From owner-freebsd-security Tue Oct 7 14:17:07 1997
From: Stanley.Hopcroft@aipo.gov.au
To: security@freebsd.org
Date: Wed, 8 Oct 1997 06:30:08 +1000
Message-ID: <4A256529.0074BF72.00@notes.aipo.gov.au>
Subject: How do I get warned about unsuccessful root login attempts

Dear Ladies and Gentlemen,

I am writing to ask how FreeBSD may alert me to unsuccessful root login attempts (as distinct from a successful login)?

One possibility is replacing getpasswd by a locally produced one that writes all attempts to the syslog facility, however I don't really want to do that even with the source available.

Any suggestions will be gratefully received.

Thank you.
Yours sincerely,

S Hopcroft
AIPO (better known by its former name of Patents Trade Marks & Designs Offices)

From owner-freebsd-security Tue Oct 7 20:23:07 1997
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: freebsd-security@freebsd.org
Date: Tue, 07 Oct 1997 20:22:36 -0700
Message-Id: <199710080322.UAA04881@cwsys.cwent.com>

The following looks like it could be rather handy under FreeBSD.

Regards,                        Phone:    (250)387-8437
Cy Schubert                     Fax:      (250)387-5766
UNIX Support                    OV/VM:    BCSC02(CSCHUBER)
ITSD                            BITNET:   CSCHUBER@BCSC02.BITNET
Government of BC                Internet: cschuber@uumail.gov.bc.ca
                                          Cy.Schubert@gems8.gov.bc.ca

"Quit spooling around, JES do it."
------- Forwarded Message

Approved-By: aleph1@UNDERGROUND.ORG
Message-Id: <199710071010.MAA26628@albano>
Date: Tue, 7 Oct 1997 12:12:24 +0200
Reply-To: Casper Dik
Sender: Bugtraq List
From: Casper Dik
Subject: Re: HP-UX tcp_random_seq
To: BUGTRAQ@netspace.org
In-Reply-To: Your message of "Mon, 06 Oct 1997 10:22:09 CDT."
Resent-To: cy@passer.osg.gov.bc.ca, pblake@uumail.gov.bc.ca
Resent-Date: Tue, 07 Oct 1997 08:09:10 -0700
Resent-From: Cy Schubert - ITSD Open Systems Group

>I don't believe this has been given enough distribution. Under HP-UX you can
>configure it to use random TCP sequence numbers by setting the
>tcp_random_seq variable. The values are:
>
>   0 - old behavior (default)
>   1 - rand(3) behavior
>   2 - rand48(3) behavior
>
>The seed value for the rand*() functions is based on the time when
>tcp_init() (or nettune) is called, so don't make your uptime public
>(i.e. rstatd).
>

Solaris 2.x has a similar option.

	ndd -set /dev/tcp tcp_strong_iss

It accepts three values (2 in 2.5*)

	0 - old behaviour
	1 - using random(3) [default]
	2 - new in 2.6, RFC 1948 support

The password for this is set from root's /etc/shadow entry using

	ndd -set /dev/tcp tcp_1948_phrase

The method to set this in 2.6 is editing /etc/default/inetinit and add

	TCP_STRONG_ISS=2

If you have lots of clients with the same encrypted root password, you'd
want to find another way of setting the tcp_1948_phrase

Casper

------- End of Forwarded Message

From owner-freebsd-security Wed Oct 8 14:08:03 1997
From: Ivaylo Kostadinov
Reply-To: Ivaylo Kostadinov
To: security@freebsd.org
Date: Wed, 8 Oct 1997 23:43:58 +0300 (EEST)
Subject: Re: How do I get warned about unsuccessful root login attempts

On Wed, 8 Oct 1997, Stanley.Hopcroft@aipo.gov.au wrote:

> Dear Ladies and Gentlemen,
>
> I am writing to ask how FreeBSD may alert me to unsuccessful root
> login attempts (as distinct from a successful login) ?
>

I run a FreeBSD 2.2.2 machine, and it DOES log both successful and unsuccessful root login attempts:

Oct 8 23:27:18 bgbio login: login on ttyv0 as root
Oct 8 23:27:18 bgbio login: ROOT LOGIN (root) ON ttyv0
Oct 8 23:27:41 bgbio telnetd[3460]: connect from root@bgbio.aubg.bg
Oct 8 23:27:43 bgbio login: 1 LOGIN FAILURE FROM bgbio.aubg.bg
Oct 8 23:27:43 bgbio login: 1 LOGIN FAILURE FROM bgbio.aubg.bg, root

"login" has the code for logging implemented in itself. Your problem might be with the configuration of your syslogd - /etc/syslog.conf, which might not be set to log the facility or the level at which "login" logs.

Anyway, I do not think that it is a good policy for root logins to be allowed from anywhere but the console.
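An added illustration of the reply above (editor-added example code, not something posted to the list or shipped with FreeBSD): a small scanner for the "LOGIN FAILURE" lines that login(1) writes, run over constructed sample lines modelled on the ones quoted in the reply. It folds together the two copies login(1) emits for one failed attempt (one line without the user name, one with it) and reports the attempts against root per source. The syslog side is an assumption to check against your own /etc/syslog.conf and login.c: in the login.c of that era as I read it, login logs at the auth facility with notice priority, and the second copy carrying the user name goes to authpriv, so both facilities need a destination before a scanner like this has anything to read.

```python
import re
from collections import Counter

# Constructed sample log lines (not from a real host), modelled on the
# "%d LOGIN FAILURE%s FROM %s[, %s]" / "ON %s[, %s]" messages of login(1).
SAMPLE_LOG = """\
Oct  8 23:27:18 bgbio login: login on ttyv0 as root
Oct  8 23:27:18 bgbio login: ROOT LOGIN (root) ON ttyv0
Oct  8 23:27:41 bgbio telnetd[3460]: connect from root@bgbio.aubg.bg
Oct  8 23:27:43 bgbio login: 1 LOGIN FAILURE FROM bgbio.aubg.bg
Oct  8 23:27:43 bgbio login: 1 LOGIN FAILURE FROM bgbio.aubg.bg, root
Oct  8 23:28:05 bgbio login: 2 LOGIN FAILURES FROM bgbio.aubg.bg, root
Oct  8 23:30:11 bgbio login: 3 LOGIN FAILURES FROM evil.example.net, root
Oct  8 23:31:02 bgbio login: 1 LOGIN FAILURE ON ttyv1, operator
"""

# Matches both the network (FROM host) and the terminal (ON tty) forms,
# singular or plural, with the optional ", user" suffix.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) login: "
    r"(?P<count>\d+) LOGIN FAILURES? (?P<where>FROM|ON) (?P<src>[^,\s]+)"
    r"(?:, (?P<user>\S+))?$"
)


def parse_failures(log_text):
    """Return one record per distinct failed attempt.

    login(1) can log the same attempt twice (once without and once with the
    user name), so records are keyed on timestamp, host, failure counter and
    source, and the user name is merged in when a copy carries it.
    """
    events = {}
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        key = (m["ts"], m["host"], int(m["count"]), m["where"], m["src"])
        rec = events.setdefault(key, {
            "ts": m["ts"], "host": m["host"], "count": int(m["count"]),
            "where": m["where"], "src": m["src"], "user": None,
        })
        if m["user"]:
            rec["user"] = m["user"]
    return list(events.values())


def root_failures(log_text):
    """Only the attempts that named root."""
    return [r for r in parse_failures(log_text) if r["user"] == "root"]


def failures_by_source(log_text):
    """Distinct failed attempts per originating host or tty, any user."""
    return Counter(r["src"] for r in parse_failures(log_text))


def report(log_text):
    """Human-readable summary, one line per failed root attempt."""
    return "\n".join(
        f"{r['ts']} {r['host']}: root failure #{r['count']} {r['where']} {r['src']}"
        for r in root_failures(log_text)
    )


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print(failures_by_source(SAMPLE_LOG))
```

Run it from cron against the file syslogd writes auth/authpriv to and mail the report when it is non-empty; the failure counter in each line is login(1)'s per-session count, so a rising number from one host inside a single session is one persistent guesser, not several.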
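Going back to the TCP initial sequence number discussion in the forwarded Bugtraq note above: an editor-added model (not code from Solaris, HP-UX, FreeBSD or either poster) of the three kinds of ISN generator under discussion, to make concrete why a PRNG seeded from boot time is only as secret as your uptime and what RFC 1948 changes. Everything concrete here is an assumption chosen for the demonstration: the classic counter's 128000-per-second and 64000-per-connection steps (roughly 4.4BSD's), Python's random.Random standing in for rand(3)/rand48(3), MD5 as the keyed function F (the RFC's suggestion), the boot time and the secret phrase, which stands in for the Solaris tcp_1948_phrase.

```python
import hashlib
import random
import struct

MASK32 = 0xFFFFFFFF

# Constructed values for the demonstration (not from any real host).
BOOT_TIME = 876200000                 # what rstatd/uptime would leak about the victim
SECRET = b"constructed-1948-phrase"   # stands in for Solaris' tcp_1948_phrase


def isn_classic_bsd(uptime_ms, connections_so_far):
    """'Old behaviour': one global counter advanced 128000/s plus 64000 per
    connection (roughly 4.4BSD). Seeing one ISN gives away the rest."""
    return (128 * uptime_ms + 64000 * connections_so_far) & MASK32


def predict_classic(observed_isn, elapsed_ms, extra_connections):
    """Attacker's side of the classic scheme: extrapolate from one observed ISN."""
    return (observed_isn + 128 * elapsed_ms + 64000 * extra_connections) & MASK32


def isn_seeded_prng(boot_time, connections_so_far):
    """HP-UX tcp_random_seq=1/2 or Solaris tcp_strong_iss=1 style: a PRNG
    seeded once at boot. random.Random stands in for rand(3)/rand48(3)."""
    rng = random.Random(boot_time)
    for _ in range(connections_so_far):
        rng.getrandbits(32)           # ISNs already handed to earlier connections
    return rng.getrandbits(32)


def predict_seeded(guessed_boot_time, guessed_connections):
    """Attacker who learned the boot time (rstatd, uptime) and can estimate the
    connection count simply replays the generator; a wrong boot time fails."""
    return isn_seeded_prng(guessed_boot_time, guessed_connections)


def isn_rfc1948(local, lport, remote, rport, secret, now_us):
    """RFC 1948: ISN = M + F(local, lport, remote, rport, secret), with M a
    4-microsecond clock and F a keyed hash (MD5 here). M is public, but the
    per-4-tuple offset F is unknown to anyone without the secret."""
    m = (now_us // 4) & MASK32
    material = f"{local}:{lport}:{remote}:{rport}".encode("ascii") + secret
    offset = struct.unpack(">I", hashlib.md5(material).digest()[:4])[0]
    return (m + offset) & MASK32


def predict_rfc1948_without_secret(observed_isn_other_tuple, elapsed_us):
    """Best an attacker can do from an ISN seen on its own connection: advance
    the clock. The victim 4-tuple's hash offset is still missing."""
    return (observed_isn_other_tuple + elapsed_us // 4) & MASK32


if __name__ == "__main__":
    seen = isn_classic_bsd(5000, 3)
    print("classic  predicted", predict_classic(seen, 2000, 1),
          "actual", isn_classic_bsd(7000, 4))
    print("seeded   predicted", predict_seeded(BOOT_TIME, 3),
          "actual", isn_seeded_prng(BOOT_TIME, 3))
    own = isn_rfc1948("10.0.0.2", 23, "10.0.0.9", 40000, SECRET, 1_000_000_000)
    print("rfc1948  predicted", predict_rfc1948_without_secret(own, 4_000_000),
          "actual", isn_rfc1948("10.0.0.2", 23, "10.0.0.7", 40001, SECRET, 1_004_000_000))
```

The first two predictions succeed and the third fails, which is the whole point of mode 2 on Solaris 2.6: the clock term M still advances predictably (two ISNs for the same 4-tuple a second apart differ by exactly 250000), but the offset an attacker needs for a spoofed 4-tuple depends on the secret. That is also why Casper's caveat matters: if tcp_1948_phrase is derived from a root password hash shared across many clients, learning it on one machine makes F computable for all of them.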
From owner-freebsd-security Sat Oct 11 11:53:14 1997
From: Marc Slemko
To: Marc Slemko
Date: Sat, 11 Oct 1997 12:56:54 -0600 (MDT)
Subject: Huge security holes in Microsoft FP98 server extensions for Apache

[Copies sent to bugtraq, inet-access, freebsd-security, the Apache development mailing list, and the comp.infosystems.www.servers.unix and microsoft.public.frontpage.extensions.unix newsgroups.]

Microsoft's FrontPage 98 server side extensions for Apache under Unix include a small setuid root program (fpexe) to allow the FrontPage CGIs to be run as the user who owns the pages as opposed to them all running as the user the web server runs as. This is necessary to get around gaping loopholes that occur when all FrontPage documents are owned by the user the web server runs as.

There are, however, gaping holes in this fpexe program that make it easily exploitable to eventually gain root. This is only in the FrontPage 98 extensions and is only in the Apache version; it is completely unrelated to any Apache code and only occurs in the Apache version simply because that is the only version where this functionality is provided.
Details are at http://www.worldgate.com/~marcs/fp/