From owner-freebsd-security Sun Oct 18 01:09:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA21819 for freebsd-security-outgoing; Sun, 18 Oct 1998 01:09:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dt053nb4.san.rr.com (dt053nb4.san.rr.com [204.210.34.180]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA21813 for ; Sun, 18 Oct 1998 01:09:22 -0700 (PDT) (envelope-from Studded@dal.net)
Received: from dal.net (localhost [127.0.0.1]) by dt053nb4.san.rr.com (8.8.8/8.8.8) with ESMTP id BAA27463; Sun, 18 Oct 1998 01:08:57 -0700 (PDT) (envelope-from Studded@dal.net)
Message-ID: <3629A219.8260A48F@dal.net>
Date: Sun, 18 Oct 1998 01:08:57 -0700
From: Studded
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.5b2 [en] (X11; I; FreeBSD 2.2.7-STABLE-1015 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "Jeffrey J. Mountin"
CC: security@FreeBSD.ORG
Subject: Re: syslogd and syslog.conf (new feature)
References: <199810171855.NAA18114@set.spradley.tmi.net> <3.0.3.32.19981018011033.00fc17e8@207.227.119.2>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jeffrey J. Mountin" wrote:

> With that in mind why not have the LEVEL after the FACILITY in
> the log?
>
> []: :

Start syslogd with the flags -vv

Good luck,

Doug
--
*** Chief Operations Officer, DALnet IRC network ***

Go PADRES!
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Oct 18 02:14:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA26428 for freebsd-security-outgoing; Sun, 18 Oct 1998 02:14:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA26413 for ; Sun, 18 Oct 1998 02:14:34 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199810180914.CAA26413@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA275201999; Sun, 18 Oct 1998 19:13:19 +1000
From: Darren Reed
Subject: Re: syslogd and syslog.conf (new feature)
To: jeff-ml@mountin.net (Jeffrey J. Mountin)
Date: Sun, 18 Oct 1998 19:13:19 +1000 (EST)
Cc: jkb@best.com, axl@iafrica.com, igor@physics.uiuc.edu, security@FreeBSD.ORG
In-Reply-To: <3.0.3.32.19981018011033.00fc17e8@207.227.119.2> from "Jeffrey J. Mountin" at Oct 18, 98 01:10:33 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Jeffrey J. Mountin, sie said:
>
> One last thought about syslogd. If you consider the default setup for
> syslog.conf and the fact that *most* messages are going to one logfile,
> which can get messy and difficult to discern the important from the
> routine. With that in mind why not have the LEVEL after the FACILITY in
> the log?
>
> []: :
>
> Programs like ssh and Apache do something along this line.

Make sure it is compatible with the format used by IRIX.
From owner-freebsd-security Sun Oct 18 04:56:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA10445 for freebsd-security-outgoing; Sun, 18 Oct 1998 04:56:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA10440 for ; Sun, 18 Oct 1998 04:56:49 -0700 (PDT) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id GAA20107; Sun, 18 Oct 1998 06:56:27 -0500 (CDT)
Received: from aridius-104.isdn.mke.execpc.com(169.207.66.231) by peak.mountin.net via smap (V1.3) id sma020105; Sun Oct 18 06:56:25 1998
Message-Id: <3.0.3.32.19981018065553.00f2eee0@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sun, 18 Oct 1998 06:55:53 -0500
To: Studded
From: "Jeffrey J. Mountin"
Subject: Re: syslogd and syslog.conf (new feature)
Cc: security@FreeBSD.ORG
In-Reply-To: <3629A219.8260A48F@dal.net>
References: <199810171855.NAA18114@set.spradley.tmi.net> <3.0.3.32.19981018011033.00fc17e8@207.227.119.2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:08 AM 10/18/98 -0700, Studded wrote:
> "Jeffrey J. Mountin" wrote:
> Start syslogd with the flags -vv

Not in 2.2.7, but 3.0 has it.
Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net

From owner-freebsd-security Sun Oct 18 08:15:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA23238 for freebsd-security-outgoing; Sun, 18 Oct 1998 08:15:21 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA23232 for ; Sun, 18 Oct 1998 08:15:19 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id JAA12983; Sun, 18 Oct 1998 09:14:19 -0600 (MDT)
Message-Id: <4.1.19981018091111.0411fef0@mail.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Sun, 18 Oct 1998 09:13:05 -0600
To: "Jeffrey J. Mountin", "Jan B. Koum", Sheldon Hearn, Igor Roshchin
From: Brett Glass
Subject: Re: syslogd and syslog.conf (new feature)
Cc: security@FreeBSD.ORG
In-Reply-To: <3.0.3.32.19981018011033.00fc17e8@207.227.119.2>
References: <19981017134231.C22818@best.com> <199810171855.NAA18114@set.spradley.tmi.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:10 AM 10/18/98 -0500, Jeffrey J. Mountin wrote:
> One last thought about syslogd. If you consider the default setup for
> syslog.conf and the fact that *most* messages are going to one logfile,
> which can get messy and difficult to discern the important from the
> routine. With that in mind why not have the LEVEL after the FACILITY in
> the log?
>
> []: :
>
> Programs like ssh and Apache do something along this line.

There's a good reason for this.
If you want to delimit the fields with spaces rather than tabs, it's
easiest if one puts the field that's most likely to contain spaces (e.g.
the message) at the end. Then, when the software parses the line, it can
stop treating spaces as field delimiters at that point. Yes, it's a hack,
but it's used in everything from Apache to inetd.

--Brett

From owner-freebsd-security Sun Oct 18 08:38:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA25794 for freebsd-security-outgoing; Sun, 18 Oct 1998 08:38:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA25780; Sun, 18 Oct 1998 08:38:12 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id JAA13113; Sun, 18 Oct 1998 09:37:48 -0600 (MDT)
Message-Id: <4.1.19981018093136.040d3390@mail.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Sun, 18 Oct 1998 09:32:30 -0600
To: "H. Eckert", freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
From: Brett Glass
Subject: Re: syslogd and syslog.conf
In-Reply-To: <19981017095905.23337@nostromo.in-berlin.de>
References: <3626320A.712D129F@internationalschool.co.uk> <199810151535.KAA09617@alecto.physics.uiuc.edu> <3626320A.712D129F@internationalschool.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:59 AM 10/17/98 +0200, H. Eckert wrote:
> ee does that? One more reason to hate it.
> The first thing I do on a new installation is edit root's
> dotfiles to change the editor to vim or at least vi.
> It would be nice if sysconfig would copy the default editor
> from the config options page if it had been changed during
> the installation.

I'd really like it to bring in jove. Yes, I can use vi if I must, but the
command structure is so awful that I have to go very slowly....

--Brett

From owner-freebsd-security Sun Oct 18 11:41:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA22220 for freebsd-security-outgoing; Sun, 18 Oct 1998 11:41:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dt053nb4.san.rr.com (dt053nb4.san.rr.com [204.210.34.180]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA22215 for ; Sun, 18 Oct 1998 11:41:56 -0700 (PDT) (envelope-from Studded@dal.net)
Received: from dal.net (Studded@localhost [127.0.0.1]) by dt053nb4.san.rr.com (8.8.8/8.8.8) with ESMTP id LAA03061; Sun, 18 Oct 1998 11:41:32 -0700 (PDT) (envelope-from Studded@dal.net)
Message-ID: <362A365B.7B99B85C@dal.net>
Date: Sun, 18 Oct 1998 11:41:31 -0700
From: Studded
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.5b2 [en] (X11; I; FreeBSD 2.2.7-STABLE-1015 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "Jeffrey J. Mountin"
CC: security@FreeBSD.ORG
Subject: Re: syslogd and syslog.conf (new feature)
References: <199810171855.NAA18114@set.spradley.tmi.net> <3.0.3.32.19981018011033.00fc17e8@207.227.119.2> <3.0.3.32.19981018065553.00f2eee0@207.227.119.2>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jeffrey J. Mountin" wrote:
>
> At 01:08 AM 10/18/98 -0700, Studded wrote:
> > "Jeffrey J. Mountin" wrote:
> > Start syslogd with the flags -vv
>
> Not in 2.2.7, but 3.0 has it.

2.2.7-Stable does, that's what I use.
:)
--
*** Chief Operations Officer, DALnet IRC network ***

Go PADRES!

From owner-freebsd-security Sun Oct 18 12:41:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA29177 for freebsd-security-outgoing; Sun, 18 Oct 1998 12:41:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA29163 for ; Sun, 18 Oct 1998 12:41:30 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id NAA14612; Sun, 18 Oct 1998 13:41:02 -0600 (MDT)
Message-Id: <4.1.19981018133930.06ce1e90@mail.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Sun, 18 Oct 1998 13:39:50 -0600
To: Studded, "Jeffrey J. Mountin"
From: Brett Glass
Subject: Re: syslogd and syslog.conf (new feature)
Cc: security@FreeBSD.ORG
In-Reply-To: <362A365B.7B99B85C@dal.net>
References: <199810171855.NAA18114@set.spradley.tmi.net> <3.0.3.32.19981018011033.00fc17e8@207.227.119.2> <3.0.3.32.19981018065553.00f2eee0@207.227.119.2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What has been added to -stable since 2.2.7? Any fixes of special note?

--Brett

At 11:41 AM 10/18/98 -0700, Studded wrote:
> "Jeffrey J. Mountin" wrote:
> >
> > At 01:08 AM 10/18/98 -0700, Studded wrote:
> > > "Jeffrey J. Mountin" wrote:
> > > Start syslogd with the flags -vv
> >
> > Not in 2.2.7, but 3.0 has it.
>
> 2.2.7-Stable does, that's what I use. :)
> --
> *** Chief Operations Officer, DALnet IRC network ***
>
> Go PADRES!
From owner-freebsd-security Sun Oct 18 12:50:37 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA00832 for freebsd-security-outgoing; Sun, 18 Oct 1998 12:50:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA00813 for ; Sun, 18 Oct 1998 12:50:29 -0700 (PDT) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id OAA21121; Sun, 18 Oct 1998 14:50:07 -0500 (CDT)
Received: from luthien-51.isdn.mke.execpc.com(169.207.65.51) by peak.mountin.net via smap (V1.3) id sma021119; Sun Oct 18 14:50:03 1998
Message-Id: <3.0.3.32.19981018144922.00f25934@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sun, 18 Oct 1998 14:49:22 -0500
To: Studded
From: "Jeffrey J. Mountin"
Subject: Re: syslogd and syslog.conf (new feature)
Cc: security@FreeBSD.ORG
In-Reply-To: <362A365B.7B99B85C@dal.net>
References: <199810171855.NAA18114@set.spradley.tmi.net> <3.0.3.32.19981018011033.00fc17e8@207.227.119.2> <3.0.3.32.19981018065553.00f2eee0@207.227.119.2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:41 AM 10/18/98 -0700, Studded wrote:
> "Jeffrey J. Mountin" wrote:
> >
> > At 01:08 AM 10/18/98 -0700, Studded wrote:
> > > "Jeffrey J. Mountin" wrote:
> > > Start syslogd with the flags -vv
> >
> > Not in 2.2.7, but 3.0 has it.
>
> 2.2.7-Stable does, that's what I use. :)

Thought you would say that. Since the server isn't close, I've only
incorporated bug/security fixes.
Until I get a few more 'make [build|install]world's under my belt and a
-stable system at home.... Not fun driving 50 miles if something happens. :(

Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net

From owner-freebsd-security Mon Oct 19 03:38:10 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA18667 for freebsd-security-outgoing; Mon, 19 Oct 1998 03:38:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hotmail.com (f248.hotmail.com [207.82.251.139]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id DAA18662 for ; Mon, 19 Oct 1998 03:38:08 -0700 (PDT) (envelope-from madrapour@hotmail.com)
Received: (qmail 11611 invoked by uid 0); 19 Oct 1998 10:37:45 -0000
Message-ID: <19981019103745.11610.qmail@hotmail.com>
Received: from 208.218.169.84 by www.hotmail.com with HTTP; Mon, 19 Oct 1998 03:37:45 PDT
X-Originating-IP: [208.218.169.84]
From: "N. N.M"
To: andrew@squiz.co.nz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Again logging!
Content-Type: text/plain
Date: Mon, 19 Oct 1998 03:37:45 PDT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> inetd needs to be run with the '-l' flag. Restart it using this flag, and
> also put the flag into your rc.conf ( inetd_flags="-l" )
>
> Andrew
>

I had already done what you said. But it still doesn't work!
Do you have any idea about the problem?

Nazila N.
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-freebsd-security Mon Oct 19 05:49:01 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA01078 for freebsd-security-outgoing; Mon, 19 Oct 1998 05:49:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from carp.gbr.epa.gov (carp.gbr.epa.gov [204.46.159.110]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA01071 for ; Mon, 19 Oct 1998 05:48:59 -0700 (PDT) (envelope-from mjenkins@carp.gbr.epa.gov)
Received: (from mjenkins@localhost) by carp.gbr.epa.gov (8.8.8/8.8.8) id HAA07576; Mon, 19 Oct 1998 07:48:33 -0500 (CDT) (envelope-from mjenkins)
Date: Mon, 19 Oct 1998 07:48:33 -0500 (CDT)
From: Mike Jenkins
Message-Id: <199810191248.HAA07576@carp.gbr.epa.gov>
To: madrapour@hotmail.com
Subject: Re: Again logging!
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19981017133137.1623.qmail@hotmail.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 17 Oct 1998, "N. N.M" wrote:
> !inetd
> *.*	/var/log/inetd
>
> !tcpd
> *.*<tab>/var/log/tcpd

Make sure you only have TAB characters between the *.* and the log
filename. (I just copy and paste the ppp lines and then change the
names.) Also if you are using the ee editor use the -e switch which will
prevent expanding TABs to spaces. And notify syslogd with a HUP if you
modify /etc/syslog.conf.

Can you "logger -p lpr.info message" and get a message in
/var/log/messages? (Just verifying that syslogd is working.)
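The two mechanics under discussion, Brett's point that a log line keeps its fixed fields first and the free-text message last so a parser can stop splitting on spaces, and Mike's advice that a syslog.conf selector must be separated from its action by a tab and that a `!prog` block only catches messages carrying that program name, are easier to see in code. The following is an added example and is not part of Mike Jenkins's message, nor FreeBSD's syslogd source. It models only the syslog.conf subset the thread uses (`!prog` sections, `!*`, `facility.level` selectors with `*`, `none` and `;`, file actions) and treats a spaces-only separator as a dropped rule, which is the 2.2-era behaviour the thread describes. The configuration fragment and the log line are constructed; whether a tcpd-wrapped daemon logs under its own name (`telnetd`) or as `tcpd` is an assumption to confirm on the system with `syslogd -d`, as Nazila did.

```python
"""Model of how a BSD syslogd of the thread's era files a message.

Added example, not code from the thread or from FreeBSD.  Parses a
syslog.conf fragment, flags selector/action pairs separated by spaces
instead of the required tab, splits a logged line into fixed fields plus
trailing message, and reports which files a message would land in.
"""
import re

# Severity codes from <sys/syslog.h>; "fac.level" matches that level and
# everything numerically lower (more severe).
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "security",
              "console"] + ["local%d" % i for i in range(8)]


def parse_conf(text):
    """Return (rules, bad_lines).

    rules: (program or None, [(facilities, level), ...], action) in file
    order; program is None outside any "!prog" block ("!*" resets it).
    bad_lines: 1-based numbers of rules whose separator holds no tab.
    Those rules are dropped, the silent failure Mike warns about.
    """
    rules, bad_lines, program = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("!"):                 # program section header
            name = line[1:].strip()
            program = None if name == "*" else name
            continue
        m = re.match(r"^(\S+)([ \t]+)(\S.*)$", line)
        if m is None or "\t" not in m.group(2):
            bad_lines.append(lineno)
            continue
        selector, _, action = m.groups()
        pairs = []
        for part in selector.split(";"):
            facs, _, level = part.partition(".")
            pairs.append((facs, level))
        rules.append((program, pairs, action))
    return rules, bad_lines


def _priority_table(pairs):
    """Apply ';'-separated selectors left to right; a later selector
    overrides an earlier one for the same facility, so '*.notice;mail.none'
    silences mail entirely."""
    table = {}
    for facs, level in pairs:
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if level == "none":
                table.pop(fac, None)
            else:
                table[fac] = 7 if level == "*" else LEVELS[level]
    return table


def route(rules, program, facility, level):
    """Files a message would be written to; one message may hit several."""
    hits = []
    for rule_program, pairs, action in rules:
        if rule_program is not None and rule_program != program:
            continue                              # wrong !prog section
        table = _priority_table(pairs)
        if facility in table and LEVELS[level] <= table[facility]:
            hits.append(action)
    return hits


def parse_line(line):
    """Split a logged line as Brett describes: four fixed fields, then the
    free-text message, so split() stops after the fourth space.  The
    program name is what a '!prog' section is matched against."""
    month, day, clock, host, rest = line.split(None, 4)
    tag, _, message = rest.partition(": ")
    program = re.match(r"[^\[:]+", tag).group(0)    # strip "[pid]"
    return {"stamp": " ".join((month, day, clock)), "host": host,
            "program": program, "message": message}


# Constructed syslog.conf in the shape of the thread's.  \t is a real tab;
# the !tcpd rule deliberately uses spaces.
SAMPLE_CONF = (
    "*.notice;kern.debug;lpr.info;mail.crit\t/var/log/messages\n"
    "auth.info\t\t\t\t\t/var/log/auth.log\n"
    "!inetd\n"
    "*.*\t/var/log/inetd\n"
    "!tcpd\n"
    "*.*    /var/log/tcpd\n"
    "!*\n"
)
# Constructed line of the kind a wrapped telnetd writes (assumption: the
# daemon logs under its own name rather than "tcpd").
SAMPLE_LINE = "Oct 21 08:07:57 peak telnetd[2345]: connect from 169.207.64.179"


def demo():
    rules, bad = parse_conf(SAMPLE_CONF)
    who = parse_line(SAMPLE_LINE)["program"]
    return {"bad_lines": bad,
            "logger_test": route(rules, "logger", "lpr", "info"),
            "telnetd_auth_info": route(rules, who, "auth", "info"),
            "inetd_daemon_warning": route(rules, "inetd", "daemon", "warning")}


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Running it shows the three things the thread is circling: line 6 (the spaces-only `!tcpd` rule) is reported as bad and silently contributes nothing; Mike's `logger -p lpr.info` test lands in /var/log/messages, proving syslogd itself works; and a message tagged `telnetd` never reaches /var/log/inetd, because the `!inetd` block matches on the program name in the message, not on the daemon that spawned it.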
Mike

From owner-freebsd-security Mon Oct 19 09:07:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA18965 for freebsd-security-outgoing; Mon, 19 Oct 1998 09:07:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from po1.cert.org (po1.cert.org [192.88.209.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA18960 for ; Mon, 19 Oct 1998 09:07:17 -0700 (PDT) (envelope-from jjc@cert.org)
Received: from smtp.cert.org (smtp.cert.org [192.88.210.47]) by po1.cert.org (8.8.8/8.8.8) with ESMTP id MAA22916; Mon, 19 Oct 1998 12:04:48 -0400 (EDT)
Received: from unix1.cert.org (Jgxj1ULUA32EJPixy6x8yUtzl2oMfdhp@unix1.cert.org [192.88.210.35]) by smtp.cert.org (8.8.8/8.8.8) with ESMTP id MAA05164; Mon, 19 Oct 1998 12:04:37 -0400 (EDT)
Received: by unix1.cert.org (8.9.1/8.9.1) id MAA18105; Mon, 19 Oct 1998 12:04:37 -0400 (EDT)
Message-Id: <199810191604.MAA18105@unix1.cert.org>
From: "CERT(R) Coordination Center"
Reply-To: "CERT(R) Coordination Center"
Date: Mon, 19 Oct 98 11:47:08 EDT
To: Robert Watson
Cc: Darren Reed, grimace, security@FreeBSD.ORG, "CERT(R) Coordination Center", Brett Glass
Subject: INFO#98.35960 Re: Spoofed connections on port 13223??
References:
In-Reply-To: from Robert Watson on Tue, 13 Oct 1998 17:31:16 -0400 (EDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

Hello Robert,

> On Tue, 13 Oct 1998, Brett Glass wrote:
> > CERT? Don't bother. They'll respond several months after it's too late
> > and say, "Oh, dear."

Because of the high volume of incidents we receive (now averaging about
100 per week) and the number of people we have dedicated to incident
response, it is not possible for us to provide personal guidance to every
site reporting incidents to us as we did in the early years of CERT.
The benefit in reporting incidents to us is for us to understand the
current activity. This has direct impact on the issuing of advisories and
other documents. We are working to produce more documents because our
release of a document benefits a significantly larger number of people and
sites than spending the equivalent amount of time helping a single site.

We do assist sites directly when large incidents occur especially if they
threaten the Internet infrastructure, if new types of attacks are
involved, if people's lives are at risk, etc.

We also encourage and assist in the formation of new incident response
teams. Being a constituent of a response team with a focused constituency
allows you to have a response team that can meet your specific needs.

> This does not seem to meet with the experiences I have had with CERT.
> Last year someone attempted to attack one of my machines by corrupting DNS
> cache entries on a caching name server at another location -- when I
> reported this to CERT, they called me that evening and offered to manage
> communications between me and the other site being spoofed, etc. While
> they did not offer much in the way of technical advice, this was not a
> problem as I am fairly experienced in this area. My only real problem
> with the CERT process is their incredibly long form that must be submitted
> by email. It is inappropriate for use (or was last time I looked) in
> situations where more than one machine might be involved, or in situations
> where there is an ongoing attack but no successful breakin. A more
> flexible (and simple) form would go a long way. I am certain that there
> are far fewer reports to CERT because of the complexity of the reporting
> process.

We are in the process of developing several new reporting mechanisms,
including a shorter incident reporting form. However, it is not necessary
to use the reporting form to report an incident to us. Sending an email
message to us with the relevant information is sufficient.
Regards,

jeff

- ---
Jeffrey J. Carpenter
Technical Coordinator
_____________________________________________________________________________
CERT* Coordination Center        | Internet E-mail: cert@cert.org
Software Engineering Institute   | Telephone: +1 412 268-7090 24-hour hotline
Carnegie Mellon University       |   Answered by CERT, 8:30-17:00 EDT (GMT-4)
Pittsburgh, PA 15213-3890        |   On call for emergencies, 24 hours/day.
- -----------------------------------------------------------------------------
*Registered U.S. Patent and Trademark Office.
The Software Engineering Institute is sponsored by the U.S. Department of Defense.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNitjEnVP+x0t4w7BAQETPgQAmmWIn/d2LXubgf0kr29UqNME1i65APmO
4GgPv2wlT8IOHP06trdXEFlxjF6VqzTr8J5B1go1AyzxKYgym91nMLEyGhPJIPc0
oRzeJxlX6AnAiQZn9ckKQxFXGZrpKJmvGZYAHzLt6QSPLUT6CzxzwTJpCSx3M26v
dGLg7Rd6LXc=
=3z5q
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Oct 21 01:00:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA27527 for freebsd-security-outgoing; Wed, 21 Oct 1998 01:00:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hotmail.com (f253.hotmail.com [207.82.251.144]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id BAA27520 for ; Wed, 21 Oct 1998 01:00:37 -0700 (PDT) (envelope-from madrapour@hotmail.com)
Received: (qmail 12545 invoked by uid 0); 21 Oct 1998 08:00:10 -0000
Message-ID: <19981021080010.12544.qmail@hotmail.com>
Received: from 208.218.169.84 by www.hotmail.com with HTTP; Wed, 21 Oct 1998 01:00:10 PDT
X-Originating-IP: [208.218.169.84]
From: "N. N.M"
To: mjenkins@carp.gbr.epa.gov
Cc: andrew@squiz.co.nz, freebsd-security@FreeBSD.ORG
Subject: Re: Again logging!
Content-Type: text/plain
Date: Wed, 21 Oct 1998 01:00:10 PDT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

> Make sure you only have TAB characters between the *.* and the log filename.

I'm sure about it. You know, all of these discussions on TABS and SPACES
in this mailing list started when I had some problems with my
syslogd.conf (you see, I've had some problems with logging for a long
time!!!) and sent a mail there. Then someone kindly notified me about the
difference between spaces and tabs!

> Can you "logger -p lpr.info message" and get a message in /var/log/messages?
> (Just verifying that syslogd is working.)

Yes, it works. I also used the syslogd with switch -d (debug mode); as
it (syslogd -d) works, it mentions whenever it logs something, and it
doesn't log anything related to TELNET or FTP to "inetd.log" (the file
is supposed to log the inetd-related matters).

Thanks,
Nazila N.

From owner-freebsd-security Wed Oct 21 06:12:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA13827 for freebsd-security-outgoing; Wed, 21 Oct 1998 06:12:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA13676 for ; Wed, 21 Oct 1998 06:12:51 -0700 (PDT) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id IAA20829; Wed, 21 Oct 1998 08:12:26 -0500 (CDT)
Received: from harkol-51.isdn.mke.execpc.com(169.207.64.179) by peak.mountin.net via smap (V1.3) id sma020824; Wed Oct 21 08:11:57 1998
Message-Id: <3.0.3.32.19981021080757.010c7324@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM
 Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 21 Oct 1998 08:07:57 -0500
To: "N. N.M"
From: "Jeffrey J. Mountin"
Subject: Re: Again logging!
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19981021080010.12544.qmail@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:00 AM 10/21/98 PDT, N. N.M wrote:
> I'm sure about it. You know, all of these discussions on TABS and SPACES
> in this mailing list, started when I had some problems with my
> syslogd.conf (you see, I've had some problems with logging for a long
> time!!!) and sent a mail there. Then someone kindly noticed me about the
> difference between spaces and tabs!

vi syslog.conf
/ pattern not found?

Surely you are certain. ;)

Looking back on the thread you make no mention of what version or any
other details; maybe that will help.

Maybe a long shot, but compare the /usr/sbin/syslogd to the one on the
2nd CD. Is it possible the system was compromised? Not likely, but twice
I have been panicked and, not taking it for granted, did an audit. To my
relief and chagrin, both times were pilot error. Still, I've done enough
audits to not make light of the possibility.

Or something corrupted; do you have other servers set up in a similar
fashion?

> > Can you "logger -p lpr.info message" and get a message in
> > /var/log/messages?
> > (Just verifying that syslogd is working.)
>
> Yes, it works. I also used the syslogd with switch -d (debug mode), as
> it (syslogd -d) works, it mentions whenever it logs something, it
> doesn't log anything realted to TELNET or FTP to "inetd.log" (the files
> is supposed to log the inetd-related matters).

You tried 'logger -p (telnet|ftp).info' too?

Distribution ftpd?
Your inetd.conf has entries like:

ftp     stream  tcp     nowait  root    /usr/local/libexec/tcpd  /usr/libexec/ftpd -l
telnet  stream  tcp     nowait  root    /usr/local/libexec/tcpd  /usr/libexec/telnetd -h

The /usr/local/etc/hosts.(allow|deny) has:

ftpd:
telnetd:

Have you tried the following in inetd.conf:

auth.*	/path/to/inetd.log

And inetd.log is at least mode 600 owned by root.

If all this checks out, my preference would be to wipe the system and
start over again. This may not be an option, but is worth considering.

luck!

Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net

From owner-freebsd-security Wed Oct 21 06:35:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA17576 for freebsd-security-outgoing; Wed, 21 Oct 1998 06:35:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA17569 for ; Wed, 21 Oct 1998 06:35:23 -0700 (PDT) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id HAA20783; Wed, 21 Oct 1998 07:53:56 -0500 (CDT)
Received: from harkol-51.isdn.mke.execpc.com(169.207.64.179) by peak.mountin.net via smap (V1.3) id sma020777; Wed Oct 21 07:53:30 1998
Message-Id: <3.0.3.32.19981021074931.010c36dc@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 21 Oct 1998 07:49:31 -0500
To: Cy Schubert - ITSD Open Systems Group
From: "Jeffrey J. Mountin"
Subject: Re: Again logging!
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199810151357.GAA06509@cwsys.cwsent.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:57 AM 10/15/98 -0700, Cy Schubert - ITSD Open Systems Group wrote:
> Or you could configure tcpd to log to a file instead of syslog, though
> I wouldn't recommend it. (I know many sysadmins who do).

If the thought here was to "hide" the log, they would do better to hide
tcpd from ps et al. Obscurity method?

Better to have a highly secured system taking in the logs and work from
there. It should alarm if they stop coming too.

> I especially like Mike Jenkins' comment. An excellent suggestion.

Agreed. Only used that method on a few servers with just too many daemons
and not enough LOCAL's.

> I've noticed that the ports, some in particular, have become quite
> configurable. Yet another opportunity...

How so?

Usually I either mod the patch or 'make patch' and tweak the source. Both
are just a slight hassle, but it seems more correct to change the Makefile
or make.conf, which I just happened to do for Apache, since the default
structure to me is unwanted. For tcpd it's only one in patch-aa. Sshd
needs a quick change in the config file, and my first use of the popper
port had me recompiling 2 custom daemons, so as to avoid changes.

Overall, once you get used to the assumptions the ports are good, but one
really should follow the changes and make sure that they meet your needs.
Turning on every single bell and whistle in Apache didn't seem sensible,
but then knowing what is needed and the fact it doesn't clobber existing
files. 8-)

Still, it can be an opportunity to shoot yourself, especially when you've
developed certain habits over the years of rolling your own.
Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net

From owner-freebsd-security Wed Oct 21 07:11:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA22258 for freebsd-security-outgoing; Wed, 21 Oct 1998 07:11:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA22253 for ; Wed, 21 Oct 1998 07:11:39 -0700 (PDT) (envelope-from cschuber@passer.osg.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id HAA14866; Wed, 21 Oct 1998 07:11:05 -0700 (PDT)
Message-Id: <199810211411.HAA14866@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdy14857; Wed Oct 21 07:10:13 1998
Reply-to: Cy Schubert - ITSD Open Systems Group
X-Mailer: MH
X-Sender: cschuber
To: "Jeffrey J. Mountin"
cc: Cy Schubert - ITSD Open Systems Group, freebsd-security@FreeBSD.ORG
Subject: Re: Again logging!
In-reply-to: Your message of "Wed, 21 Oct 1998 07:49:31 CDT." <3.0.3.32.19981021074931.010c36dc@207.227.119.2>
Date: Wed, 21 Oct 1998 07:10:13 -0700
From: Cy Schubert
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <3.0.3.32.19981021074931.010c36dc@207.227.119.2>, "Jeffrey J. Mountin" writes:
> At 06:57 AM 10/15/98 -0700, Cy Schubert - ITSD Open Systems Group wrote:
> > Or you could configure tcpd to log to a file instead of syslog, though
> > I wouldn't recommend it. (I know many sysadmins who do).
>
> If the tought here was to "hide" the log, they would do better to hide tcpd
> from ps et all. Obscurity method?

Some people like to have independent logs. If so, why hack syslogd?
Why use the scarce LOCAL syslogd resource if there are other ways? Have the
daemon write to its own log or better yet Mike Jenkins' comment about
!daemon_name in syslog.conf would be a better suggestion.

> Better to have a highly secured system taking in the logs and work from
> there. It should alarm if they stop coming too.
>
> >I especially like Mike Jenkins' comment. An excellent suggestion.
>
> Agreed. Only used that method on a few servers with just too many daemons
> and not enough LOCALs.
>
> >I've noticed that the ports, some in particular, have become quite
> >configurable. Yet another opportunity...
>
> How so?
>
> Usually I either mod the patch or 'make patch' and tweak the source. Both
> are just a slight hassle, but it seems more correct to change the Makefile
> or make.conf, which I just happened to do for Apache, since the default
> structure to me is unwanted. For tcpd it's only one in patch-aa. Sshd
> needs a quick change in the config file, and my first use of the popper
> port had me recompiling 2 custom daemons, so as to avoid changes.

Been there, done that. My suggestion was that since the ports are becoming
more configurable, e.g. $KRB5_HOME, why not use the same concept and set up
an environment variable that defines where the logs go and what syslog
facility a particular port is to use? For example if someone likes to use
local1.info for tcpd logs, then define that in make.conf or make.conf.local?

At the site that I work at syslog locals are a scarce resource. A number of
vendor products use local; and we have a locally written application & a
Remedy front end on each machine that use two of the local facilities.
Software that arbitrarily uses a local syslog facility is a pain.

** ... And no, I am not suggesting that FreeBSD's syslogd support more local
facilities.
In a heterogeneous environment like ours (FreeBSD, Linux, Solaris 1 & 2, DEC
UNIX, AIX, NCR SYSVR4, DG/UX, and HP-UX) local0-7 is all we can use, and
beating up on the vendors to add a feature or enhance a product is a futile
exercise.

> Overall once you get used to the assumptions the ports are good, but one
> really should follow the changes and make sure that they meet your needs.
> Turning on every single bell and whistle in Apache didn't seem sensible,
> but then knowing what is needed and the fact it doesn't clobber existing
> files. 8-)
>
> Still it can be an opportunity to shoot yourself, especially when you've
> developed certain habits over the years of rolling your own.
>
>
> Jeff Mountin - Unix Systems TCP/IP networking
> jeff@mountin.net

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Open Systems Group              Internet:  cschuber@uumail.gov.bc.ca
ITSD                                       Cy.Schubert@gems8.gov.bc.ca
Government of BC

From owner-freebsd-security Wed Oct 21 11:24:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA19768 for freebsd-security-outgoing; Wed, 21 Oct 1998 11:24:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from bagira.iit.bme.hu (bagira.iit.bme.hu [152.66.241.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA19758 for ; Wed, 21 Oct 1998 11:24:43 -0700 (PDT) (envelope-from mohacsi@bagira.iit.bme.hu)
Received: from localhost (mohacsi@localhost) by bagira.iit.bme.hu (8.9.0.Beta5/8.9.0.Beta3+BME-IIT) with SMTP id UAA22361 for ; Wed, 21 Oct 1998 20:24:07 +0200 (MET DST)
Date: Wed, 21 Oct 1998 20:24:05 +0200 (MET DST)
From: Janos Mohacsi
To: security@FreeBSD.ORG
Subject: login/shell/ftp/e-mail policy
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Sirs,
What is the
policy to use in FreeBSD for logins? Which shells should I use for
different sets of users?

I have the following scheme:

                                         login   ftp   email(pop,imap)
ordinary shells (sh,csh,bash,tcsh):        +      +          +
nologin (I have put it in /etc/shells):    -      +          +
/bin/false                                 -      -          +
nonexistent                                -      -          -

Is it good, or do you have another scheme? To be able to get this scheme
to work (for a less trained person) I had to change the adduser script.
(Of course I can deny some users ftp access via /etc/ftpusers, and pop
access via /etc/noauthfile.)

Any comments are welcome,

Janos Mohacsi

From owner-freebsd-security Wed Oct 21 11:25:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA19975 for freebsd-security-outgoing; Wed, 21 Oct 1998 11:25:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from isr3277.urh.uiuc.edu (isr3277.urh.uiuc.edu [130.126.65.13]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id LAA19958 for ; Wed, 21 Oct 1998 11:25:41 -0700 (PDT) (envelope-from ftobin@bigfoot.com)
Received: (qmail 11446 invoked by uid 1000); 21 Oct 1998 18:23:46 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 21 Oct 1998 18:23:46 -0000
Date: Wed, 21 Oct 1998 13:23:24 -0500 (CDT)
From: Frank Tobin
X-Sender: ftobin@isr3277.urh.uiuc.edu
To: security@FreeBSD.ORG
Subject: SKIP
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From the looks of it and documentation of it, SKIP seems to be a very nice
secure-communications program; however, I'm having a lot of difficulty
getting it to communicate with other machines. Here's a summary of what
I've done and attempted:

- Installed via the port's Makefile.
- Verified skipd is starting up okay, a public and secret key exists.
- Added a SKIP-secure host in the authorized list (via skiptool).
- Attempted connections via ping, and failed.
- Transferred public keys manually to each machine; connections still
  failed.

- /var/log/messages has lines such as:

  Oct 20 21:28:44 isr3277 skipd: sending CDP request for nsid=1 mkid=c7588652 to 199.88.134.82
  Oct 20 21:28:44 isr3277 skipd: IP 199.88.134.82:1640 action=getfail nsid=1 mkid=c7588652 cert=NULL : response=getfail
  Oct 20 21:28:49 isr3277 skipd: NOCERT: kernel query nsid=1 mkid=c7588652

  *Note* the above logs were after attempting to communicate with a
  machine I had _not_ transferred public keys with manually. I don't have
  the logs that say what happened with the machine I did transfer keys
  with.

- SKIP _does_ deny the disallowed hosts.

All of this was reciprocally done on two other remote machines to test
with (e.g., SKIP was set up in the same manner on the other machine I was
attempting to connect with).

I've read through all of the documentation, especially the sections that
deal with 'Why isn't it working?' to no avail. I've tried everything (I
think). This looks like a lovely program, one I'd really like to get
working, and _any_ help such as noting common pitfalls when setting it up
would be extremely appreciated.

--

Frank Tobin                       "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin     valued, those truths which cannot be
                                   shaken or changed."
                                   Myst: The Book of Atrus
FreeBSD: The Power To Serve

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBNi4YnAL4UDr0DrZeEQKkbgCfXXkETrE+leRXkaOPr75toKOUGLsAoPad
YFsYw0O2og7yDxfD02IlWOWQ
=BJil
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Oct 21 12:35:31 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA29175 for freebsd-security-outgoing; Wed, 21 Oct 1998 12:35:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA29169 for ; Wed, 21 Oct 1998 12:35:29 -0700 (PDT) (envelope-from jflowers@ezo.net)
Received: from ivy.ezo.net (ivy.ezo.net [206.150.211.171]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id PAA09860; Wed, 21 Oct 1998 15:34:49 -0400 (EDT)
Message-ID: <005301bdfd2a$f58611e0$abd396ce@ivy.ezo.net>
From: "Jim Flowers"
To: "Frank Tobin"
Cc:
Subject: Re: SKIP
Date: Wed, 21 Oct 1998 15:42:37 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There are a number of possibilities. Make sure the times of the two
machines are synched. Are you using UDH keys?

One technique I have found quite useful is to do a 'skiplocal export >
/tmp/add_remote' on each host which generates a shell script. Then ftp them
to the opposite host and run it 'sh /tmp/add_remote', all before turning
skip on with 'skiphost -o on'. This is particularly useful when setting up
tunnels although you have to edit the script. I just use the examples from
the manual pages as a template.
Good idea to do a 'skiphost -a default' while you're getting the feel of it
to eliminate side issues. Use tcpdump host skiphost.machine.name on another
virtual console to see what's going on.

Another thing to watch. Both keys must be the same length and the NSID must
be correct (8 if you're using UDH). If you generate multiple keys, you may
not be using the one you think you are. Skiplocal export will tell you what
it thinks the default is (it's in slot 0).

Also, the update of the certificate database can be non-intuitive. Do a
skipdb_restart when it doesn't work and you think it should.

Good luck and stay with it. Skip on FreeBSD is very robust and once you get
the hang of it, very capable. Got one VPN up almost a year now. Archie
Cobbs' port is great and it sounds like you got through the whole thing
correctly.

From owner-freebsd-security Wed Oct 21 13:49:10 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA08980 for freebsd-security-outgoing; Wed, 21 Oct 1998 13:49:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA08971 for ; Wed, 21 Oct 1998 13:49:08 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id NAA29918; Wed, 21 Oct 1998 13:47:56 -0700 (PDT)
Received: from utah.XYLAN.COM by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id NAA18479; Wed, 21 Oct 1998 13:47:56 -0700
Received: from softweyr.com by utah.XYLAN.COM (SMI-8.6/SMI-SVR4 (xylan utah [SPOOL])) id OAA20203; Wed, 21 Oct 1998 14:47:54 -0600
Message-ID: <362E487A.30EFDE31@softweyr.com>
Date: Wed, 21 Oct 1998 14:47:54 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.07 [en] (X11; I; FreeBSD 2.2.6-RELEASE i386)
MIME-Version: 1.0
To: Janos Mohacsi
CC: security@FreeBSD.ORG
Subject: Re: login/shell/ftp/e-mail policy
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Janos Mohacsi wrote:
>
> Dear Sirs,
> What is the policy to use in FreeBSD for logins? Which
> shells should I use for different sets of users?
>
> I have the following scheme:
>                                          login   ftp   email(pop,imap)
> ordinary shells (sh,csh,bash,tcsh):        +      +          +
> nologin (I have put it in /etc/shells):    -      +          +

You don't want to put nologin in /etc/shells; some user may accidentally
select it with chsh. This also blocks ftp logins when using /etc/nologin.

We had a discussion about this not long ago; none of the current email
servers seem to check /etc/shells, but they should. This could be handled
with a FreeBSD-specific patch in the ports collection, or by contributing
the code to do so back to the maintainer of the server.

I've just looked through a couple of servers, and found that the much
maligned qpopper DOES validate shells using getusershell(3). imap-uw has
support for login classes, and seems to use classes auth-imap and auth-pop3
for authenticating users, based on their connection protocol. I don't know
if the FreeBSD imap-uw is currently using the login class support or not,
but if not, it certainly should be. This is the ideal way to handle
controlling logins, not with hacks like special shells. (Even if you use my
nologin program. ;^)

--
Where am I, and what am I doing in this handbasket?
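An added example, not code from this thread nor from qpopper or ftpd: the getusershell(3) shell validation Wes describes, applied to the four account kinds in Janos' table. The function name, the sample list and the struct are this example's own; it consults the real /etc/shells of the host it runs on, so the "nologin" row comes out "accepted" only if that file lists it.

```c
/*
 * Added example: the /etc/shells check that qpopper (per Wes) and ftpd
 * perform via getusershell(3).  Names below are this example's own; the
 * shell list consulted is the real /etc/shells of the host running it.
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Prototypes in case a strict -std=cXX build hides the BSD declarations. */
extern char *getusershell(void);
extern void  setusershell(void);
extern void  endusershell(void);

/*
 * Return 1 if pw_shell is an approved login shell, 0 otherwise.
 * getusershell(3) walks /etc/shells; when the file is absent it yields
 * libc's built-in default list (/bin/sh and /bin/csh), so the check does
 * not fail open.  An empty pw_shell field means /bin/sh, the convention
 * login(1) and ftpd(8) apply before they run the same comparison.
 */
int shell_is_valid(const char *pw_shell)
{
    const char *s;
    int found = 0;

    if (pw_shell == NULL || *pw_shell == '\0')
        pw_shell = "/bin/sh";

    setusershell();                       /* rewind to the first entry */
    while ((s = getusershell()) != NULL) {
        if (strcmp(s, pw_shell) == 0) {   /* exact path match, as ftpd does */
            found = 1;
            break;
        }
    }
    endusershell();                       /* close /etc/shells */
    return found;
}

/* The four account kinds from Janos' table, as constructed sample data. */
struct sample {
    const char *label;
    const char *pw_shell;
};

const struct sample SAMPLES[] = {
    { "ordinary shell", "/bin/sh"       },
    { "nologin",        "/sbin/nologin" },
    { "/bin/false",     "/bin/false"    },
    { "nonexistent",    "/nonexistent"  },
};

/*
 * Show how a daemon that validates shells would treat each account.  The
 * "nologin" verdict depends solely on whether the local /etc/shells lists
 * it, which is exactly why Wes objects to putting it there.
 */
int main(void)
{
    size_t i;

    for (i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        printf("%-16s %-14s -> %s\n", SAMPLES[i].label, SAMPLES[i].pw_shell,
               shell_is_valid(SAMPLES[i].pw_shell) ? "accepted" : "refused");
    }
    return 0;
}
```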
Wes Peters                                        +1.801.915.2061
Softweyr LLC                                      wes@softweyr.com

From owner-freebsd-security Thu Oct 22 06:16:01 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA29340 for freebsd-security-outgoing; Thu, 22 Oct 1998 06:16:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Mercury.unix.acs.cc.unt.edu (mercury.acs.unt.edu [129.120.220.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA29315 for ; Thu, 22 Oct 1998 06:15:59 -0700 (PDT) (envelope-from john@unt.edu)
Received: from leonardo.cascss.unt.edu (leonardo.cascss.unt.edu [129.120.32.203]) by Mercury.unix.acs.cc.unt.edu (8.8.8/8.8.8) with ESMTP id IAA00754 for ; Thu, 22 Oct 1998 08:15:26 -0500 (CDT)
Received: (from john@localhost) by leonardo.cascss.unt.edu (8.8.8/8.6.9) id IAA04777 for freebsd-security@freebsd.org; Thu, 22 Oct 1998 08:14:17 -0500 (CDT)
From: john
Message-Id: <199810221314.IAA04777@leonardo.cascss.unt.edu>
Subject: FrontPage Server Extensions
To: freebsd-security@FreeBSD.ORG
Date: Thu, 22 Oct 1998 08:14:17 -0500 (CDT)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Does anyone know of any glaring security holes on a FreeBSD system (we're
currently at 2.2.6-Stable) that has the Microsoft FrontPage Server
Extensions installed? I've heard it wreaks havoc on ownership/permissions
of some files. Any ideas/comments are welcome.
----------------------------------------------
John Booth
Computer Support Specialist
University of North Texas
Arts & Sciences Computing Services
phone: (940)565-4498, campus extension 4498
Internet: john@unt.edu
GroupWise: cas.po7.john

From owner-freebsd-security Thu Oct 22 09:30:11 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA17277 for freebsd-security-outgoing; Thu, 22 Oct 1998 09:30:11 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cyclops.xtra.co.nz (cyclops.xtra.co.nz [202.27.184.96]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA17243 for ; Thu, 22 Oct 1998 09:30:07 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker (210-55-210-87.ipnets.xtra.co.nz [210.55.210.87]) by cyclops.xtra.co.nz (8.9.1/8.9.1) with SMTP id FAA27065 for ; Fri, 23 Oct 1998 05:29:37 +1300 (NZDT)
Message-Id: <199810221629.FAA27065@cyclops.xtra.co.nz>
From: "Dan Langille"
Organization: DVL Software Limited
To: freebsd-security@FreeBSD.ORG
Date: Fri, 23 Oct 1998 05:29:47 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: default rules in rc.firewall cause problem
Reply-to: junkmale@xtra.co.nz
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've been setting up a firewall using the open model supplied in
/etc/rc.firewall as the basis of our security. I've found that one of the
rules, designed to "# Stop RFC1918 nets on the outside interface" does not
seem to be very useful, at least in my situation. The rule in question is:

    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

The subnet is within the 192.168.*.* range. ed1 is the subnet, and ed0 is
the ISP.
In order for any traffic to get outside, I need to modify the above rule to:

    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

Does this make sense? I suspect the other rules will exhibit the same
characteristics with their respective subnets.

--
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com

From owner-freebsd-security Thu Oct 22 10:01:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA21315 for freebsd-security-outgoing; Thu, 22 Oct 1998 10:01:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from accessone.com (blaze.accessone.com [198.68.191.19]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA21308; Thu, 22 Oct 1998 10:01:03 -0700 (PDT) (envelope-from chadth@atvideo.com)
Received: from scan.atvideo.com (root@scan.atvideo.com [204.118.35.14]) by accessone.com (8.8.5/8.8.5/PIH) with ESMTP id KAA15239; Thu, 22 Oct 1998 10:00:30 -0700 (PDT)
Received: from tarn ([204.118.35.239]) by scan.atvideo.com (8.9.1/8.8.5) with SMTP id KAA05218; Thu, 22 Oct 1998 10:04:11 -0400
From: "Chad Thunberg"
To: ,
Subject: firewall + internal mail server
Date: Thu, 22 Oct 1998 10:05:08 -0700
Message-ID: <000501bdfdde$1f5f53b0$ef2376cc@tarn.atvideo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
In-Reply-To: <199810221629.FAA27065@cyclops.xtra.co.nz>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am setting up a firewall and enabled natd but have an internal mail
server.
Is there a way to still be able to access the internal mail server from
the outside for sending and receiving email? I thought about giving the
firewall a vhost of mail.host.com and diverting packets that came in from
110 and 25 to the internal mail server but from the man pages, divert
seems to be used for diverting packets from one port to another on the
same machine instead of diverting them to a new or internal ip. Any help
on the subject would be great. I would rather not put the mail server
outside of the firewall.

Thanks,
-Chad

From owner-freebsd-security Thu Oct 22 10:02:10 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA21700 for freebsd-security-outgoing; Thu, 22 Oct 1998 10:02:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA21683 for ; Thu, 22 Oct 1998 10:02:07 -0700 (PDT) (envelope-from freebsd@deepwell.com)
Received: (qmail 13378 invoked from network); 22 Oct 1998 17:26:57 -0000
Received: from terry.dcomm.net (HELO terry) (209.63.174.33) by deepwell.com with SMTP; 22 Oct 1998 17:26:57 -0000
Message-Id: <4.1.0.67.19981022093228.009d4450@mail1.dcomm.net>
X-Sender: freebsd@mail.deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.67 (Beta)
Date: Thu, 22 Oct 1998 09:44:46 -0700
To: freebsd-security@FreeBSD.ORG
From: Deepwell Internet
Subject: Re: FrontPage Server Extensions
In-Reply-To: <199810221314.IAA04777@leonardo.cascss.unt.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm in EXACTLY the same position. We run an ISP where our primary web
server is a FreeBSD 2.2.6 box.
If someone requests to use frontpage I have to go through the
point-and-click hell of adding them into the NT server (Add a user into
the domain, create a new folder, add them into IIS with both a website and
an FTP account). This just turns into hell.

I've been seriously thinking about installing the frontpage extensions,
but I'm a little wary since this is a Stronghold secure webserver. People
around the office have been saying that the FP extensions are insecure and
buggy, but no one can point to any real examples.

From owner-freebsd-security Thu Oct 22 10:02:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA21724 for freebsd-security-outgoing; Thu, 22 Oct 1998 10:02:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from antioche.lip6.fr (antioche.lip6.fr [132.227.61.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA21699 for ; Thu, 22 Oct 1998 10:02:10 -0700 (PDT) (envelope-from bouyer@antioche.lip6.fr)
Received: from antifer.ipv6.lip6.fr (antifer.ipv6.lip6.fr [132.227.72.132]) by antioche.lip6.fr (8.8.8/8.8.5) with ESMTP id TAA07300; Thu, 22 Oct 1998 19:01:35 +0200 (MEST)
Received: (bouyer@localhost) by
antifer.ipv6.lip6.fr (8.8.8/8.6.4) id TAA12313; Thu, 22 Oct 1998 19:01:35 +0200 (MEST)
Message-ID: <19981022190135.02835@antioche.lip6.fr>
Date: Thu, 22 Oct 1998 19:01:35 +0200
From: Manuel Bouyer
To: john
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions
References: <199810221314.IAA04777@leonardo.cascss.unt.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.76e
In-Reply-To: <199810221314.IAA04777@leonardo.cascss.unt.edu>; from john on Thu, Oct 22, 1998 at 08:14:17AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Oct 22, john wrote
> Does anyone know of any glaring security holes on a FreeBSD
> system (we're currently at 2.2.6-Stable) that has the Microsoft
> FrontPage Server Extensions installed? I've heard it wreaks
> havoc on ownership/permissions of some files. Any ideas/comments
> are welcome.
>

Also, the last time I looked at it, it needed to be suid root (or at least
some parts). I don't trust microsoft enough.

--
Manuel Bouyer, LIP6, Universite Paris VI.
Manuel.Bouyer@lip6.fr
--

From owner-freebsd-security Thu Oct 22 10:34:08 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA26730 for freebsd-security-outgoing; Thu, 22 Oct 1998 10:34:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA26718 for ; Thu, 22 Oct 1998 10:34:03 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id NAA04207; Thu, 22 Oct 1998 13:32:56 -0400 (EDT)
Date: Thu, 22 Oct 1998 13:32:56 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Deepwell Internet
cc: freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions
In-Reply-To: <4.1.0.67.19981022093228.009d4450@mail1.dcomm.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Oct 1998, Deepwell Internet wrote:

> I'm in EXACTLY the same position. We run an ISP where our primary web
> server is a FreeBSD 2.2.6 box. If someone requests to use frontpage I have
> to go through the point-and-click hell of adding them into the NT server
> (Add a user into the domain, create a new folder, add them into IIS with
> both a website and an FTP account). This just turns into hell.
>
> I've been seriously thinking about installing the frontpage extensions, but
> I'm a little wary since this is a Stronghold secure webserver. People
> around the office have been saying that the FP extensions are insecure and
> buggy, but no one can point to any real examples.

At SafePort, we have some BSD/OS machines, and the same problem.
We would far rather run UNIX than NT -- it's more manageable, customizable,
secure, etc. However, we have lots of customers asking for FPE now. I
thought about trying to reverse-engineer, but I don't have the time. I
wonder if anyone on the Apache project, etc, has looked at doing this? The
security issues with the MS product are a real concern, and we have been
losing a few customers because we are reluctant to install a known problem
on our servers.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Thu Oct 22 11:20:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA03429 for freebsd-security-outgoing; Thu, 22 Oct 1998 11:20:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from picasso.tellique.de (big-gw.tellique.de [195.126.133.179]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA03408; Thu, 22 Oct 1998 11:20:35 -0700 (PDT) (envelope-from ni@tellique.de)
Received: from tellique.de (nolde.tellique.de [62.144.106.52]) by picasso.tellique.de (8.8.8/8.8.8) with ESMTP id UAA23321; Thu, 22 Oct 1998 20:19:39 +0200 (MET DST)
Message-ID: <362F773A.AB9F196B@tellique.de>
Date: Thu, 22 Oct 1998 20:19:38 +0200
From: Juergen Nickelsen
Organization: Tellique Kommunikationstechnik GmbH
X-Mailer: Mozilla 4.07 [en] (WinNT; U)
MIME-Version: 1.0
To: Chad Thunberg
CC: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: firewall + internal mail server
References: <000501bdfdde$1f5f53b0$ef2376cc@tarn.atvideo.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Chad Thunberg wrote:

> I am setting up a firewall and enabled natd but have an internal
> mail server. Is there a way to still be able to access the internal
> mail server from the outside for sending and receiving email?
[...]
> I would rather not put the mail server outside of the firewall.

Sure. What about putting a mail server for incoming mail on the firewall
host itself?

In a similar setup, I wanted the "real" mail server to be inaccessible from
the outside at all, because it contains critical data (e-mail being only
part of it). I use the firewall host (running FreeBSD) as the external mail
server, but it only forwards the mail to the internal mail server.(*) The
firewall also acts as FTP and WWW server, but since the mail resides only
for seconds on it, the risk is minimized. The internal mail server is able
to go outside through the firewall to deliver mail.

(*) Time being a scarce resource, I do this at the moment with an alias
entry for each internal mail address on the firewall host ("ni:
ni@picasso.tellique.de"), so I didn't have to change the sendmail
configuration from the default. As we are just a few people here yet, this
is bearable, but for a long-term solution I'll have to work out a sendmail
configuration where the mail exchanger for the domain delivers the mail to
a non-MX. I am sure there is a simple way, but I don't know it yet.

Greetings, Juergen.

--
Juergen Nickelsen
Tellique Kommunikationstechnik GmbH
Gustav-Meyer-Allee 25, 13355 Berlin, Germany
Tel. +49 30 46307-552 / Fax +49 30 46307-579

From owner-freebsd-security Thu Oct 22 11:34:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA06131 for freebsd-security-outgoing; Thu, 22 Oct 1998 11:34:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA06122 for ; Thu, 22 Oct 1998 11:34:13 -0700 (PDT) (envelope-from marcs@znep.com)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.9.1a/8.9.1) with UUCP id MAA03335; Thu, 22 Oct 1998 12:33:35 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with ESMTP id LAA10537; Thu, 22 Oct 1998 11:33:55 -0700 (PDT)
Date: Thu, 22 Oct 1998 11:33:55 -0700 (PDT)
From: Marc Slemko
To: Manuel Bouyer
cc: freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions
In-Reply-To: <19981022190135.02835@antioche.lip6.fr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Oct 1998, Manuel Bouyer wrote:

> On Oct 22, john wrote
> > Does anyone know of any glaring security holes on a FreeBSD
> > system (we're currently at 2.2.6-Stable) that has the Microsoft
> > FrontPage Server Extensions installed? I've heard it wreaks
> > havoc on ownership/permissions of some files. Any ideas/comments
> > are welcome.
> >
>
> Also, the last time I looked at it, it needed to be suid root (or at
> least some parts). I don't trust microsoft enough.

You have source to the part that is setuid. Originally, when they first
came out with the setuid bit, it gave anyone almost instant root. Now it
is better. There are no obvious insecurities in the wrapper.
The issues now revolve around their installation procedure and ensuring everything is properly configured, plus the very poor manner in which it uses and requires configuration, and the fact that the CGI scripts run as the user, so if there are holes in them (and holes are likely) you can compromise that user's account. If you can compromise an arbitrary user's account, you can get root on the vast majority of boxes. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 11:34:37 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA06244 for freebsd-security-outgoing; Thu, 22 Oct 1998 11:34:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.clearsail.net (mail.clearsail.net [207.252.227.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA06227 for ; Thu, 22 Oct 1998 11:34:35 -0700 (PDT) (envelope-from jase@clearsail.net) Received: from clearsail.net (pirate.clearsail.net [207.252.222.75]) by mail.clearsail.net (8.9.1/8.8.8) with ESMTP id NAA28676; Thu, 22 Oct 1998 13:20:19 -0500 (CDT) Message-ID: <362F7A80.747BAE3C@clearsail.net> Date: Thu, 22 Oct 1998 13:33:37 -0500 From: jase X-Mailer: Mozilla 4.5b2 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Robert Watson CC: Deepwell Internet , freebsd-security@FreeBSD.ORG Subject: Re: FrontPage Server Extensions References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I did a search of the security mailing list archives and came up with: http://www.worldgate.com/~marcs/fp/ Enjoy. :) Robert Watson wrote: > On Thu, 22 Oct 1998, Deepwell Internet wrote: > > > I'm in EXACTLY the same position. We run an ISP where our primary web > > server is a FreeBSD 2.2.6 box. 
If someone requests to use frontpage I have > > to go through the point-and-click hell of adding them into the NT server > > (Add a user into the domain, create a new folder, add them into IIS with > > both a website and an FTP account). This just turns into hell. > > > > I've been seriously thinking about installing the frontpage extensions, but > > I'm a little wary since this is a Stronghold secure webserver. People > > around the office have been saying that the FP extensions are insecure and > > buggy, but no one can point to any real examples. > > At SafePort, we have some BSD/OS machines, and the same problem. We would > far rather run UNIX than NT -- it's more manageable, customizable, secure, > etc. However, we have lots of customers asking for FPE now. I thought > about trying to reverse-engineer, but I don't have the time. I wonder if > anyone on the Apache project, etc, has looked at doing this? The security > issues with the MS product are a real concern, and we have been losing a > few customers because we are reluctant to install a known problem on our > servers. > > Robert N Watson > > Carnegie Mellon University http://www.cmu.edu/ > TIS Labs at Network Associates, Inc. 
http://www.tis.com/ > SafePort Network Services http://www.safeport.com/ > robert@fledge.watson.org http://www.watson.org/~robert/ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 11:39:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA07277 for freebsd-security-outgoing; Thu, 22 Oct 1998 11:39:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dt053nb4.san.rr.com (dt053nb4.san.rr.com [204.210.34.180]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA07272 for ; Thu, 22 Oct 1998 11:39:15 -0700 (PDT) (envelope-from Studded@gorean.org) Received: from gorean.org (Studded@localhost [127.0.0.1]) by dt053nb4.san.rr.com (8.8.8/8.8.8) with ESMTP id LAA03197; Thu, 22 Oct 1998 11:38:42 -0700 (PDT) (envelope-from Studded@gorean.org) Message-ID: <362F7BB1.71A13EF3@gorean.org> Date: Thu, 22 Oct 1998 11:38:41 -0700 From: Studded Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.7-STABLE-1015 i386) X-Accept-Language: en MIME-Version: 1.0 To: junkmale@xtra.co.nz CC: freebsd-security@FreeBSD.ORG Subject: Re: default rules in rc.firewall cause problem References: <199810221629.FAA27065@cyclops.xtra.co.nz> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is about the 8th time I've seen this post of yours. You are missing several important aspects of this situation. First off, the outside interface should NEVER see traffic from RFC 1918 space, so if you have to modify this rule to get your system to work then your system is screwed. 
Second, there is no possible way that anyone can help you with this problem if you don't post the details of your setup. The fragment that you've posted here is virtually meaningless, and the only reason I understand what you're talking about is that I've read this or similar posts so many times. If you want help, post your whole firewall setup to freebsd-questions and ask for help. However if you're not interested in help, please stop making this post as you are incorrect and I for one am tired of seeing it. Doug Dan Langille wrote: > > I've been setting up a firewall using the open model supplied in > /etc/rc.firewall as the basis of our security. I've found that one of the > rules, designed to "# Stop RFC1918 nets on the outside interface" does not > seem to be very useful, at least in my situation. The rule in question is: > > $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} > > The subnet is within the 192.168.*.* range. ed1 is the subnet, and ed0 is > the ISP. In order for any traffic to get outside, I need to modify the > above rule to: > > $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out > > Does this make sense? > > I suspect the other rules will exhibit the same characteristics with their > respective subnets. > > -- > Dan Langille > DVL Software Limited > The FreeBSD Diary - my [mis]adventures > http://www.FreeBSDDiary.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- *** Chief Operations Officer, DALnet IRC network *** Go PADRES! 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 12:03:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA09972 for freebsd-security-outgoing; Thu, 22 Oct 1998 12:03:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dt053nb4.san.rr.com (dt053nb4.san.rr.com [204.210.34.180]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA09966 for ; Thu, 22 Oct 1998 12:03:43 -0700 (PDT) (envelope-from Studded@gorean.org) Received: from gorean.org (Studded@localhost [127.0.0.1]) by dt053nb4.san.rr.com (8.8.8/8.8.8) with ESMTP id MAA03792; Thu, 22 Oct 1998 12:02:33 -0700 (PDT) (envelope-from Studded@gorean.org) Message-ID: <362F8148.D178BA79@gorean.org> Date: Thu, 22 Oct 1998 12:02:32 -0700 From: Studded Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.7-STABLE-1015 i386) X-Accept-Language: en MIME-Version: 1.0 To: Deepwell Internet CC: freebsd-security@FreeBSD.ORG Subject: Re: FrontPage Server Extensions References: <4.1.0.67.19981022093228.009d4450@mail1.dcomm.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Deepwell Internet wrote: > I've been seriously thinking about installing the frontpage extensions, but > I'm a little wary since this is a Stronghold secure webserver. People > around the office have been saying that the FP extensions are insecure and > buggy, but no one can point to any real examples. A good friend and sometime customer of mine who makes his living as one of the most successful NT ISVs has nothing but bad things to say about FPE. His exact words aren't printable in a family newspaper. :) YMMV. Doug -- *** Chief Operations Officer, DALnet IRC network *** Go PADRES! 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 12:07:28 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA10622 for freebsd-security-outgoing; Thu, 22 Oct 1998 12:07:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from horst.bfd.com (horst.bfd.com [12.9.219.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA10617 for ; Thu, 22 Oct 1998 12:07:26 -0700 (PDT) (envelope-from ejs@bfd.com) Received: from HARLIE.bfd.com (bastion.bfd.com [12.9.219.14]) by horst.bfd.com (8.9.1/8.9.1) with ESMTP id MAA03442; Thu, 22 Oct 1998 12:06:17 -0700 (PDT) (envelope-from ejs@bfd.com) Date: Thu, 22 Oct 1998 12:06:16 -0700 (PDT) From: "Eric J. Schwertfeger" To: Studded cc: junkmale@xtra.co.nz, freebsd-security@FreeBSD.ORG Subject: Re: default rules in rc.firewall cause problem In-Reply-To: <362F7BB1.71A13EF3@gorean.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 22 Oct 1998, Studded wrote: > This is about the 8th time I've seen this post of yours. You are > missing several important aspects of this situation. First off, the > outside interface should NEVER see traffic from RFC 1918 space, so if > you have to modify this rule to get your system to work then your system > is screwed. True for -current, but not for -stable. In -stable (as of 19980828), when a packet goes through natd, it gets reinjected at the start of the rules again, so all of a sudden, the ipfw rules are seeing a packet from the outside with a destination within RFC 1918 space. Three solutions that I know of: 1) delete the rule 2) one that I'm working on, involving diverting to other interfaces, or 3) upgrade to -current, which by default puts the packet back in the queue so that it picks up with the next rule after the divert. 
I find #1 extremely distasteful, which is why I'm working on #2. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 12:23:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA13071 for freebsd-security-outgoing; Thu, 22 Oct 1998 12:23:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from carp.gbr.epa.gov (carp.gbr.epa.gov [204.46.159.110]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA13034; Thu, 22 Oct 1998 12:23:12 -0700 (PDT) (envelope-from mjenkins@carp.gbr.epa.gov) Received: (from mjenkins@localhost) by carp.gbr.epa.gov (8.8.8/8.8.8) id OAA00882; Thu, 22 Oct 1998 14:22:03 -0500 (CDT) (envelope-from mjenkins) Date: Thu, 22 Oct 1998 14:22:03 -0500 (CDT) From: Mike Jenkins Message-Id: <199810221922.OAA00882@carp.gbr.epa.gov> To: chadth@atvideo.com Subject: Re: firewall + internal mail server Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG In-Reply-To: <000501bdfdde$1f5f53b0$ef2376cc@tarn.atvideo.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > From: "Chad Thunberg" > Subject: firewall + internal mail server > > I am setting up a firewall and enabled natd but have an internal mail > server. Is there a way to still be able to access the internal mail server > from the outside for sending and receiving email? I thought about giving > the firewall a vhost of mail.host.com and diverting packets that came in > from 110 and 25 to the internal mail server but from the man pages, divert > seems to be used for diverting packets from one port to another on the same > machine instead of diverting them to a new or internal ip. Any help on the > subject would be great. I would rather not put the mail server outside of > the firewall. See the -redirect_port option of natd. You might also be interested in the -redirect_address option. 
Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 12:36:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA15611 for freebsd-security-outgoing; Thu, 22 Oct 1998 12:36:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA15500; Thu, 22 Oct 1998 12:36:01 -0700 (PDT) (envelope-from jflowers@ezo.net) Received: from lily.ezo.net (jflowers@localhost.ezo.net [127.0.0.1]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id PAA07445; Thu, 22 Oct 1998 15:35:11 -0400 (EDT) Date: Thu, 22 Oct 1998 15:35:11 -0400 (EDT) From: Jim Flowers To: Chad Thunberg cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: firewall + internal mail server In-Reply-To: <000501bdfdde$1f5f53b0$ef2376cc@tarn.atvideo.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Just did it. Very simple to implement NAT (natd) and use the redirect-port capability:

natd -interface ed0 -redirect_port tcp other_host:smtp smtp \
    -redirect_port tcp other_host:pop3 pop3

All your other reserved addresses will be translated per usual. Works like a charm with MS Exchange. Jim Flowers #4 ISP on C|NET, #1 in Ohio On Thu, 22 Oct 1998, Chad Thunberg wrote: > I am setting up a firewall and enabled natd but have an internal mail > server. Is there a way to still be able to access the internal mail server > from the outside for sending and receiving email? 
I thought about giving > the firewall a vhost of mail.host.com and diverting packets that came in > from 110 and 25 to the internal mail server but from the man pages, divert > seems to be used for diverting packets from one port to another on the same > machine instead of diverting them to a new or internal ip. Any help on the > subject would be great. I would rather not put the mail server outside of > the firewall. Good idea, although a perimeter network with a good wrapper is even better. > > Thanks, > -Chad > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 12:49:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA17645 for freebsd-security-outgoing; Thu, 22 Oct 1998 12:49:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [206.107.170.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA17637 for ; Thu, 22 Oct 1998 12:49:02 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.iserver.com; Thu, 22 Oct 1998 13:48:28 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma026701; Thu, 22 Oct 98 13:48:25 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.8.8) id NAA05447; Thu, 22 Oct 1998 13:48:53 -0600 (MDT) Date: Thu, 22 Oct 1998 13:48:52 -0600 (MDT) From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: Deepwell Internet cc: freebsd-security@FreeBSD.ORG Subject: Re: FrontPage Server Extensions In-Reply-To: <4.1.0.67.19981022093228.009d4450@mail1.dcomm.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 22 Oct 1998, Deepwell 
Internet wrote: > People around the office have been saying that the FP extensions are > insecure and buggy, but no one can point to any real examples. Here's one for a start: http://users.worldgate.com/~marcs/fp/ Another possible attack that I have heard of is the lackadaisical attitude of the extensions with regards to the service.pwd files that contain password information, a la /etc/passwd, that can often be cracked by any of the popular DES/UNIX password cracking programs. Other anecdotes on FrontPage (in)security can be found by searching the BugTraq archives (search for "frontpage") at: http://www.netspace.org/lsv-archive/bugtraq.html Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 12:51:38 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA18272 for freebsd-security-outgoing; Thu, 22 Oct 1998 12:51:38 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from megadeth.rtci.com (megadeth.noc.rtci.com [216.27.37.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA18255; Thu, 22 Oct 1998 12:51:35 -0700 (PDT) (envelope-from dhopkins@rtci.com) Received: from rtci.com (oxygen.schizo.com [216.27.37.251]) by megadeth.rtci.com (8.8.8/8.8.8) with ESMTP id PAA00588; Thu, 22 Oct 1998 15:53:27 -0400 (EDT) (envelope-from dhopkins@rtci.com) Message-ID: <362F8E3C.E3C820B7@rtci.com> Date: Thu, 22 Oct 1998 15:57:48 -0400 From: Damon Hopkins Organization: Research Triangle Consultants, Inc. 
X-Mailer: Mozilla 4.5 [en] (Win95; U) X-Accept-Language: en MIME-Version: 1.0 To: Chad Thunberg CC: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: firewall + internal mail server References: <000501bdfdde$1f5f53b0$ef2376cc@tarn.atvideo.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I do it this way.. I don't think that the udp stuff is necessary but I put it in there because I'm too lazy to find out.

my natd.conf file:

#smtp
redirect_port tcp 10.0.0.2:25 216.27.37.251:25
redirect_port udp 10.0.0.2:25 216.27.37.251:25
#pop3
redirect_port tcp 10.0.0.2:110 216.27.37.251:110
redirect_port udp 10.0.0.2:110 216.27.37.251:110
#imap
redirect_port tcp 10.0.0.2:143 216.27.37.251:143
redirect_port udp 10.0.0.2:143 216.27.37.251:143

Chad Thunberg wrote: > > I am setting up a firewall and enabled natd but have an internal mail > server. Is there a way to still be able to access the internal mail server > from the outside for sending and receiving email? I thought about giving > the firewall a vhost of mail.host.com and diverting packets that came in > from 110 and 25 to the internal mail server but from the man pages, divert > seems to be used for diverting packets from one port to another on the same > machine instead of diverting them to a new or internal ip. Any help on the > subject would be great. I would rather not put the mail server outside of > the firewall. 
> > Thanks, > -Chad > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 13:07:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA21665 for freebsd-security-outgoing; Thu, 22 Oct 1998 13:07:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA21643; Thu, 22 Oct 1998 13:07:12 -0700 (PDT) (envelope-from jflowers@ezo.net) Received: from lily.ezo.net (jflowers@localhost.ezo.net [127.0.0.1]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id QAA08153; Thu, 22 Oct 1998 16:05:46 -0400 (EDT) Date: Thu, 22 Oct 1998 16:05:45 -0400 (EDT) From: Jim Flowers To: Juergen Nickelsen cc: Chad Thunberg , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: firewall + internal mail server In-Reply-To: <362F773A.AB9F196B@tellique.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org A fairly simple way would be to use a hidden dns. Run sendmail normally on your fbsd machine with resolv.conf entry pointed to internal (hidden) dns server hosting MX resource record pointing to internal mail-hub host running smtp. MX records on external server (at ISP for example) point to your fbsd machine. That way the only external dns record necessary is your mail-relay so all the good stuff is hidden from the rest of the world. Mail is sent to your mail-relay and then relayed on to your internal mail-hub and you don't have to modify your sendmail setup at all. Even better if you use a wrapper like smap. 
Jim Flowers #4 ISP on C|NET, #1 in Ohio Juergen wrote:------------------ > > As we are just a few people here yet, this is bearable, but for a > long-term solution I'll have to work out a sendmail configuration > where the mail exchanger for the domain delivers the mail to a > non-MX. I am sure there is a simple way, but I don't know it yet. > > Greetings, Juergen. > > -- > Juergen Nickelsen To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 13:43:49 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA27020 for freebsd-security-outgoing; Thu, 22 Oct 1998 13:43:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id NAA27008 for ; Thu, 22 Oct 1998 13:43:45 -0700 (PDT) (envelope-from sthaug@nethelp.no) From: sthaug@nethelp.no Received: (qmail 8999 invoked by uid 1001); 22 Oct 1998 20:43:13 +0000 (GMT) To: Studded@gorean.org Cc: freebsd-security@FreeBSD.ORG Subject: Re: default rules in rc.firewall cause problem In-Reply-To: Your message of "Thu, 22 Oct 1998 11:38:41 -0700" References: <362F7BB1.71A13EF3@gorean.org> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Thu, 22 Oct 1998 22:43:13 +0200 Message-ID: <8997.909088993@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > First off, the > outside interface should NEVER see traffic from RFC 1918 space, so if > you have to modify this rule to get your system to work then your system > is screwed. Unfortunately, there's plenty of traffic out there with RFC 1918 addresses. From one of the nearby routers here:

gw> sh access-list 104
Extended IP access list 104
...
deny ip 10.0.0.0 0.255.255.255 any (2161 matches)
deny ip 172.16.0.0 0.15.255.255 any (5942 matches)
deny ip 192.168.0.0 0.0.255.255 any (10313 matches)
...

- There are plenty of ISPs using RFC 1918 addresses for their internal links (bad idea!), which results in these addresses being visible as source addresses when you run traceroute etc.
- There are plenty of installations using some form of RFC 1918 for their internal network, without sufficient filtering. This results in RFC 1918 destination addresses being visible externally - until they reach a default free router, where they are of course dropped in the bit bucket.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 13:58:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA29144 for freebsd-security-outgoing; Thu, 22 Oct 1998 13:58:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from witch.xtra.co.nz (witch.xtra.co.nz [202.27.184.8]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA29130 for ; Thu, 22 Oct 1998 13:58:20 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz) Received: from wocker (210-55-210-87.ipnets.xtra.co.nz [210.55.210.87]) by witch.xtra.co.nz (8.9.1/8.9.1) with SMTP id JAA23805; Fri, 23 Oct 1998 09:56:46 +1300 (NZDT) Message-Id: <199810222056.JAA23805@witch.xtra.co.nz> From: "Dan Langille" Organization: DVL Software Limited To: "Eric J. 
Schwertfeger" Date: Fri, 23 Oct 1998 09:56:57 +1300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: default rules in rc.firewall cause problem Reply-to: junkmale@xtra.co.nz CC: freebsd-security@FreeBSD.ORG References: <362F7BB1.71A13EF3@gorean.org> In-reply-to: X-mailer: Pegasus Mail for Win32 (v3.01b) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 22 Oct 98, at 12:06, Eric J. Schwertfeger wrote: > True for -current, but not for -stable. In -stable (as of 19980828), when > a packet goes through natd, it gets reinjected at the start of the rules > again, so all of a sudden, the ipfw rules are seeing a packet from the > outside with a destination within RFC 1918 space. > > Three solutions that I know of: 1) delete the rule 2) one that I'm working > on, involving diverting to other interfaces, or 3) upgrade to -current, > which by default puts the packet back in the queue so that it picks up > with the next rule after the divert. > > I find #1 extremely distasteful, which is why I'm working on #2. Hmmm, could your explanation be the cause of what I'm seeing here? And would the modification to the rule make sense?

$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

It will deny all outgoing packets but allow incoming packets, which are what natd is effectively doing. If I read /etc/rc.firewall correctly, there are other default rules higher up in the list which will prevent incoming packets pretending to be from 192.168.0.0/24. For example:

$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}

I'm on 2.2.7 right now, and upgrading to current isn't under consideration at the moment. If the change I've made will cause other problems, then we'll probably have to reconsider that. thanks Eric. 
-- Dan Langille DVL Software Limited The FreeBSD Diary - my [mis]adventures http://www.FreeBSDDiary.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 14:07:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA01074 for freebsd-security-outgoing; Thu, 22 Oct 1998 14:07:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from horst.bfd.com (horst.bfd.com [12.9.219.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA01063 for ; Thu, 22 Oct 1998 14:07:13 -0700 (PDT) (envelope-from ejs@bfd.com) Received: from HARLIE.bfd.com (bastion.bfd.com [12.9.219.14]) by horst.bfd.com (8.9.1/8.9.1) with ESMTP id OAA04810; Thu, 22 Oct 1998 14:06:22 -0700 (PDT) (envelope-from ejs@bfd.com) Date: Thu, 22 Oct 1998 14:06:22 -0700 (PDT) From: "Eric J. Schwertfeger" To: Dan Langille cc: freebsd-security@FreeBSD.ORG Subject: Re: default rules in rc.firewall cause problem In-Reply-To: <199810222056.JAA23805@witch.xtra.co.nz> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 23 Oct 1998, Dan Langille wrote: > Hmmm, could your explanation be the cause of what I'm seeing here? And would > the modification to the rule make sense? Yes. > $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out As long as that comes before the natd divert, it will keep any packets resulting from the crack attempt from going back. Most DOS attacks don't need to get their replies back, however. It's better than nothing, though. > It will deny all outgoing packets but allow incoming packets, which are what natd is effectively doing. If > I read /etc/rc.firewall correctly, there are other default rules higher up in the list which will prevent > incoming packets pretending to be from 192.168.0.0/24. 
For example: The problem is, under -stable, when a packet going back into a masqueraded connection goes into natd, it comes back out starting all over at the first rule, and the firewall rules have no way of knowing that the packet didn't really come from the outside world. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 14:53:44 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA07226 for freebsd-security-outgoing; Thu, 22 Oct 1998 14:53:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from trooper.velocet.ca (host-034.canadiantire.ca [209.146.201.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA07220 for ; Thu, 22 Oct 1998 14:53:41 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca) Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id RAA00816; Thu, 22 Oct 1998 17:52:49 -0400 (EDT) From: David Gilbert MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <13871.43312.567718.19808@trooper.velocet.ca> Date: Thu, 22 Oct 1998 17:52:48 -0400 (EDT) To: Robert Watson Cc: Deepwell Internet , freebsd-security@FreeBSD.ORG Subject: Re: FrontPage Server Extensions In-Reply-To: References: <4.1.0.67.19981022093228.009d4450@mail1.dcomm.net> X-Mailer: VM 6.62 under Emacs 19.34.2 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >>>>> "Robert" == Robert Watson writes: Robert> On Thu, 22 Oct 1998, Deepwell Internet wrote: [... other stuff on FPE deleted] Don't mistake me for being pro-M$ in any way, but the current set of FPE must be run as root, but installs as suid-user (user who owns the directory). It's not particularly smart, and it does make a mess of your apache configs (you may want to feed it a config file all its own), but it no longer installs suid root. Dave. 
-- ============================================================================ |David Gilbert, Velocet Communications. | Two things can only be | |Mail: dgilbert@velocet.net | equal if and only if they | |http://www.velocet.net/~dgilbert | are precisely opposite. | =========================================================GLO================ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 22 15:01:21 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA08512 for freebsd-security-outgoing; Thu, 22 Oct 1998 15:01:21 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from witch.xtra.co.nz (witch.xtra.co.nz [202.27.184.8]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA08504 for ; Thu, 22 Oct 1998 15:01:19 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz) Received: from wocker (210-55-210-87.ipnets.xtra.co.nz [210.55.210.87]) by witch.xtra.co.nz (8.9.1/8.9.1) with SMTP id KAA04958; Fri, 23 Oct 1998 10:59:49 +1300 (NZDT) Message-Id: <199810222159.KAA04958@witch.xtra.co.nz> From: "Dan Langille" Organization: DVL Software Limited To: "Eric J. Schwertfeger" , freebsd-security@FreeBSD.ORG Date: Fri, 23 Oct 1998 11:00:00 +1300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: default rules in rc.firewall cause problem Reply-to: junkmale@xtra.co.nz CC: freebsd-security@FreeBSD.ORG References: <199810222056.JAA23805@witch.xtra.co.nz> In-reply-to: X-mailer: Pegasus Mail for Win32 (v3.01b) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 22 Oct 98, at 14:06, Eric J. Schwertfeger wrote: > On Fri, 23 Oct 1998, Dan Langille wrote: > > > Hmmm, could your explanation be the cause of I'm seeing here? And would > > the modification to the rule make sense? > > Yes. 
> > > $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out
>
> As long as that comes before the natd divert, it will keep any packets
> resulting from the crack attempt from going back. Most DOS attacks don't
> need to get their replies back, however. It's better than nothing,
> though.

For what it's worth, I moved the modified rule to be above the divert. It seems to work fine. As it did before, but as you say, better than nothing. Cheers.

> > It will deny all outgoing packets but allow incoming packets, which are
> > what natd is effectively doing. If I read /etc/rc.firewall correctly,
> > there are other default rules higher up in the list which will prevent
> > incoming packets pretending to be from 192.168.0.0/24. For example:
>
> The problem is, under -stable, when a packet going back into a
> masqueraded connection goes into natd, it comes back out starting all over
> at the first rule, and the firewall rules have no way of knowing that the
> packet didn't really come from the outside world.

This may be enough to push us onto -current. Will the fix be included with 2.2.8?

Thanks. Your help has been appreciated.
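The exchange above turns on two things: whether the rc.firewall deny rule carries the `out` keyword, and where a packet re-enters the rule list after natd hands it back. The following Python model is an added example by the editor, not code from the thread, from rc.firewall or from FreeBSD. It models ipfw's first-match walk, natd as a divert target, and the -stable behaviour Eric describes (the re-injected packet restarts at rule 1) beside the alternative (it resumes after the divert rule). The public address 203.0.113.10, the inside host 192.168.0.5, the forged source 192.168.7.7 and a natd that knows exactly one session are assumptions; the interface names ed0 and ed1 and the 192.168.0.0/16 net are the ones Dan gives.

```python
"""Toy model of the ipfw/natd rule-ordering problem discussed in this thread.

Added example, not code from the thread or from FreeBSD. It models ipfw's
first-match rule walk, natd as a divert target, and two re-injection
behaviours for a packet coming back from natd:
  "restart"  - re-enter at rule 1 (the -stable behaviour Eric describes)
  "continue" - resume at the rule after the divert
The public address, inside host, forged source and one-session natd are
assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

OIF = "ed0"                                          # ISP-facing interface (thread)
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")     # assumed address of OIF
INSIDE_NET = ipaddress.ip_network("192.168.0.0/16")  # net named in the rc.firewall rule
INSIDE_HOST = ipaddress.ip_address("192.168.0.5")    # assumed masqueraded client


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    iface: str
    direction: str            # "in" or "out"
    natted: bool = False      # has already been through natd


@dataclass(frozen=True)
class Rule:
    action: str                                      # "deny", "allow" or "divert"
    dst_net: Optional[ipaddress.IPv4Network] = None  # None matches any destination
    via: Optional[str] = None                        # None matches any interface
    direction: Optional[str] = None                  # None matches in and out

    def matches(self, p: Packet) -> bool:
        return ((self.dst_net is None or p.dst in self.dst_net)
                and (self.via is None or p.iface == self.via)
                and (self.direction is None or p.direction == self.direction))


def natd(p: Packet) -> Packet:
    """Toy natd for one assumed existing session INSIDE_HOST <-> PUBLIC_IP."""
    if p.direction == "in" and p.dst == PUBLIC_IP:
        return replace(p, dst=INSIDE_HOST, natted=True)
    if p.direction == "out" and p.src in INSIDE_NET:
        return replace(p, src=PUBLIC_IP, natted=True)
    return replace(p, natted=True)


def run(rules: List[Rule], p: Packet, reinject: str = "restart") -> str:
    """First-match walk; returns 'allow' or 'deny' (implicit default deny)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.matches(p):
            i += 1
        elif r.action == "divert":
            if p.natted:                  # a re-injected packet is not diverted again
                i += 1
            else:
                p = natd(p)
                i = 0 if reinject == "restart" else i + 1
        else:
            return r.action
    return "deny"


def ruleset(deny_direction: Optional[str]) -> List[Rule]:
    """The rc.firewall deny rule (with or without 'out'), then the divert, then allow."""
    return [Rule("deny", INSIDE_NET, OIF, deny_direction),
            Rule("divert", via=OIF),
            Rule("allow")]


def reply_from_internet(rules: List[Rule], reinject: str = "restart") -> str:
    """A legitimate reply to the masqueraded client arriving on OIF."""
    p = Packet(ipaddress.ip_address("198.51.100.20"), PUBLIC_IP, OIF, "in")
    return run(rules, p, reinject)


def reply_to_forged_source(rules: List[Rule], reinject: str = "restart") -> str:
    """The inside host answering a packet whose source was forged as 192.168.7.7."""
    p = Packet(INSIDE_HOST, ipaddress.ip_address("192.168.7.7"), OIF, "out")
    return run(rules, p, reinject)


if __name__ == "__main__":
    for label, rules in (("deny via oif (as shipped)", ruleset(None)),
                         ("deny via oif out (Dan's change)", ruleset("out"))):
        for mode in ("restart", "continue"):
            print(f"{label:34} {mode:8} reply in: {reply_from_internet(rules, mode):5} "
                  f"forged-source reply out: {reply_to_forged_source(rules, mode)}")
```

With the rule as shipped and "restart" semantics the legitimate reply is dropped, because after natd rewrites its destination to 192.168.0.5 it hits the deny rule on the way back in; that is the symptom Dan reports. Adding `out` makes the rule ignore the re-injected inbound packet while still dropping replies that would leave the outside interface for a 192.168 address, which is the residual protection Eric describes. Under "continue" semantics the original rule works as well, since the re-injected packet never sees rule 1 again.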
--
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com

From owner-freebsd-security Thu Oct 22 15:11:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA10140 for freebsd-security-outgoing; Thu, 22 Oct 1998 15:11:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gate.az.com ([206.63.203.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA10133 for ; Thu, 22 Oct 1998 15:11:02 -0700 (PDT) (envelope-from yankee@gate.az.com)
Received: (from yankee@localhost) by gate.az.com (8.8.5/8.8.5) id PAA15557; Thu, 22 Oct 1998 15:10:49 -0700 (PDT)
Date: Thu, 22 Oct 1998 15:10:48 -0700 (PDT)
From: "Dan Seafeldt, AZ.COM System Administrator"
To: Paul Hart
cc: Deepwell Internet , freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Regarding your comments about the dangers of using Frontpage 98 extension modified apache server, and the home page you mentioned:

http://users.worldgate.com/~marcs/fp

Short of user to user content security problems, according to this page the primary root exploit is:

1. discover key file using, among other things, ps because frontpage passes key using environment variables
2. key file allows (like the httpd daemon can) user to invoke fpexe, a SUID
3. with key, you can also tell fpexe to execute a /tmp/nasty as the user bin
4. the bin privileged program replaces/modifies a well-known bin owned prog
5. next time root (cron) runs that well-known program ... well you know the rest...
The problem that I see with this security flaw theory is:

The current source code, at least the source code in the ports collection for apache-fp I looked at, reveals that fpexe.c does not SGID or SUID to values lower than specially set defines at the beginning of the code. Thus, user ID #3 (bin) is too low and fpexe would not allow a SUID/SGID to that user. Also, it doesn't appear that after SUID'ing fpexe will execute anything other than the specific CGI programs in the specially designated directories that it was designed to invoke.

I would tend to think those values should be bumped to at least higher than any/all staff accounts on a given machine, since non security minded people might set up a cron'd program somewhere or a similar hole without giving thought to what's happening behind the scenes. You would assign common user IDs in the upper range only.

In addition, the author of that home page mentioned just a few checks that the Frontpage extensions do to enhance security and complained that there were not enough. When I scanned through the freebsd ports collection apache-fp fpexe.c, I saw many, many more checks than just the ones he talked about.
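The two checks Dan describes in fpexe (refuse target uids and gids below a compiled-in minimum, and refuse to run anything outside the designated CGI directories) are the same shape as the checks Apache's suexec wrapper makes before it changes identity. The following Python is an added example by the editor, not fpexe or suexec code; it implements those two checks plus suexec's ownership and writability checks, and runs the attack from the message (target user bin, program /tmp/nasty) against them. The thresholds UID_MIN and GID_MIN, the throwaway directory layout, the file names `shtml.exe` and `nasty`, and bin's ids 3:7 are assumptions made for the example.

```python
"""suexec-style target checks of the kind Dan describes in fpexe.

Added example by the editor, not fpexe or suexec code. It implements the two
checks the message names (refuse uids and gids below a compiled-in minimum,
refuse anything outside the designated CGI directory) plus the ownership and
writability checks Apache's suexec is known to make. The thresholds, the
directory layout built under a temporary directory and the sample targets
are assumptions made for the example.
"""
import os
import stat
import tempfile
from typing import Dict, List

UID_MIN = 1000   # assumed "bumped" minimum, above uid 3 (bin) and any staff account
GID_MIN = 1000


def check_target(uid: int, gid: int, program: str, cgi_root: str,
                 uid_min: int = UID_MIN, gid_min: int = GID_MIN) -> List[str]:
    """Return the reasons this request must be refused; an empty list means ok."""
    problems: List[str] = []
    if uid < uid_min:
        problems.append(f"uid {uid} is below the minimum {uid_min}")
    if gid < gid_min:
        problems.append(f"gid {gid} is below the minimum {gid_min}")
    real, root = os.path.realpath(program), os.path.realpath(cgi_root)
    if os.path.dirname(real) != root:
        # the program must sit directly in the designated directory; symlinks
        # are resolved first so /cgi-bin/x -> /tmp/nasty does not pass
        problems.append(f"{program} is not inside the CGI directory {cgi_root}")
        return problems
    dst = os.lstat(root)
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{cgi_root} is group or world writable")
    st = os.lstat(real)
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{program} is not a regular file")
    elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{program} is group or world writable")
    elif st.st_uid != uid or st.st_gid != gid:
        problems.append(f"{program} is not owned by {uid}:{gid}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Build a throwaway layout and run the cases from the thread through the checks."""
    with tempfile.TemporaryDirectory() as top:
        cgi_root = os.path.join(top, "cgi-bin")
        os.mkdir(cgi_root)
        os.chmod(cgi_root, 0o755)
        good = os.path.join(cgi_root, "shtml.exe")       # stands in for a legitimate CGI
        with open(good, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(good, 0o755)
        nasty = os.path.join(top, "nasty")                # stands in for /tmp/nasty
        with open(nasty, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(nasty, 0o755)
        me = os.getuid()
        mygroup = os.lstat(good).st_gid                   # group the layout was created with
        return {
            # the attack in the message: run something as bin (uid 3, gid 7 on FreeBSD)
            "bin as target": check_target(3, 7, good, cgi_root),
            # a program outside the designated directory
            "program outside cgi dir": check_target(me, mygroup, nasty, cgi_root, me, mygroup),
            # thresholds lowered to the caller's own ids so this case passes for
            # whoever runs the demo; a real wrapper compiles the minimums in
            "legitimate": check_target(me, mygroup, good, cgi_root, me, mygroup),
        }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case:26} {'refused: ' + '; '.join(problems) if problems else 'ok'}")
```

The order matters: the identity checks run before anything touches the filesystem, and the path check resolves symlinks before comparing directories, so neither a low uid nor a link planted in the CGI directory gets the wrapper as far as exec.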
From owner-freebsd-security Thu Oct 22 15:12:03 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA10449 for freebsd-security-outgoing; Thu, 22 Oct 1998 15:12:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA10393 for ; Thu, 22 Oct 1998 15:11:57 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199810222211.PAA10393@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA087564263; Fri, 23 Oct 1998 08:11:03 +1000
From: Darren Reed
Subject: Re: default rules in rc.firewall cause problem
To: ejs@bfd.com (Eric J. Schwertfeger)
Date: Fri, 23 Oct 1998 08:11:03 +1000 (EST)
Cc: junkmale@xtra.co.nz, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Eric J. Schwertfeger" at Oct 22, 98 02:06:22 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bah!
Junk ipfw/natd, and just use IP Filter - it doesn't have these problems with packets going in again :-)

darren

From owner-freebsd-security Thu Oct 22 16:08:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA18432 for freebsd-security-outgoing; Thu, 22 Oct 1998 16:08:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA18382 for ; Thu, 22 Oct 1998 16:08:05 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id MAA20673; Fri, 23 Oct 1998 12:06:39 +1300 (NZDT) (envelope-from andrew@squiz.co.nz)
Date: Fri, 23 Oct 1998 12:06:39 +1300 (NZDT)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Dan Langille
cc: freebsd-security@FreeBSD.ORG
Subject: Re: default rules in rc.firewall cause problem
In-Reply-To: <199810221629.FAA27065@cyclops.xtra.co.nz>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 23 Oct 1998, Dan Langille wrote:

> I've been setting up a firewall using the open model supplied in
> /etc/rc.firewall as the basis of our security. I've found that one of the
> rules, designed to "# Stop RFC1918 nets on the outside interface" does not
> seem to be very useful, at least in my situation. The rule in question is:
>
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>
> The subnet is within the 192.168.*.* range. ed1 is the subnet, and ed0 is
> the ISP.
> In order for any traffic to get outside, I need to modify the
> above rule to:
>
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

Are you using natd or iijppp's address translation? The ppp translation seems to happen after the packets have been through the firewall. In any case, if you are using ppp's translation the RFC1918 rules are not needed or useful.

Andrew

From owner-freebsd-security Thu Oct 22 18:27:37 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA04191 for freebsd-security-outgoing; Thu, 22 Oct 1998 18:27:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA04185 for ; Thu, 22 Oct 1998 18:27:36 -0700 (PDT) (envelope-from marcs@znep.com)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.9.1a/8.9.1) with UUCP id TAA07326; Thu, 22 Oct 1998 19:25:35 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with ESMTP id SAA11804; Thu, 22 Oct 1998 18:25:50 -0700 (PDT)
Date: Thu, 22 Oct 1998 18:25:50 -0700 (PDT)
From: Marc Slemko
To: "Dan Seafeldt, AZ.COM System Administrator"
cc: Paul Hart , Deepwell Internet , freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Oct 1998, Dan Seafeldt, AZ.COM System Administrator wrote:

> Regarding your comments about the dangers of using Frontpage 98 extension
> modified apache server, and the home page you mentioned:
>
> http://users.worldgate.com/~marcs/fp
>
> Short of user to user content security problems, according to this page
> the primary root exploit is:
> 1. discover key file using, among other things, ps because frontpage passes
>    key using environment variables
> 2. key file allows (like the httpd daemon can) user to invoke fpexe, a SUID
> 3. with key, you can also tell fpexe to execute a /tmp/nasty as the user bin
> 4. the bin privileged program replaces/modifies a well-known bin owned prog
> 5. next time root (cron) runs that well-known program ... well you know
>    the rest...
>
> The problem that I see with this security flaw theory is:

Read the page a bit more closely, and look at MS's release dates. The reason the security checks are in the current version is due to my complaints. They essentially went through and added the things I complained they didn't have, plus it looks like they copied the checking that Apache's suexec does.

This is no "security flaw theory". It is hard evidence of how braindead and boneheaded the extensions were when that page was written. The current version does not have the flaws described on that page, but does have the ones (some of them somewhat fundamental to what it is trying to do, some implementation messups) that I briefly described earlier to the list.

Regardless, I certainly am not overly willing to put much trust in programs written by the same people that wrote the horrible monstrosity that the original fpexe.c was.
From owner-freebsd-security Fri Oct 23 00:43:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA03607 for freebsd-security-outgoing; Fri, 23 Oct 1998 00:43:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ujf.ujf-grenoble.fr (ujf.ujf-grenoble.fr [193.54.232.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA03602 for ; Fri, 23 Oct 1998 00:43:12 -0700 (PDT) (envelope-from Gilles.Bruno@ujf-grenoble.fr)
Received: from antigua.ujf-grenoble.fr (adm-bruno.ujf-grenoble.fr [193.54.232.177]) by ujf.ujf-grenoble.fr (8.8.5/8.8.5) with SMTP id JAA03503 for ; Fri, 23 Oct 1998 09:42:38 +0200 (MET DST)
Message-Id: <4.1.19981023093637.00af1df0@adm.ujf-grenoble.fr>
X-Sender: bruno@adm.ujf-grenoble.fr
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Fri, 23 Oct 1998 09:41:23 +0200
To: freebsd-security@FreeBSD.ORG
From: Gilles Bruno
Subject: nestea v2 against freebsd 3.0-Release
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi everyone,

we tested yesterday the old nestea v2 against a brand new 3.0-Release: it has proved to be effective against it (the box rebooted - invalid page fault while in kernel mode). The same test against 2.2.[6,7]-Release didn't harm at all.

Am I missing something? Some sysctl? A special kernel config?

Let us know...
From owner-freebsd-security Fri Oct 23 05:55:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA24952 for freebsd-security-outgoing; Fri, 23 Oct 1998 05:55:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cyclue.bsdi.com (nat1.firehouse.net [209.42.203.32]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id FAA24939 for ; Fri, 23 Oct 1998 05:55:05 -0700 (PDT) (envelope-from abc@cyclue.bsdi.com)
Received: (qmail 14171 invoked by uid 100); 23 Oct 1998 12:54:00 -0000
Message-ID: <19981023125400.14169.qmail@cyclue.bsdi.com>
X-Mailer: exmh version 2.0.2 2/24/98
To: Marc Slemko
cc: "Dan Seafeldt, AZ.COM System Administrator" , Paul Hart , Deepwell Internet , freebsd-security@FreeBSD.ORG, abc@cyclue.bsdi.com
Subject: Re: FrontPage Server Extensions
In-reply-to: Your message of "Thu, 22 Oct 1998 18:25:50 PDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 23 Oct 1998 08:54:00 -0400
From: "Alan B. Clegg"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[.. snippage ..]

> Regardless, I certainly am not overly willing to put much trust in
> programs written by the same people that wrote the horrible monstrosity
> that the original fpexe.c was.

And you run sendmail perhaps?

Just because a previous version was bad does not PROVE that the newer ones are still bad.
-abc {who runs qmail}

From owner-freebsd-security Fri Oct 23 08:07:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA07609 for freebsd-security-outgoing; Fri, 23 Oct 1998 08:07:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA07602 for ; Fri, 23 Oct 1998 08:07:07 -0700 (PDT) (envelope-from marcs@znep.com)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.9.1a/8.9.1) with UUCP id JAA13041; Fri, 23 Oct 1998 09:05:15 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with ESMTP id IAA13971; Fri, 23 Oct 1998 08:00:00 -0700 (PDT)
Date: Fri, 23 Oct 1998 08:00:00 -0700 (PDT)
From: Marc Slemko
To: "Alan B. Clegg"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions
In-Reply-To: <19981023125400.14169.qmail@cyclue.bsdi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 23 Oct 1998, Alan B. Clegg wrote:

> [.. snippage ..]
>
> > Regardless, I certainly am not overly willing to put much trust in
> > programs written by the same people that wrote the horrible monstrosity
> > that the original fpexe.c was.
>
> And you run sendmail perhaps?
>
> Just because a previous version was bad does not PROVE that the newer ones
> are still bad.

Erm... it doesn't prove they are bad (and I never said or implied that it did), but it sure as heck is a pretty damn big black mark against thinking that they are good.

Here are the facts:

If there is any hole in the FrontPage CGI scripts, then someone can compromise any account that is set up to use it.
The fpexe program, which did have source available, was obviously written by someone who had absolutely no concept of or thought for security.

I don't have the source for the FrontPage CGI scripts, but they come in the same package as the fpexe monstrosity.

Therefore, you have to work on the assumption that the FrontPage CGI scripts probably have numerous security holes in them.

Regardless of what you may think, people and companies don't magically change overnight from producing code without a "security clue" in the world to producing secure code. If you don't think past problems matter then go right ahead and do whatever you want. I, however, do think that past problems matter a heck of a lot, especially in this situation due to the nature of the problems.

From owner-freebsd-security Fri Oct 23 14:04:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA10032 for freebsd-security-outgoing; Fri, 23 Oct 1998 14:04:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gate.az.com ([206.63.203.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA10021 for ; Fri, 23 Oct 1998 14:04:46 -0700 (PDT) (envelope-from yankee@gate.az.com)
Received: (from yankee@localhost) by gate.az.com (8.8.5/8.8.5) id NAA00502; Fri, 23 Oct 1998 13:43:40 -0700 (PDT)
Date: Fri, 23 Oct 1998 13:43:40 -0700 (PDT)
From: "Dan Seafeldt, AZ.COM System Administrator"
To: freebsd-security@FreeBSD.ORG
Subject: SUID variations
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Has anyone thought of (or is already being done) a file in /etc which contains a list of special users who, when a root process does a SUID to that user and begins execution of the program as that user, the kernel simultaneously also does a CHROOT to a branch of the file system also specified in the /etc file?