 +0100
Subject: Re: your mail
Message-ID: <19990702104239.X69050@pavilion.net>
References: <19990702095858.V69050@pavilion.net>

On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling Smorgrav wrote:
> Josef Karthauser writes:
> > As an associated thing can anyone think of an easy way of ignoring traffic
> > coming from a particular MAC address on the network? I've got a user who
> > keeps changing their IP address to get around the fact that I've restricted
> > traffic to that address.
>
> So terminate him.

Ah, if only life were that simple ;) There are laws against that kind of thing :o).

He's on a local area network that I'm part of. I provide routed access to the internet, but he's allowed access to the network to connect to other users (this is at home, not at work - he rents a room from me.)
The problem is that he's running Internet Explorer 5 in stupid "go on line for no reason at all" mode and until he's either un-installed it, or fixed the problem I've told him that I'm shutting down his internet access. That said he's been a naughty boy and changed his IP address a couple of times to other people's. He thinks that I don't know, but of course I've got changing ARP addresses. What I'd like to do now is ignore his MAC address on the server instead to get around this. (I could disconnect him from the network but that's harder to police.)

Joe
--
Josef Karthauser FreeBSD: How many times have you booted today?
Technical Manager Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc. [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Fri Jul 2 3:10:41 1999
To: Josef Karthauser
Cc: Dag-Erling Smorgrav, Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Subject: Re: your mail
Message-Id: <199907021005.MAA08755@bowtie.nl>
In-reply-to: joe's message of Fri, 02 Jul 1999 10:42:40 +0100.
  <19990702104239.X69050@pavilion.net>
Date: Fri, 02 Jul 1999 12:05:12 +0200
From: Marc van Kempen

> On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling Smorgrav wrote:
> > Josef Karthauser writes:
> > > As an associated thing can anyone think of an easy way of ignoring traffic
> > > coming from a particular MAC address on the network? I've got a user who
> > > keeps changing their IP address to get around the fact that I've restricted
> > > traffic to that address.
> >
> > So terminate him.
>
> Ah, if only life were that simple ;) There are laws against that kind of
> thing :o).
>
> He's on a local area network that I'm part of. I provide routed access to
> the internet, but he's allowed access to the network to connect to other
> users (this is at home, not at work - he rents a room from me.) The problem
> is that he's running Internet Explorer 5 in stupid "go on line for no reason
> at all" mode and until he's either un-installed it, or fixed the problem
> I've told him that I'm shutting down his internet access. That said he's
> been a naughty boy and changed his IP address a couple of times to other
> people's. He thinks that I don't know, but of course I've got changing
> ARP addresses. What I'd like to do now is ignore his MAC address on the
> server instead to get around this. (I could disconnect him from the network
> but that's harder to police.)
>

Write a little script that inserts/deletes ipfw entries based on the output of arp -a. If you find his MAC address in the list, then add the corresponding ipnr to your firewall rules, if not, delete it again. Now run this script every minute (or so) and he should effectively lose access :-)

Regards,
Marc.
----------------------------------------------------
Marc van Kempen                 BowTie Technology
Email: marc@bowtie.nl           WWW & Databases
tel. +31 40 2 43 20 65
fax. +31 40 2 44 21 86
http://www.bowtie.nl
----------------------------------------------------
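Marc's polling approach as an added example (not his script or any project's code): read `arp -a`, find the IP addresses currently held by the offending MAC, and print the ipfw add/delete commands that bring the deny rules in line with the ARP table. The ARP output, MAC, addresses and the 1000-1999 rule range are constructed; the block prints the commands instead of running ipfw, so it can be reviewed before being piped to sh from cron.

```sh
#!/bin/sh
# Added example (not from the thread): keep ipfw deny rules in step with
# whatever IP address a given MAC currently holds in the ARP table.
# Only prints the ipfw commands; all sample data below is constructed.

BLOCK_BASE=1000   # deny rules for the offending MAC live in 1000-1999

# Normalise a MAC so "00:50:BA:DE:AD:01" and arp(8)'s "0:50:ba:de:ad:1"
# compare equal (old FreeBSD arp prints octets without leading zeros).
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed -E 's/(^|:)0([0-9a-f])/\1\2/g'
}

# Read `arp -a` output on stdin and print every IP address mapped to MAC $1.
# Lines look like:  host (192.168.1.9) at 0:50:ba:de:ad:1 [ethernet]
ips_for_mac() {
    want=$(norm_mac "$1")
    while read -r _host ip _at mac _rest; do
        case "$ip" in \(*\)) ;; *) continue ;; esac    # not an ARP entry
        [ "$mac" = "(incomplete)" ] && continue
        if [ "$(norm_mac "$mac")" = "$want" ]; then
            ip=${ip#\(}
            printf '%s\n' "${ip%\)}"
        fi
    done
    return 0
}

# True if some line of text $1 has field number $2 exactly equal to $3.
has_field() {
    printf '%s\n' "$1" | awk -v f="$2" -v v="$3" '$f == v { found = 1 } END { exit !found }'
}

# Lowest rule number in the block range not already used in state text $1.
next_rule_number() {
    n=$BLOCK_BASE
    while has_field "$1" 2 "$n"; do n=$((n + 1)); done
    printf '%s\n' "$n"
}

# ipfw_sync_commands MAC ARPFILE STATEFILE
# STATEFILE holds one "ip rulenum" line per deny rule currently installed.
# Prints "ipfw delete" for IPs the MAC no longer uses and "ipfw add" for
# IPs it has moved to, then rewrites STATEFILE. An unchanged ARP table
# produces no output, so the script is safe to run every minute.
ipfw_sync_commands() {
    mac=$1 arpfile=$2 state=$3
    seen=$(ips_for_mac "$mac" < "$arpfile")
    [ -f "$state" ] || : > "$state"
    newstate=''
    while read -r ip num; do
        [ -n "$ip" ] || continue
        if has_field "$seen" 1 "$ip"; then
            newstate="$newstate$ip $num
"
        else
            printf 'ipfw delete %s\n' "$num"
        fi
    done < "$state"
    for ip in $seen; do
        if ! has_field "$newstate" 1 "$ip"; then
            num=$(next_rule_number "$newstate")
            printf 'ipfw add %s deny ip from %s to any\n' "$num" "$ip"
            newstate="$newstate$ip $num
"
        fi
    done
    printf '%s' "$newstate" > "$state"
    return 0
}

# Constructed `arp -a` output: gateway, file server, the offender (now on .9)
# and an unresolved entry.
write_sample_arp() {
    cat > "$1" <<'EOF'
gw.home.example.net (192.168.1.1) at 0:a0:c9:11:22:33 permanent [ethernet]
fileserver.home.example.net (192.168.1.5) at 0:10:4b:aa:bb:cc [ethernet]
? (192.168.1.9) at 0:50:ba:de:ad:1 [ethernet]
? (192.168.1.20) at (incomplete)
EOF
}

arpf=$(mktemp) statef=$(mktemp)
write_sample_arp "$arpf"
echo '192.168.1.7 1000' > "$statef"     # he was blocked at .7 on the last run
ipfw_sync_commands '00:50:BA:DE:AD:01' "$arpf" "$statef"   # delete 1000, then add 1000 for .9
rm -f "$arpf" "$statef"
```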
From owner-freebsd-security Fri Jul 2 3:12:30 1999
From: Cliff Skolnick
To: Josef Karthauser
Cc: Dag-Erling Smorgrav, Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 03:10:47 -0700 (PDT)
Subject: Re: your mail
In-Reply-To: <19990702104239.X69050@pavilion.net>

Add permanent, static arp entries for all your legit mac/ip combos, then disable arp on your gateway. You can disable arp with a "-arp" on the ifconfig line according to the man page. This should keep him busy, of course I would just swap ethernet cards with another user in the house...never mind.

Cliff

On Fri, 2 Jul 1999, Josef Karthauser wrote:

> On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling Smorgrav wrote:
> > Josef Karthauser writes:
> > > As an associated thing can anyone think of an easy way of ignoring traffic
> > > coming from a particular MAC address on the network? I've got a user who
> > > keeps changing their IP address to get around the fact that I've restricted
> > > traffic to that address.
> >
> > So terminate him.
>
> Ah, if only life were that simple ;) There are laws against that kind of
> thing :o).
>
> He's on a local area network that I'm part of. I provide routed access to
> the internet, but he's allowed access to the network to connect to other
> users (this is at home, not at work - he rents a room from me.) The problem
> is that he's running Internet Explorer 5 in stupid "go on line for no reason
> at all" mode and until he's either un-installed it, or fixed the problem
> I've told him that I'm shutting down his internet access. That said he's
> been a naughty boy and changed his IP address a couple of times to other
> people's. He thinks that I don't know, but of course I've got changing
> ARP addresses. What I'd like to do now is ignore his MAC address on the
> server instead to get around this. (I could disconnect him from the network
> but that's harder to police.)
>
> Joe
> --
> Josef Karthauser FreeBSD: How many times have you booted today?
> Technical Manager Viagra for your server (http://www.uk.freebsd.org)
> Pavilion Internet plc. [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]
>

--
Cliff Skolnick           | "They that can give up essential liberty to obtain
Steam Tunnel Operations  | a little temporary safety deserve neither liberty
cliff@steam.com          | nor safety."
http://www.steam.com/    |     -- Benjamin Franklin, 1759
From owner-freebsd-security Fri Jul 2 3:20:05 1999
From: Josef Karthauser
To: Cliff Skolnick
Cc: Dag-Erling Smorgrav, Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 11:19:53 +0100
Subject: Re: your mail
Message-ID: <19990702111953.Z69050@pavilion.net>
References: <19990702104239.X69050@pavilion.net>

On Fri, Jul 02, 1999 at 03:10:47AM -0700, Cliff Skolnick wrote:
>
> Add permanent, static arp entries for all your legit mac/ip combos, then
> disable arp on your gateway. You can disable arp with a "-arp" on the
> ifconfig line according to the man page. This should keep him busy, of
> course I would just swap ethernet cards with another user in the
> house...never mind.
>
> Cliff

Ahha, That's the cookie. Thanks :)

Joe
--
Josef Karthauser FreeBSD: How many times have you booted today?
Technical Manager Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc. [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]
From owner-freebsd-security Fri Jul 2 3:25:16 1999
From: David Pick
To: Josef Karthauser
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 02 Jul 1999 11:24:58 +0100
Subject: Re: your mail
In-reply-to: Your message of "Fri, 02 Jul 1999 10:42:40 BST." <19990702104239.X69050@pavilion.net>

> On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling Smorgrav wrote:
>
> Ah, if only life were that simple ;) There are laws against that kind of
> thing :o).
>
> He's on a local area network that I'm part of. I provide routed access to
> the internet, but he's allowed access to the network to connect to other
> users (this is at home, not at work - he rents a room from me.) The problem
> is that he's running Internet Explorer 5 in stupid "go on line for no reason
> at all" mode and until he's either un-installed it, or fixed the problem
> I've told him that I'm shutting down his internet access. That said he's
> been a naughty boy and changed his IP address a couple of times to other
> people's. He thinks that I don't know, but of course I've got changing
> ARP addresses.
> What I'd like to do now is ignore his MAC address on the
> server instead to get around this. (I could disconnect him from the network
> but that's harder to police.)

1) Use "arpwatch" to watch for ARP packets containing his MAC address
2) Use the "ipfw" or "ipfilter" options in your kernel
3) Catch the log entries from "arpwatch" and use them to dynamically
   update the filter lists in your kernel to block whichever IP address
   he's using at the time.

--
David Pick

From owner-freebsd-security Fri Jul 2 3:29:30 1999
From: Dag-Erling Smorgrav
To: Josef Karthauser
Cc: Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Date: 02 Jul 1999 12:29:22 +0200
Subject: Re: your mail
References: <19990702095858.V69050@pavilion.net> <19990702104239.X69050@pavilion.net>
In-Reply-To: Josef Karthauser's message of "Fri, 2 Jul 1999 10:42:40 +0100"

Josef Karthauser writes:
> On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling Smorgrav wrote:
> > Josef Karthauser writes:
> > > As an associated thing can anyone think of an easy way of ignoring traffic
> > > coming from a particular MAC address on the network? I've got a user who
> > > keeps changing their IP address to get around the fact that I've restricted
> > > traffic to that address.
> > So terminate him.
> [...]
> (I could disconnect him from the network
> but that's harder to police.)

So disconnect him from the network. It's your network. You set the rules. He breaks the rules, he loses access. Anything short of that is an invitation for him to try and circumvent your measures.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Fri Jul 2 3:45:59 1999
From: Ben Gras
To: avalon@coombs.anu.edu.au (Darren Reed)
Cc: freebsd-security@freebsd.org
Date: Fri, 2 Jul 1999 12:45:44 +0200 (CEST)
Subject: Re: how to keep track of root users?
Message-Id: <199907021045.MAA25609@support.euronet.nl>
In-Reply-To: <199907011413.AAA02422@cheops.anu.edu.au> from Darren Reed at "Jul 2, 99 00:13:56 am"

All,

> Process accounting provides information for what it was intended to do.
> Attempting to use that information for different purposes is going to
> lead you down the garden path. Process accounting is still useful, in
> its current form, so `fixing' it is not the right thing to do.
That was pretty much my point, yes :)

=Ben

From owner-freebsd-security Fri Jul 2 4:07:51 1999
From: sen_ml@eccosys.com
To: freebsd-security@FreeBSD.ORG
Date: Fri, 02 Jul 1999 20:04:25 +0900
Subject: Re: your mail
Message-Id: <19990702200425T.sen_ml@eccosys.com>
In-Reply-To: Your message of "Fri, 2 Jul 1999 10:42:40 +0100" <19990702104239.X69050@pavilion.net>

At around Fri, 2 Jul 1999 10:42:40 +0100, Josef Karthauser may have mentioned:

> On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling Smorgrav wrote:
> > Josef Karthauser writes:
> > > As an associated thing can anyone think of an easy way of ignoring traffic
> > > coming from a particular MAC address on the network? I've got a user who
> > > keeps changing their IP address to get around the fact that I've restricted
> > > traffic to that address.
> >
> > So terminate him.
>
> Ah, if only life were that simple ;) There are laws against that kind of
> thing :o).

it sounds like what you have is a problem that is more non-technical than technical. i think a non-technical solution to this problem is what might be most effective.
trying to ignore traffic from a particular mac address might work temporarily until the person gets a new network card or figures out how to change the mac address a network stack uses (haven't seen this done under win, but it's certainly possible under various un*x systems...)

From owner-freebsd-security Fri Jul 2 7:40:54 1999
From: "Justin Wolf"
Date: Fri, 2 Jul 1999 07:30:54 -0700
Subject: RE: your mail
In-Reply-To: <19990702200425T.sen_ml@eccosys.com>

> On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling Smorgrav wrote:
> > Josef Karthauser writes:
> > > As an associated thing can anyone think of an easy way of ignoring traffic
> > > coming from a particular MAC address on the network? I've got a user who
> > > keeps changing their IP address to get around the fact that I've restricted
> > > traffic to that address.
> >
> > So terminate him.
>
> Ah, if only life were that simple ;) There are laws against that kind of
> thing :o).

If you have a Cisco router you can do a MAC based access list.
If you don't, then one of the other methods should kludge it up ok.

-Justin

From owner-freebsd-security Fri Jul 2 7:42:52 1999
From: Josef Karthauser
To: Justin Wolf
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 15:42:34 +0100
Subject: Re: your mail
Message-ID: <19990702154234.C69050@pavilion.net>
In-Reply-To: from Justin Wolf on Fri, Jul 02, 1999 at 07:30:54AM -0700

On Fri, Jul 02, 1999 at 07:30:54AM -0700, Justin Wolf wrote:
> > On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling Smorgrav wrote:
> > > Josef Karthauser writes:
> > > > As an associated thing can anyone think of an easy way of ignoring traffic
> > > > coming from a particular MAC address on the network? I've got a user who
> > > > keeps changing their IP address to get around the fact that I've restricted
> > > > traffic to that address.
> > >
> > > So terminate him.
> >
> > Ah, if only life were that simple ;) There are laws against that kind of
> > thing :o).
>
> If you have a Cisco router you can do a MAC based access list.
> If you don't, then one of the other methods should kludge it up ok.

Cisco? What's that? *Spit* :)

--
Josef Karthauser        FreeBSD: How many times have you booted today?
Technical Manager       Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.  [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Fri Jul 2 8:07:26 1999
From: James Wyatt
To: Josef Karthauser
Cc: Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 09:51:41 -0500 (CDT)
Subject: Big MAC attack (was Re: your mail)
In-Reply-To: <19990702095858.V69050@pavilion.net>

On Fri, 2 Jul 1999, Josef Karthauser wrote:
> On Thu, Jul 01, 1999 at 06:01:55PM -0400, Snob Art Genre wrote:
[ ... ]
> As an associated thing can anyone think of an easy way of ignoring traffic
> coming from a particular MAC address on the network? I've got a user who
> keeps changing their IP address to get around the fact that I've restricted
> traffic to that address.

If you are on the same segment with this joker, arpwatch (or tcpdump w/right options) can help you document or torture them.
I usually have enough management support that a list of such behavior and a short interpretation after the user has received an email warning CC'd to their manager will get them 'smacked'. If I can show impact to other users' work (and our time) when address collisions occur, all the better.

It might be fun to have arpwatch (or a cron job that just reviews the ARP table) feed updates to a script that would arp for the address they used to a local interface... 8{) I'm usually allowed to play with users like this under the guise of 'enhancing security against ARP attacks.' - Jy@

From owner-freebsd-security Fri Jul 2 8:08:01 1999
From: James Wyatt
To: Josef Karthauser
Cc: Dag-Erling Smorgrav, Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 10:01:37 -0500 (CDT)
Subject: Re: your mail
In-Reply-To: <19990702104239.X69050@pavilion.net>

On Fri, 2 Jul 1999, Josef Karthauser wrote:
[ ... ]
> He's on a local area network that I'm part of. I provide routed access to
> the internet, but he's allowed access to the network to connect to other
> users (this is at home, not at work - he rents a room from me.)
> The problem
> is that he's running Internet Explorer 5 in stupid "go on line for no reason
> at all" mode and until he's either un-installed it, or fixed the problem
> I've told him that I'm shutting down his internet access. That said he's
> been a naughty boy and changed his IP address a couple of times to other
> people's. He thinks that I don't know, but of course I've got changing
> ARP addresses. What I'd like to do now is ignore his MAC address on the
> server instead to get around this. (I could disconnect him from the network
> but that's harder to police.)

Ah, much better detail. He can be your toy, then! Nothing quite like flood-pinging a WinBox on a local segment!

Could you proxy&cache the requests to reduce actual net traffic?

You can also hardwire your ARP table for the other users' addresses and flush non-perm entries frequently... - Jy@

From owner-freebsd-security Fri Jul 2 8:23:59 1999
From: Narvi
To: sen_ml@eccosys.com
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 18:23:46 +0300 (EEST)
Subject: Re: your mail
In-Reply-To: <19990702200425T.sen_ml@eccosys.com>

On Fri, 2 Jul 1999 sen_ml@eccosys.com wrote:
> At around Fri, 2 Jul 1999 10:42:40 +0100,
> Josef Karthauser may have mentioned:
>
> > On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling
> > Smorgrav wrote:
> > > Josef Karthauser writes:
> > > > As an associated thing can anyone think of an easy way of ignoring traffic
> > > > coming from a particular MAC address on the network? I've got a user who
> > > > keeps changing their IP address to get around the fact that I've restricted
> > > > traffic to that address.
> > >
> > > So terminate him.
> >
> > Ah, if only life were that simple ;) There are laws against that kind of
> > thing :o).
>
> it sounds like what you have is a problem that is more non-technical
> than technical. i think a non-technical solution to this problem
> is what might be most effective.
>
> trying to ignore traffic from a particular mac address might work
> temporarily until the person gets a new network card or figures out
> how to change the mac address a network stack uses (haven't seen this
> done under win, but it's certainly possible under various un*x
> systems...)
>

Various nic drivers allow you to do this under win*.

Sander

There is no love, no good, no happiness and no future - all these are just illusions.
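James Wyatt's idea earlier in this thread, a cron job that simply reviews the ARP table, can be made concrete as a small check. The script below is an added example and not code from any post here; it assumes FreeBSD-style `arp -an` output of the form `? (ip) at mac ...` (shown in a constructed sample) plus a hand-kept table of which MAC each address was handed to, and it reports a MAC holding several addresses, a known address answering from someone else's MAC, and addresses nobody was assigned. As the quoted post notes, the check sees nothing once the user changes the MAC as well.

```python
"""Review an ARP table for one card answering for several IP addresses.

Added example, not code from this thread. Assumes FreeBSD-style
`arp -an` output (`? (10.0.0.5) at 0:a0:c9:11:22:33 ...`); whatever
follows the MAC (permanent, interface name) varies by release and is ignored.
"""
import re
import subprocess
from collections import defaultdict

# One resolved entry per line: "<host> (<ip>) at <mac> ..."; unresolved
# entries print "(incomplete)" where the MAC would be.
ARP_ENTRY = re.compile(
    r"\S+\s+\((?P<ip>\d+(?:\.\d+){3})\)\s+at\s+(?P<mac>[0-9A-Fa-f:]+|\(incomplete\))"
)

BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac):
    """arp(8) prints octets without zero padding ("0:a0:..."); pad and lower-case."""
    return ":".join(octet.lower().zfill(2) for octet in mac.split(":"))


def parse_arp(text):
    """Return [(ip, mac)] for resolved, non-broadcast entries of `arp -an` output."""
    entries = []
    for line in text.splitlines():
        m = ARP_ENTRY.search(line)
        if m is None or m.group("mac") == "(incomplete)":
            continue
        mac = normalize_mac(m.group("mac"))
        if mac == BROADCAST:  # the LAN broadcast entry is normal, as noted in this thread
            continue
        entries.append((m.group("ip"), mac))
    return entries


def review(entries, expected):
    """Compare (ip, mac) pairs against the expected ip -> mac assignments.

    Returns three findings:
      multi_ip : MACs currently holding more than one address
      hijacked : known addresses answering from a MAC other than their owner's
      unknown  : addresses present in the table that were never assigned
    """
    by_mac = defaultdict(set)
    hijacked, unknown = {}, {}
    for ip, mac in entries:
        by_mac[mac].add(ip)
        if ip not in expected:
            unknown[ip] = mac
        elif expected[ip] != mac:
            hijacked[ip] = (expected[ip], mac)
    multi_ip = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"multi_ip": multi_ip, "hijacked": hijacked, "unknown": unknown}


# Constructed sample: the tenant's card (00:60:97:aa:bb:cc) shows up on its
# own address (.10), on Bob's address (.11) and on an unassigned one (.50).
SAMPLE_ARP = """\
? (192.168.1.1) at 0:a0:c9:11:22:33 permanent
? (192.168.1.10) at 0:60:97:aa:bb:cc
? (192.168.1.11) at 0:60:97:aa:bb:cc
? (192.168.1.12) at 0:10:5a:44:55:66
? (192.168.1.13) at (incomplete)
? (192.168.1.50) at 0:60:97:aa:bb:cc
? (192.168.1.255) at ff:ff:ff:ff:ff:ff
"""

# Constructed assignments: what the admin actually handed out.
EXPECTED = {
    "192.168.1.1": "00:a0:c9:11:22:33",   # the server itself
    "192.168.1.10": "00:60:97:aa:bb:cc",  # the tenant
    "192.168.1.11": "00:c0:4f:77:88:99",  # Bob
    "192.168.1.12": "00:10:5a:44:55:66",  # Alice
}


def review_sample():
    """Run the check over the constructed sample."""
    return review(parse_arp(SAMPLE_ARP), EXPECTED)


def review_live(expected):
    """Run the check over the real table; from cron, mail the output when it is non-empty."""
    out = subprocess.run(["arp", "-an"], capture_output=True, text=True, check=True).stdout
    return review(parse_arp(out), expected)


if __name__ == "__main__":
    for kind, items in review_sample().items():
        for key in sorted(items):
            print(f"{kind}: {key} -> {items[key]}")
```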
From owner-freebsd-security Fri Jul 2 8:36:03 1999
From: Wes Peters
Organization: Softweyr LLC
To: Josef Karthauser
Cc: Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Date: Fri, 02 Jul 1999 09:35:39 -0600
Subject: Re: your mail
Message-ID: <377CDC4B.61477762@softweyr.com>
References: <19990702095858.V69050@pavilion.net>

Josef Karthauser wrote:
>
> On Thu, Jul 01, 1999 at 06:01:55PM -0400, Snob Art Genre wrote:
> > On Thu, 1 Jul 1999, Bill Fink wrote:
> >
> > > When I display our 'arp table' (i.e. %> arp -a )
> > >
> > > This is an entry - this looks strange to me:
> > >
> > > 6x.6x.2xx.255 ff:ff:ff:ff:ff:ff UHLWb 3 192 ed0
> >
> > That's the broadcast address for your LAN. Nothing to worry about.
>
> As an associated thing can anyone think of an easy way of ignoring traffic
> coming from a particular MAC address on the network? I've got a user who
> keeps changing their IP address to get around the fact that I've restricted
> traffic to that address.

Hardwire an ARP entry for him that points to an IP address you block. See arp(8) and arp -S.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                         Softweyr LLC
http://softweyr.com/                                          wes@softweyr.com

From owner-freebsd-security Fri Jul 2 8:42:54 1999
From: "Rodney W. Grimes"
To: joe@pavilion.net (Josef Karthauser)
Cc: des@flood.ping.uio.no (Dag-Erling Smorgrav), ben@narcissus.net (Snob Art Genre), bill@billfink.com (Bill Fink), freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 08:41:53 -0700 (PDT)
Subject: Re: your mail
Message-Id: <199907021541.IAA22509@gndrsh.aac.dev.com>
In-Reply-To: <19990702104239.X69050@pavilion.net> from Josef Karthauser at "Jul 2, 1999 10:42:40 am"

> On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling Smorgrav wrote:
> > Josef Karthauser writes:
> > > As an associated thing can anyone think of an easy way of ignoring traffic
> > > coming from a particular MAC address on the network? I've got a user who
> > > keeps changing their IP address to get around the fact that I've restricted
> > > traffic to that address.
> >
> > So terminate him.
>
> Ah, if only life were that simple ;) There are laws against that kind of
> thing :o).
>
> He's on a local area network that I'm part of. I provide routed access to
> the internet, but he's allowed access to the network to connect to other
> users (this is at home, not at work - he rents a room from me.)
> The problem
> is that he's running Internet Explorer 5 in stupid "go on line for no reason
> at all" mode and until he's either un-installed it, or fixed the problem
> I've told him that I'm shutting down his internet access. That said he's
> been a naughty boy and changed his IP address a couple of times to other
> people's. He thinks that I don't know, but of course I've got changing
> ARP addresses. What I'd like to do now is ignore his MAC address on the
> server instead to get around this. (I could disconnect him from the network
> but that's harder to police.)

Create a permanent arp entry for his IP address. Your server won't arp for him any more, and if he changes his IP address his packets won't get to him.

See man 8 arp:

    arp -S ipaddress ethernet_add pub

should do it for you.

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Fri Jul 2 8:58:34 1999
From: Gustavo V G C Rios
To: security@freeBSD.org
Date: Fri, 02 Jul 1999 12:52:20 -0300
Subject: dictionary
Message-ID: <377CE034.A19CE59D@tdnet.com.br>

Where can i download a good passwd one from ?

Thanks for your time and cooperation.
From owner-freebsd-security Fri Jul 2 9:09:39 1999
From: Nate Williams
To: Josef Karthauser
Cc: Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 10:09:04 -0600
Subject: Re: your mail
Message-Id: <199907021609.KAA26138@mt.sri.com>
In-Reply-To: <19990702095858.V69050@pavilion.net>

> As an associated thing can anyone think of an easy way of ignoring traffic
> coming from a particular MAC address on the network?

Sure, add an ARP entry that points to yourself in your routing table (man arp).
Nate

From owner-freebsd-security Fri Jul 2 9:12:49 1999
From: Josef Karthauser
To: "Rodney W. Grimes"
Cc: Dag-Erling Smorgrav, Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 17:12:21 +0100
Subject: Re: your mail
Message-ID: <19990702171221.D69050@pavilion.net>
References: <19990702104239.X69050@pavilion.net> <199907021541.IAA22509@gndrsh.aac.dev.com>
In-Reply-To: <199907021541.IAA22509@gndrsh.aac.dev.com>; from Rodney W. Grimes on Fri, Jul 02, 1999 at 08:41:53AM -0700

On Fri, Jul 02, 1999 at 08:41:53AM -0700, Rodney W. Grimes wrote:
>
> Create a permanent arp entry for his IP address. Your server won't arp for
> him any more, and if he changes his IP address his packets won't get to
> him.
>
> See man 8 arp:
>
>     arp -S ipaddress ethernet_add pub
>
> should do it for you.

Yep, but unless you switch arp off it will arp for any other IP address that he decides to change to. One MAC address can be associated with multiple IP addresses, as any web farm manager will tell you ;)

Does anybody know what the world record for IP addresses on one machine is?
'-)

Joe
--
Josef Karthauser        FreeBSD: How many times have you booted today?
Technical Manager       Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.  [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Fri Jul 2 9:36:31 1999
From: Kiril Mitev
To: joe@pavilion.net (Josef Karthauser)
Cc: ben@narcissus.net, bill@billfink.com, freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 17:29:20 +0100 (BST)
Subject: Re: your mail
Message-Id: <199907021629.RAA10319@ideaglobal.com>
In-Reply-To: <19990702095858.V69050@pavilion.net> from "Josef Karthauser" at Jul 2, 99 09:58:58 am

> > On Thu, Jul 01, 1999 at 06:01:55PM -0400, Snob Art Genre wrote:
> > On Thu, 1 Jul 1999, Bill Fink wrote:
> >
> > > When I display our 'arp table' (i.e. %> arp -a )
> > >
> > > This is an entry - this looks strange to me:
> > >
> > > 6x.6x.2xx.255 ff:ff:ff:ff:ff:ff UHLWb 3 192 ed0
> >
> > That's the broadcast address for your LAN. Nothing to worry about.
>
> As an associated thing can anyone think of an easy way of ignoring traffic
> coming from a particular MAC address on the network? I've got a user who
> keeps changing their IP address to get around the fact that I've restricted
> traffic to that address.
I dare suggest that this sort of thing is better dealt with through administrative, rather than technical, channels :-)

> Joe
> --
> Josef Karthauser        FreeBSD: How many times have you booted today?
> Technical Manager       Viagra for your server (http://www.uk.freebsd.org)
> Pavilion Internet plc.  [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]
>

Kiril

From owner-freebsd-security Fri Jul 2 11:47:15 1999
From: Archie Cobbs
To: jwyatt@RWSystems.net (James Wyatt)
Cc: joe@pavilion.net, ben@narcissus.net, bill@billfink.com, freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 11:46:04 -0700 (PDT)
Subject: Re: Big MAC attack (was Re: your mail)
Message-Id: <199907021846.LAA74121@bubba.whistle.com>
In-Reply-To: from James Wyatt at "Jul 2, 99 09:51:41 am"

James Wyatt writes:
> > coming from a particular MAC address on the network? I've got a user who
> > keeps changing their IP address to get around the fact that I've restricted
> > traffic to that address.

That sounds more like an administrative/human problem than a technical one...

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc.
* http://www.whistle.com

From owner-freebsd-security Fri Jul 2 13:13:35 1999
From: Snob Art Genre
To: James Wyatt
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 16:03:29 -0400 (EDT)
Subject: Re: your mail

On Fri, 2 Jul 1999, James Wyatt wrote:
> You can also hardwire your ARP table for the other users' addresses and
> flush non-perm entries frequently... - Jy@

I've been thinking the best plan is to hardwire his MAC address to an RFC 1918 address that you're not using.

--
Ben

"The world is conspiring in your favor."
-- de la Vega

From owner-freebsd-security Fri Jul 2 14:32:34 1999
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 19:54:32 +0200
Subject: Re: your mail
Message-ID: <19990702195432.A45632@keltia.freenix.fr>
References: <19990702095858.V69050@pavilion.net> <19990702104239.X69050@pavilion.net>
In-Reply-To: <19990702104239.X69050@pavilion.net>; from Josef Karthauser on Fri, Jul 02, 1999 at 10:42:40AM +0100

According to Josef Karthauser:
> I've told him that I'm shutting down his internet access. That said he's
> been a naughty boy and changed his IP address a couple of times to other
> people's. He thinks that I don't know, but of course I've got changing
> ARP addresses. What I'd like to do now is ignore his MAC address on the

This is not a technical problem. This is a human problem. Don't try to apply technical solutions to human problems. He's bad, spank him. You don't have time to waste with such users, just remove them.

I mean it and it is that simple.
--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #71: Sun May 9 20:16:32 CEST 1999

From owner-freebsd-security Fri Jul 2 17:04:46 1999
From: Matt Behrens
To: freebsd-security@FreeBSD.ORG
Date: Fri, 2 Jul 1999 20:04:13 -0400 (EDT)
Subject: Re: your mail
In-Reply-To: <19990702195432.A45632@keltia.freenix.fr>

On Fri, 2 Jul 1999, Ollivier Robert wrote:
: According to Josef Karthauser:
: > I've told him that I'm shutting down his internet access. That said he's
: > been a naughty boy and changed his IP address a couple of times to other
: > people's. He thinks that I don't know, but of course I've got changing
: > ARP addresses. What I'd like to do now is ignore his MAC address on the
: This is not a technical problem. This is a human problem. Don't try to apply
: technical solutions to human problems. He's bad, spank him. You don't have
: time to waste with such users, just remove them.

If you can't evict, you can snip (the cat5 that is).
:-)

Matt Behrens
Owner/Administrator, zigg.com
Chief Engineer, Nameless IRC Network

From owner-freebsd-security Fri Jul 2 20:13:20 1999
From: "Robert Sowders"
To: cjclark@home.com
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Date: Fri, 02 Jul 1999 20:12:59 -0700
Subject: Re: SSH Working Like rsh

I am guilty of being wordy at times but it's good for the new people on the list who might be having the same problem.

A good resource for ssh questions is http://www.employees.org/~satch/ssh/faq/

If you want to try something else that's got secure ftp look to my good buddies at stanford.edu http://srp.stanford.edu/srp/

Other resources
http://ns.uoregon.edu/pgpssh/sshstart.html#public-key-crypto
http://www.tor.shaw.wave.ca/~unix/linux/tcpd.html

To answer your question, YES, rsa-based host authentication is more secure than rhosts authentication.

Next question, unless you specify in sshd_config to not allow root logins, then any user may use the -l switch and login as any user including root if they know the password. Then if they have their DNS setup correctly (reverse name lookup), and they are allowed or just not denied via tcpwrappers, and they know the password, they're in.
Ssh just tries to verify that the machine you're connecting from is who it says it is, and the machine you're connecting to is who it says it is, before connecting and doing encrypted password transfers.

You can setup tcpwrappers to deny connections via individual protocols and limit connections via ssh to only a few ips or domains or users, but I haven't played with it much other than to deny everyone outside my domain.

You might try using rdist with ssh if you're trying to keep something in sync.

>>> "Crist J. Clark" 7/1/99 1:37:55 PM >>>
Robert Sowders wrote,

[snip some good step-by-step directions, but directions for stuff I personally had already figured out.]

> If you would like to do password less logins with
> RSA passphrase then you will need to do the
> following. Be aware that the scary statements
> about null passphrased private key are there for a
> good reason. If someone can steal your key or copy
> it then they will have root on the receiving machine
> with no questions asked, but to do this from any
> machine other than the one they stole it from is very
> difficult and again they would have to have a toehold
> on your machine to start with.
> So Caveat Emptor.

OK, I guess this is what I was really after. First, is RSA-based host authentication not better than old-fashioned rhosts authentication? Isn't it better to use this, even if I am going to have to go with null-passphrases, than to use rhost authentication within SSH (or gods forbid, using the actual rsh suite).

Hmmm... Now that I think about it, there really is no reason for root to be able to ssh in from any other machine but that one (I typically ssh in with a mortal user and su to root when being interactive).

Hmmm... How does an individual user tell the sshd configuration which hosts to allow access to this account? The ~/.ssh/authorized_keys lets people in, but it does not necessarily turn people away.
I would like to be able to restrict what hosts can access root, but not put any restrictions on certain other users. If that is possible, it seems using the null-passphrase would not be much of a risk (if it even is in the first place).

Thanks a lot for the very complete reply.
--
Crist J. Clark                           cjclark@home.com


From owner-freebsd-security Sat Jul 3 1:28:22 1999
Message-ID: <377DC996.510BA419@softweyr.com>
Date: Sat, 03 Jul 1999 02:28:06 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Josef Karthauser
Cc: Justin Wolf, freebsd-security@FreeBSD.ORG
Subject: Re: your mail
References: <19990702200425T.sen_ml@eccosys.com> <19990702154234.C69050@pavilion.net>

Josef Karthauser wrote:
> > On Fri, Jul 02, 1999 at 07:30:54AM -0700, Justin Wolf wrote:
> > > On Fri, Jul 02, 1999 at 11:24:04AM +0200, Dag-Erling Smorgrav wrote:
> > > > Josef Karthauser writes:
> > > > > As an associated thing can anyone think of an easy way of ignoring traffic
> > > > > coming from a particular MAC address on the network? I've got a user who
> > > > > keeps changing their IP address to get around the fact that I've restricted
> > > > > traffic to that address.
> > > >
> > > > So terminate him.
> > >
> > > Ah, if only life were that simple ;) There are laws against that kind of
> > > thing :o).
> >
> > If you have a Cisco router you can do a MAC based access list. If you
> > don't, then one of the other methods should kludge it up ok.
>
> Cisco? What's that? *Spit*

These days, they're the smallest networking company left on earth. ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                    Softweyr LLC
http://softweyr.com/                                      wes@softweyr.com


From owner-freebsd-security Sat Jul 3 1:31:27 1999
Message-ID: <377DCA4F.4A1354BF@softweyr.com>
Date: Sat, 03 Jul 1999 02:31:11 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Ollivier Robert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail
References: <19990702095858.V69050@pavilion.net> <19990702104239.X69050@pavilion.net> <19990702195432.A45632@keltia.freenix.fr>

Ollivier Robert wrote:
>
> According to Josef Karthauser:
> > I've told him that I'm shutting down his internet access. That said he's
> > been a naughty boy and changed his IP address a couple of times to other
> > people's. He thinks that I don't know, but of course I've got changing
> > ARP addresses.
> > What I'd like to do now is ignore his MAC address on the
>
> This is not a technical problem. This is a human problem. Don't try to apply
> technical solutions to human problems. He's bad, spank him. You don't have
> time to waste with such users, just remove them.
>
> I mean it and it is that simple.

Or, if you use a switch with Authenticated VLAN support, just turn on AVLAN and stick him in a VLAN of one. ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                    Softweyr LLC
http://softweyr.com/                                      wes@softweyr.com


From owner-freebsd-security Sat Jul 3 2:29:45 1999
To: Josef Karthauser
Cc: "Rodney W. Grimes", Dag-Erling Smorgrav, Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Subject: Re: your mail
References: <19990702104239.X69050@pavilion.net> <199907021541.IAA22509@gndrsh.aac.dev.com> <19990702171221.D69050@pavilion.net>
From: Dag-Erling Smorgrav
Date: 03 Jul 1999 11:29:37 +0200
In-Reply-To: Josef Karthauser's message of "Fri, 2 Jul 1999 17:12:21 +0100"

Josef Karthauser writes:
> Does anybody know what the world record for IP addresses on one machine
> is? '-)

I don't know if it's a world record, but I know of two production servers which are about to be assigned 700 IP addresses each.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no


From owner-freebsd-security Sat Jul 3 6:07:59 1999
Date: Sat, 3 Jul 1999 14:54:29 +0200 (CEST)
From: mariusz
To: security@FreeBSD.ORG
Subject: ssh2 & class in login.conf not work ?
In-Reply-To: <37671FA7.E3D87FB4@tdnet.com.br.>

Hi, I'm having a small problem :>

> ssh1 -v
SSH Version 1.2.27 [i386-unknown-freebsd3.2], protocol version 1.5.
> ssh2 -v
ssh2: SSH Version 2.0.13

> uname -a
FreeBSD free.kam.pl 3.2-STABLE FreeBSD 3.2-STABLE #0: Wed Jun 23 14:47:19 GMT 199

and the login class free in the file login.conf (the last line of the record carries no trailing backslash):

    free:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
        :path=~/bin /bin /usr/bin /usr/local/bin:\
        :manpath=/usr/share/man /usr/local/man:\
        :nologin=/var/run/nologin:\
        :cputime=6m:\
        :datasize=6M:\
        :stacksize=2M:\
        :memorylocked=4M:\
        :memoryuse=8M:\
        :filesize=8M:\
        :coredumpsize=8M:\
        :openfiles=24:\
        :maxproc=8:\
        :priority=0:

    cap_mkdb login.conf

and the user test is in class free.

Problem: if I connect to the host via ssh1:

    >ssh1 -l test dorm.kam.pl
    > limits
    Resource limits (current):
      cputime              360 secs
      filesize            8192 kb
      datasize            6144 kb
      stacksize           2048 kb
      coredumpsize        8192 kb
      memoryuse           8192 kb
      memorylocked        4096 kb
      maxprocesses           8
      openfiles             24

and if I connect as user test via ssh1 it is:

    >ssh2 -l test dorm.kam.pl
    > limits
    Resource limits (current):
      cputime         infinity secs
      filesize        infinity kb
      datasize          524288 kb
      stacksize          65536 kb
      coredumpsize-cur       0 kb
      memoryuse       infinity kb
      memorylocked    infinity kb
      maxprocesses        8179
      openfiles          16360

What is wrong??????

Mariusz


From owner-freebsd-security Sat Jul 3 8:58:58 1999
Date: Sat, 3 Jul 1999 11:58:50 -0400 (EDT)
From: matt
To: mariusz
Cc: security@FreeBSD.ORG
Subject: Re: ssh2 & class in login.conf not work ?
On Sat, 3 Jul 1999, mariusz wrote:

: Hi
:
: im have small problem :>
:
: > ssh1 -v
: SSH Version 1.2.27 [i386-unknown-freebsd3.2], protocol version 1.5.
: > ssh2 -v
: ssh2: SSH Version 2.0.13
: > uname -a
: FreeBSD free.kam.pl 3.2-STABLE FreeBSD 3.2-STABLE #0: Wed Jun 23 14:47:19
: GMT 199

[...]

Unfortunately, we ALL have that same problem. SSH2 does not give you the choice (documented at least) to use login, while SSH1 does use login. So basically, my advice is to not even install SSH2 and run your machine strictly on SSH1; that's what I did on mine.

Matt
--
matt@AIC-GW.MLINK.NET


From owner-freebsd-security Sat Jul 3 13:20:40 1999
Date: Sat, 3 Jul 1999 13:19:51 -0700
From: Matthew Hunt
To: matt
Cc: mariusz, security@FreeBSD.ORG
Subject: Re: ssh2 & class in login.conf not work ?
Message-ID: <19990703131951.B86487@wopr.caltech.edu>

On Sat, Jul 03, 1999 at 11:58:50AM -0400, matt wrote:

> Unfortunately, we ALL have that same problem, SSH2 does not give you the
> choice (documented at least) to use login, while SSH1 does use login.
> So
> basically, my advice is to not even install SSH2 and run your machine
> strictly on SSH1, that's what I did on mine.

I hope not everybody has that problem. The port of ssh2 in the Ports Collection includes patches to make login capabilities work. Are they broken, or are you folks not bothering to make use of the effort that the porters have expended to make this software work properly on FreeBSD?

--
Matthew Hunt                 * Stay close to the Vorlon.
http://www.pobox.com/~mph/   *


From owner-freebsd-security Sat Jul 3 15:46:39 1999
Date: Sat, 3 Jul 1999 18:46:26 -0400 (EDT)
From: matt
To: Matthew Hunt
Cc: mariusz, security@FreeBSD.ORG
Subject: Re: ssh2 & class in login.conf not work ?
In-Reply-To: <19990703131951.B86487@wopr.caltech.edu>

On Sat, 3 Jul 1999, Matthew Hunt wrote:

[...]
: I hope not everybody has that problem. The port of ssh2 in the Ports
: Collection includes patches to make login capabilities work. Are they
: broken, or are you folks not bothering to make use of the effort that
: the porters have expended to make this software work properly on
: FreeBSD?

I used the ports collection, I always do... but I don't see any documentation of how to make ssh2 use login. However, I do see the code now that I glance over the patches directory... odd. Anyone know what option activates this?
: --
: Matthew Hunt                 * Stay close to the Vorlon.
: http://www.pobox.com/~mph/   *

Matt
--
matt@AIC-GW.MLINK.NET


From owner-freebsd-security Sat Jul 3 16:47:55 1999
Date: Sat, 3 Jul 1999 16:49:22 -0700 (PDT)
From: Cliff Skolnick
To: Dag-Erling Smorgrav
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail

I work on two machines, one with 2584 and the other with 4650 IP addresses. This is under Solaris and still growing.

On 3 Jul 1999, Dag-Erling Smorgrav wrote:

> Josef Karthauser writes:
> > Does anybody know what the world record for IP addresses on one machine
> > is? '-)
>
> I don't know if it's a world record, but I know of two production
> servers which are about to be assigned 700 IP addresses each.
>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no

--
Cliff Skolnick            | "They that can give up essential liberty to obtain
Steam Tunnel Operations   | a little temporary safety deserve neither liberty
cliff@steam.com           | nor safety."
http://www.steam.com/     |                       -- Benjamin Franklin, 1759
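Back to the "SSH Working Like rsh" thread above, where Crist Clark asks how an individual account can tell sshd which hosts may use it: sshd honours a from="pattern-list" option placed in front of a key in ~/.ssh/authorized_keys, so a null-passphrase root key can at least be pinned to the one host it is meant for (command="..." further limits what that key may run). The script below is an added example, not code from the thread; it audits an authorized_keys file for keys that carry no from= restriction, handling SSH1 key lines and OpenSSH-format "ssh-" lines, and the key lines it builds are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): flag authorized_keys entries that are
# not pinned to a source host with from="...". A key that lets whoever holds
# it in as root from anywhere is the risk the thread discusses.

# Print every key line that has no from= option; comments and blanks skipped.
# Usage: unrestricted_keys AUTHORIZED_KEYS_FILE
unrestricted_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            # Options, if any, precede the key material: the first field that is
            # all digits (SSH1 "bits exponent modulus") or starts with "ssh-".
            # from= may sit anywhere in the comma-separated option list, and a
            # command="..." value may contain spaces, so collect the whole prefix.
            prefix = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/ || $i ~ /^ssh-/) break
                prefix = prefix " " $i
            }
            if (prefix !~ /(^|[ ,])from="/) print
        }' "$1"
}

# Number of keys lacking a from= restriction; 0 means every key is host-pinned.
count_unrestricted() { unrestricted_keys "$1" | grep -c .; }

# Constructed sample for root: two pinned keys, two that are not (placeholder keys).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/authorized_keys" <<'EOF'
# backup host: SSH1 key pinned to its source and fixed to one command
from="backup.example.net",command="/usr/local/bin/rdist -S" 1024 35 1234567890 root@backup
# SSH1 key with no restriction at all (flagged)
1024 35 9876543210 root@dev.example.net
# OpenSSH-format key pinned with a wildcard host pattern
no-port-forwarding,from="*.example.net" ssh-dss AAAAB3-constructed-key root@ws1
# OpenSSH-format key with only a command restriction (flagged)
command="/usr/local/bin/rdist -S" ssh-dss AAAAB3-constructed-key root@ws2
EOF
unrestricted_keys "$tmp/authorized_keys"
```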
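For the "ssh2 & class in login.conf" thread above: the symptom mariusz reports, a class with cputime=6m and maxproc=8 whose ssh2 sessions show infinity and 8179, is a session that never went through login(1) and so never had its class applied. The script below is an added example, not code from the thread or from the ssh2 port; compare_limits parses the class record out of a login.conf file and diffs it against saved limits(1) output, and the sample files it writes are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: compare the limits a session actually
# received (output of limits(1)) with the login class /etc/login.conf defines.
# Usage: compare_limits LOGIN_CONF CLASS LIMITS_OUTPUT_FILE
# Prints one "name class=X session=Y" line per differing limit; nothing if all match.
compare_limits() {
    awk -v class="$2" '
        function scale(v, m) { return substr(v, 1, length(v) - 1) * m }   # drop unit suffix, scale
        function conv(v, kind) {   # login.conf value -> the unit limits(1) prints
            if (v ~ /^(infinity|unlimited)$/ || kind == "count") return v
            if (kind == "secs")    # 6m -> 360, 2h -> 7200, 90 or 90s -> 90
                return v ~ /m$/ ? scale(v, 60) : v ~ /h$/ ? scale(v, 3600) : scale(v "s", 1)
            # kilobytes: 8M -> 8192, 2G -> 2097152, 4096 or 4096k -> 4096
            return v ~ /[Mm]$/ ? scale(v, 1024) : v ~ /[Gg]$/ ? scale(v, 1048576) : scale(v "k", 1)
        }
        FNR == 1 { file++ }                       # file 1 is login.conf, file 2 the limits output
        file == 1 && $1 == (class ":\\") { inrec = 1; next }     # record header, e.g. "free:\"
        file == 1 && inrec {
            line = $0; gsub(/^[ \t]*:|:\\?[ \t]*$/, "", line)    # ":cputime=6m:\" -> "cputime=6m"
            split(line, kv, "=")
            if (kv[1] == "cputime")           want["cputime"] = conv(kv[2], "secs")
            else if (kv[1] == "maxproc")      want["maxprocesses"] = conv(kv[2], "count")
            else if (kv[1] == "openfiles")    want["openfiles"] = conv(kv[2], "count")
            else if (kv[1] ~ /size$|^memory/) want[kv[1]] = conv(kv[2], "kb")
            if ($0 !~ /\\$/) inrec = 0                           # record ends at the first line without "\"
        }
        file == 2 {
            n = $1; sub(/-cur$|-max$/, "", n)                    # "coredumpsize-cur" -> "coredumpsize"
            if (n in want && want[n] != $2) print n, "class=" want[n], "session=" $2
        }' "$1" "$3"
}

# Constructed sample, not real system files: the "free" class from the thread
# (trimmed) and the limits the ssh2 session reported.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/login.conf" <<'EOF'
free:\
    :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
    :cputime=6m:\
    :datasize=6M:\
    :coredumpsize=8M:\
    :openfiles=24:\
    :maxproc=8:
EOF
cat > "$tmp/ssh2.limits" <<'EOF'
Resource limits (current):
  cputime              infinity secs
  datasize               524288 kb
  coredumpsize-cur            0 kb
  maxprocesses             8179
  openfiles               16360
EOF
compare_limits "$tmp/login.conf" free "$tmp/ssh2.limits"
```

A session that came in through login(1) with the class applied prints nothing; the sample ssh2 session prints five mismatches.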