From owner-freebsd-security Mon Feb 9 21:15:15 1998
Message-ID: <34DF6026.5199AD15@bouldernews.infi.net>
Date: Mon, 09 Feb 1998 12:59:35 -0700
From: Mark Hoffman
To: freebsd-security@FreeBSD.ORG
Subject: satan-1.1.1

I have installed FreeBSD 2.2.5 with Perl5, and I've installed
Satan-1.1.1. I have set the dont_use_nslookup variable to 1. Yet, when I
start up Satan, I still get the message that I need to set that variable
to one. I'm using a Toshiba Satellite Pro over a PPP link to check the
outside of one of my firewalls. Any help?

I'm trying desperately to use FreeBSD for all of my security
auditing and reports, and this is the only snag I've run into.

Mark Hoffman
Network Security Administrator
SCC Communications Corp.
303.581.5680
mhoffman@scc911.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Wed Feb 11 21:41:52 1998
Message-ID: <34E2927E.FEC72ABF@xmission.com>
Date: Wed, 11 Feb 1998 23:11:11 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Mark Hoffman
CC: freebsd-security@FreeBSD.ORG
Subject: Re: satan-1.1.1
References: <34DF6026.5199AD15@bouldernews.infi.net>

Mark Hoffman wrote:
> I have installed FreeBSD 2.2.5 with Perl5, and I've installed
> Satan-1.1.1. I have set the dont_use_nslookup variable to 1. Yet, when I
> start up Satan, I still get the message that I need to set that variable
> to one. I'm using a Toshiba Satellite Pro over a PPP link to check the
> outside of one of my firewalls. Any help?

Do you need to remove "bind" from /etc/host.conf? This may be telling
the FreeBSD resolver routines to use bind even though you've told Satan
not to.

> I'm trying desperately to use FreeBSD for all of my security
> auditing and reports, and this is the only snag I've run into.

No good deed goes unpunished. ;^)

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                              Softweyr LLC
http://www.xmission.com/~softweyr       softweyr@xmission.com

From owner-freebsd-security Fri Feb 13 14:34:52 1998
Date: Fri, 13 Feb 1998 17:20:59 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: freebsd-security@FreeBSD.ORG
Subject: Secure Linux patch (fwd)

Per jmb's request, I am resending this message to make sure the mailing
list works. I'd also, of course, be interested in discussion of the
issues below. :)

Robert N Watson

Carnegie Mellon University    http://www.cmu.edu/
SafePort Network Services     http://www.safeport.com/
robert@fledge.watson.org      http://www.watson.org/~robert/

---------- Forwarded message ----------
Date: Thu, 29 Jan 1998 15:43:01 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: freebsd-security@freebsd.org
Subject: Secure Linux patch (fwd)

It would be nice to have some of these features (see bottom of email)
available on FreeBSD. I don't have the experience/knowledge to do most of
this, or I would do it myself :).
Most of these are really security work-arounds, and succeed in blocking a
number of traditional attacks, although they do not fix the sources of the
attack :). Better application writing is the only long-term solution, I
suspect. We also have securelevel already, but I am not sure that the
features they have match ours.

BTW, in -current, has there been any thought to requiring that time
monotonically increase (as BSDI has done) while in securelevel > 0? With
appropriate use of single-user mode, xntpd, and ntpdate, this can be very
useful.

Robert N Watson

Carnegie Mellon University    http://www.cmu.edu/
SafePort Network Services     http://www.safeport.com/
robert@fledge.watson.org      http://www.watson.org/~robert/

---------- Forwarded message ----------
Date: Thu, 29 Jan 1998 19:31:39 -0300
From: Solar Designer
To: BUGTRAQ@NETSPACE.ORG
Subject: Secure Linux patch

Hello,

> mkdir /tmp/foo (no sticky bit on foo)
> ln /etc/passwd /tmp/foo
> mv /tmp/{foo/,}passwd

Thanks for reporting this. A stupid problem, I should have thought a bit
more of things like this. ;-) I wonder why no one reported it earlier...

I wasn't going to release my new patch right now, but since I would have
to release a fix anyway, ...here goes the full thing.
You can get my new Secure Linux patch at:

http://www.false.com/security/linux/secure-linux.tar.gz
ftp://ftp.dataforce.net/pub/solar/secure-linux.tar.gz

Features:

* Non-executable user stack area
* Link-in-/tmp fix (fixed;-)
* Restricted /proc (extra functionality compared to original route's patch)
* Improved securelevel support (finally really secure, and extra features)
* Unofficial bugfixes (hope I'll be able to remove them when 2.0.34 is out)

Signed,
Solar Designer

From owner-freebsd-security Fri Feb 13 15:02:42 1998
Message-Id: <199802132306.SAA26697@java.coffeehaus.net>
From: "Jonah Kowall"
Subject: LAND revisitied
Date: Fri, 13 Feb 1998 18:00:40 -0500

I cvsuped my sources and recompiled, and LAND still crashes the machine, is
there any file I can look in the make sure the patch was indeed installed in
the tree?
- Jonah Kowall

VP Technology
Coffeehaus Networks / Content Advisor
Somerville, MA

From owner-freebsd-security Fri Feb 13 15:18:01 1998
Message-Id: <199802132317.PAA04829@burka.rdy.com>
Subject: Re: LAND revisitied
In-Reply-To: <199802132306.SAA26697@java.coffeehaus.net> from Jonah Kowall at "Feb 13, 98 06:00:40 pm"
To: jkowall@coffeehaus.net (Jonah Kowall)
Date: Fri, 13 Feb 1998 15:17:49 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

Jonah Kowall writes:
> I cvsuped my sources and recompiled, and LAND still crashes the machine, is
> there any file I can look in the make sure the patch was indeed installed in
> the tree?

/sys/netinet/tcp_input.c should have the following code:

        /*
         * Reject attempted self-connects.  XXX This actually masks
         * a bug elsewhere, since self-connect should work.
         * However, a currently-active DoS attack in the Internet
         * sends a phony self-connect request which causes an infinite
         * loop.
         */
        if (ti->ti_src.s_addr == ti->ti_dst.s_addr &&
            ti->ti_sport == ti->ti_dport) {
                tcpstat.tcps_badsyn++;
                goto drop;
        }

>
> - Jonah Kowall
>
> VP Technology
> Coffeehaus Networks / Content Advisor
> Somerville, MA
>

-- dima

From owner-freebsd-security Fri Feb 13 15:19:25 1998
Message-Id: <199802132317.RAA15473@nash.pr.mcs.net>
Date: Fri, 13 Feb 1998 17:17:39 -0600 (CST)
From: Alex Nash
Subject: Re: Secure Linux patch (fwd)
To: robert+freebsd@cyrus.watson.org
cc: freebsd-security@FreeBSD.ORG

On 13 Feb, Robert Watson wrote:
> BTW, in -current, has there been any thought to requiring that time
> monotonically increase (as BSDI has done) while in securelevel > 0? With
> appropriate use of single-user mode, xntpd, and ntpdate, this can be very
> useful.

FreeBSD already does this, although the check is against securelevel > 1:

sys/kern_time.c
revision 1.23
date: 1997/05/08 14:16:25;  author: peter;  state: Exp;  lines: +215 -33
[...]
Note that I picked up the securelevel > 1 check from NetBSD that prevents
the clock being set backwards in high securelevel mode (this was a hole
that allowed resetting of inode access timestamps to arbitrary values)

Alex

From owner-freebsd-security Fri Feb 13 15:27:22 1998
Message-Id: <199802132325.RAA15558@nash.pr.mcs.net>
Date: Fri, 13 Feb 1998 17:25:31 -0600 (CST)
From: Alex Nash
Subject: Re: LAND revisitied
To: jkowall@coffeehaus.net
cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199802132306.SAA26697@java.coffeehaus.net>

On 13 Feb, Jonah Kowall wrote:
> I cvsuped my sources and recompiled, and LAND still crashes the machine, is
> there any file I can look in the make sure the patch was indeed installed in
> the tree?

The complete fix went into -current on January 20th, and -stable on the
30th. Look at the output of 'ident /sys/netinet/tcp_input.c'.
These are the fixed versions:

-current    1.68
-stable     1.54.2.7

Alex

From owner-freebsd-security Fri Feb 13 17:27:25 1998
Message-Id: <199802140126.RAA05573@burka.rdy.com>
Subject: Re: LAND revisitied
In-Reply-To: <199802140114.SAA14195@mt.sri.com> from Nate Williams at "Feb 13, 98 06:14:55 pm"
To: nate@mt.sri.com (Nate Williams)
Date: Fri, 13 Feb 1998 17:26:47 -0800 (PST)
Cc: dima@best.net, jkowall@coffeehaus.net, freebsd-security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

That is very possible. I think, I've just missed it.

Nate Williams writes:
> > > I cvsuped my sources and recompiled, and LAND still crashes the machine, is
> > > there any file I can look in the make sure the patch was indeed installed in
> > > the tree?
> >
> > /sys/netinet/tcp_input.c should have the following code:
>
> That's the old fix. Bill has a new fix that is different in both
> -stable and -current.
>
> In stable that file would be:
>  * @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
>  * $Id: tcp_input.c,v 1.54.2.7 1998/01/30 19:13:55 fenner Exp $
>
> And in -current it would be some version greater than 1.68.
>
>
> Nate
>

-- dima

From owner-freebsd-security Fri Feb 13 17:44:38 1998
Date: Fri, 13 Feb 1998 18:14:55 -0700
Message-Id: <199802140114.SAA14195@mt.sri.com>
From: Nate Williams
To: dima@best.net
Cc: jkowall@coffeehaus.net (Jonah Kowall), freebsd-security@FreeBSD.ORG
Subject: Re: LAND revisitied
In-Reply-To: <199802132317.PAA04829@burka.rdy.com>
References: <199802132306.SAA26697@java.coffeehaus.net> <199802132317.PAA04829@burka.rdy.com>

> > I cvsuped my sources and recompiled, and LAND still crashes the machine, is
> > there any file I can look in the make sure the patch was indeed installed in
> > the tree?
>
> /sys/netinet/tcp_input.c should have the following code:

That's the old fix. Bill has a new fix that is different in both
-stable and -current.

In stable that file would be:
 * @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
 * $Id: tcp_input.c,v 1.54.2.7 1998/01/30 19:13:55 fenner Exp $

And in -current it would be some version greater than 1.68.
Nate
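
Added example (not part of any message in this thread, and not FreeBSD project code): a shell check for the verification step the replies describe, classifying the revision in an ident/$Id$ line against the fixed revisions Alex Nash names (-current 1.68, -stable 1.54.2.7). The function names and all sample lines except the 1.54.2.7 one are constructed, and treating any revision that descends from trunk 1.68 or later as carrying the fix is an assumption based on how RCS numbers branches.

```shell
#!/bin/sh
# Added example, not FreeBSD project code. Function names are hypothetical.
# Fixed revisions come from the thread: -current 1.68, -stable 1.54.2.7.

# Print the revision field of an RCS $Id$ line (as shown by ident), or nothing.
rev_from_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*\$Id: [^ ]*,v \([0-9][0-9.]*\) .*/\1/p'
}

# Classify a tcp_input.c revision: fixed, predates-fix, or unknown.
check_rev() {
    rev=$1
    case $rev in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $rev                 # split "1.54.2.7" into 1 54 2 7
    IFS=$old_ifs
    [ "$#" -ge 2 ] || { echo unknown; return 0; }
    # Assumption: any revision whose trunk ancestor ($1.$2) is 1.68 or later
    # descends from the fixed -current revision.
    if [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -ge 68 ]; }; then
        echo fixed
    elif [ "$#" -eq 4 ] && [ "$1.$2.$3" = "1.54.2" ]; then
        # The -stable branch named in the thread: fixed from 1.54.2.7 on.
        if [ "$4" -ge 7 ]; then echo fixed; else echo predates-fix; fi
    elif [ "$#" -eq 2 ]; then
        echo predates-fix       # trunk revision older than 1.68
    else
        echo unknown            # some other branch; the thread does not say
    fi
}

# Classify one line of ident output.
check_id_line() {
    check_rev "$(rev_from_id "$1")"
}

# Sample lines: the first is quoted in the thread, the others are constructed.
while IFS= read -r line; do
    printf '%-13s %s\n' "$(check_id_line "$line")" "$line"
done <<'EOF'
$Id: tcp_input.c,v 1.54.2.7 1998/01/30 19:13:55 fenner Exp $
$Id: tcp_input.c,v 1.54.2.6 1998/01/01 00:00:00 example Exp $
$Id: tcp_input.c,v 1.67 1998/01/01 00:00:00 example Exp $
$Id: tcp_input.c,v 1.69 1998/02/01 00:00:00 example Exp $
EOF
```

On a real system the input would be the output of 'ident /sys/netinet/tcp_input.c', one line at a time; a result of "unknown" means the revision is on a branch the thread does not cover.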