From owner-freebsd-security Sun Jun 6 06:11:46 1999
From: Dag-Erling Smorgrav
To: Nicholas Brawn
Cc: Wes Peters, Mike Nowlin, freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
Date: 06 Jun 1999 15:11:26 +0200
In-Reply-To: Nicholas Brawn's message of "Sun, 6 Jun 1999 16:32:17 +1000 (EST)"

Nicholas Brawn writes:
> Correct me if I'm wrong, but isn't that a security hazard?

Only insofar as one may consider NIS a security hazard.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security Sun Jun 6 06:13:03 1999
From: Dag-Erling Smorgrav
To: Mike Nowlin
Cc: Wes Peters, freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
Date: 06 Jun 1999 15:12:53 +0200
In-Reply-To: Mike Nowlin's message of "Sun, 6 Jun 1999 01:34:26 -0400 (EDT)"

Mike Nowlin writes:
> > Did you add the +::::::: entry to the passwd file?
> > Be sure to do group as well, if that's the problem. ;^)
> Used "vipw" to add it into /etc/master.passwd, and /etc/passwd now has
> +:*::::: in it..... Seems OK there..... :)

Remove the star - that's what's preventing kathleen from logging in.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no


From owner-freebsd-security Sun Jun 6 10:55:20 1999
From: Igor Roshchin
To: freebsd-security@freebsd.org
Subject: Q.: any new ftp vulnerabilities ?
Date: Sun, 6 Jun 1999 12:55:17 -0500 (CDT)
Message-Id: <199906061755.MAA03136@alecto.physics.uiuc.edu>

Hello!

I have observed a few occasions when some people were establishing
multiple connections to the ftp server within the last week (there is no
anonymous access, so it should not be "by mistake"). Usually, the logs do
not indicate any attempt of login, even as anonymous. The frequency of
connects (reported by tcpwrapper) is not too high, but probably indicates
that those are launched by a script (about 25-35 connections within 2-5
minutes).

I haven't seen any new security hole or DOS vulnerability in any ftpd
recently (except the one found in February or so, regarding the realpath,
and some similar issues, but that hole would not require multiple
connects), so I wonder if anybody has observed anything similar, and if
anybody knows of any new vulnerability?

IgoR

PS. The machine is running 2.2.7 and wu-ftpd-2.4.2v17.


From owner-freebsd-security Sun Jun 6 19:28:00 1999
From: John Baldwin
To: Dag-Erling Smorgrav
Cc: freebsd-security@FreeBSD.ORG, Wes Peters, Mike Nowlin
Subject: Re: NIS strangeness
Date: Sun, 06 Jun 1999 22:27:52 -0400 (EDT)
Message-Id: <199906070227.WAA16969@smtp1.erols.com>

On 06-Jun-99 Dag-Erling Smorgrav wrote:
> Mike Nowlin writes:
>> > Did you add the +::::::: entry to the passwd file?
>> > Be sure to do group as well, if that's the problem. ;^)
>> Used "vipw" to add it into /etc/master.passwd, and /etc/passwd now has
>> +:*::::: in it..... Seems OK there..... :)
>
> Remove the star - that's what's preventing kathleen from logging in.

If it was in /etc/master.passwd, yes. In /etc/passwd, no. At least, I run a
lab of 80+ machines running NIS over FreeBSD and Digital Unix and all the
FreeBSD clients have +:::::::: in /etc/master.passwd and +:*::::::: in
/etc/passwd.

> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no

---
John Baldwin -- http://members.freedomnet.com/~jbaldwin/
PGP Key: http://members.freedomnet.com/~jbaldwin/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.freebsd.org


From owner-freebsd-security Sun Jun 6 19:30:51 1999
From: John Baldwin
To: Wes Peters
Cc: freebsd-security@FreeBSD.ORG, Mike Nowlin
Subject: Re: NIS strangeness
Date: Sun, 06 Jun 1999 22:27:04 -0400 (EDT)
Message-Id: <199906070227.WAA09234@smtp4.erols.com>
In-Reply-To: <375A140C.5ABCA08D@softweyr.com>

On 06-Jun-99 Wes Peters wrote:
> Mike Nowlin wrote:
>>
>> > Did you add the +::::::: entry to the passwd file?
>> > Be sure to do group as well, if that's the problem. ;^)
>>
>> Used "vipw" to add it into /etc/master.passwd, and /etc/passwd now has
>> +:*::::: in it..... Seems OK there..... :)
>
> I'm not so sure about that *. If "ypmatch -k username passwd" works,
> the network transport and NIS parts are working just fine.

The star's fine, it's part of the shadow password stuff.
We run NIS at a lab I administer, and our /etc/passwd's all have *'s in
them, just like every other entry in /etc/passwd.

> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                                          Softweyr LLC
> http://www.softweyr.com/~softweyr               wes@softweyr.com

---
John Baldwin -- http://members.freedomnet.com/~jbaldwin/
PGP Key: http://members.freedomnet.com/~jbaldwin/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.freebsd.org


From owner-freebsd-security Sun Jun 6 20:53:52 1999
From: Mike Nowlin
To: John Baldwin
Cc: Wes Peters, freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
Date: Sun, 6 Jun 1999 23:56:07 -0400 (EDT)
In-Reply-To: <199906070227.WAA09234@smtp4.erols.com>

More info about this whole problem:

> > I'm not so sure about that *. If "ypmatch -k username passwd" works,
> > the network transport and NIS parts are working just fine.

Basically, if "root" is who's calling getpwnam(), the NIS lookup fails.
If any other user calls getpwnam(), it works. Example:

--------------------
#include <stdio.h>
#include <pwd.h>

main()
{
    struct passwd *pwdinfo;

    /* No check of the return value: if the lookup fails, getpwnam()
       returns NULL and the next line dereferences a null pointer. */
    pwdinfo = getpwnam("steph");
    printf("Name: %s\n", pwdinfo->pw_name);
    printf("Passwd: %s\n", pwdinfo->pw_passwd);
}
------------------

(It sucks, I know... But it was to test a theory.)

If root runs this program, it SEGV's and blows up. But if anybody else
runs it, it comes back with

Name: steph
Passwd: *

...as expected. (Steph is another NIS-defined user.)

If I replace "steph" with "mike" in the above program, both root & non-root
can run it fine. "mike" is NOT a NIS-defined user -- that one actually
exists in the local password file.

I can do a "ypcat master.passwd", "ypcat passwd", or "ypmatch rubino
master.passwd", and they all work -- it's not a missing master.passwd map.

This is slowly driving me insane...

--Mike


From owner-freebsd-security Sun Jun 6 22:04:28 1999
From: Mike Nowlin
To: freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
Date: Mon, 7 Jun 1999 01:09:50 -0400 (EDT)

> Basically, if "root" is who's calling getpwnam(), the NIS lookup fails.
> If any other user calls getpwnam(), it works. Example:

Here's an interesting bit of information: Running tcpdump with the "-x"
option and decoding the hex bytes off the network, the NIS server IS
sending back the correct line from master.passwd.byname in the 4th packet
in the transaction when root calls getpwnam(). For some reason, it never
seems to get back to the user program that called it, though.

Ho, hum..... Time to go digging through libc's source.... :)

--Mike


From owner-freebsd-security Sun Jun 6 23:31:38 1999
From: Andre Albsmeier
To: John Baldwin
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG, Wes Peters, Mike Nowlin
Subject: Re: NIS strangeness
Date: Mon, 7 Jun 1999 08:31:31 +0200
Message-ID: <19990607083131.A43845@internal>
In-Reply-To: <199906070227.WAA16969@smtp1.erols.com>

On Sun, 06-Jun-1999 at 22:27:52 -0400, John Baldwin wrote:
>
> On 06-Jun-99 Dag-Erling Smorgrav wrote:
> > Mike Nowlin writes:
> >> > Did you add the +::::::: entry to the passwd file?
> >> > Be sure to do group as well, if that's the problem. ;^)
> >> Used "vipw" to add it into /etc/master.passwd, and /etc/passwd now has
> >> +:*::::: in it..... Seems OK there..... :)
> >
> > Remove the star - that's what's preventing kathleen from logging in.

Now, please let me jump in here... I am currently debugging some curious
effects of NIS/ELF together with John Polstra. I am looking for someone
who has:

1.) A recent 3.2-STABLE installation with at least a
    version 1.13.2.8 of libexec/rtld-elf/rtld.c

2.) A working NIS master server with the machine from 1.)

3.) Two or more slave servers with the machine from 1.)

If all the above points apply, I would like to know the output of the
following command on the NIS master (replace the hostnames, they are not
important here):

yppush -vvv

Thanks a lot,

-Andre


From owner-freebsd-security Mon Jun 7 02:48:02 1999
From: Dag-Erling Smorgrav
To: John Baldwin
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG, Wes Peters, Mike Nowlin
Subject: Re: NIS strangeness
Date: 07 Jun 1999 11:46:58 +0200
In-Reply-To: John Baldwin's message of "Sun, 06 Jun 1999 22:27:52 -0400 (EDT)"

John Baldwin writes:
> If it was in /etc/master.passwd, yes. In /etc/passwd, no. At least, I run a
> lab of 80+ machines running NIS over FreeBSD and Digital Unix and all the
> FreeBSD clients have +:::::::: in /etc/master.passwd and +:*::::::: in
> /etc/passwd.

/etc/passwd is a dummy. It isn't used for anything.
DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no


From owner-freebsd-security Mon Jun 7 03:39:57 1999
From: John Baldwin
To: Andre Albsmeier
Cc: Mike Nowlin, Wes Peters, freebsd-security@FreeBSD.ORG, Dag-Erling Smorgrav, John Baldwin
Subject: Re: NIS strangeness
Date: Mon, 07 Jun 1999 06:38:13 -0400 (EDT)
Message-Id: <199906071038.GAA16710@smtp1.erols.com>
In-Reply-To: <19990607083131.A43845@internal>

On 07-Jun-99 Andre Albsmeier wrote:
> On Sun, 06-Jun-1999 at 22:27:52 -0400, John Baldwin wrote:
>>
>> On 06-Jun-99 Dag-Erling Smorgrav wrote:
>> > Mike Nowlin writes:
>> >> > Did you add the +::::::: entry to the passwd file?
>> >> > Be sure to do group as well, if that's the problem. ;^)
>> >> Used "vipw" to add it into /etc/master.passwd, and /etc/passwd now has
>> >> +:*::::: in it..... Seems OK there..... :)
>> >
>> > Remove the star - that's what's preventing kathleen from logging in.
>
> Now, please let me jump in here... I am currently debugging some curious
> effects of NIS/ELF together with John Polstra. I am looking for
> someone who has:
>
> 1.) A recent 3.2-STABLE installation with at least a
>     version 1.13.2.8 of libexec/rtld-elf/rtld.c
>
> 2.) A working NIS master server with the machine from 1.)
>
> 3.) Two or more slave servers with the machine from 1.)
>
> If all the above points apply, I would like to know the output of
> the following command on the NIS master (replace the hostnames, they
> are not important here):
>
> yppush -vvv

Well, the server is running 2.2.7. We've had problems using 3.0 and 3.1
machines as slaves, so our only slave right now is running Digital UNIX. The
next chance I get, I'll set up a slave server on one of our 3.2 servers and
see how that goes. There are plans to upgrade the NIS master to 3.2
eventually, just not quite yet. :(

> Thanks a lot,
>
> -Andre

---
John Baldwin -- http://members.freedomnet.com/~jbaldwin/
PGP Key: http://members.freedomnet.com/~jbaldwin/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.freebsd.org


From owner-freebsd-security Mon Jun 7 04:25:15 1999
From: Andre Albsmeier
To: John Baldwin
Cc: Andre Albsmeier, Mike Nowlin, Wes Peters, freebsd-security@FreeBSD.ORG, Dag-Erling Smorgrav, John Baldwin
Subject: Re: NIS strangeness
Date: Mon, 7 Jun 1999 13:25:07 +0200
Message-ID: <19990607132507.A69066@internal>
In-Reply-To: <199906071038.GAA16710@smtp1.erols.com>

On Mon, 07-Jun-1999 at 06:38:13 -0400, John Baldwin wrote:
>
> On 07-Jun-99 Andre Albsmeier wrote:
> > Now, please let me jump in here... I am currently debugging some curious
> > effects of NIS/ELF together with John Polstra. I am looking for
> > someone who has:
> >
> > 1.) A recent 3.2-STABLE installation with at least a
> >     version 1.13.2.8 of libexec/rtld-elf/rtld.c
> >
> > 2.) A working NIS master server with the machine from 1.)
> >
> > 3.) Two or more slave servers with the machine from 1.)
> >
> > If all the above points apply, I would like to know the output of
> > the following command on the NIS master (replace the hostnames, they
> > are not important here):
> >
> > yppush -vvv
>
> Well, the server is running 2.2.7. We've had problems using 3.0 and 3.1
> machines as slaves, so our only slave right now is running Digital UNIX. The
> next chance I get, I'll set up a slave server on one of our 3.2 servers and
> see how that goes. There are plans to upgrade the NIS master to 3.2
> eventually, just not quite yet. :(

I see. The problem occurs when the master runs a libexec/rtld-elf/rtld.c
with version 1.13.2.8 or newer and has to update 2 or more slaves. Both
slaves get updated but the callback to the master, indicating that all is
well, fails for the second slave.

So, if anyone has the setup I described in the previous mail, please run
the above yppush command and send me the output.

Thanks,

-Andre


From owner-freebsd-security Mon Jun 7 06:00:44 1999
From: Fernando Schapachnik
To: igor@physics.uiuc.edu (Igor Roshchin)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Q.: any new ftp vulnerabilities ?
Date: Mon, 7 Jun 1999 10:00:24 -0300 (GMT)
Message-Id: <199906071300.KAA22891@ns1.sminter.com.ar>
In-Reply-To: <199906061755.MAA03136@alecto.physics.uiuc.edu> from Igor Roshchin at "Jun 6, 99 12:55:17 pm"

In an earlier message, Igor Roshchin wrote:
[...]

Search bugtraq, there was some problem with wu-ftpd. If I don't recall
wrong the problem was not exploitable on FreeBSD, but I may be mixing
things up here. Maybe they were scanning for some ftpd hole. Switch to the
VR version to be sure.

Regards.

> IgoR
>
> PS. The machine is running 2.2.7 and wu-ftpd-2.4.2v17.

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4º y 5º piso.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar


From owner-freebsd-security Mon Jun 7 08:14:54 1999
From: Dag-Erling Smorgrav
To: Mike Nowlin
Cc: John Baldwin, Wes Peters, freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
Date: 07 Jun 1999 17:14:45 +0200
In-Reply-To: Mike Nowlin's message of "Sun, 6 Jun 1999 23:56:07 -0400 (EDT)"

Mike Nowlin writes:
> [test program snipped]
> If root runs this program, it SEGV's and blows up. But if anybody else
> runs it, it comes back with

The test program you posted doesn't do *any* error-checking... which
means that if getpwnam() fails, your program will happily try to
dereference a null pointer, hence the SIGSEGV.

As to *why* getpwnam() fails, I have no clue. It works fine for me, both
as a regular user and as root.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no


From owner-freebsd-security Mon Jun 7 08:18:28 1999
From: Mike Nowlin
To: Dag-Erling Smorgrav
Cc: John Baldwin, Wes Peters, freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
Date: Mon, 7 Jun 1999 11:23:47 -0400 (EDT)

> The test program you posted doesn't do *any* error-checking... which
> means that if getpwnam() fails, your program will happily try to
> dereference a null pointer, hence the SIGSEGV.

Shoulda put that disclaimer in -- that one was quick-and-dirty --
normally, my programs aren't that badly done.. :)

mike


From owner-freebsd-security Mon Jun 7 08:29:19 1999
From: Dag-Erling Smorgrav
To: Mike Nowlin
Cc: Dag-Erling Smorgrav, John Baldwin, Wes Peters, freebsd-security@FreeBSD.ORG
Subject: Re: NIS strangeness
Date: 07 Jun 1999 17:29:11 +0200
In-Reply-To: Mike Nowlin's message of "Mon, 7 Jun 1999 11:23:47 -0400 (EDT)"

Mike Nowlin writes:
> > The test program you posted doesn't do *any* error-checking... which
> > means that if getpwnam() fails, your program will happily try to
> > dereference a null pointer, hence the SIGSEGV.
> Shoulda put that disclaimer in -- that one was quick-and-dirty --
> normally, my programs aren't that badly done.. :)

Yes. I was trying to point out that the SIGSEGV is not a manifestation
of the bug itself, but a consequence of the lack of error checking.

Anyway, I can't seem to reproduce this bug, and I suppose it would be
too much to ask for a root shell on the affected machine :)

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no


From owner-freebsd-security Mon Jun 7 16:09:28 1999
From: Unknow User
To: security@freebsd.org
Subject: Preventing users from ....
Date: Mon, 07 Jun 1999 20:08:26 +0000
Message-ID: <375C26BA.3B5414F5@tdnet.com.br>

How could I prevent someone from detecting which OS/web server I am using?
There are scripts (http://www.unix-vs-nt.org) that can do it!

Thank you for your time and cooperation.

--
"The box said 'Requires Windows 98, NT, Linux or better' so I
installed FreeBSD."
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 7 16:16:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from easeway.com (ns1.easeway.com [209.69.39.1]) by hub.freebsd.org (Postfix) with ESMTP id 8969414F91 for ; Mon, 7 Jun 1999 16:16:20 -0700 (PDT) (envelope-from mwlucas@easeway.com) Received: (from mwlucas@localhost) by easeway.com (8.8.8/8.8.5) id TAA21763; Mon, 7 Jun 1999 19:06:38 -0400 (EDT) Message-Id: <199906072306.TAA21763@easeway.com> Subject: Re: Preventing users from .... In-Reply-To: <375C26BA.3B5414F5@tdnet.com.br> from Unknow User at "Jun 7, 99 08:08:26 pm" To: kernel@tdnet.com.br (Unknow User) Date: Mon, 7 Jun 1999 19:06:38 -0400 (EDT) Cc: security@FreeBSD.ORG From: mwlucas@exceptionet.com X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Very little. Different TCP/IP stacks return different sorts of responses to different packets. These scripts use these different answers to give results. =ml > How could i prevent ones from detecting which OS/WEB Server i am using? > There are script (http://www.unix-vs-nt.org) that can do it! > > thank you for your time and cooperation. > > -- > "The box said 'Requires Windows 98, NT, Linux or better' so I > installed FreeBSD." > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- Michael Lucas | Exceptionet, Inc. 
| www.exceptionet.com "Exceptional Networking" | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 7 16:23:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from rossel.saarnet.de (rossel.saarnet.de [145.253.240.29]) by hub.freebsd.org (Postfix) with ESMTP id 2DE2B14F7D for ; Mon, 7 Jun 1999 16:23:14 -0700 (PDT) (envelope-from doehrm@aubi.de) Received: from igate.aubi.de (root@igate.aubi.de [145.253.242.249]) by rossel.saarnet.de (8.8.8/8.8.8) with ESMTP id BAA19984; Tue, 8 Jun 1999 01:29:29 +0200 (MET DST) Received: from cisco.aubi.de (soraya.aubi.de [170.56.121.252]) by igate.aubi.de (8.9.1a/8.9.1) with ESMTP id BAA16316; Tue, 8 Jun 1999 01:16:44 +0200 Received: from exchange.aubi.de (EXCHANGE.aubi.de [170.56.121.91]) by cisco.aubi.de (8.9.1/8.9.1) with ESMTP id BAA28855; Tue, 8 Jun 1999 01:42:32 +0200 (CEST) Received: by EXCHANGE.aubi.de with Internet Mail Service (5.5.2232.9) id ; Tue, 8 Jun 1999 01:18:43 +0200 Message-ID: From: =?iso-8859-1?Q?Markus_D=F6hr?= To: "'mwlucas@exceptionet.com'" , kernel@tdnet.com.br Cc: security@FreeBSD.ORG Subject: RE: Preventing users from .... Date: Tue, 8 Jun 1999 01:18:34 +0200 Importance: high X-Priority: 1 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2232.9) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > How could i prevent ones from detecting which OS/WEB Server=20 > i am using? > > There are script (http://www.unix-vs-nt.org) that can do it! lynx -head -dump www.target.com gives you the used webserver. 
There are several articles around on http://www.genocide2600.com/~tattooman/main.shtml how to prevent OS detection. -- Markus Doehr IT Admin AUBI Baubeschläge GmbH Tel.: +49 6503 917 152 Fax : +49 6503 917 190 e-Mail: doehrm@aubi.de MD1139-RIPE ************************* To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 7 19: 5:45 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id E557C1502B for ; Mon, 7 Jun 1999 19:04:11 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id TAA31422; Mon, 7 Jun 1999 19:04:09 -0700 (PDT) (envelope-from dillon) Date: Mon, 7 Jun 1999 19:04:09 -0700 (PDT) From: Matthew Dillon Message-Id: <199906080204.TAA31422@apollo.backplane.com> To: Igor Roshchin Cc: freebsd-security@FreeBSD.ORG Subject: Re: Q.: any new ftp vulnerabilities ? References: <199906061755.MAA03136@alecto.physics.uiuc.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :Hello! : :I have observed a few occasions when some people were establishing :multiple connections to the ftp server within the last week (there is no :anonymous access, so it should not be "by mistake"). :Usually, the logs do not indicate any attempt of login, even :as anonymous. The frequency of connects (reported by tcpwrapper) is not too :high, but probably indicated that those are launched by a script :(about 25-35 connections within 2-5 minutes). 
: :I haven't seen any new security hole or DOS vulnerability in any ftpd recently :(except the one found in February or so, regarding the realpath, :and some similar issues, but that hole would not require multiple :connects), so I wonder if anybody has observed anything similar, :and if anybody knows of any new vulnerability ? : :IgoR : :PS. The machine is running 2.2.7 and wu-ftpd-2.4.2v17. There was a login overflow root exploit w/ anonymous FTP but I think it was fixed in v16. However, since I left BEST I haven't been keeping up with wu-ftpd bugs so I do not know if any new problems have occurred. I do seem to recall that the *new* version of wu-ftpd ( 3.x or something like that ) introduced a bunch of new exploitable holes which they then scrambled to close. Doh! There was also a recent hole found on Linux boxes due to the implementation of a directory pathing routine in libc, but FreeBSD's version of the routine is not vulnerable. -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 7 22:19:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from firewall.itsec-debis.de (gatekeeper.itsec-debis.de [195.227.50.26]) by hub.freebsd.org (Postfix) with ESMTP id 483C414E0D for ; Mon, 7 Jun 1999 22:18:35 -0700 (PDT) (envelope-from rhs@itsec-debis.de) Received: by firewall.itsec-debis.de id HAA25365; Tue, 8 Jun 1999 07:20:40 GMT Received: by firewall.itsec-debis.de via smap id xma025363; Tue, 8 Jun 99 07:20:22 GMT Received: by itsec-debis.de id HAA24050; Tue, 8 Jun 1999 07:32:31 +0200 Message-ID: <19990608073228.A11419@merlin.itsec-debis.de> Date: Tue, 8 Jun 1999 07:32:28 +0200 From: Randolf-Heiko Skerka To: security@FreeBSD.ORG Subject: Re: Preventing users from .... 
References: <375C26BA.3B5414F5@tdnet.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 X-Mailer: Mutt 0.91i In-Reply-To: <375C26BA.3B5414F5@tdnet.com.br>; from Unknow User on Mon, Jun 07, 1999 at 08:08:26PM +0000 Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by itsec-debis.de id HAA24050 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Jun 07, 1999 at 08:08:26PM +0000, Unknow User wrote: > How could i prevent ones from detecting which OS/WEB Server i am using? > There are script (http://www.unix-vs-nt.org) that can do it! Well, try http://www.genocide2600.com/~tattooman/ there are several papers on that topic. Another resource is http://www.insecure.org/index.html the homepage of nmap. I think there are some other papers on os detection prevention. There must be an article from Phrack about fingerprinting. It's quite good. Randolf Skerka -- +------------------------------------------------------------------------+ | Randolf Skerka debis IT Security Services | | Tel.
+49-228-9841-510 Rabinstrasse 8, 53111 Bonn | | 2 weeks free trial: Security news every day www.dcert.de | | 14 days free: up-to-date security news every day www.dcert.de | +------------------------------------------------------------------------+ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 8 0: 8:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from is2.nyu.edu (IS2.NYU.EDU [128.122.253.135]) by hub.freebsd.org (Postfix) with ESMTP id 8629414EF9; Tue, 8 Jun 1999 00:07:50 -0700 (PDT) (envelope-from hqy2446@is2.nyu.edu) Received: from localhost (hqy2446@localhost) by is2.nyu.edu (8.8.8/8.8.7) with SMTP id DAA13671; Tue, 8 Jun 1999 03:07:49 -0400 (EDT) Date: Tue, 8 Jun 1999 03:07:49 -0400 (EDT) From: hqy2446 To: freebsd-questions@freebsd.org Cc: freebsd-security@freebsd.org Subject: newbie question: ssh Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have a newbie question regarding X connection forward by ssh. After I installed ssh-1.2.27 and ssh-2.0.13, I was unable to use 'X connection forwarding' at certain servers. Now I tried this command: $ ssh -l [username] [remote host] xterm -display [my ip address]:0.0 xterm of the remote host was opened and I could run X clients on the host. I want to make sure that this connection is secured or not by experts or experienced users of ssh. And one more question: What is the difference between above way of connection and just a connection to a remote host by ssh(just like a telnet) and run X clients at the remote host shell? Thank you. 
-Paul To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 8 3:32:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id F36B814E54 for ; Tue, 8 Jun 1999 03:31:55 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id MAA13078; Tue, 8 Jun 1999 12:31:50 +0200 (CEST) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id MAA07541; Tue, 8 Jun 1999 12:31:49 +0200 (MET DST) Date: Tue, 8 Jun 1999 12:31:49 +0200 From: Eivind Eklund To: matt Cc: security@freebsd.org Subject: Re: slocate v1.6 Message-ID: <19990608123149.A7512@bitbox.follo.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: ; from matt on Sat, Jun 05, 1999 at 09:52:46AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, Jun 05, 1999 at 09:52:46AM -0400, matt wrote: > > Thanks to Kevin Lindsay and his willingness > to work with me. Secure Locate v1.6 is now FreeBSD compatible =) I > originally worked up a patch for 1.5, together we cleaned it all up > and it was included in the 1.6 release. For those who do not know what > secure locate is, it is a replacement for GNU locate, fixes many security > problems and is faster (imho) then locate. It also does not allow a user > to see any files that they don't have permission to read, ie; A user can't > do "locate root" and see everything in root's home dir.. or so on.. This is not a change from the default FreeBSD locate - it builds its database as 'nobody', and has done so for at least three years. 
I've considered installing slocate, as the functionality to actually see all files you have access to (and not just the ones readable by everybody) seems useful. However, the need to add another potentially insecure setuid[1] program has stopped me. Thanks for putting in the work to make it work with FreeBSD, though - it seems useful, just misnamed :-) [1] I at least seem to remember it being setuid - it should really be enough to make it setgid, and add a group for it... Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 8 3:34:45 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id C995014E54; Tue, 8 Jun 1999 03:34:40 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id MAA13536; Tue, 8 Jun 1999 12:34:39 +0200 (CEST) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id MAA07566; Tue, 8 Jun 1999 12:34:39 +0200 (MET DST) Date: Tue, 8 Jun 1999 12:34:39 +0200 From: Eivind Eklund To: hqy2446 Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: newbie question: ssh Message-ID: <19990608123439.B7512@bitbox.follo.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: ; from hqy2446 on Tue, Jun 08, 1999 at 03:07:49AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Jun 08, 1999 at 03:07:49AM -0400, hqy2446 wrote: > I have a newbie question regarding X connection forward by ssh. > > After I installed ssh-1.2.27 and ssh-2.0.13, I was unable to use 'X > connection forwarding' at certain servers. 
Now I tried this command: > > $ ssh -l [username] [remote host] xterm -display [my ip address]:0.0 > > xterm of the remote host was opened and I could run X clients on the host. > > I want to make sure that this connection is secured or not by experts or > experienced users of ssh. Not secured. > And one more question: What is the difference between above way of > connection and just a connection to a remote host by ssh(just like a > telnet) and run X clinets at the remote host shell? ssh will normally set up an emulated display at localhost:10.0 (or 11.0, 12.0, etc - depends on how many other ssh users you have.) This is securely forwarded, and is what you'll normally use. Your setup makes the program use an insecure connection over the normal net instead. Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 8 7:28:27 1999 Delivered-To: freebsd-security@freebsd.org Received: from sfmailrelay.hamquist.com (sfmailrelay2.hamquist.com [199.108.89.15]) by hub.freebsd.org (Postfix) with SMTP id 6AF6214D86 for ; Tue, 8 Jun 1999 07:27:14 -0700 (PDT) (envelope-from rchilders@hamquist.com) Received: from 172.19.6.48 by sfmailrelay.hamquist.com with SMTP ( WorldSecure Server SMTP Relay(WSS) v3.2 SR1); Tue, 08 Jun 99 07:26:51 -0700 X-Server-Uuid: c29e0ff2-e8b9-11d1-a493-00c04fbbd7d3 Received: from hamquist.com ([172.19.6.230]) by sfmail.hamquist.com ( Netscape Messaging Server 3.6) with ESMTP id AAA11C7; Tue, 8 Jun 1999 10:27:13 -0400 Message-ID: <375D292F.D750BFEB@hamquist.com> Date: Tue, 08 Jun 1999 07:31:11 -0700 From: "Richard Childers" Organization: hambrecht & quist, llc X-Mailer: Mozilla 4.5 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: "Unknow User" Cc: Subject: Re: Preventing users from .... 
References: <375C26BA.3B5414F5@tdnet.com.br> X-WSS-ID: 1B43F7A1459473-01-02 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Reilly has a great book on writing your own HTTP-conversant clients using readily-available Perl modules; I believe it is the client that is passing the so-called 'cookies' in the HTTP header. If none of this makes sense, get the book; it's by Clinton Wong, if memory serves me correctly (and it usually does :-). -- richard Richard Childers Senor UNIX Systems Administrator & Chief Bottle Washer Hambrecht & Quist, LLC (415) 439-3838 Unknow User wrote: > > How could i prevent ones from detecting which OS/WEB Server i am using? > There are script (http://www.unix-vs-nt.org) that can do it! > > thank you for your time and cooperation. > > -- > "The box said 'Requires Windows 98, NT, Linux or better' so I > installed FreeBSD." > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 8 8: 9:52 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id B0D1A14FFE for ; Tue, 8 Jun 1999 08:09:18 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id MAA19423 for freebsd-security@freebsd.org; Tue, 8 Jun 1999 12:09:50 -0300 (GMT) Message-Id: <199906081509.MAA19423@ns1.sminter.com.ar> Subject: Passive FTP To: freebsd-security@freebsd.org Date: Tue, 8 Jun 1999 12:09:50 -0300 (GMT) From: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello: Does anyone have a sample on how to set up ipfw to permit passive FTP connections to the server? In my architecture the FTP server is firewalling itself. I'm needing to allow passive FTP because browsers (Netscape at least) issue PASV. TIA and regards. Fernando P. Schapachnik Network administration VIA Net Works Argentina SA Diagonal Roque Sáenz Peña 971, 4th and 5th floor. 1035 - Capital Federal, Argentina. (54-11) 4323-3333 http://www.via-net-works.net.ar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 8 9:28:35 1999 Delivered-To: freebsd-security@freebsd.org Received: from aic-gw.mlink.net (aic-gw.mlink.net [209.104.118.65]) by hub.freebsd.org (Postfix) with SMTP id 84FE814D43 for ; Tue, 8 Jun 1999 09:28:31 -0700 (PDT) (envelope-from matt@AIC-GW.MLINK.NET) Received: (qmail 4744 invoked by uid 1001); 8 Jun 1999 16:28:30 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 8 Jun 1999 16:28:30 -0000 Date: Tue, 8 Jun 1999 12:28:30 -0400 (EDT) From: matt To: Eivind Eklund Cc: security@freebsd.org Subject: Re: slocate v1.6 In-Reply-To: <19990608123149.A7512@bitbox.follo.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 8 Jun 1999, Eivind Eklund wrote: [...] : [1] I at least seem to remember it being setuid - it should really be : enough to make it setgid, and add a group for it... That is exactly what it does on install. root[aic-gw]:/usr/bin# ls -l slocate -rwxr-sr-x 1 root slocate 41436 Jun 5 09:32 slocate* root[aic-gw]:/etc# grep slocate group slocate:*:30002: And to clarify, I was never trying to say how slocate is all better than the default locate or whatnot, so I'm not trying to have a war or a 'my dick is bigger than yours' type argument... 
=) : Eivind. Matt -- DISCLAIMER: Anyone sending me unsolicited commercial electronic mail will be charged a $100 fee for time spent reading it. Do NOT send this type of electronic mail to me. In reading this, you automatically agree to be subjected to these terms: US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets the definition of a telephone fax machine. By Sec.227(b)(1)(C), it is unlawful to send any unsolicited advertisement to such equipment. By Sec.227(b)(3)(C), a violation of the aforementioned Section is punishable by action to recover actual monetary loss, or $500, whichever is greater, for each violation. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 8 11:15:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from bubba.whistle.com (s205m7.whistle.com [207.76.205.7]) by hub.freebsd.org (Postfix) with ESMTP id 3C74714C46 for ; Tue, 8 Jun 1999 11:15:15 -0700 (PDT) (envelope-from archie@whistle.com) Received: (from archie@localhost) by bubba.whistle.com (8.9.2/8.9.2) id LAA57994; Tue, 8 Jun 1999 11:14:33 -0700 (PDT) From: Archie Cobbs Message-Id: <199906081814.LAA57994@bubba.whistle.com> Subject: Re: Passive FTP In-Reply-To: <199906081509.MAA19423@ns1.sminter.com.ar> from Fernando Schapachnik at "Jun 8, 99 12:09:50 pm" To: fpscha@via-net-works.net.ar (Fernando Schapachnik) Date: Tue, 8 Jun 1999 11:14:33 -0700 (PDT) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Fernando Schapachnik writes: > Anyone has a sample on how to set up ipfw to permit passive FTP > conections to the server? In my architecture the FTP server is > firewalling itself. Simple... 
find out what client port ranges your FTP server uses (see the -U option to ftpd(8)) and then open your firewall to allow incoming TCP packets (including setup packets) to this port range on your server. -Archie ___________________________________________________________________________ Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 8 11:49:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 8AD0F14D2A for ; Tue, 8 Jun 1999 11:49:15 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id UAA71638; Tue, 8 Jun 1999 20:49:11 +0200 (CEST) (envelope-from des) To: Archie Cobbs Cc: fpscha@via-net-works.net.ar (Fernando Schapachnik), freebsd-security@FreeBSD.ORG Subject: Re: Passive FTP References: <199906081814.LAA57994@bubba.whistle.com> From: Dag-Erling Smorgrav Date: 08 Jun 1999 20:49:10 +0200 In-Reply-To: Archie Cobbs's message of "Tue, 8 Jun 1999 11:14:33 -0700 (PDT)" Message-ID: Lines: 16 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Archie Cobbs writes: > Fernando Schapachnik writes: > > Anyone has a sample on how to set up ipfw to permit passive FTP > > conections to the server? In my architecture the FTP server is > > firewalling itself. > Simple... find out what client port ranges your FTP server uses (see > the -U option to ftpd(8)) and then open your firewall to allow incoming > TCP packets (including setup packets) to this port range on your server. The description of the -U option in the ftpd(8) man page is misleading. The actual range is defined by sysctl variables (which default to the values given in the ftpd(8) man page); see ip(4). 
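The rule set Fernando asked for, with the data-port range taken from the ip(4) sysctls DES points at instead of being copied from the man page. This is an added example, not code from the thread or from FreeBSD; the address 192.0.2.1, the rule numbers and the FTPD_USES_U switch are assumptions, and the fallback values are the documented defaults (hifirst/hilast 49152..65535 for the normal case, first/last 1024..5000 when ftpd is started with -U).

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: print ipfw(8)
# rules that let a self-firewalling FTP server accept passive-mode data
# connections.  The data-port range is read from the ip(4) sysctls ftpd
# really uses; the fallbacks are the documented defaults so the script
# also runs on a host without those OIDs.

SERVER_IP="${SERVER_IP:-192.0.2.1}"    # placeholder; use the server's own address
FTPD_USES_U="${FTPD_USES_U:-no}"       # "yes" if ftpd is started with -U

# Print sysctl OID $1, or the fallback $2 when the OID cannot be read.
sysctl_or() {
    v=$(sysctl -n "$1" 2>/dev/null) && [ -n "$v" ] && echo "$v" || echo "$2"
}

# Passive data ports: the "high" range by default (ftpd(8) documents it as
# 49152..65535), or the ordinary auto-port range (first..last, 1024..5000 by
# default, which ftpd(8) describes as 1024..4999) when ftpd runs with -U.
passive_port_range() {
    if [ "$FTPD_USES_U" = "yes" ]; then
        echo "$(sysctl_or net.inet.ip.portrange.first 1024) $(sysctl_or net.inet.ip.portrange.last 5000)"
    else
        echo "$(sysctl_or net.inet.ip.portrange.hifirst 49152) $(sysctl_or net.inet.ip.portrange.hilast 65535)"
    fi
}

# Emit the rules (printed, not executed; review them, then pipe into sh).
# Rule numbers are arbitrary.  Control channel in, data-channel setups in to
# the passive range, replies in both directions, and every other new TCP
# connection to the server logged and dropped.
passive_ftp_rules() {
    set -- $(passive_port_range)
    lo=$1 hi=$2
    cat <<EOF
ipfw add 1000 allow tcp from any to $SERVER_IP 21 setup
ipfw add 1010 allow tcp from any to $SERVER_IP $lo-$hi setup
ipfw add 1020 allow tcp from any to any established
ipfw add 1030 deny log tcp from any to $SERVER_IP setup
EOF
}

passive_ftp_rules
```

Rule 1010 is the price of passive mode: it admits new connections to every port in the range, not only to the one ftpd is listening on for a pending transfer, so any other daemon bound in that range becomes reachable through it. Keeping the range narrow (the same sysctls control it) limits that exposure.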
DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 9 0:12:34 1999 Delivered-To: freebsd-security@freebsd.org Received: from is2.nyu.edu (IS2.NYU.EDU [128.122.253.135]) by hub.freebsd.org (Postfix) with ESMTP id 4C89615401; Wed, 9 Jun 1999 00:12:25 -0700 (PDT) (envelope-from hqy2446@is2.nyu.edu) Received: from localhost (hqy2446@localhost) by is2.nyu.edu (8.8.8/8.8.7) with SMTP id DAA11783; Wed, 9 Jun 1999 03:12:25 -0400 (EDT) Date: Wed, 9 Jun 1999 03:12:25 -0400 (EDT) From: hqy2446 To: Eivind Eklund Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: newbie question: ssh In-Reply-To: <3.0.6.32.19990609015904.007faa30@is2.nyu.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 9 Jun 1999, Eivind Eklund wrote: > Date: Wed, 09 Jun 1999 01:59:04 -0400 > From: Eivind Eklund > To: hqy2446@nyu.edu > Subject: Re: newbie question: ssh > > On Tue, Jun 08, 1999 at 03:07:49AM -0400, hqy2446 wrote: > > I have a newbie question regarding X connection forward by ssh. > > > > After I installed ssh-1.2.27 and ssh-2.0.13, I was unable to use 'X > > connection forwarding' at certain servers. Now I tried this command: > > > > $ ssh -l [username] [remote host] xterm -display [my ip address]:0.0 > > > > xterm of the remote host was opened and I could run X clients on the host. > > > > I want to make sure that this connection is secured or not by experts or > > experienced users of ssh. > > Not secured. > > > And one more question: What is the difference between above way of > > connection and just a connection to a remote host by ssh(just like a > > telnet) and run X clinets at the remote host shell? 
> > ssh will normally set up an emulated display at localhost:10.0 (or > 11.0, 12.0, etc - depends on how many other ssh users you have.) This > is securely forwarded, and is what you'll normally use. Your setup > makes the program use an insecure connection over the normal net > instead. > > Eivind. > > Thanks for your reply. Now I have a question. How can I make a secure connection to a remote host using ssh? My FreeBSD box is stand-alone, I am the only user. I re-compiled ssh-1.2.27 and ssh-2.0.13 with the X connection forward option (it was the default option, though). I still can't make X connection forward to a certain remote host, not all of them. What I did is $ xhost +[remote host] and then $ ssh -l [my user name] [remote host] or, $ DISPLAY=[my ip address]:0.0; export DISPLAY $ ssh -l [my user name] [remote host] For both of the above, the shell connection is usually fine, but not the X connection. When I tried to open an X client, I got this error message: 'Error: Can't open display: :0' The following is the 'ssh -v' message: $ ssh -v -l [user name] [remote host] debug: hostname is 'foo.bar'. debug: Unable to open /home/foo/.ssh2/ssh2_config debug: connecting to foo.bar... debug: entering event loop debug: ssh_client_wrap: creating transport protocol debug: ssh_client_wrap: creating userauth protocol debug: Ssh2Transport/trcommon.c:592/ssh_tr_input_version: Remote version: SSH-1.99-2.0.12 (non-commercial) debug: Remote version: SSH-1.99-2.0.12 (non-commercial) debug: Host key found from the database. 
debug: Ssh2Common/sshcommon.c:155/ssh_common_special: special packet received from connection protocol: 3 debug: Ssh2Common/sshcommon.c:155/ssh_common_special: special packet received from connection protocol: 4 debug: Unable to open /home/foo/.ssh2/identification password: debug: Ssh2Common/sshcommon.c:155/ssh_common_special: special packet received from connection protocol: 6 debug: Ssh2/ssh2.c:304/client_authenticated: client_authenticated debug: Ssh2Common/sshcommon.c:466/ssh_common_new_channel: num_channels now 1 Last login: Wed Jun 9 01:45:13 1999 % Any help would be greatly appreciately. Thanks again. -Paul To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 9 0:44:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from hydrogen.fircrest.net (metriclient-3.uoregon.edu [128.223.172.3]) by hub.freebsd.org (Postfix) with ESMTP id B6ADE14E61; Wed, 9 Jun 1999 00:44:43 -0700 (PDT) (envelope-from gurney_j@efn.org) Received: (from jmg@localhost) by hydrogen.fircrest.net (8.9.1/8.8.7) id AAA11570; Wed, 9 Jun 1999 00:44:37 -0700 (PDT) Message-ID: <19990609004437.15372@hydrogen.nike.efn.org> Date: Wed, 9 Jun 1999 00:44:37 -0700 From: John-Mark Gurney To: hqy2446 Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: newbie question: ssh References: <3.0.6.32.19990609015904.007faa30@is2.nyu.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.69 In-Reply-To: ; from hqy2446 on Wed, Jun 09, 1999 at 03:12:25AM -0400 Reply-To: John-Mark Gurney Organization: Cu Networking X-Operating-System: FreeBSD 3.0-RELEASE i386 X-PGP-Fingerprint: B7 EC EF F8 AE ED A7 31 96 7A 22 B3 D8 56 36 F4 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hqy2446 scribbled this message on Jun 9: > On Wed, 9 Jun 1999, Eivind Eklund wrote: 
> > > Date: Wed, 09 Jun 1999 01:59:04 -0400 > > From: Eivind Eklund > > To: hqy2446@nyu.edu > > Subject: Re: newbie question: ssh > > > > On Tue, Jun 08, 1999 at 03:07:49AM -0400, hqy2446 wrote: > > > I have a newbie question regarding X connection forward by ssh. > > > > > > After I installed ssh-1.2.27 and ssh-2.0.13, I was unable to use 'X > > > connection forwarding' at certain servers. Now I tried this command: > > > > > > $ ssh -l [username] [remote host] xterm -display [my ip address]:0.0 > > > > > > xterm of the remote host was opened and I could run X clients on the host. > > > > > > I want to make sure that this connection is secured or not by experts or > > > experienced users of ssh. > > > > Not secured. > > > > > And one more question: What is the difference between above way of > > > connection and just a connection to a remote host by ssh(just like a > > > telnet) and run X clients at the remote host shell? > > > > ssh will normally set up an emulated display at localhost:10.0 (or > > 11.0, 12.0, etc - depends on how many other ssh users you have.) This > > is securely forwarded, and is what you'll normally use. Your setup > > makes the program use an insecure connection over the normal net > > instead. > > Thanks for your reply. Now I have a question. How can I make a secure > connection to a remote host using ssh? My FreeBSD box is stand-alone, > I am the only user. I re-compiled ssh-1.2.27 and ssh-2.0.13 with X > connection forward option (it was default option, though). I still can't > make X connection forward to a certain remote host, not all of them. > > What I did is > > $ xhost +[remote host] NEVER EVER do this!!! this is BAD, anyone on [remote host] can now connect to your server and intercept ANY keystrokes that you may type, this includes any passwords you may type... 
instead you want to run xauth on the local machine, extract the info for the tcp/ip transport one, and add it to the remote machine's xauth database, then you can export your display info properly... example: hydrogen,ttypb,~,501$xauth Using authority file /a/home/johng/.Xauthority xauth> list lead.fircrest.net:0 MIT-MAGIC-COOKIE-1 12402031784e167c4c261c1d50781e07 xauth> quit the lead.fircrest.net line is because I used xdm to query and login remotely... now I would run xauth on the remote machine and issue the command: add lead.fircrest.net:0 MIT-MAGIC-COOKIE-1 12402031784e167c4c261c1d50781e07 and then: export DISPLAY=lead.fircrest.net:0 then I can run my applications, but the X connection is still not encrypted, just protected from other non-root users from being able to listen in... as for why ssh isn't doing all the forwarding work for you, that's another puzzle, you need to make sure you build ssh when the X libs are installed on the machine, I built ssh once, then installed the X libs, of course X forwarding didn't work till we rebuilt ssh... -- John-Mark Gurney Voice: +1 541 684 8449 Cu Networking P.O. Box 5693, 97405 "The soul contains in itself the event that shall presently befall it. The event is only the actualizing of its thought." 
-- Ralph Waldo Emerson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 9 3:40:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from cybernex.net.au (isppp.cybernex.net.au [203.28.168.1]) by hub.freebsd.org (Postfix) with ESMTP id BE9BB14E77 for ; Wed, 9 Jun 1999 03:40:16 -0700 (PDT) (envelope-from jj@cybernex.net.au) Received: from jacobr (pppR3.cybernex.net.au [203.28.168.33]) by cybernex.net.au (8.8.5/8.8.5) with SMTP id UAA28635 for ; Wed, 9 Jun 1999 20:40:12 +1000 Message-Id: <199906091040.UAA28635@cybernex.net.au> From: "Jacob Rhoden" To: freebsd-security@FreeBSD.ORG Date: Wed, 9 Jun 1999 20:42:37 +1000 MIME-Version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: Quoted-printable Subject: setuid diff Reply-To: jj@cybernex.net.au In-reply-to: <199906081814.LAA57994@bubba.whistle.com> References: <199906081509.MAA19423@ns1.sminter.com.ar> from Fernando Schapachnik at "Jun 8, 99 12:09:50 pm" X-mailer: Pegasus Mail for Win32 (v3.11) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org shells.dominoid.dhs.org setuid diffs: 4c4 < -r-x--s--x 1 jj jj 15111 Jun 7 00:48:43 1999 /home/jj/afip/afip.log Hi, I got this message from the daily security run, and don't understand how a user could have set a flag s, and what is s?? I've never been able to figure it out, is this bad? Sorry if I sound stupid, which I probably do (: thanks Jacob .---------------[ jj@cybernex.net.au ]--------------------------------. 
| Settle, Settle for, Settle for nothing, Settle for nothing less | |Settle for nothing less than, Settle for nothing less than the object| | Settle for nothing less than the object of your desire | `-----------------------------------------[ Björk - 1991 ]------------' To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 9 4:15:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id EF11815401 for ; Wed, 9 Jun 1999 04:15:07 -0700 (PDT) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.02 #1) id 10rgJj-000EoA-00; Wed, 09 Jun 1999 13:14:47 +0200 From: Sheldon Hearn To: jj@cybernex.net.au Cc: freebsd-security@FreeBSD.ORG Subject: Re: setuid diff In-reply-to: Your message of "Wed, 09 Jun 1999 20:42:37 +1000." <199906091040.UAA28635@cybernex.net.au> Date: Wed, 09 Jun 1999 13:14:47 +0200 Message-ID: <56925.928926887@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 09 Jun 1999 20:42:37 +1000, "Jacob Rhoden" wrote: > shells.dominoid.dhs.org setuid diffs: > 4c4 > < -r-x--s--x 1 jj jj 15111 Jun 7 00:48:43 1999 > /home/jj/afip/afip.log Anyone can execute afip.log (assuming it's a runnable binary). The process created will have the runner's UID, but with the effective GID of group jj. Looks like a mistake or a user offering other users on your box a service in what he thinks is a sneaky way. Ciao, Sheldon. 
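What the nightly run does to produce that "setuid diffs" line, and how to read the mode field the way Sheldon did, as an added example (not the thread's code and not FreeBSD's /etc/security script): list_setid finds files carrying the setuid or setgid bit and prints them in ls -l form, decode_mode reads the first field of such a line, and explain_ls_line says who can run the file and which credentials the process gets. The ls line fed to it at the bottom is Jacob's; everything else is constructed.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeBSD's /etc/security script.
# list_setid: regular files with the setuid (04000) or setgid (02000) bit
# under the given directories, printed like the nightly report does.
# decode_mode / explain_ls_line: what the mode field of such a line means.

list_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# Slot 4 of the mode string is the owner execute bit, slot 7 the group
# execute bit.  A lower-case 's' there means "set-id bit on and executable
# for that class"; an upper-case 'S' means the set-id bit is on but the file
# is not executable for that class (harmless until someone adds +x).  The
# trailing '*' ignores the '+', '@' or '.' some ls versions append.
decode_mode() {
    out=""
    case "$1" in
        ???s??????*) out="setuid,owner-exec" ;;
        ???S??????*) out="setuid,no-owner-exec" ;;
    esac
    case "$1" in
        ??????s???*) out="${out:+$out;}setgid,group-exec" ;;
        ??????S???*) out="${out:+$out;}setgid,no-group-exec" ;;
    esac
    echo "${out:-none}"
}

# Summarize one ls -l line: who can run the file, and which effective
# credentials the resulting process gets.  Runs in a subshell so that
# turning off globbing and resetting the positional parameters stays local.
explain_ls_line() (
    set -f
    set -- $1                  # mode links owner group size ... path
    mode=$1 owner=$3 group=$4
    for path in "$@"; do :; done   # last field is the path
    bits=$(decode_mode "$mode")
    case "$mode" in
        ?????????[xt]*) who="anyone" ;;        # slot 10: world execute
        *) who="not everyone" ;;
    esac
    msg="$path: executable by $who"
    case "$bits" in *setuid*) msg="$msg; runs with effective UID of $owner" ;; esac
    case "$bits" in *setgid*) msg="$msg; runs with effective GID of $group" ;; esac
    echo "$msg"
)

explain_ls_line '-r-x--s--x 1 jj jj 15111 Jun 7 00:48:43 1999 /home/jj/afip/afip.log'
# /home/jj/afip/afip.log: executable by anyone; runs with effective GID of jj
# Whole-system listing, as the report sees it:  list_setid / | sort
```

A user can set the bit on their own file with plain chmod (chmod g+s or chmod 2511), which is why the check runs nightly and diffs against the previous day rather than trusting that only root creates such files.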
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 9 6:54:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from is2.nyu.edu (IS2.NYU.EDU [128.122.253.135]) by hub.freebsd.org (Postfix) with ESMTP id 5F30914C13; Wed, 9 Jun 1999 06:54:48 -0700 (PDT) (envelope-from hqy2446@is2.nyu.edu) Received: from localhost (hqy2446@localhost) by is2.nyu.edu (8.8.8/8.8.7) with SMTP id JAA22567; Wed, 9 Jun 1999 09:54:26 -0400 (EDT) Date: Wed, 9 Jun 1999 09:54:26 -0400 (EDT) From: hqy2446 To: gurney_j@efn.org Cc: freebsd-questions@freebsd.org, freebsd-security@freebsd.org Subject: Re: newbie question: ssh Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >as for why ssh isn't doing all the forwarding work for you, that's >another puzzle, you need to make sure you build ssh when the X libs are >installed on the machine, I built ssh once, then installed the X libs, >of course X forwarding didn't work till we rebuilt ssh... Can you tell me more specifically about above? What X libs are you talking about? Thanks. 
From owner-freebsd-security Wed Jun 9 8:23: 7 1999
From: Paul Hart
Date: Wed, 9 Jun 1999 09:21:58 -0600 (MDT)
To: John-Mark Gurney
Cc: hqy2446, freebsd-security@FreeBSD.ORG
Subject: Re: newbie question: ssh
In-Reply-To: <19990609004437.15372@hydrogen.nike.efn.org>

On Wed, 9 Jun 1999, John-Mark Gurney wrote:

> > What I did is
> >
> > $ xhost +[remote host]
>
> NEVER EVER do this!!! this is BAD, anyone on [remote host] can now
> connect to your server and intercept ANY keystrokes that you may type,
> this includes any passwords you may type...

Oooh, yeah, this is very very bad.

> as for why ssh isn't doing all the forwarding work for you, that's
> another puzzle, you need to make sure you build ssh when the X libs
> are installed on the machine, I built ssh once, then installed the X
> libs, of course X forwarding didn't work till we rebuilt ssh...

Did you make sure that the remote sshd has X11 forwarding turned on? You need to have X11 forwarding turned on in your local SSH client configuration and the remote sshd has to have it turned on as well.
If the remote machine does not have X installed, it may be difficult to get sshd to do X11 forwarding because SSH likes to do things like create .Xauthority files for you on the remote machine using xauth and stock them with cookies. X11 forwarding will also be missing from sshd if the build process was unable to locate xauth at the SSH compilation configuration stage on the remote machine, as I recall.

If you use the defaults everywhere that come with SSH, your client installation will have X11 forwarding turned on and the remote sshd should also have it enabled. Then just log in to the remote server with SSH and immediately check your DISPLAY environment variable (don't you set it!). You should see DISPLAY set to a high numbered display (like >10) on the remote machine. This will be your sign that SSH X11 forwarding is in effect.

Try running some X clients on the remote machine, verify that they do appear on your local X server, and check the list of open sockets on the local machine with netstat to verify that the X clients in fact did not come over a socket directly to your local X server (i.e. you don't see any active connections from the remote machine to port 6000 or so on the local machine).

Paul Hart

--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
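Paul's two checks (a high-numbered DISPLAY on the remote host after login, and no direct connection to the local X port) can be scripted. This shell snippet is an added example, not from the list: x11_forwarded applies the DISPLAY heuristic, and direct_x_connections scans "netstat -n" output for established connections to TCP ports 6000-6063 from anything other than loopback. The sample netstat lines are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the list thread): script the two checks for ssh
# X11 forwarding described above. Names are this example's own.

# x11_forwarded DISPLAY REMOTE_HOST
#   Heuristic from the thread: after "ssh remote", DISPLAY should name a
#   high-numbered display (10 or above) on the remote host itself, e.g.
#   "remote.example.org:12.0" or ":10.0". A display number below 10, or a
#   display hosted elsewhere, means X clients would talk to an X server
#   directly instead of through the ssh proxy. Returns 0 if forwarded.
x11_forwarded() {
    disp=$1
    remote=$2
    case $disp in *:*) ;; *) return 1 ;; esac
    dhost=${disp%%:*}            # part before the colon (may be empty)
    num=${disp#*:}
    num=${num%%.*}               # display number without the screen
    case $num in ''|*[!0-9]*) return 1 ;; esac
    [ "$num" -ge 10 ] || return 1
    [ -z "$dhost" ] || [ "$dhost" = localhost ] || [ "$dhost" = "$remote" ]
}

# direct_x_connections NETSTAT_FILE
#   Reads "netstat -n" style lines (BSD "addr.port" or Linux "addr:port"
#   notation) and prints every ESTABLISHED TCP connection whose local port
#   is in the X11 range 6000-6063 and whose peer is not loopback. Any
#   output means an X client reached the local X server without ssh.
direct_x_connections() {
    awk '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            n = split($4, l, /[.:]/)
            lport = l[n] + 0
            if (lport >= 6000 && lport <= 6063 &&
                $5 !~ /^127\./ && $5 !~ /^::1[.:]/)
                print
        }' "$1"
}

# write_sample_netstat FILE
#   Constructed sample output (not a real capture) for a demo run: one
#   direct X connection from a remote host, one loopback X connection as
#   an ssh-forwarded client would produce, an ssh session, and a closed
#   connection that must not be counted.
write_sample_netstat() {
    cat > "$1" <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.6000        198.51.100.7.1033      ESTABLISHED
tcp4       0      0  127.0.0.1.6000         127.0.0.1.1040         ESTABLISHED
tcp4       0      0  192.0.2.10.22          198.51.100.7.1041      ESTABLISHED
tcp4       0      0  192.0.2.10.6000        198.51.100.7.1042      TIME_WAIT
EOF
}

# Usage on a live system after "ssh remote":
#   x11_forwarded "$DISPLAY" remote.example.org && echo forwarded
#   netstat -n > /tmp/ns.txt && direct_x_connections /tmp/ns.txt
```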
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/

From owner-freebsd-security Wed Jun 9 8:43:17 1999
From: Wes Peters
Organization: Softweyr LLC
Date: Wed, 09 Jun 1999 09:43:03 -0600
To: hqy2446
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: newbie question: ssh
Message-ID: <375E8B87.84A47C9D@softweyr.com>

hqy2446 wrote:
>
> I have a newbie question regarding X connection forwarding by ssh.
>
> After I installed ssh-1.2.27 and ssh-2.0.13, I was unable to use 'X
> connection forwarding' at certain servers. Now I tried this command:
>
> $ ssh -l [username] [remote host] xterm -display [my ip address]:0.0

No no no no! Watch:

wes@homer$ echo $DISPLAY
:0.0
wes@homer$ ssh freefall.cdrom.com
Enter passphrase for RSA key 'wes@homer':
...
bash-2.02$ echo $DISPLAY
freefall.freebsd.org:12.0
bash-2.02$ /usr/X11R6/bin/xdpyinfo
name of display: freefall.freebsd.org:12.0
version number: 11.0
vendor string: The XFree86 Project, Inc
vendor release number: 3330

Homer is my laptop running FreeBSD. As you can see, when I log in to freefall via ssh, a secure X proxy connection has already been set up for me by ssh.
It will do this if it finds the $DISPLAY variable set on the client side. Use this connection and only this connection for secure transport. Your command should be:

$ ssh -l [username] [remote host] xterm

and nothing more.

$ ssh -l username remotehost env

will allow you to determine that the remote $DISPLAY is being set correctly.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com

From owner-freebsd-security Wed Jun 9 9: 1:44 1999
From: Terry Warner
Date: Wed, 9 Jun 1999 12:01:34 -0400 (EDT)
To: freebsd-security@FreeBSD.ORG
Subject: ssh
Message-Id: <199906091601.MAA24788@www.netlabs.net>

Are there any improvements for ssh, like from 1.2.26 to 1.2.27? And any bugs in it? Please let me know.
Thanks,
Terry

From owner-freebsd-security Wed Jun 9 12:46:10 1999
From: Holtor
Date: Wed, 9 Jun 1999 12:46:42 -0700 (PDT)
To: freebsd-security@freebsd.org
Subject: MOD/CG32 Virus
Message-ID: <19990609194642.5800.rocketmail@web126.yahoomail.com>

Hello,

I've heard some stories lately about this MOD/CG32 virus that infects unix? Right when I heard it I said "bull". A virus for unix... I don't think so. But now that a few people have asked/talked to me about it, I'm trying to get some answers about this. I'm told it can edit BIOS and several things which I know can't be done really, I hope. ;)

Can someone please give me some input on this? If this did exist, it's not like the user would have root, so how is it possible to infect a system? If it was, many systems would be in trouble right now..

Thanks,
Holt
From owner-freebsd-security Thu Jun 10 5:21:26 1999
From: Fernando Schapachnik
Date: Thu, 10 Jun 1999 09:21:20 -0300 (GMT)
To: keerf@www.netlabs.net (Terry Warner)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh
In-Reply-To: <199906091601.MAA24788@www.netlabs.net> from Terry Warner at "Jun 9, 99 12:01:34 pm"
Message-Id: <199906101221.JAA26071@ns1.sminter.com.ar>

1.2.27 closes several possible buffer overflows due to sprintf.

Regards.

In an earlier message, Terry Warner wrote:
>
> Are there any improvements for ssh, like from 1.2.26 to 1.2.27? And any bugs in it? Please let me know.
> Thanks
>
> Terry

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4th and 5th floor.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

From owner-freebsd-security Thu Jun 10 8:47:13 1999
From: Dmitriy Bokiy
Date: Thu, 10 Jun 1999 19:39:59 +0400
To: freebsd-security@FreeBSD.ORG
Subject: Newbie questions: DoS & xinetd
Message-ID: <18819.990610@cityline.ru>

Hi all,

1) I've been wondering how FreeBSD (3.1-Stable, inetd - some_version - how is it obtained?) can handle these DoS attacks: ICMP Redirect, SYN Flood.

Specifically I'm interested in knowing about those kernel variables and inetd options which are known to change the default behavior. I found this: net.inet.ip.redirect=1. Is it bad?

2) Is it worth moving to/making use of xinetd?

Thanks for any bit of information.
- Dmitriy

From owner-freebsd-security Thu Jun 10 12: 8:56 1999
From: "Richard Childers"
Organization: hambrecht & quist, llc
Date: Thu, 10 Jun 1999 12:12:51 -0700
To: "Dmitriy Bokiy"
Subject: Re: Newbie questions: DoS & xinetd
Message-ID: <37600E33.9A11E641@hamquist.com>
References: <18819.990610@cityline.ru>

I see a lot of postings that contain good, but not thoroughly researched, questions. I would like to propose the following to everyone.

Before you post to any list asking any UNIX questions about any system where you have "root" access, are responsible for administering it, or installed the system, and want to ask about "Topic X", do yourself and everyone else a favor, and use the find(1) command to search for relevant information.
For instance, if I wanted to search for all occurrences of the string "net.inet.ip.redirect", I would do:

# find / -type f -exec grep -i "net.inet.ip.redirect" {} \; -print

Doing so (you may wish to redirect the output into a temporary file, to keep binary from scrawling across your screen), you will see that the following files reference this string:

/usr/src/share/doc/smm/01.setup/5.t
/usr/src/share/doc/smm/01.setup/spell.OK
/var/db/kvm_kernel.db

The file /usr/src/share/doc/smm/01.setup/5.t appears to be a text file, containing documentation describing how to comprehensively configure network interfaces; unfortunately, despite some twenty years of wrestling with roff(1), nroff(1) and troff(1), I was unable to get this file to print out properly. I *was* able to print it out as both ASCII and PostScript files, successfully, but some syntax errors in the top of the file keep it from being interpreted correctly, such that it emerges missing the first few paragraphs or pages and is thus of marginal use. You should not let the fact that the file is impossible to feed to troff(1) stop you, however; there is still some interesting information in the file, and it is not unreadable.

(Commands used were:

cat /usr/src/share/doc/smm/01.setup/5.t | groff -Tascii
cat /usr/src/share/doc/smm/01.setup/5.t | groff -Tps
cat /usr/src/share/doc/smm/01.setup/5.t | nroff -ms
cat /usr/src/share/doc/smm/01.setup/5.t | nroff -man

... as I iterated through various utilities in search of the best output; '-man' isn't too bad.)

Back to our thread ...
You'll note that as a result of our search we may also have noticed that there is a directory called /usr/src/share/doc/smm/01.setup/, and another called /usr/src/share/doc/smm/, which may also contain useful information; searching these directories, we may also find other keywords to search for, akin to "net.inet.ip.redirect"; through a recursive process, it is possible to quickly build up a list of related keywords and documents which will do much to increase the scope of your understanding of the issues at hand.

(Think of it as reinventing 'man -k', or 'apropos'; and believe me, sometimes manual pages are not installed, or are not installed in the "correct" place, or your $MANPATH variable is undefined; find(1) is one of the most powerful tools a UNIX administrator can have, and it should be one of your favorite manual pages; its use incorporates intimate understanding of UNIX filesystems, inode structures, and file permissions and can be used to cut right through confused situations like a hot knife through warm butter.)

I hope this diatribe (as some might call it :-) has been useful in better understanding how to squeeze every drop of available information from your FreeBSD installation; here's hoping this leads to better questions, as well as better answers.

FreeBSD's documentation is a little scattered; but it's generally there. Just look. Sure, maybe you didn't install the 'docs' module; or the 'src' module. But at least *look*; then you'll know what's there, and when someone tells you they found it in /usr/src/somewhere, at least you'll have an idea of why you could not find the documents ... and what to do, to correct the situation.

And, remember ... use find(1). It's your friend; the closest thing to a Swiss knife in the panoply of UNIX commands, short of Perl; it's an administrator's best friend, more important than your security dongle, even.
(-:

-- richard

Richard Childers
Senior UNIX Systems Administrator & Chief Bottle Washer
Hambrecht & Quist, LLC
(415) 439-3838

Dmitriy Bokiy wrote:
>
> Hi all,
>
> 1) I've been wondering how FreeBSD (3.1-Stable, inetd - some_version -
> how is it obtained?) can handle these DoS attacks: ICMP Redirect, SYN Flood.
>
> Specifically I'm interested in knowing about those kernel variables
> and inetd options which are known to change the default behavior.
> I found this: net.inet.ip.redirect=1. Is it bad?
>
> 2) Is it worth moving to/making use of xinetd?
>
> Thanks for any bit of information.
>
> - Dmitriy

From owner-freebsd-security Thu Jun 10 13:18:43 1999
From: Gregory Carvalho
Date: Thu, 10 Jun 1999 01:16:19 -0700
To: freebsd-security@FreeBSD.ORG
Subject: ports and applications
Message-ID: <375F7453.77C0F526@stcinc.com>

Using ipfw I am allowing port 80 through the wall (could you imagine if I denied the good people of Gotham their web fix). Suppose I deny telnet, but some external server has its telnet server configured for port 80.
Is there a method to prevent the telnet session from operating?

FreeBSD 3.1-Release off the CDROM.

Cordially,
Gregory Carvalho GregoryC@stcinc.com
Simplified Technology Company http://www.stcinc.com
In God I Trust!

From owner-freebsd-security Thu Jun 10 13:23:50 1999
From: Bill Fumerola
Date: Thu, 10 Jun 1999 16:26:04 -0400 (EDT)
To: Gregory Carvalho
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ports and applications
In-Reply-To: <375F7453.77C0F526@stcinc.com>

On Thu, 10 Jun 1999, Gregory Carvalho wrote:

> Using ipfw I am allowing port 80 through the wall (could you imagine if
> I denied the good people of Gotham their web fix). Suppose I deny
> telnet, but some external server has its telnet server configured for
> port 80. Is there a method to prevent the telnet session from operating?

This is how I telnetted into my machines at work on a daily basis at school.

As for stopping it? Hmmm.. you'd need some application level thing.

OR

Force your people through a proxy, which is the better choice.
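Bill's point that only an application-level check can tell a telnet session on port 80 from HTTP comes down to the first bytes of the stream: a telnetd opens with IAC (0xff) option negotiation, an sshd sends an "SSH-" version banner, and a web client or server starts with a method token or status line. This shell function is an added example, not from the list: given a file holding the first bytes of a connection (as a proxy or capture tool would hand over), it labels the protocol from those bytes. The sample payloads are constructed inline and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the list thread): label a captured stream by its
# first bytes, so a proxy or monitor can tell whether "port 80" traffic is
# really HTTP. Function names and labels are this example's own.

# classify_port80_payload FILE
#   FILE holds the first bytes sent on the connection (either direction).
#   Prints one of: http, telnet, ssh, unknown.
#   The comparison is done on hex so no binary data lands in a variable.
classify_port80_payload() {
    hex=$(od -An -tx1 -N 8 "$1" | tr -d ' \n')
    case $hex in
        # Telnet option negotiation: IAC (0xff) then WILL/WONT/DO/DONT
        # (0xfb-0xfe); a telnetd sends this before any login banner.
        fffb*|fffc*|fffd*|fffe*) echo telnet ;;
        # "SSH-": an sshd announces its version string first.
        5353482d*) echo ssh ;;
        # HTTP: "GET ", "POST", "HEAD", "PUT ", "DELE", "OPTI", "CONN",
        # or a server status line starting "HTTP/".
        47455420*|504f5354*|48454144*|50555420*|44454c45*|4f505449*|434f4e4e*|485454502f*)
            echo http ;;
        *) echo unknown ;;
    esac
}

# report_non_http DIR
#   Prints "FILE LABEL" for every capture in DIR that is not HTTP, which
#   is the list a proxy operator would want to look at.
report_non_http() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        label=$(classify_port80_payload "$f")
        [ "$label" = http ] || echo "$f $label"
    done
}

# make_samples DIR
#   Constructed payloads for a demo run (not real captures).
make_samples() {
    printf 'GET / HTTP/1.0\r\n\r\n' > "$1/web-client"
    printf 'HTTP/1.0 200 OK\r\n' > "$1/web-server"
    # IAC DO TERMINAL-TYPE (0xff 0xfd 0x18), IAC DO NAWS (0xff 0xfd 0x1f)
    printf '\377\375\030\377\375\037' > "$1/telnet-server"
    printf 'SSH-1.5-1.2.27\n' > "$1/ssh-server"
    printf '\000\001\002' > "$1/noise"
}

# Usage: d=$(mktemp -d); make_samples "$d"; report_non_http "$d"
```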
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Thu Jun 10 13:32:34 1999
From: John-Mark Gurney
Organization: Cu Networking
Date: Thu, 10 Jun 1999 13:32:10 -0700
To: Richard Childers
Cc: Dmitriy Bokiy, freebsd-security@FreeBSD.ORG
Subject: Re: Newbie questions: DoS & xinetd
Message-ID: <19990610133210.60388@hydrogen.nike.efn.org>
In-Reply-To: <37600E33.9A11E641@hamquist.com>; from Richard Childers on Thu, Jun 10, 1999 at 12:12:51PM -0700

Richard Childers scribbled this message on Jun 10:
> For instance, if I wanted to search for all occurrences of the string
> "net.inet.ip.redirect", I would do:
>
> # find / -type f -exec grep -i "net.inet.ip.redirect" {} \; -print

you might try zgrep instead of grep, this will look in gzip files also..
> Doing so (you may wish to redirect the output into a temporary file, to
> keep binary from scrawling across your screen), you will see that the
> following files reference this string:
>
> /usr/src/share/doc/smm/01.setup/5.t
> /usr/src/share/doc/smm/01.setup/spell.OK
> /var/db/kvm_kernel.db

if you used zgrep, you would see that /usr/share/doc/smm/01.setup/paper.ascii.gz is an ascii version of the data you are looking for... /usr/share/doc/{smm,psd,usd}/* is a GREAT reference and contains MUCH information... I think we should publicize these docs more...

> The file /usr/src/share/doc/smm/01.setup/5.t appears to be a text file,
> containing documentation describing how to comprehensively configure
> network interfaces; unfortunately, despite some twenty years of
> wrestling with roff(1), nroff(1) and troff(1), I was unable to get this
> file to print out properly.

if you looked at the Makefile in the same directory, you would see that it uses -ms, and you need to add the -t because of USE_TBL.. so you could read it with:

groff -t -Tascii -ms 5.t | more

and that should give you readable output...

--
John-Mark Gurney Voice: +1 541 684 8449
Cu Networking P.O. Box 5693, 97405

"The soul contains in itself the event that shall presently befall it. The event is only the actualizing of its thought."
-- Ralph Waldo Emerson

From owner-freebsd-security Thu Jun 10 13:46:45 1999
From: Gregory Carvalho
Date: Thu, 10 Jun 1999 01:44:35 -0700
To: Bill Fumerola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ports and applications
Message-ID: <375F7AF3.A10C68BD@stcinc.com>

I found this on www.freebsd.org:

The FreeBSD development team is as concerned about security as they are about performance. FreeBSD includes kernel support for IP firewalling, as well as other services, such as IP proxy gateways.

Do you know the specialized server naming conventions (ie telnetd, ftpd, etc for the normal operation servers)?

Bill Fumerola wrote:
>
> On Thu, 10 Jun 1999, Gregory Carvalho wrote:
>
> > Using ipfw I am allowing port 80 through the wall (could you imagine if
> > I denied the good people of Gotham their web fix). Suppose I deny
> > telnet, but some external server has its telnet server configured for
> > port 80. Is there a method to prevent the telnet session from operating?
>
> This is how I telnetted into my machines at work on a daily basis at
> school.
>
> As for stopping it? Hmmm.. you'd need some application level thing.
>
> OR
>
> Force your people through a proxy, which is the better choice.
>
> - bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
> - ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

--
Cordially,
Gregory Carvalho GregoryC@stcinc.com
Simplified Technology Company http://www.stcinc.com
In God I Trust!

From owner-freebsd-security Thu Jun 10 13:53: 1 1999
From: Bill Fumerola
Date: Thu, 10 Jun 1999 16:56:13 -0400 (EDT)
To: Gregory Carvalho
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ports and applications
In-Reply-To: <375F7AF3.A10C68BD@stcinc.com>

On Thu, 10 Jun 1999, Gregory Carvalho wrote:

> The FreeBSD development team is as concerned about security as they are
> about performance. FreeBSD includes kernel support for IP firewalling,
> as well as other services, such as IP proxy gateways.

Yes, many programs have been ported to help you. Check out http://www.FreeBSD.org/ports/

> Do you know the specialized server naming conventions (ie telnetd, ftpd,
> etc for the normal operation servers)?

I'm not sure what you mean by this.
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Thu Jun 10 14: 7:46 1999
From: Nick Rogness
Date: Thu, 10 Jun 1999 15:07:39 -0600 (MDT)
To: Gregory Carvalho
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ports and applications
In-Reply-To: <375F7453.77C0F526@stcinc.com>

On Thu, 10 Jun 1999, Gregory Carvalho wrote:

> Using ipfw I am allowing port 80 through the wall (could you imagine if
> I denied the good people of Gotham their web fix). Suppose I deny
> telnet, but some external server has its telnet server configured for
> port 80. Is there a method to prevent the telnet session from operating?

Why would anyone run telnet on port 80?

Is this an incoming or outgoing telnet session? I'm assuming outgoing telnet sessions. The only thing I can think of is running the machines through a proxy server.

>
> FreeBSD 3.1-Release off the CDROM.
>
> Cordially,
> Gregory Carvalho GregoryC@stcinc.com
> Simplified Technology Company http://www.stcinc.com
> In God I Trust!
*******************************************************************
Nick Rogness                    "Never settle with words what
System Administrator             can be accomplished with a
RapidNet, INC                    flame-thrower"
nick@rapidnet.com
*******************************************************************

From owner-freebsd-security Thu Jun 10 15:53:30 1999
From: Gregory Carvalho
Date: Thu, 10 Jun 1999 03:53:24 -0700
To: freebsd-security@FreeBSD.ORG
Subject: fwtk and delegate
Message-ID: <375F9924.CB665E53@stcinc.com>

Has anyone used either of these ports? Comments on usability and performance would be appreciated.

Cordially,
Gregory Carvalho GregoryC@stcinc.com
Simplified Technology Company http://www.stcinc.com
In God I Trust!
From owner-freebsd-security Thu Jun 10 17: 1:53 1999
From: Bill Swingle
Date: Thu, 10 Jun 1999 17:01:51 -0700
To: Nick Rogness
Cc: Gregory Carvalho, freebsd-security@FreeBSD.ORG
Subject: Re: ports and applications
Message-ID: <19990610170151.D843@dub.net>
In-Reply-To: from Nick Rogness on Thu, Jun 10, 1999 at 03:07:39PM -0600

On Thu, Jun 10, 1999 at 03:07:39PM -0600, Nick Rogness wrote:
> On Thu, 10 Jun 1999, Gregory Carvalho wrote:
>
> > Using ipfw I am allowing port 80 through the wall (could you imagine if
> > I denied the good people of Gotham their web fix). Suppose I deny
> > telnet, but some external server has its telnet server configured for
> > port 80. Is there a method to prevent the telnet session from operating?
>
> Why would anyone run telnet on port 80?
>
> Is this an incoming or outgoing telnet session? I'm assuming
> outgoing telnet sessions. The only thing I can think of is running
> the machines through a proxy server.

Once, while working for a rather fascist employer that denied outgoing connections on ports 22/23 I set up telnet, then later sshd, on port 80 on my home machine. The employers couldn't do without their web access it seems :) I think this is what the original writer is trying to avoid.
:)

-Bill

--
-=| Bill Swingle - unfurl@dub.net - unfurl@freebsd.org - bill@cdrom.com
-=| "Computers are useless. They can only give you answers" Pablo Picasso

From: Laurence Berland
Date: Thu, 10 Jun 1999 20:05:52 -0400
To: Bill Swingle
Cc: Nick Rogness, Gregory Carvalho, freebsd-security@FreeBSD.ORG
Subject: Re: ports and applications

Just how would you go about running telnet on port 80?

Bill Swingle wrote:
>
> On Thu, Jun 10, 1999 at 03:07:39PM -0600, Nick Rogness wrote:
> > On Thu, 10 Jun 1999, Gregory Carvalho wrote:
> >
> > > Using ipfw I am allowing port 80 through the wall (could you imagine if
> > > I denied the good people of Gotham their web fix). Suppose I deny
> > > telnet, but some external server has its telnet server configured for
> > > port 80. Is there a method to prevent the telnet session from operating?
> >
> > Why would anyone run telnet on port 80?
> >
> > Is this an incoming or outgoing telnet session? I'm assuming
> > outgoing telnet sessions.
> > The only thing I can think of is running
> > the machines through a proxy server.
>
> Once, while working for a rather fascist employer that denied outgoing
> connections on ports 22/23 I set up telnet, then later sshd, on port 80
> on my home machine. The employers couldn't do without their web access
> it seems :) I think this is what the original writer is trying to avoid.
> :)
>
> -Bill

--
Laurence Berland, Stuyvesant HS Debate
http://stuy.debate.net

From: Peter Jeremy
Date: Fri, 11 Jun 1999 10:16:47 +1000
To: stuyman@confusion.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ports and applications

Laurence Berland wrote:
> Just how would you go about running telnet on port 80?

In /etc/inetd.conf:

-telnet stream tcp nowait root /usr/libexec/telnetd telnetd
+80 stream tcp nowait root /usr/libexec/telnetd telnetd

Then send inetd a SIGHUP.
Peter

From: Kurt D. Zeilenga
Date: Thu, 10 Jun 1999 19:19:16 -0700
To: Bill Swingle
Cc: Nick Rogness, Gregory Carvalho, freebsd-security@FreeBSD.ORG
Subject: Re: ports and applications

At 05:01 PM 6/10/99 -0700, Bill Swingle wrote:
>On Thu, Jun 10, 1999 at 03:07:39PM -0600, Nick Rogness wrote:
>> On Thu, 10 Jun 1999, Gregory Carvalho wrote:
>>
>> > Using ipfw I am allowing port 80 through the wall (could you imagine if
>> > I denied the good people of Gotham their web fix). Suppose I deny
>> > telnet, but some external server has its telnet server configured for
>> > port 80. Is there a method to prevent the telnet session from operating?
>>
>> Why would anyone run telnet on port 80?
>>
>> Is this an incoming or outgoing telnet session? I'm assuming
>> outgoing telnet sessions. The only thing I can think of is running
>> the machines through a proxy server.
>
>Once, while working for a rather fascist employer that denied outgoing
>connections on ports 22/23 I set up telnet, then later sshd, on port 80
>on my home machine.
>The employers couldn't do without their web access
>it seems :) I think this is what the original writer is trying to avoid.

We're actually running a public CVS server on port 443 (https) so that
users behind firewalls can get at our source. It's hard to proxy https,
which makes it a much better tunneling port than 80 (http).

Kurt

From: Bill Fumerola
Date: Fri, 11 Jun 1999 11:53:24 -0400 (EDT)
To: Laurence Berland
Cc: Bill Swingle, Nick Rogness, Gregory Carvalho, freebsd-security@FreeBSD.ORG
Subject: Re: ports and applications

On Thu, 10 Jun 1999, Laurence Berland wrote:

> Just how would you go about running telnet on port 80?

Change 'telnet' in the first column in your inetd.conf to 'http' or copy
the line and change it (better idea.)
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From: Kenneth Ingham
Date: Fri, 11 Jun 1999 10:34:57 -0600
To: Gregory Carvalho
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: fwtk and delegate

I am using delegate to set up a simple proxy for telnet. I'm about to
hack the source to change telnet to ssh. It was fairly easy to set up.
The documentation took a little bit to figure out how to do what I
wanted to do because my use seemed to be a little different from how they
expected people to use it. However, I think I spent less than an hour
overall getting it up and running.
Kenneth

From: Dag-Erling Smorgrav
Date: 11 Jun 1999 19:28:27 +0200
To: Richard Childers
Cc: Dmitriy Bokiy
Subject: Re: Newbie questions: DoS & xinetd

"Richard Childers" writes:
> For instance, if I wanted to search for all occurrences of the string
> "net.inet.ip.redirect", I would do:
>
> # find / -type f -exec grep -i "net.inet.ip.redirect" {} \; -print

Which starts a grep process for every file on disk, which - needless to
say - is extremely inefficient. Use xargs.

Anyway, there is no need to use find(1) to find information about
net.inet.ip.redirect. Just:

$ cd /sys/netinet
$ grep 'SYSCTL.*redirect' *.c

will give you the name of the source file where the variable is defined
(ip_input.c, which I or any other kernel hacker could've told you without
even needing grep). A quick scan of that file would show you that this
sysctl variable controls *sending* redirects.

As for receiving them, incoming ICMP packets are handled in ip_icmp.c
(also in /sys/netinet). They are always honored, and the only way to
avoid honoring them is to run a firewall. A good rule is to block all
ICMP except types 0,3,8,11.
The paranoid will want to block 0 and 8 as well. Blocking 11 prevents
traceroute(8) from working, but should not have any adverse effects on
performance (I don't know of any place on the globe which is more than
64 hops away from me). Blocking 3 (UNREACH) is usually a bad idea.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From: Greg Black
Date: Fri, 11 Jun 1999 11:54:29 +1000
To: Richard Childers
Cc: Dmitriy Bokiy, freebsd-security@FreeBSD.ORG
Subject: Re: Newbie questions: DoS & xinetd

"Richard Childers" writes:
> For instance, if I wanted to search for all occurrences of the string
> "net.inet.ip.redirect", I would do:
>
> # find / -type f -exec grep -i "net.inet.ip.redirect" {} \; -print

One word of caution for indiscriminate use of "find /" is that it can
lead to long waits and lots of disk thrashing on machines with lots of
files.
Here's one I just ran:

# /usr/bin/time find / -print | wc -l
     3296.20 real        96.33 user       968.21 sys
  711184

Obviously, to do something like run grep over however many of those 700k
entries and <6GB of data that are actually files would add quite a bit to
the 55 minutes the simple find took.

Of course, this is not to argue that people should not look for answers
on their machines.

--
Greg Black -- or
Fight censorship in Australia:

From: David Kulp
Date: Fri, 11 Jun 1999 12:15:40 -0700 (PDT)
To: freebsd-security@freebsd.org
Subject: maxuser, table full, and Saint's tcpscan

I was trying to do some diagnostics using Saint and when the tcp_scan
program kicked in I would get 100's of lines of

Jun 11 10:13:30 board66 /kernel: file: table is full
Jun 11 10:13:30 board66 syslogd: /var/run/utmp: Too many open files in system

So I recompiled my 2.2.8 kernel with:

maxusers 100
options CHILD_MAX=128
options OPEN_MAX=128

and rebooted. Now when I run saint, tcp_scan just core dumps.
So I poked around in the source and found that there is a buffer overflow
on a select. (it's not checking FD_SETSIZE.) I found that I could
successfully run tcp_scan using the -l option to limit the number of open
sockets (i.e. add "-l $fw_loadlimit" to line 46 in tcpscan.saint).

Anyone familiar with these issues? If not, well, let this be a data point
for anyone else who has the same problem. I'll send an email to the
developers, too.

cheers,
-david.

From: Gregory Carvalho
Date: Fri, 11 Jun 1999 00:49:10 -0700
To: Kenneth Ingham
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: fwtk and delegate

Are you using delegate 5.7.2 on FreeBSD 3.1? When I run make install, it
doesn't create a directory /usr/ports/net/delegate/work/delegate5.7.2 and
it prompts:

# pwd
/usr/ports/net/delegate
# make
===> Patching for delegate-5.7.2
===> Applying FreeBSD patches for delegate-5.7.2
File to patch:

If I run make install the same result occurs. Did you receive this kind of
message?
Kenneth Ingham wrote:
>
> I am using delegate to set up a simple proxy for telnet. I'm about to
> hack the source to change telnet to ssh. It was fairly easy to set up.
> The documentation took a little bit to figure out how to do what I
> wanted to do because my use seemed to be a little different from how they
> expected people to use it. However, I think I spent less than an hour
> overall getting it up and running.
>
> Kenneth

--
Cordially,
Gregory Carvalho
GregoryC@stcinc.com
Simplified Technology Company
http://www.stcinc.com
In God I Trust!

From: Jason L. Schwab
Date: Fri, 11 Jun 1999 14:21:27 -0700 (MST)
To: ghandi@mindless.com
Cc: freebsd-security@freebsd.org
Subject: firewalls

Dear all of you,

What rules should I add to ipfw to make it to where no one can Denial Of
Service or D.o.S. me or any of those kinds of things? But I wanna allow
everything else through. I'm on 56k dialup.. hope to be on 256k once our
phone company here gets it up and running...
thanks

From: Pete Fritchman
Date: Fri, 11 Jun 1999 17:15:07 -0400 (EDT)
To: Jason L. Schwab
Cc: ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls

You probably just want to deny all icmp to your dialup.

ipfw add deny icmp from any to any

--------------------
[ Pete Fritchman ]
[ Systems Engineer ]
[petef@netreach.net]
--------------------

On Fri, 11 Jun 1999, Jason L. Schwab wrote:

> Dear all of you,
>
> What rules should I add to ipfw to make it to where no one can
> Denial Of Service or D.o.S. me or any of those kinds of things? But I
> wanna allow everything else through. I'm on 56k dialup.. hope to be on
> 256k once our phone company here gets it up and running...
> thanks

From: Ruslan Ermilov
Date: Sat, 12 Jun 1999 00:46:33 +0300
To: Pete Fritchman
Cc: Jason L. Schwab, ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls

On Fri, Jun 11, 1999 at 05:15:07PM -0400, Pete Fritchman wrote:
> You probably just want to deny all icmp to your dialup.
>
> ipfw add deny icmp from any to any
>
Don't do it!!! It will break Path MTU discovery:
http://www.worldgate.com/~marcs/mtu/

Instead, use ICMP_BANDLIM option:

 * Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If option
 * is specified in kernel config, icmplim defaults to 100 pps. Setting it
 * to 0 will disable the feature.
 * This feature limits ICMP error responses
 * for packets sent to bad tcp or udp ports, which does a lot to help the
 * machine handle network D.O.S. attacks.
 *
 * The kernel will report packet rates that exceed the limit at a rate of
 * one kernel printf per second. There is one issue in regards to the
 * 'tail end' of an attack... the kernel will not output the last report
 * until some unrelated and valid icmp error packet is returned at some
 * point after the attack is over. This is a minor reporting issue only.

Cheers,
--
Ruslan Ermilov, Sysadmin and DBA of the United Commercial Bank
ru@ucb.crimea.ua, +380.652.247.647, Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age

From: Nick Rogness
Date: Fri, 11 Jun 1999 17:03:44 -0600 (MDT)
To: Jason L. Schwab
Cc: Pete Fritchman, ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls

On Fri, 11 Jun 1999, Pete Fritchman wrote:

> You probably just want to deny all icmp to your dialup.
>
> ipfw add deny icmp from any to any

Some online games rely on icmp packets to monitor your speed to the
server (e.g. Quake2). With some games this might be a problem.
Nick Rogness, System Administrator, RapidNet, INC, nick@rapidnet.com
"Never settle with words what can be accomplished with a flame-thrower"

From: freebsd
Date: Fri, 11 Jun 1999 16:06:02 -0700 (PDT)
To: Nick Rogness
Subject: Re: firewalls

I suggest installing ICMP_BANDLIM into the kernel (grep LINT) and setting
it to about 20...

sysctl -w net.inet.icmp.icmplim=20

Also for syn floods, I suggest going to geek-girl.com and getting the new
syn protection patch for FreeBSD, it works, you also set it via sysctl...

On Fri, 11 Jun 1999, Nick Rogness wrote:

> On Fri, 11 Jun 1999, Pete Fritchman wrote:
>
> > You probably just want to deny all icmp to your dialup.
> >
> > ipfw add deny icmp from any to any
>
> Some online games rely on icmp packets to monitor
> your speed to the server (e.g. Quake2). With some
> games this might be a problem.
Brandon Hicks - Gate Keeper Technologies
www.gatekeep.net
bhicks@gatekeep.net

From: matt
Date: Fri, 11 Jun 1999 19:23:08 -0400 (EDT)
To: freebsd
Cc: Nick Rogness, Jason L. Schwab, Pete Fritchman, ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls

On Fri, 11 Jun 1999, freebsd wrote:

: I suggest installing ICMP_BANDLIM into the kernel (grep LINT) and setting
: it to about 20...
: sysctl -w net.inet.icmp.icmplim=20

I use both patches, they work nicely, however, I set the limits at 200 for
both on bootup with sysctl.. I think the default of 100 is a lil low, and
20 lord. a portscan would trip that off like crazy. Course, I run
portsentry with ipfw to handle those *grin* .. Still though, 20 might be
a bit low...

: Also for syn floods, I suggest going to geek-girl.com and getting the new
: syn protection patch for FreeBSD, it works, you also set it via sysctl...

[...]

Matt

From: freebsd
Date: Fri, 11 Jun 1999 16:24:37 -0700 (PDT)
To: matt
Cc: Nick Rogness, Jason L. Schwab, Pete Fritchman, ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls

Yes, 20 is low, but don't forget he was on a dialup...
a dialup connection can't handle that much. I was only saying for his
purposes. For a T1+, a 100-200 limit is about right.

On Fri, 11 Jun 1999, matt wrote:

> On Fri, 11 Jun 1999, freebsd wrote:
>
> : I suggest installing ICMP_BANDLIM into the kernel (grep LINT) and setting
> : it to about 20... sysctl -w net.inet.icmp.icmplim=20
>
> I use both patches, they work nicely, however, I set the limits at 200 for
> both on bootup with sysctl.. I think the default of 100 is a lil low, and
> 20 lord. a portscan would trip that off like crazy. Course, I run
> portsentry with ipfw to handle those *grin* .. Still though, 20 might be
> a bit low...
>
> : Also for syn floods, I suggest going to geek-girl.com and getting the new
> : syn protection patch for FreeBSD, it works, you also set it via sysctl...
>
> [...]
>
> Matt
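Added example for the icmplim discussion above (written for this page; it is not FreeBSD's badport_bandlim() and not code from any poster): a user-space model of the ICMP_BANDLIM behaviour quoted by Ruslan Ermilov, showing the per-second cap on ICMP error replies, that icmplim=0 disables the feature, and the deferred final report on the "tail end" of a burst. The struct, function names and report text are modelled, not taken from ip_icmp.c; the limits 20, 100 and 200 are the values the thread discusses.

```c
/* Added example (not the kernel's code): a user-space model of ICMP_BANDLIM.
 * Names, struct layout and the report text are modelled for illustration. */
#include <stdio.h>
#include <stdbool.h>

struct bandlim {
    int  icmplim;   /* net.inet.icmp.icmplim: error replies per second, 0 = off */
    long window;    /* the one-second window currently being counted */
    long count;     /* packets to closed ports seen in that window */
    long reports;   /* "limit exceeded" lines the kernel would have printed */
};

void bandlim_init(struct bandlim *b, int icmplim)
{
    b->icmplim = icmplim;
    b->window = -1;
    b->count = 0;
    b->reports = 0;
}

/* Close a window: if it overran the limit, emit the one report per second. */
static void bandlim_report(struct bandlim *b)
{
    if (b->icmplim > 0 && b->count > b->icmplim) {
        b->reports++;
        printf("Limiting icmp unreach response from %ld to %d packets per second\n",
               b->count, b->icmplim);
    }
}

/* Called for every packet that reaches a closed TCP/UDP port at time `now`
 * (whole seconds).  Returns true if the ICMP error reply may be sent.
 * A window's report is only written when a later packet opens a new window,
 * which is the "tail end" quirk described in the quoted commit message. */
bool bandlim_allow(struct bandlim *b, long now)
{
    if (b->icmplim <= 0)
        return true;                     /* icmplim=0: feature disabled */
    if (now != b->window) {
        bandlim_report(b);
        b->window = now;
        b->count = 0;
    }
    b->count++;
    return b->count <= b->icmplim;
}

/* Feed `burst` closed-port packets arriving within second `at`; returns the
 * number of ICMP replies the host would actually put on the wire. */
int bandlim_burst(struct bandlim *b, long at, int burst)
{
    int sent = 0;
    for (int i = 0; i < burst; i++)
        if (bandlim_allow(b, at))
            sent++;
    return sent;
}

/* Replies sent for one burst under a given icmplim. */
int replies_sent(int icmplim, int burst)
{
    struct bandlim b;
    bandlim_init(&b, icmplim);
    return bandlim_burst(&b, 0, burst);
}

/* Reports visible while the burst is still the most recent traffic. */
long reports_during_attack(int icmplim, int burst)
{
    struct bandlim b;
    bandlim_init(&b, icmplim);
    bandlim_burst(&b, 0, burst);
    return b.reports;
}

/* Reports visible once one unrelated packet arrives after the attack. */
long reports_after_attack(int icmplim, int burst)
{
    struct bandlim b;
    bandlim_init(&b, icmplim);
    bandlim_burst(&b, 0, burst);
    bandlim_allow(&b, 10);               /* the later "unrelated and valid" packet */
    return b.reports;
}

int main(void)
{
    printf("dialup, icmplim=20, 60-packet portscan: %d replies\n", replies_sent(20, 60));
    printf("default icmplim=100, 250-packet burst:  %d replies\n", replies_sent(100, 250));
    printf("icmplim=0 (disabled), 250-packet burst: %d replies\n", replies_sent(0, 250));
    printf("reports before / after the tail end:    %ld / %ld\n",
           reports_during_attack(100, 250), reports_after_attack(100, 250));
    return 0;
}
```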
>

From owner-freebsd-security Fri Jun 11 17:21:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fantasy.netreach.net (fantasy.netreach.net [205.197.101.219]) by hub.freebsd.org (Postfix) with ESMTP id 77A5A14C3C for ; Fri, 11 Jun 1999 17:21:08 -0700 (PDT) (envelope-from petef@netreach.net)
Received: from static-petef.netreach.net (static-petef.netreach.net [209.116.208.124]) by fantasy.netreach.net (8.9.3/8.9.0) with SMTP id UAA24706; Fri, 11 Jun 1999 20:21:15 -0400 (EDT)
Date: Fri, 11 Jun 1999 20:23:19 -0400 (EDT)
From: Pete Fritchman
To: Ruslan Ermilov
Cc: "Jason L. Schwab" , ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
In-Reply-To: <19990612004633.A29090@relay.ucb.crimea.ua>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I did it before and it worked fine.

--------------------
[ Pete Fritchman ]
[ Systems Engineer ]
[petef@netreach.net]
--------------------

On Sat, 12 Jun 1999, Ruslan Ermilov wrote:

> Date: Sat, 12 Jun 1999 00:46:33 +0300
> From: Ruslan Ermilov
> To: Pete Fritchman
> Cc: "Jason L. Schwab" , ghandi@mindless.com,
> freebsd-security@FreeBSD.ORG
> Subject: Re: firewalls
>
> On Fri, Jun 11, 1999 at 05:15:07PM -0400, Pete Fritchman wrote:
> > You probably just want to deny all icmp to your dialup.
> >
> > ipfw add deny icmp from any to any
> >
> > --------------------
> > [ Pete Fritchman ]
> > [ Systems Engineer ]
> > [petef@netreach.net]
> > --------------------
> >
> Don't do it!!! It will break Path MTU discovery:
> http://www.worldgate.com/~marcs/mtu/
>
> Instead, use ICMP_BANDLIM option:
>
> * Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.
> If option
> * is specified in kernel config, icmplim defaults to 100 pps. Setting it
> * to 0 will disable the feature. This feature limits ICMP error responses
> * for packets sent to bad tcp or udp ports, which does a lot to help the
> * machine handle network D.O.S. attacks.
> *
> * The kernel will report packet rates that exceed the limit at a rate of
> * one kernel printf per second. There is one issue in regards to the
> * 'tail end' of an attack... the kernel will not output the last report
> * until some unrelated and valid icmp error packet is returned at some
> * point after the attack is over. This is a minor reporting issue only.
>
>
> Cheers,
> --
> Ruslan Ermilov Sysadmin and DBA of the
> ru@ucb.crimea.ua United Commercial Bank
> +380.652.247.647 Simferopol, Ukraine
>
> http://www.FreeBSD.org The Power To Serve
> http://www.oracle.com Enabling The Information Age
>

From owner-freebsd-security Fri Jun 11 17:54:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [212.110.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 9D3231503E for ; Fri, 11 Jun 1999 17:54:20 -0700 (PDT) (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.9.3/8.9.3/UCB) id DAA73046; Sat, 12 Jun 1999 03:52:37 +0300 (EEST) (envelope-from ru)
Date: Sat, 12 Jun 1999 03:52:36 +0300
From: Ruslan Ermilov
To: Pete Fritchman
Cc: "Jason L. Schwab" , ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
Message-ID: <19990612035236.A65868@relay.ucb.crimea.ua>
Mail-Followup-To: Pete Fritchman , "Jason L.
Schwab" , ghandi@mindless.com, freebsd-security@FreeBSD.ORG
References: <19990612004633.A29090@relay.ucb.crimea.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: ; from Pete Fritchman on Fri, Jun 11, 1999 at 08:23:19PM -0400
X-Operating-System: FreeBSD 3.2-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Jun 11, 1999 at 08:23:19PM -0400, Pete Fritchman wrote:
> I did it before and it worked fine.
>
Well, it worked fine for you(!) because almost every site in today's world
has a link with MTU >= 1500. The first symptom of this misconfiguration is
mail delivery problems.

Some time ago we had a SLIP link with MTU=552. I had problems receiving
mail from hosts which totally block ICMP. The first time it happened was
with hub.FreeBSD.ORG, when crl.net (their provider) started to block ICMP.
I've tried to explain to sysadmins that blocking ICMP breaks PMTU discovery
and could cause mail delivery problems.

Now I have MTU=1500 and don't suffer from the ignorance of stupid sysadmins :-)

P.S. Try to set your link's MTU to something greater than 1500 (if you can),
then totally block ICMP and see how it goes.

> On Sat, 12 Jun 1999, Ruslan Ermilov wrote:
>
> > Date: Sat, 12 Jun 1999 00:46:33 +0300
> > From: Ruslan Ermilov
> > To: Pete Fritchman
> > Cc: "Jason L. Schwab" , ghandi@mindless.com,
> > freebsd-security@FreeBSD.ORG
> > Subject: Re: firewalls
> >
> > On Fri, Jun 11, 1999 at 05:15:07PM -0400, Pete Fritchman wrote:
> > > You probably just want to deny all icmp to your dialup.
> > >
> > > ipfw add deny icmp from any to any
> > >
> > > --------------------
> > > [ Pete Fritchman ]
> > > [ Systems Engineer ]
> > > [petef@netreach.net]
> > > --------------------
> > >
> > Don't do it!!! It will break Path MTU discovery:
> > http://www.worldgate.com/~marcs/mtu/
> >
> > Instead, use ICMP_BANDLIM option:
> >
> > * Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.
> > If option
> > * is specified in kernel config, icmplim defaults to 100 pps. Setting it
> > * to 0 will disable the feature. This feature limits ICMP error responses
> > * for packets sent to bad tcp or udp ports, which does a lot to help the
> > * machine handle network D.O.S. attacks.
> > *
> > * The kernel will report packet rates that exceed the limit at a rate of
> > * one kernel printf per second. There is one issue in regards to the
> > * 'tail end' of an attack... the kernel will not output the last report
> > * until some unrelated and valid icmp error packet is returned at some
> > * point after the attack is over. This is a minor reporting issue only.
> >

--
Ruslan Ermilov Sysadmin and DBA of the
ru@ucb.crimea.ua United Commercial Bank
+380.652.247.647 Simferopol, Ukraine

http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age

From owner-freebsd-security Fri Jun 11 20:20:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id E666B14F02 for ; Fri, 11 Jun 1999 20:20:23 -0700 (PDT) (envelope-from ncb@zip.com.au)
Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id NAA08258; Sat, 12 Jun 1999 13:20:23 +1000
Date: Sat, 12 Jun 1999 13:20:21 +1000 (EST)
From: Nicholas Brawn
To: Dag-Erling Smorgrav
Cc: Richard Childers , Dmitriy Bokiy , freebsd-security@FreeBSD.ORG
Subject: Re: Newbie questions: DoS & xinetd
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 11 Jun 1999, Dag-Erling Smorgrav wrote:

> will give you the name of the source file where the variable is
> defined (ip_input.c, which I or any other kernel hacker could've told
> you without even needing grep).
> A quick scan of that file would show
> you that this sysctl variable controls *sending* redirects. As for
> receiving them, incoming ICMP packets are handled in ip_icmp.c (also
> in /sys/netinet). They are always honored, and the only way to avoid
> honoring them is to run a firewall. A good rule is to block all ICMP
> except types 0,3,8,11. The paranoid will want to block 0 and 8 as
> well. Blocking 11 prevents traceroute(8) from working, but should not
> have any adverse effects on performance (I don't know of any place on
> the globe which is more than 64 hops away from me). Blocking 3
> (UNREACH) is usually a bad idea.

For those interested, here is a patch to /sys/netinet/ip_icmp.c that will
enable the dropping of icmp redirects without requiring the use of IPFW or
IPFilter (although it's a good idea to run either one of them).

*** ip_icmp.c.orig Wed Jun 2 15:06:02 1999 --- ip_icmp.c Wed Jun 2 15:23:51 1999 *************** *** 42,47 **** --- 42,48 ---- #include #include #include + #include #include #include *************** *** 69,74 **** --- 70,79 ---- SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); + static int dropredirects = 0; + SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirects, CTLFLAG_RW, + &dropredirects, 0, ""); + #ifdef ICMP_BANDLIM /* *************** *** 462,467 **** --- 467,479 ---- return; case ICMP_REDIRECT: + if (dropredirect) { + char buf[4 * sizeof "123"]; + strncpy(buf, inet_ntoa(icp->icmp_ip.ip_dst),sizeof(buf)); + log(LOG_INFO,"Received icmp redirect => dst %s to %s\n", + buf, inet_ntoa(icp->icmp_gwaddr)); + break; + } if (code > 3) goto badcode; if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) || *************** *** 484,490 **** strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst)); printf("redirect dst %s to %s\n", ! buf, inet_ntoa(icp->icmp_gwaddr)); } #endif icmpsrc.sin_addr = icp->icmp_ip.ip_dst; --- 496,502 ---- strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst)); printf("redirect dst %s to %s\n", !
buf, inet_ntoa(icp->icmp_gwaddr)); } #endif icmpsrc.sin_addr = icp->icmp_ip.ip_dst;

Cheers,
Nick

From owner-freebsd-security Fri Jun 11 20:48:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id B981815152 for ; Fri, 11 Jun 1999 20:48:44 -0700 (PDT) (envelope-from jwyatt@RWSystems.net)
Received: from kasie.rwsystems.net([209.197.192.103]) (1182 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Fri, 11 Jun 1999 22:19:33 -0500 (CDT) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24)
Date: Fri, 11 Jun 1999 22:19:07 -0500 (CDT)
From: James Wyatt
To: Ruslan Ermilov
Cc: Pete Fritchman , "Jason L. Schwab" , ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
In-Reply-To: <19990612004633.A29090@relay.ucb.crimea.ua>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

btw: So does my DSL bridge. We have to wire the MTU. Doesn't seem to hurt
anything else, though. - Jy@

On Sat, 12 Jun 1999, Ruslan Ermilov wrote:
> On Fri, Jun 11, 1999 at 05:15:07PM -0400, Pete Fritchman wrote:
> > You probably just want to deny all icmp to your dialup.
> >
> > ipfw add deny icmp from any to any
> >
> Don't do it!!!
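Review bot: in the ip_icmp.c patch above, the `*** 69,74 ****` hunk registers the new knob with `SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirects, CTLFLAG_RW, &dropredirects, 0, "")`, i.e. with an empty description string; give it a one-line description (for example "Ignore incoming ICMP redirects") so the variable explains itself next to the existing maskrepl and icmplim knobs, and mention the new sysctl in the message body so people know it defaults to 0 (redirects still honored).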
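Review bot: the `case ICMP_REDIRECT:` hunk (`*** 462,467 ****`) will not compile as posted, because it tests `if (dropredirect)` while the sysctl hunk declares `static int dropredirects`; the two names must match. The same hunk also reads `icp->icmp_ip.ip_dst` for the log line before the existing `if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||` test that guards access to the quoted IP header, so a redirect shorter than ICMP_ADVLENMIN is dereferenced past the validated ICMP data; move the new block below that length check (keeping the `break` so the redirect is still ignored), or log only `icp->icmp_gwaddr` from the fixed part of the header. Consider rate-limiting the `log(LOG_INFO, ...)` call as well, since an unwanted redirect per packet becomes a syslog line per packet.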
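Review bot: the last hunk (`*** 484,490 ****` / `--- 496,502 ----`) shows identical `!` lines on both sides (`buf, inet_ntoa(icp->icmp_gwaddr));`), so as posted it is a whitespace-only change; drop it so the patch carries only the functional change and applies cleanly against a tree with different indentation.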
> It will break Path MTU discovery:
> http://www.worldgate.com/~marcs/mtu/
>
> Instead, use ICMP_BANDLIM option:

From owner-freebsd-security Fri Jun 11 20:53:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (unknown [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 2808514F26 for ; Fri, 11 Jun 1999 20:53:31 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id VAA01661; Fri, 11 Jun 1999 21:53:07 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id VAA23229; Fri, 11 Jun 1999 21:53:06 -0600
Date: Fri, 11 Jun 1999 21:53:06 -0600
Message-Id: <199906120353.VAA23229@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Pete Fritchman
Cc: Ruslan Ermilov , "Jason L. Schwab" , ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
In-Reply-To:
References: <19990612004633.A29090@relay.ucb.crimea.ua>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ blocking all ICMP packets ]
> I did it before and it worked fine.

It will affect people trying to connect to you though. *DON'T* firewall
something unless you know the effects of it. Blocking all ICMP is a
violation of RFC, and shows that you don't understand how TCP/IP works.

*MOST* of the ICMP types can be blocked, but not all of them.
Nate

From owner-freebsd-security Sat Jun 12 8:18: 1 1999
Delivered-To: freebsd-security@freebsd.org
Received: from dfw-ix10.ix.netcom.com (dfw-ix10.ix.netcom.com [206.214.98.10]) by hub.freebsd.org (Postfix) with ESMTP id 1B95514DF9 for ; Sat, 12 Jun 1999 08:17:55 -0700 (PDT) (envelope-from spork@narcissus.net)
Received: (from smap@localhost) by dfw-ix10.ix.netcom.com (8.8.4/8.8.4) id KAA09093; Sat, 12 Jun 1999 10:13:50 -0500 (CDT)
Received: from nyc-ny68-21.ix.netcom.com(209.109.225.213) by dfw-ix10.ix.netcom.com via smap (V1.3) id rma008972; Sat Jun 12 10:13:19 1999
Date: Sat, 12 Jun 1999 11:13:03 -0400 (EDT)
From: Spike
X-Sender: spork@pigstuy.penguinpowered.com
Reply-To: sporkl@ix.netcom.com
To: Nate Williams
Cc: Pete Fritchman , Ruslan Ermilov , "Jason L. Schwab" , ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
In-Reply-To: <199906120353.VAA23229@mt.sri.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Jun 1999, Nate Williams wrote:

> [ blocking all ICMP packets ]
> > I did it before and it worked fine.
>
> It will affect people trying to connect to you though. *DON'T* firewall
> something unless you know the effects of it. Blocking all ICMP is a
> violation of RFC, and shows that you don't understand how TCP/IP works.
>
> *MOST* of the ICMP types can be blocked, but not all of them.

Which are appropriate to block?

>
> Nate
>

-Spike Gronim
sporkl@ix.netcom.com
Finger gronimw@shell.stuy.edu for PGP public key.
The majority only rules those who let them.
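The filtering advice given earlier in this thread (pass ICMP types 0, 3, 8 and 11, drop the rest, and in particular never drop type 3 because code 4 carries the "fragmentation needed" messages that Path MTU discovery depends on) made concrete as an added C example; it is not code from the list or from FreeBSD. It parses a raw ICMP message, verifies the RFC 1071 checksum, and returns the verdict the policy would give. The messages it feeds itself are constructed in the self-check function, and the type-number macros and `icmp_policy` are local names, not kernel ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for one incoming ICMP message. */
enum icmp_verdict { ICMP_PASS = 0, ICMP_DROP = 1, ICMP_MALFORMED = 2 };

/* ICMP type numbers (RFC 792) referred to in the thread; local names. */
#define T_ECHOREPLY  0
#define T_UNREACH    3   /* code 4 = "fragmentation needed": what PMTU discovery relies on */
#define T_REDIRECT   5
#define T_ECHO       8
#define T_TIMXCEED   11  /* what traceroute(8) relies on */

/* RFC 1071 Internet checksum over len bytes. Over a message whose checksum
 * field is already filled in, the result is 0 exactly when the checksum is good. */
static uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len)                              /* odd trailing byte is padded with zero */
        sum += (uint32_t)data[0] << 8;
    while (sum >> 16)                     /* fold carries back into the low 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The thread's recommendation applied to one ICMP message (header + payload):
 * pass types 0, 3, 8 and 11, drop everything else (redirects included). */
enum icmp_verdict icmp_policy(const uint8_t *pkt, size_t len)
{
    if (len < 8 || in_cksum(pkt, len) != 0)
        return ICMP_MALFORMED;            /* shorter than the ICMP header, or bad checksum */
    switch (pkt[0]) {                     /* byte 0 is the type, byte 1 the code */
    case T_ECHOREPLY:
    case T_UNREACH:
    case T_ECHO:
    case T_TIMXCEED:
        return ICMP_PASS;
    default:
        return ICMP_DROP;
    }
}

/* Build a constructed ICMP message with a valid checksum; returns its length.
 * buf must hold at least 8 + plen bytes. */
size_t make_icmp(uint8_t *buf, uint8_t type, uint8_t code,
                 const uint8_t *payload, size_t plen)
{
    uint16_t ck;
    buf[0] = type;
    buf[1] = code;
    memset(buf + 2, 0, 6);                /* checksum zeroed for computation; rest of header unused here */
    memcpy(buf + 8, payload, plen);
    ck = in_cksum(buf, 8 + plen);
    buf[2] = (uint8_t)(ck >> 8);
    buf[3] = (uint8_t)(ck & 0xff);
    return 8 + plen;
}

/* Run the policy over constructed messages; returns how many of the 6 verdicts matched expectations. */
int icmp_policy_self_check(void)
{
    static const uint8_t payload[6] = { 0x45, 0x00, 0x00, 0x54, 0x12, 0x34 }; /* constructed bytes */
    uint8_t buf[64];
    size_t n;
    int ok = 0;

    n = make_icmp(buf, T_ECHO, 0, payload, 4);
    ok += icmp_policy(buf, n) == ICMP_PASS;          /* ping request: allowed */
    n = make_icmp(buf, T_UNREACH, 4, payload, 5);    /* odd length exercises the padding path */
    ok += icmp_policy(buf, n) == ICMP_PASS;          /* fragmentation needed: must pass for PMTUD */
    n = make_icmp(buf, T_TIMXCEED, 0, payload, 6);
    ok += icmp_policy(buf, n) == ICMP_PASS;          /* time exceeded: traceroute keeps working */
    n = make_icmp(buf, T_REDIRECT, 1, payload, 6);
    ok += icmp_policy(buf, n) == ICMP_DROP;          /* redirect (type 5): dropped */
    buf[1] ^= 0x01;                                  /* corrupt the code byte: checksum no longer matches */
    ok += icmp_policy(buf, n) == ICMP_MALFORMED;
    ok += icmp_policy(buf, 4) == ICMP_MALFORMED;     /* truncated below the 8-byte header */
    return ok;
}

int main(void)
{
    printf("%d of 6 policy checks behaved as expected\n", icmp_policy_self_check());
    return 0;
}
```

The same policy as an ipfw ruleset is `ipfw add allow icmp from any to any icmptypes 0,3,8,11` followed by `ipfw add deny icmp from any to any`, which keeps the "fragmentation needed" messages flowing and so avoids the mail-delivery symptom Ruslan describes. The checksum test is in the example because a filter that acts on the type byte of an unverified message is making decisions on garbage.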
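As an added example (not code from the thread, and not the kernel's ip_icmp.c implementation), this C program models the ICMP_BANDLIM behaviour that Ruslan Ermilov's quoted commit message describes: a per-second budget of ICMP error responses, at most one report per second, and the "tail end" effect where the last window of a burst is only reported once a later, unrelated error response comes through. The clock, the burst and the function names (`bandlim_check`, `simulate_burst`) are constructed for the demonstration.

```c
#include <stdio.h>

/* State for one class of ICMP error response (a real stack keeps one per class). */
struct bandlim {
    int  limit;         /* net.inet.icmp.icmplim: responses allowed per second; 0 disables */
    long win_start_ms;  /* start of the current one-second window, constructed clock */
    int  count;         /* responses attempted so far in this window */
    int  reports;       /* number of "limit exceeded" reports emitted */
    int  last_rate;     /* packet rate named by the most recent report */
};

void bandlim_init(struct bandlim *b, int limit)
{
    b->limit = limit;
    b->win_start_ms = 0;
    b->count = 0;
    b->reports = 0;
    b->last_rate = 0;
}

/* Ask whether one ICMP error response may be sent at time now_ms.
 * Returns 1 if it may go out, 0 if the rate limit suppresses it. */
int bandlim_check(struct bandlim *b, long now_ms)
{
    if (b->limit <= 0)
        return 1;                                   /* icmplim=0: feature disabled */
    if (now_ms - b->win_start_ms >= 1000) {
        /* A new window starts. The previous window is reported only now, which
         * bounds reports to one per second and is also why the last window of a
         * burst stays unreported until some later response arrives. */
        if (b->count > b->limit) {
            b->reports++;
            b->last_rate = b->count;
            printf("icmp-response bandwidth limit %d/%d pps\n", b->count, b->limit);
        }
        b->win_start_ms = now_ms;
        b->count = 0;
    }
    return ++b->count > b->limit ? 0 : 1;
}

/* Drive the model with a constructed burst of `attempts` error responses spread
 * evenly over the first second, followed by one unrelated response at t=5s.
 * Returns how many burst responses were sent; the report counters are written
 * out so the caller can see the tail-end effect. */
int simulate_burst(int limit, int attempts, int *reports_after_burst, int *reports_after_followup)
{
    struct bandlim b;
    int sent = 0;
    bandlim_init(&b, limit);
    for (int i = 0; i < attempts; i++)
        sent += bandlim_check(&b, (long)i * 1000 / attempts);
    *reports_after_burst = b.reports;           /* the burst's own window is not yet reported */
    bandlim_check(&b, 5000);                     /* a valid, unrelated error response later on ... */
    *reports_after_followup = b.reports;         /* ... triggers the delayed report */
    return sent;
}

/* Convenience wrappers returning single values. */
int burst_sent(int limit, int attempts)
{
    int a, f;
    return simulate_burst(limit, attempts, &a, &f);
}

int burst_reports(int limit, int attempts, int after_followup)
{
    int a, f;
    simulate_burst(limit, attempts, &a, &f);
    return after_followup ? f : a;
}

int main(void)
{
    int a, f, sent = simulate_burst(100, 500, &a, &f);
    printf("sent %d of 500 responses; reports after burst: %d, after follow-up: %d\n", sent, a, f);
    return 0;
}
```

With the default of 100 the model lets the first 100 responses of a 500-packet second through and suppresses the other 400; the suppression itself is immediate, only the report lags, which is what the commit message calls a minor reporting issue. Setting the limit to 20, as suggested earlier in the thread, trips on an ordinary port scan, so the report count is a useful thing to watch when tuning it.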
From owner-freebsd-security Sat Jun 12 9:15: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.vr.IN-Berlin.DE (gnu.in-berlin.de [192.109.42.4]) by hub.freebsd.org (Postfix) with ESMTP id 9C2B814CA5 for ; Sat, 12 Jun 1999 09:15:01 -0700 (PDT) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: from uriela.in-berlin.de (IDENT:root@servicia.in-berlin.de [192.109.42.145]) by mail.vr.IN-Berlin.DE (8.9.1a/8.9.1) with ESMTP id SAA19536 for ; Sat, 12 Jun 1999 18:14:58 +0200 (CEST) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: by uriela.in-berlin.de (Smail-3.2.0.101 1997-Dec-17 #1) id m10sqnF-000Ve0C; Sat, 12 Jun 1999 18:38:05 +0200 (CEST)
Received: (from ripley@localhost) by nortobor.nostromo.in-berlin.de (8.8.7/8.8.7) id LAA10750 for freebsd-security@freebsd.org; Sat, 12 Jun 1999 11:43:41 +0200 (CEST) (envelope-from ripley)
Date: Sat, 12 Jun 1999 11:42:25 +0200
From: "H.
Eckert"
To: Richard Childers
Subject: Re: Newbie questions: DoS & xinetd
Message-ID: <19990612114225.A10695@nortobor.nostromo.in-berlin.de>
References: <18819.990610@cityline.ru> <37600E33.9A11E641@hamquist.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.95.3i
In-Reply-To: <37600E33.9A11E641@hamquist.com>; from Richard Childers on Thu, Jun 10, 1999 at 12:12:51PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Quoting Richard Childers (rchilders@hamquist.com):
> (Think of it as reinventing 'man -k', or 'apropos'; and believe me,
> sometimes manual pages are not installed, or are not installed in the
> "correct" place, or your $MANPATH variable is undefined; find(1) is one

I for one would be content for a start if we got rid of the bunches of
malformed manpages that clutter up "man -k" output so often. Or even
better, identify and fix them. Any takers? Right now I've got doubly no
time, but in about 6 weeks when one job is done I think I can spare some
time to try to do this.

Greetings,
Ripley
--
H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
"(Technobabble)" (Jetrel) - "Do we really have to listen to this nonsense?" (Neelix)

From owner-freebsd-security Sat Jun 12 10:44:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (unknown [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id E5C5414E84 for ; Sat, 12 Jun 1999 10:44:40 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id LAA11129; Sat, 12 Jun 1999 11:44:05 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id LAA24411; Sat, 12 Jun 1999 11:44:04 -0600
Date: Sat, 12 Jun 1999 11:44:04 -0600
Message-Id: <199906121744.LAA24411@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: sporkl@ix.netcom.com
Cc: Nate Williams , Pete Fritchman , Ruslan Ermilov , "Jason L. Schwab" , ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
In-Reply-To:
References: <199906120353.VAA23229@mt.sri.com>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > [ blocking all ICMP packets ]
> > > I did it before and it worked fine.
> >
> > It will affect people trying to connect to you though. *DON'T* firewall
> > something unless you know the effects of it. Blocking all ICMP is a
> > violation of RFC, and shows that you don't understand how TCP/IP works.
> >
> > *MOST* of the ICMP types can be blocked, but not all of them.
>
> Which are appropriate to block?

There was a URL posted in the original response that explains most of this.
Nate

From owner-freebsd-security Sat Jun 12 13:12:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from proxy4.ba.best.com (proxy4.ba.best.com [206.184.139.15]) by hub.freebsd.org (Postfix) with ESMTP id BA9A414BFA for ; Sat, 12 Jun 1999 13:12:18 -0700 (PDT) (envelope-from GregoryC@stcinc.com)
Received: from stcinc.com (gw-covad768k-cognitivetech.ncal.verio.com [207.20.238.29] (may be forged)) by proxy4.ba.best.com (8.9.3/8.9.2/best.out) with ESMTP id NAA03883; Sat, 12 Jun 1999 13:09:13 -0700 (PDT)
Message-ID: <37621588.596D3F80@stcinc.com>
Date: Sat, 12 Jun 1999 01:08:40 -0700
From: Gregory Carvalho
X-Mailer: Mozilla 4.08 [en] (X11; I; FreeBSD 3.1-RELEASE i386)
MIME-Version: 1.0
To: Kenneth Ingham
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: fwtk and delegate
References: <375F9924.CB665E53@stcinc.com> <19990611103457.A2500@socrates.i-pi.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Would you tell me how the directory permissions for the cache should be
configured? Who should be the user, and what group should be used?

Kenneth Ingham wrote:
>
> I am using delegate to set up a simple proxy for telnet. I'm about to
> hack the source to change telnet to ssh. It was fairly easy to set up.
> The documentation took a little bit to figure out how to do what I
> wanted to do because my use seemed to be a little different from how they
> expected people to use it. However, I think I spent less than an hour
> overall getting it up and running.
>
> Kenneth
>

--
Cordially,

Gregory Carvalho
GregoryC@stcinc.com
Simplified Technology Company
http://www.stcinc.com
In God I Trust!
From owner-freebsd-security Sat Jun 12 19:17:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id 8711114C4B for ; Sat, 12 Jun 1999 19:17:26 -0700 (PDT) (envelope-from ncb@zip.com.au)
Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id MAA22422; Sun, 13 Jun 1999 12:17:47 +1000
Date: Sun, 13 Jun 1999 12:17:45 +1000 (EST)
From: Nicholas Brawn
To: Holtor
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: MOD/CG32 Virus
In-Reply-To: <19990609194642.5800.rocketmail@web126.yahoomail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 9 Jun 1999, Holtor wrote:

> Hello, I've heard some stories lately about
> this MOD/CG32 virus that infects unix? Right when
> I heard it I said "bull". A virus for unix..i don't
> think so. But now that a few people have asked/talked
> to me about it, i'm trying to get to some answers
> about this.
> I'm told it can edit BIOS and several things which
> I know can't be done really, I hope. ;)
> Can someone please give me some input on this?
> If this did exist, its not like the user would have
> root, so how is it possible to infect a system?
> If it was, many systems would be in trouble right
> now..
>
> Thanks,
> Holt

Viruses for unix exist and are technically possible. However, due to the
multiuser environment the spread of such viruses is not as much of an
issue as on a Wintel system (DOS/Windows). If a virus gets onto such a
system, due to the nature of the OS (single user), the virus can do far
more damage.

The main rules for avoiding viruses on unix are: don't run executables
from untrusted sources, and execute all programs with the least privilege
required.
I.e., if you don't need to be root to run it, don't. Remember that programs
like tripwire can alert you to changes in your filesystem, which could
potentially be either a stupid user, an intruder, or possibly a virus.

-Nick
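Nick's last point, that an integrity checker such as tripwire reveals changes whether they come from a careless user, an intruder or a virus, as an added C example; it is not tripwire's code and not from the list. It records the content hash of every regular file directly inside a directory, then reports files that changed, appeared or vanished since the baseline. The demo directory and its files are constructed under /tmp, and FNV-1a stands in for the cryptographic hash a real deployment would use; `snapshot`, `compare` and `demo_changes` are local names.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ENTRIES 256
#define NAME_LEN    256

struct entry    { char name[NAME_LEN]; uint64_t hash; };
struct baseline { struct entry e[MAX_ENTRIES]; int n; };

/* FNV-1a (64-bit) over a file's contents; *ok is cleared if the file cannot be read. */
static uint64_t hash_file(const char *path, int *ok)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    unsigned char buf[4096];
    size_t got;
    FILE *f = fopen(path, "rb");
    *ok = 0;
    if (f == NULL)
        return 0;
    while ((got = fread(buf, 1, sizeof buf, f)) > 0)
        for (size_t i = 0; i < got; i++) {
            h ^= buf[i];
            h *= 0x100000001b3ULL;
        }
    fclose(f);
    *ok = 1;
    return h;
}

static int cmp_entry(const void *a, const void *b)
{
    return strcmp(((const struct entry *)a)->name, ((const struct entry *)b)->name);
}

static const struct entry *find_entry(const struct baseline *b, const char *name)
{
    for (int i = 0; i < b->n; i++)
        if (strcmp(b->e[i].name, name) == 0)
            return &b->e[i];
    return NULL;
}

/* Record name and content hash of every regular file directly inside dir.
 * Returns the number of entries, or -1 if the directory cannot be opened. */
int snapshot(const char *dir, struct baseline *b)
{
    DIR *d = opendir(dir);
    struct dirent *de;
    char path[1024];
    b->n = 0;
    if (d == NULL)
        return -1;
    while ((de = readdir(d)) != NULL && b->n < MAX_ENTRIES) {
        struct stat st;
        int ok;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;                      /* skips ".", "..", subdirectories and device nodes */
        b->e[b->n].hash = hash_file(path, &ok);
        if (!ok)
            continue;
        snprintf(b->e[b->n].name, NAME_LEN, "%s", de->d_name);
        b->n++;
    }
    closedir(d);
    qsort(b->e, (size_t)b->n, sizeof b->e[0], cmp_entry);
    return b->n;
}

/* Report every file that changed, vanished or appeared since the baseline; returns the count. */
int compare(const struct baseline *old, const struct baseline *cur)
{
    int diffs = 0;
    for (int i = 0; i < old->n; i++) {
        const struct entry *c = find_entry(cur, old->e[i].name);
        if (c == NULL) { printf("MISSING  %s\n", old->e[i].name); diffs++; }
        else if (c->hash != old->e[i].hash) { printf("CHANGED  %s\n", old->e[i].name); diffs++; }
    }
    for (int i = 0; i < cur->n; i++)
        if (find_entry(old, cur->e[i].name) == NULL) { printf("ADDED    %s\n", cur->e[i].name); diffs++; }
    return diffs;
}

/* Demonstration on a constructed temporary directory: baseline one file, then
 * append to it and create a second one. Returns the number of differences found (2). */
int demo_changes(void)
{
    char dir[] = "/tmp/fim-demo-XXXXXX";   /* constructed scratch directory */
    char p1[1100], p2[1100];
    struct baseline before, after;
    FILE *f;
    int diffs;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(p1, sizeof p1, "%s/inetd.conf.sample", dir);
    snprintf(p2, sizeof p2, "%s/extra.sample", dir);
    if ((f = fopen(p1, "w")) == NULL) return -1;
    fputs("# constructed sample config\n", f); fclose(f);
    snapshot(dir, &before);
    if ((f = fopen(p1, "a")) == NULL) return -1;
    fputs("# constructed modification\n", f); fclose(f);    /* a change the baseline should catch */
    if ((f = fopen(p2, "w")) == NULL) return -1;
    fputs("constructed new file\n", f); fclose(f);          /* an addition it should also catch */
    snapshot(dir, &after);
    diffs = compare(&before, &after);
    remove(p1); remove(p2); rmdir(dir);
    return diffs;
}

int main(void)
{
    printf("%d differences detected\n", demo_changes());
    return 0;
}
```

The value of the approach lies in where the baseline lives: keep it (and the checker) on read-only media or on another host, since a baseline stored on the monitored system can be rewritten by whatever changed the files.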