From owner-freebsd-security Sun Jun 13 03:06:40 1999
To: Nicholas Brawn
Cc: Dag-Erling Smorgrav, Richard Childers, Dmitriy Bokiy, freebsd-security@FreeBSD.ORG
Subject: Re: Newbie questions: DoS & xinetd
From: Dag-Erling Smorgrav
Date: 13 Jun 1999 12:06:25 +0200
In-Reply-To: Nicholas Brawn's message of "Sat, 12 Jun 1999 13:20:21 +1000 (EST)"

Nicholas Brawn writes:
> ***************
> *** 484,490 ****
>         strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst));
>
>         printf("redirect dst %s to %s\n",
> !       buf, inet_ntoa(icp->icmp_gwaddr));
>     }
>   #endif
>     icmpsrc.sin_addr = icp->icmp_ip.ip_dst;
> --- 496,502 ----
>         strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst));
>
>         printf("redirect dst %s to %s\n",
> !       buf, inet_ntoa(icp->icmp_gwaddr));
>     }
>   #endif
>     icmpsrc.sin_addr = icp->icmp_ip.ip_dst;

Whitespace diff. I'll commit the rest of it.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 13 03:50:19 1999
To: Nicholas Brawn
Cc: Dag-Erling Smorgrav, Richard Childers, Dmitriy Bokiy, freebsd-security@FreeBSD.ORG
Subject: Re: Newbie questions: DoS & xinetd
From: Dag-Erling Smorgrav
Date: 13 Jun 1999 12:50:06 +0200
In-Reply-To: Nicholas Brawn's message of "Sat, 12 Jun 1999 13:20:21 +1000 (EST)"

Nicholas Brawn writes:
> For those interested, here is a patch to /sys/netinet/ip_icmp.c that will
> enable the dropping of icmp redirects without requiring the use of IPFW or
> IPFilter (although it's a good idea to run either one of them).

Here's a better patch:

Index: src/sys/netinet/ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.34
diff -u -r1.34 ip_icmp.c
--- ip_icmp.c   1999/03/06 23:10:42     1.34
+++ ip_icmp.c   1999/06/13 10:41:47
@@ -69,6 +69,14 @@
 SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
        &icmpmaskrepl, 0, "");
 
+static int logredirect = 0;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, logredirect, CTLFLAG_RW,
+       &logredirect, 0, "");
+
+static int dropredirect = 0;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirect, CTLFLAG_RW,
+       &dropredirect, 0, "");
+
 #ifdef ICMP_BANDLIM
 
 /*
@@ -462,6 +470,15 @@
                return;
 
        case ICMP_REDIRECT:
+               if (logredirect) {
+                       char from[4 * sizeof "123"], dst[4 * sizeof "123"];
+                       strcpy(from, inet_ntoa(icp->ip_src));
+                       strcpy(dst, inet_ntoa(icp->icmp_ip.ip_dst));
+                       printf("icmp_redirect from %s: %s => %s\n",
+                           from, dst, inet_ntoa(icp->icmp_gwaddr));
+               }
+               if (dropredirect)
+                       break;
                if (code > 3)
                        goto badcode;
                if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||
Index: src/etc/rc.network
===================================================================
RCS file: /home/ncvs/src/etc/rc.network,v
retrieving revision 1.47
diff -u -r1.47 rc.network
--- rc.network  1999/06/08 13:00:30     1.47
+++ rc.network  1999/06/13 10:48:08
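Review bot: in the ICMP_REDIRECT hunk of ip_icmp.c, the new logging block runs before the existing validation (`if (code > 3)` and the `icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp)` test), so it reads `icp->icmp_ip.ip_dst` and `icp->icmp_gwaddr` from a packet whose length has not yet been checked to cover those fields; a truncated redirect gets logged with whatever bytes happen to follow it. Moving the `if (logredirect)` and `if (dropredirect)` block below the length check keeps the log honest and still drops before the redirect is acted on. Two smaller points: `icp->ip_src` looks like it should be `ip->ip_src`, since the sender's address is in the outer IP header, not in `struct icmp` (the hunk's other accesses go through `icp->icmp_ip.` for the inner header); and the `printf` is unconditional once the sysctl is on, so a stream of redirects fills the console at line rate. The file already carries `ICMP_BANDLIM` and a rate limit of the same kind would fit here.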
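Review bot: the two SYSCTL_INT entries in the first ip_icmp.c hunk ship with empty description strings (`&logredirect, 0, ""` and `&dropredirect, 0, ""`), so `sysctl -d` will show nothing for the new knobs; a one-line description for each ("log ICMP redirects", "ignore ICMP redirects") costs nothing and is where an administrator will look first. The defaults of 0 keep the current behaviour, which is right for a patch that changes how the stack treats routing information.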
@@ -164,6 +164,16 @@
                echo -n ' broadcast ping responses=YES'
                sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
        fi
+
+       if [ "X$icmp_dropredirect" = X"YES" ]; then
+               echo -n ' ignore ICMP redirect=YES'
+               sysctl -w net.inet.icmp.dropredirect=1 >/dev/null
+       fi
+
+       if [ "X$icmp_logredirect" = X"YES" ]; then
+               echo -n ' log ICMP redirect=YES'
+               sysctl -w net.inet.icmp.logredirect=1 >/dev/null
+       fi
 
        if [ "X$gateway_enable" = X"YES" ]; then
                echo -n ' IP gateway=YES'
Index: src/etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.10
diff -u -r1.10 rc.conf
--- rc.conf     1999/06/05 05:45:57     1.10
+++ rc.conf     1999/06/13 10:44:09
@@ -42,6 +42,8 @@
 tcp_extensions="NO"            # Set to Yes to turn on RFC1323 extensions.
 log_in_vain="NO"               # Disallow bad connection logging (or YES).
 tcp_keepalive="YES"            # Kill dead TCP connections (or NO).
+icmp_dropredirect="NO"         # Set to YES to ignore ICMP REDIRECT packets
+icmp_logredirect="NO"          # Set to YES to log ICMP REDIRECT packets
 network_interfaces="lo0"       # List of network interfaces (lo0 is loopback).
 ifconfig_lo0="inet 127.0.0.1"  # default loopback device configuration.
 #ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sun Jun 13 08:32:34 1999
Message-ID: <3763CE7F.C8EC4A2A@ispro.net.tr>
Date: Sun, 13 Jun 1999 18:30:07 +0300
From: Evren Yurtesen
To: Nick Rogness
Cc: Gregory Carvalho, freebsd-security@FreeBSD.ORG
Subject: Re: ports and applications

You can give a different directive for the IP address of that machine
which allows telnet from port 80; if there is just one machine this
would not be a big problem, I guess...

Evren

Nick Rogness wrote:
> On Thu, 10 Jun 1999, Gregory Carvalho wrote:
>
> > Using ipfw I am allowing port 80 through the wall (could you imagine if
> > I denied the good people of Gotham their web fix). Suppose I deny
> > telnet, but some external server has its telnet server configured for
> > port 80. Is there a method to prevent the telnet session from operating?
>
> Why would anyone run telnet on port 80?
>
> Is this an incoming or outgoing telnet session? I'm assuming
> outgoing telnet sessions. The only thing I can think of is running
> the machines through a proxy server.
>
> >
> > FreeBSD 3.1-Release off the CDROM.
> >
> > Cordially,
> > Gregory Carvalho            GregoryC@stcinc.com
> > Simplified Technology Company   http://www.stcinc.com
> > In God I Trust!
> >
>
> *******************************************************************
> Nick Rogness                  "Never settle with words what
> System Administrator           can be accomplished with a
> RapidNet, INC                  flame-thrower"
> nick@rapidnet.com
> *******************************************************************

From owner-freebsd-security Sun Jun 13 10:26:30 1999
Date: Sun, 13 Jun 1999 12:25:47 -0500 (CDT)
From: Jay Nelson
To: security@FreeBSD.ORG
Subject: Connection attempts to port 7

Recently, I've been getting _many_ attempts to connect to the echo
service (which I have disabled) -- mostly non-resolvable addresses
that disappear somewhere behind doubleclick.net.

Does anyone know of a legitimate reason why they would do this?

-- Jay

From owner-freebsd-security Sun Jun 13 10:33:28 1999
To: Jay Nelson
Cc: security@FreeBSD.ORG
Subject: Re: Connection attempts to port 7
From: Dag-Erling Smorgrav
Date: 13 Jun 1999 19:33:21 +0200
In-Reply-To: Jay Nelson's message of "Sun, 13 Jun 1999 12:25:47 -0500 (CDT)"

Jay Nelson writes:
> Recently, I've been getting _many_ attempts to connect to the echo
> service (which I have disabled) -- mostly non-resolvable addresses
> that disappear somewhere behind doubleclick.net.

If the source address is spoofed, it's not a connection attempt, but a
SYN flood. Set up a firewall to drop connection attempts to all ports
except those you want to keep open. This won't help if the attacker
finds out and switches to a port you want to keep open; if that
happens, install the SYN rate limiting patch which was posted here a
while ago (search the BUGTRAQ archives on www.geek-girl.com).

> Does anyone know of a legitimate reason why they would do this?

No.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sun Jun 13 10:56:07 1999
From: "Ed P."
To: Jay Nelson
Cc: security@FreeBSD.ORG
Subject: Fwd: [linux-security] Re: Port 7 scan
Date: Sun, 13 Jun 1999 12:29:50 -0500
Message-Id: <99061312495500.02641@MOLTEN.R0CK.COM>

-------- - It seems that on Thu, 10 Jun 1999 Richard Day said....
----------
Subject: [linux-security] Re: Port 7 scan
Date: Wed, 9 Jun 1999 23:36:03 -0700 (PDT)
From: Richard Day

Juha,

The "scans" you are seeing are in response to a DNS lookup being initiated
from your site for ad.doubleclick.net. More than likely it is a web
browser somewhere in your site, or more than likely many, that initiate the
lookup. The content that the browser is requesting is available from many
sites of DoubleClick's at many different locations on the Internet. The
connect back to your DNS server is to find which of these sites is best
for you in terms of latency. This information, along with the current load
on the servers at each site, is used to determine which IP to return to you
so that you go to the fastest site. The "scans" will not happen without a
request from your side. The information that is received is cached for a
period and reused to reduce the total amount of connections. In most
situations the group of connections back to your machine will be utilized
by many outbound requests from your end.

Hope this clears up your questions, drop me an email if not.

rich
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Richard Day             Technical Support Manager
        Resonate, Inc.
        385 Moffett Park Drive
        Suite 205
        Sunnyvale, CA 94089
        Main            408 548.5500
        Direct          408 548.5648
        Fax             408 548.5679
        Support         408 548.5600
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Thu, 10 Jun 1999, Juha Virtanen wrote:
> From: EW1 Coral J. Cook 9.6.1999 21:10:
>
>
> > Over the last several days, we've been getting pretty regular scans from a
> > non-existent host on our port 7. Any idea what they are looking for/what are
> > some of the vulnerabilities with echo?
>
>
> I've seen the same and I issued incident tickets on major US service
> providers.
>
> I got the following information quoted below:
>
> > From: Ng, Alex [SMTP:ang@doubleclick.net]
> > Sent: Monday, June 07, 1999 11:05 AM
> > Subject: RE: Probable attack from your domain
> >
> > Dear Sir,
> >
> > We are currently using the product GlobalDispatch from Resonate Inc.
> > for our Wide Area Data Distribution. Please see the letter below for a
> > detailed explanation of this product. Thanks.
> >
> > Sincerely,
> >
> > Alex Ng
> >
> >
> > --------------------
> >
> > Hello Sir,
> >
> > Alex at Doubleclick asked us to work with you regarding this ticket.
> >
> > We have reason to believe that the reports you've received regarding
> > these three machines being compromised are a misunderstanding as a result
> > of our enterprise traffic management software: Global Dispatch. Global
> > Dispatch is a WAN-based scheduler that makes it easy to place content
> > close to geographically dispersed users and intelligently directs
> > requests to the best-suited Point of Presence (POP).
> >
> > In the course of determining the best-suited POP, Global Dispatch performs
> > a latency measurement. This latency measurement is done by making a
> > connection to the client DNS server on TCP port 7 and then dropping the
> > connection. After the latency measurement has been done, the latency
> > values are cached, and the IP of the most responsive POP is returned to
> > the requesting machine.
> >
> > I hope this helps clear up the confusion. We are looking into other ways to
> > perform this latency measurement, and hope we have not caused you any
> > inconvenience.
> >
> > --
> > Resonate Technical Support
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Richard Day                     Call Center Manager
> >
> > Resonate, Inc.
> > 465 Fairchild Drive
> > Suite 115
> > Mountain View, CA 94040
> >
> > Main Phone      650 967.6500
> > Fax             650 967.6561
> > Support Line    650 967.4800
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
>
>
> Regards,
> Juha
>
>
>
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

---///-///-///-/-//----///-///-/////--Ed Porter secure @ r0ck.com
--/---/-/-/---///-----/---/-/-/-/-/--1306 P R 820 Mingus TX 76463
-/---///-///-/-//-//-///-///-/---/--254.968.5199 Fax 254.968.6504

From owner-freebsd-security Sun Jun 13 12:30:31 1999
Date: Sun, 13 Jun 1999 14:24:50 -0500 (CDT)
From: Jay Nelson
To: "Ed P."
Cc: security@FreeBSD.ORG
Subject: Re: Fwd: [linux-security] Re: Port 7 scan
In-Reply-To: <99061312495500.02641@MOLTEN.R0CK.COM>

This explains what is going on. Thank you. It does, though, raise a
couple of other questions:

The echo service is, AFAIK, a peculiarly Unix service. Why do you
suppose they chose echo for the latency test as opposed to a simple
ping? Nearly everything with an ethernet card will respond to a ping,
returning, I would think, more useful latency information than a
refused connect.

Since echo is Unix-centric and most new admins leave echo open, echo
will reveal far more about a machine than a ping. Could it be that
this is the intent?

Sorry for the paranoia.

-- Jay

[snip]
> In the course of determining the best-suited POP, Global Dispatch performs
> a latency measurement. This latency measurement is done by making a
> connection to the client DNS server on TCP port 7 and then dropping
> the connection.
>
> After the latency measurement has been done, the latency values are
> cached, and the IP of the most responsive POP is returned to the
> requesting machine.
>
> I hope this helps clear up the confusion. We are looking into other ways to
> perform this latency measurement, and hope we have not caused you any
> inconvenience.
>
> --
> Resonate Technical Support
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Richard Day                     Call Center Manager
>
> Resonate, Inc.
> 465 Fairchild Drive
> Suite 115
> Mountain View, CA 94040
>
> Main Phone      650 967.6500
> Fax             650 967.6561
> Support Line    650 967.4800
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>> Regards,
>> Juha
>>
>>
>>
>
>--
>----------------------------------------------------------------------
>Please refer to the information about this list as well as general
>information about Linux security at http://www.aoy.com/Linux/Security.
>----------------------------------------------------------------------
>
>---///-///-///-/-//----///-///-/////--Ed Porter secure @ r0ck.com
>--/---/-/-/---///-----/---/-/-/-/-/--1306 P R 820 Mingus TX 76463
>-/---///-///-/-//-//-///-///-/---/--254.968.5199 Fax 254.968.6504

From owner-freebsd-security Sun Jun 13 12:48:34 1999
Date: Sun, 13 Jun 1999 14:47:12 -0500 (CDT)
From: Jay Nelson
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG
Subject: Re: Connection attempts to port 7

On 13 Jun 1999, Dag-Erling Smorgrav wrote:
>If the source address is spoofed, it's not a connection attempt, but a
>SYN flood. Set up a firewall to drop connection attempts to all ports
[snip]

It doesn't appear to be a SYN flood. The machine is firewalled and the
refused connections, I don't think, reveal any more than necessary
about the platform.

I think the answer from Ed Porter probably explains what is happening,
but glosses over the ramifications of the information gathered. I hate
to be so suspicious, but this concerns me.

Thanks for the reply.

-- Jay

From owner-freebsd-security Sun Jun 13 13:29:04 1999
From: David Gilbert
Message-ID: <14180.5252.211630.750974@trooper.velocet.ca>
Date: Sun, 13 Jun 1999 16:28:52 -0400 (EDT)
To: Jay Nelson
Cc: "Ed P.", security@FreeBSD.ORG
Subject: Re: Fwd: [linux-security] Re: Port 7 scan
References: <99061312495500.02641@MOLTEN.R0CK.COM>

>>>>> "Jay" == Jay Nelson writes:

Jay> This explains what is going on. Thank you. It does, though, raise
Jay> a couple of other questions:

Jay> The echo service is, AFAIK, a peculiarly Unix service. Why do you
Jay> suppose they chose echo for the latency test as opposed to a
Jay> simple ping? Nearly everything with an ethernet card will respond
Jay> to a ping, returning, I would think, more useful latency
Jay> information than a refused connect.

Jay> Since echo is Unix-centric and most new admins leave echo open,
Jay> echo will reveal far more about a machine than a ping. Could it
Jay> be that this is the intent?

Actually, this is probably caused by a desire to subvert an
'optimization' made at major routers on the net. In general, most
busy routers 'de-prioritize' ping traffic. This is largely due to the
fact that the worse the network gets, the higher the amount of ping
traffic (coming from people who wonder why it's slow). So the latency
from a ping connection isn't as accurate as trying to open a TCP
connection.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.
|
=========================================================GLO================

From owner-freebsd-security Sun Jun 13 13:48:28 1999
Date: Sun, 13 Jun 1999 14:46:37 -0600 (MDT)
From: "Jason L. Schwab"
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: reading files.

I heard that there is a way to read any file on a FreeBSD system as a
normal non-root user.. is this true? If so can someone give me some info
on this? Thanks.

From owner-freebsd-security Sun Jun 13 13:51:04 1999
To: dgilbert@velocet.ca
Cc: jdn@acp.qiv.com, secure@r0ck.com, security@FreeBSD.ORG
Subject: Re: Fwd: [linux-security] Re: Port 7 scan
From: sthaug@nethelp.no
In-Reply-To: Your message of "Sun, 13 Jun 1999 16:28:52 -0400 (EDT)"
References: <14180.5252.211630.750974@trooper.velocet.ca>
Date: Sun, 13 Jun 1999 22:51:00 +0200
Message-ID: <27918.929307060@verdi.nethelp.no>

> Jay> Since echo is Unix-centric and most new admins leave echo open,
> Jay> echo will reveal far more about a machine than a ping. Could it
> Jay> be that this is the intent?
>
> Actually, this is probably caused by a desire to subvert an
> 'optimization' made at major routers on the net. In general, most
> busy routers 'de-prioritize' ping traffic.

This is true for Cisco routers *if* the ICMPs are for the router itself
(one of its interfaces). As long as the ICMPs are not for the router
itself, it is just like any other traffic, and is not 'de-prioritized'
in any way.

> This is largely due to the
> fact that the worse the network gets, the higher the amount of ping
> traffic (coming from people who wonder why it's slow). So the latency
> from a ping connection isn't as accurate as trying to open a TCP
> connection.

It's probably at least as accurate if you're trying to ping the hosts
and not just the routers along the way.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Sun Jun 13 13:52:53 1999
To: "Jason L. Schwab"
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
From: Dag-Erling Smorgrav
Date: 13 Jun 1999 22:52:35 +0200
In-Reply-To: "Jason L. Schwab"'s message of "Sun, 13 Jun 1999 14:46:37 -0600 (MDT)"

"Jason L. Schwab" writes:
> I heard that there is a way to read any file on a FreeBSD system as a
> normal non-root user.. is this true? If so can someone give me some info
> on this? Thanks.

Not that we know of, but it's damn hard to say anything without more
information. For instance, if you su'ed to root and typed:

# chmod u+s /bin/cat

then your statement ("there is a way to read any file on a FreeBSD
system as a normal non-root user") would be true of that particular
machine.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sun Jun 13 14:54:03 1999
To: Jay Nelson
Cc: "Ed P.", security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: Fwd: [linux-security] Re: Port 7 scan
In-reply-to: Your message of "Sun, 13 Jun 1999 14:24:50 CDT."
Date: Sun, 13 Jun 1999 17:54:06 -0400
Message-ID: <34083.929310846@noop.colo.erols.net>

Jay Nelson wrote in message ID :
> The echo service is, AFAIK, a peculiarly Unix service. Why do you
> suppose they chose echo for the latency test as opposed to a simple
> ping? Nearly everything with an ethernet card will respond to a ping,
> returning, I would think, more useful latency information than a
> refused connect.

No, not everything. Most of the systems at work can't be pinged (with
some exceptions). 'Course, you can't get to their echo port either.

> Since echo is Unix-centric and most new admins leave echo open, echo
> will reveal far more about a machine than a ping. Could it be that
> this is the intent?

Having talked to Resonate about their distributed load balancing
stuff, apparently some customers asked for echo port queries rather
than ICMP (from memory ... the meeting was a couple of months ago). I
think many many people are blocking ICMP at their borders to protect
from smurfs.

Basically, if you didn't understand the previous reply (or need more
info) Resonate make a couple of DNS based load balancing solutions,
one for replacing DNS round robin in a single datacenter environment,
one for distributing load across multiple datacenters, with traffic
being sent to the `closest' one. Their distributed DNS system works
by having a system at each of the datacenters `ping' (somehow) the DNS
server doing the lookup. The one with the lowest latency (generally,
although load at the datacenter, and local preferences, can also weigh
in) will be chosen, and an A record for ad.doubleclick.net will be
returned pointing at that datacenter. Generally, that A record will be
pointing at their local load balancing solution, which is an entire
other story.
Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations.  See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Sun Jun 13 19:00:31 1999
Date: Sun, 13 Jun 1999 20:40:35 -0500 (CDT)
From: Jay Nelson
To: Gary Palmer
Cc: security@FreeBSD.ORG
Subject: Re: Fwd: [linux-security] Re: Port 7 scan
In-Reply-To: <34083.929310846@noop.colo.erols.net>

On Sun, 13 Jun 1999, Gary Palmer wrote:
>Basically, if you didn't understand the previous reply (or need more
>info) Resonate make a couple of DNS based load balancing solutions,

I understood the reply and understand why latency is central to their
solution. The answer, though, raised the question of why a port that
can identify a host platform -- for that matter, why not port 25, which,
at worst, yields the same lack of response? Logging?

>one for replacing DNS round robin in a single datacenter environment,
>one for distributing load across multiple datacenters, with traffic
>being sent to the `closest' one. Their distributed DNS system works
>by having a system at each of the datacenters `ping' (somehow) the DNS
>server doing the lookup. The one with the lowest latency (generally,
>although load at the datacenter, and local preferences, can also weigh
>in) will be chosen, and an A record for ad.doubleclick.net will be
>returned pointing at that datacenter. Generally, that A record will be
>pointing at their local load balancing solution, which is an entire
>other story.

I agree that there may be another story, here. The answer is
sufficient to re-evaluate our security policy. Particularly in light
of the fact that others have been able to implement similar solutions
without the invasion.

Thank you all for your answers.
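The probing the thread settles on (each candidate site opening one short TCP connection to the resolver's port 7, repeated per lookup) has a recognisable shape in a firewall log, and that shape is what separates it from a scan of the same host. The following is an added example, not code from any poster: it parses constructed log lines written in the style of FreeBSD ipfw "log" output and labels each burst of attempts; the line format, the 5-second burst window and the addresses are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, in the shape of FreeBSD ipfw "log" lines as syslogd writes
# them (hostname and "/kernel:" tag, then "ipfw: <rule> <action> <proto>
# <src>:<sport> <dst>:<dport> <in|out> via <iface>"). Addresses are made up;
# 10.0.0.53 stands in for the site's name server.
SAMPLE_LOG = """\
Jun 13 12:20:01 acp /kernel: ipfw: 300 Deny TCP 203.0.113.10:4411 10.0.0.53:7 in via ed0
Jun 13 12:20:01 acp /kernel: ipfw: 300 Deny TCP 198.51.100.7:2290 10.0.0.53:7 in via ed0
Jun 13 12:20:02 acp /kernel: ipfw: 300 Deny TCP 192.0.2.44:1025 10.0.0.53:7 in via ed0
Jun 13 12:20:02 acp /kernel: ipfw: 300 Deny TCP 198.51.100.99:3322 10.0.0.53:7 in via ed0
Jun 13 12:41:37 acp /kernel: ipfw: 300 Deny TCP 192.0.2.200:40001 10.0.0.53:7 in via ed0
Jun 13 12:41:37 acp /kernel: ipfw: 300 Deny TCP 192.0.2.200:40002 10.0.0.53:9 in via ed0
Jun 13 12:41:38 acp /kernel: ipfw: 300 Deny TCP 192.0.2.200:40003 10.0.0.53:19 in via ed0
Jun 13 12:41:38 acp /kernel: ipfw: 300 Deny TCP 192.0.2.200:40004 10.0.0.53:25 in via ed0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_events(text):
    """Return the inbound TCP connection attempts found in ipfw log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or m["dir"] != "in":
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def bursts(events, window_s=5):
    """Group attempts against one destination into bursts separated by at most window_s seconds."""
    groups = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if groups:
            last = groups[-1][-1]
            if last["dst"] == ev["dst"] and (ev["time"] - last["time"]).total_seconds() <= window_s:
                groups[-1].append(ev)
                continue
        groups.append([ev])
    return groups


def classify(burst, min_sources=3):
    """Label a burst by its shape rather than by who sent it.

    Several distinct sources, each making a single attempt, all at port 7, is
    the shape the Resonate reply describes (one probe per candidate site to
    the resolver's echo port). One source walking several ports is a sweep.
    """
    per_source = Counter(e["src"] for e in burst)
    ports = {e["dport"] for e in burst}
    if ports == {7} and len(per_source) >= min_sources and max(per_source.values()) == 1:
        return "echo-latency-probe"
    if len(per_source) == 1 and len(ports) > 1:
        return "port-sweep"
    return "other"


def summarize(text, window_s=5):
    """One summary record per burst, ready to print or attach to a ticket."""
    return [
        {
            "dst": b[0]["dst"],
            "start": b[0]["time"].strftime("%b %d %H:%M:%S"),
            "sources": sorted({e["src"] for e in b}),
            "ports": sorted({e["dport"] for e in b}),
            "verdict": classify(b),
        }
        for b in bursts(parse_events(text), window_s)
    ]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec["start"], rec["dst"], rec["verdict"], rec["sources"], rec["ports"])
```

The verdict only says what the traffic looks like; whether the sources are the advertiser's sites or something else still has to come from the resolver's own query log, as the forwarded reply implies.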
--
Jay

From owner-freebsd-security Sun Jun 13 20:49:34 1999
Received: from fiend.securesys.com.au (fiend.securesys.com.au [203.38.213.195]) by hub.freebsd.org (Postfix) with ESMTP id 69FB514C1C; Sun, 13 Jun 1999 20:49:24 -0700 (PDT) (envelope-from john@fiend.securesys.com.au)
Received: (from john@localhost) by fiend.securesys.com.au (8.8.8/8.8.8) id VAA06078; Mon, 14 Jun 1999 21:17:02 +0930 (CST)
From: John
Message-Id: <199906141147.VAA06078@fiend.securesys.com.au>
Subject: Re: reading files.
To: jschwab@royal.net (Jason L. Schwab)
Date: Mon, 14 Jun 1999 21:17:02 +0930 (CST)
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Jason L. Schwab" at Jun 13, 99 02:46:37 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> I heard that there is a way to read any file on a freebsd system as a
> normal non-root user.. is this true? if so can someone give me some info
> on this? thanks.

If the raw device file for the filesystem were world readable, you could
'read' any file as a non-root user...

J.

From owner-freebsd-security Mon Jun 14 3:29:36 1999
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 8113C14E33; Mon, 14 Jun 1999 03:29:30 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id MAA62259; Mon, 14 Jun 1999 12:29:15 +0200 (CEST) (envelope-from des)
To: John
Cc: jschwab@royal.net (Jason L. Schwab), freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
References: <199906141147.VAA06078@fiend.securesys.com.au>
From: Dag-Erling Smorgrav
Date: 14 Jun 1999 12:29:14 +0200
In-Reply-To: John's message of "Mon, 14 Jun 1999 21:17:02 +0930 (CST)"
Message-ID:
Lines: 23
X-Mailer: Gnus v5.5/Emacs 19.34

John writes:
> > I heard that there is a way to read any file on a freebsd system as a
> > normal non-root user.. is this true? if so can someone give me some info
> > on this? thanks.
>
> If the raw device file for the filesystem were world readable,
> you could 'read' any file as a non-root user...

This is academic, since raw disk devices are created with owner root,
group operator and mode 640. You'd have to *make* the device nodes
world-readable (or add everybody to group operator) for this to work.

There is no known way for a normal user to read a file to which he or
she does not normally have access without first gaining root privileges
- either by somehow obtaining the root password or physical access to
the console, or by exploiting a misconfiguration or a security hole in
third-party software.

(disclaimer: I am not a FreeBSD security officer)

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon Jun 14 8:22:45 1999
Received: from sol (cs1-gw.cs.binghamton.edu [128.226.171.72]) by hub.freebsd.org (Postfix) with SMTP id 1D56D14BD8; Mon, 14 Jun 1999 08:22:25 -0700 (PDT) (envelope-from zzhang@cs.binghamton.edu)
Received: from localhost (zzhang@localhost) by sol (SMI-8.6/8.6.9) with SMTP id LAA07837; Mon, 14 Jun 1999 11:10:49 -0400
Date: Mon, 14 Jun 1999 11:10:48 -0400 (EDT)
From: Zhihui Zhang
To: "Jason L. Schwab"
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sun, 13 Jun 1999, Jason L. Schwab wrote:

>
> I heard that there is a way to read any file on a freebsd system as a
> normal non-root user.. is this true? if so can someone give me some info
> on this? thanks.

Unless you are root or have somehow gotten the root password. Or you may
steal the hard drive and examine it elsewhere. BTW, I know Windows-NT has
a feature that does not allow the Administrator (known as root in Unix) to
access the file of a normal user. I wonder if this feature can be added
to FreeBSD easily.

-Zhihui

From owner-freebsd-security Mon Jun 14 10:45:40 1999
Received: from exchange.quest.com (unknown [192.77.210.14]) by hub.freebsd.org (Postfix) with ESMTP id 55B4B15333; Mon, 14 Jun 1999 10:45:32 -0700 (PDT) (envelope-from SBenjamin@quest.com)
Received: by exchange.quests.com with Internet Mail Service (5.5.2232.9) id ; Mon, 14 Jun 1999 10:45:17 -0700
Message-ID: <1D7D0A00F0E8D111A26600104B873E4C01783DAB@exchange.quests.com>
From: Scott Benjamin
To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Security Docs? Help?
Date: Mon, 14 Jun 1999 10:45:16 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-1"

Could someone point me in the right direction for securing a FreeBSD box?
I'm looking for some documentation and such in helping me make sure I hit
all of the angles so that someone else doesn't =).

thanks in advance,

Scott

----
"Any sufficiently advanced bug is indistinguishable from a feature"
-- Rich Kulawiec

From owner-freebsd-security Mon Jun 14 10:56:29 1999
Received: from mobil.surnet.ru (mobil.surnet.ru [195.54.2.7]) by hub.freebsd.org (Postfix) with ESMTP id ADBD31511B; Mon, 14 Jun 1999 10:56:11 -0700 (PDT) (envelope-from ilia@cgilh.chel.su)
Received: (from uucgilh@localhost) by mobil.surnet.ru (8.9.1a/8.9.1) with UUCP id XAA24061; Mon, 14 Jun 1999 23:53:44 +0600 (UDT)
Received: (from uucp@localhost) by cgilh.chel.su (8.8.7/8.8.7) with UUCP id WAA06460; Mon, 14 Jun 1999 22:21:16 +0600
Received: from localhost (ilia@localhost) by localhost.cgu.chel.su (8.9.2/8.9.2) with ESMTP id WAA00619; Mon, 14 Jun 1999 22:19:34 +0600 (ESS) (envelope-from ilia@cgilh.chel.su)
X-Authentication-Warning: localhost.cgu.chel.su: ilia owned process doing -bs
Date: Mon, 14 Jun 1999 22:19:34 +0600 (ESS)
From: Ilia Chipitsine
X-Sender: ilia@localhost.cgu.chel.su
To: Zhihui Zhang
Cc: "Jason L. Schwab", freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 14 Jun 1999, Zhihui Zhang wrote:

>
> On Sun, 13 Jun 1999, Jason L. Schwab wrote:
>
> >
> > I heard that there is a way to read any file on a freebsd system as a
> > normal non-root user.. is this true? if so can someone give me some info
> > on this? thanks.
>
> Unless you are root or have somehow gotten the root password. Or you may
> steal the hard drive and examine it elsewhere. BTW, I know Windows-NT has
> a feature that does not allow the Administrator (known as root in Unix) to
> access the file of a normal user. I wonder if this feature can be added
> to FreeBSD easily.

it can be added easily, use PGP, that was how I prevented my
account at my school from being examined by root.

>
> -Zhihui
>

From owner-freebsd-security Mon Jun 14 11: 1:27 1999
Received: from geocities.com (mail10.geocities.com [209.1.224.138]) by hub.freebsd.org (Postfix) with ESMTP id A917415578 for ; Mon, 14 Jun 1999 11:01:15 -0700 (PDT) (envelope-from sylvarnes@geocities.com)
Received: from hsf2510 ([158.37.10.109]) by geocities.com (8.9.3/8.9.3) with SMTP id LAA15558; Mon, 14 Jun 1999 11:01:12 -0700 (PDT)
Message-Id: <3.0.6.32.19990614200106.007a17f0@mail.geocities.com>
X-Sender: sylvarnes@mail.geocities.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Mon, 14 Jun 1999 20:01:06 +0200
To: Scott Benjamin
From: "Stein B. Sylvarnes"
Subject: Re: Security Docs? Help?
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <1D7D0A00F0E8D111A26600104B873E4C01783DAB@exchange.quests.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Scott Benjamin wrote:
>Could someone point me in the right direction for securing a FreeBSD box?
>I'm looking for some documentation and such in helping me make sure I hit
>all of the angles so that someone else doesn't =).
>
>thanks in advance,
>
>Scott

Sysadmin has an article you might find interesting, it is located at
http://www.samag.com/archive/0705/feature.shtml

Hope this helps

Stein B. Sylvarnes
www.{Free, Net, Open}BSD.org

From owner-freebsd-security Mon Jun 14 11:29:23 1999
Received: from sol (cs1-gw.cs.binghamton.edu [128.226.171.72]) by hub.freebsd.org (Postfix) with SMTP id 1A22214D54; Mon, 14 Jun 1999 11:29:07 -0700 (PDT) (envelope-from zzhang@cs.binghamton.edu)
Received: from localhost (zzhang@localhost) by sol (SMI-8.6/8.6.9) with SMTP id OAA08591; Mon, 14 Jun 1999 14:06:18 -0400
Date: Mon, 14 Jun 1999 14:06:17 -0400 (EDT)
From: Zhihui Zhang
To: Ilia Chipitsine
Cc: "Jason L. Schwab", freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 14 Jun 1999, Ilia Chipitsine wrote:

> > Unless you are root or have somehow gotten the root password. Or you may
> > steal the hard drive and examine it elsewhere. BTW, I know Windows-NT has
> > a feature that does not allow the Administrator (known as root in Unix) to
> > access the file of a normal user. I wonder if this feature can be added
> > to FreeBSD easily.
>
> it can be added easily, use PGP, that was how I prevented my
> account at my school from being examined by root.
>

Pretty Good Privacy? Can you show me how to do it in FreeBSD or give me
any pointers?

Thanks.

-Zhihui

From owner-freebsd-security Mon Jun 14 11:37:24 1999
Received: from claude.akamai.com (access.akamai.com [4.17.143.9]) by hub.freebsd.org (Postfix) with ESMTP id 3F76E15331 for ; Mon, 14 Jun 1999 11:37:17 -0700 (PDT) (envelope-from dshaw@akamai.com)
Received: (from dshaw@localhost) by claude.akamai.com (8.8.7/8.8.7) id OAA05451 for freebsd-security@FreeBSD.ORG; Mon, 14 Jun 1999 14:37:34 -0400
Date: Mon, 14 Jun 1999 14:37:34 -0400
From: David Shaw
To: freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
Message-ID: <19990614143734.B4439@jabberwocky.com>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.5i
In-Reply-To: ; from Zhihui Zhang on Mon, Jun 14, 1999 at 11:10:48AM -0400
X-PGP-Fingerprint: 3CB3B415/2048/4D 96 83 18 2B AF BE 45 D0 07 C4 07 51 37 B3 18
X-URL: http://www.jabberwocky.com/
X-Phase-Of-Moon: The Moon is Waxing Crescent (2% of Full)
X-Current-Email-Backlog: 336
X-Pointless-Random-Number: 132
X-Silly-Header: It sure is.
X-Time-Til-Y2K: 28 weeks, 4 days, 10 hours, 24 minutes, 33 seconds

On Mon, Jun 14, 1999 at 11:10:48AM -0400, Zhihui Zhang wrote:
>
> On Sun, 13 Jun 1999, Jason L. Schwab wrote:
>
> >
> > I heard that there is a way to read any file on a freebsd system as a
> > normal non-root user.. is this true? if so can someone give me some info
> > on this? thanks.
>
> Unless you are root or have somehow gotten the root password. Or you may
> steal the hard drive and examine it elsewhere. BTW, I know Windows-NT has
> a feature that does not allow the Administrator (known as root in Unix) to
> access the file of a normal user. I wonder if this feature can be added
> to FreeBSD easily.

It's true that the NT Administrator can't read files that he doesn't have
permission for, but since Administrator controls the ACLs, if he can't
read something, he can trivially just change the permissions and give
himself access!

David

--
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

From owner-freebsd-security Mon Jun 14 12:13:44 1999
Received: from corinth.bossig.com (corinth.bossig.com [208.26.239.66]) by hub.freebsd.org (Postfix) with ESMTP id 9CA2715228; Mon, 14 Jun 1999 12:10:07 -0700 (PDT) (envelope-from kstewart@3-cities.com)
Received: from revolution.3-cities.com (revolution.3-cities.com [204.203.224.155]) by corinth.bossig.com (Rockliffe SMTPRA 3.3.1) with ESMTP id ; Mon, 14 Jun 1999 12:11:59 -0700
Received: from 3-cities.com (kenn1181.bossig.com [208.26.241.181]) by revolution.3-cities.com (8.9.3/8.9.3) with ESMTP id MAA21917; Mon, 14 Jun 1999 12:09:51 -0700 (PDT)
Message-ID: <3765537B.6D0BC801@3-cities.com>
Date: Mon, 14 Jun 1999 12:09:47 -0700
From: Kent Stewart
Reply-To: kstewart@3-cities.com
Organization: Columbia Basin Virtual Community Project
X-Mailer: Mozilla 4.51 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Zhihui Zhang
Cc: Ilia Chipitsine, "Jason L. Schwab", freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Re: reading files.
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Zhihui Zhang wrote:
>
> On Mon, 14 Jun 1999, Ilia Chipitsine wrote:
>
> > > Unless you are root or have somehow gotten the root password. Or you may
> > > steal the hard drive and examine it elsewhere. BTW, I know Windows-NT has
> > > a feature that does not allow the Administrator (known as root in Unix) to
> > > access the file of a normal user. I wonder if this feature can be added
> > > to FreeBSD easily.
> >
> > it can be added easily, use PGP, that was how I prevented my
> > account at my school from being examined by root.
> >
>
> Pretty Good Privacy? Can you show me how to do it in FreeBSD or give me
> any pointers?

I think something like PGP is the only way. The way I remember
administrator privileges with NT is that you can't keep me from
accessing a file. I just have to take ownership of the user's
directories and then change the ownership of the file I want to look at.
When I get through, I would have to change the ownership of everything I
changed back to the user. I also think this would leave many tracks
behind, which isn't a quiet way like su'ing to the user from root.

As a backup operator, I think I could back up your files and restore them
on a different system. Then you wouldn't know I have accessed your
files. I've never backed up a user's files on one system and restored
them to another system but I have never seen anything that would prevent
me from doing that. I may have to add the user to that system but then I
would know the password and it would be trivial.

The problem with PGP is that by the time you have a pretty good key it
will be easy to forget and then you have lost access to your file.

Kent

>
> Thanks.
>
> -Zhihui
>

--
Kent Stewart
Richland, WA
mailto:kstewart@3-cities.com
http://www.3-cities.com/~kstewart/index.html

From owner-freebsd-security Mon Jun 14 12:24:15 1999
Received: from sfmailrelay.hamquist.com (sfmailrelay2.hamquist.com [199.108.89.15]) by hub.freebsd.org (Postfix) with SMTP id 7147B14D1A for ; Mon, 14 Jun 1999 12:24:13 -0700 (PDT) (envelope-from rchilders@hamquist.com)
Received: from 172.19.6.48 by sfmailrelay.hamquist.com with SMTP ( WorldSecure Server SMTP Relay(WSS) v3.2 SR1); Mon, 14 Jun 99 12:23:45 -0700
X-Server-Uuid: c29e0ff2-e8b9-11d1-a493-00c04fbbd7d3
Received: from hamquist.com ([172.19.6.230]) by sfmail.hamquist.com ( Netscape Messaging Server 3.6) with ESMTP id AAA2DD7; Mon, 14 Jun 1999 15:24:11 -0400
Message-ID: <376557C2.3230DC3B@hamquist.com>
Date: Mon, 14 Jun 1999 12:28:02 -0700
From: "Richard Childers"
Organization: hambrecht & quist, llc
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To:
Cc:
Subject: Re: reading files.
References: <3765537B.6D0BC801@3-cities.com>
X-WSS-ID: 1B7B894B192839-01-02
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Don't forget that PGP is exactly as secure as the filesystem on which
your key(s) reside ...

-- richard

Richard Childers
Senior UNIX Systems Administrator & Chief Bottle Washer
Hambrecht & Quist, LLC
(415) 439-3838

Kent Stewart wrote:
>
> As a backup operator, I think I could back up your files and restore them
> on a different system. Then you wouldn't know I have accessed your
> files. I've never backed up a user's files on one system and restored
> them to another system but I have never seen anything that would prevent
> me from doing that. I may have to add the user to that system but then I
> would know the password and it would be trivial.
>
> The problem with PGP is that by the time you have a pretty good key it
> will be easy to forget and then you have lost access to your file.
>
> Kent
>

From owner-freebsd-security Mon Jun 14 12:31:15 1999
Received: from office.omc.net (office.omc.net [195.185.142.22]) by hub.freebsd.org (Postfix) with ESMTP id 81396150A6 for ; Mon, 14 Jun 1999 12:31:01 -0700 (PDT) (envelope-from LutzRab@omc.net)
Received: from lutz (lutz.omc.net [195.185.142.3]) by office.omc.net (8.9.3/8.9.3) with SMTP id VAA14403 for ; Mon, 14 Jun 1999 21:30:58 +0200 (CEST)
Message-Id: <199906141930.VAA14403@office.omc.net>
From: "Lutz Rabing"
Organization: OMCnet IS GmbH
To: security@FreeBSD.ORG
Date: Mon, 14 Jun 1999 21:30:58 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: New Attack via sendmail?
Reply-To: LutzRab@omc.net
X-mailer: Pegasus Mail for Win32 (v3.11)

I've seen some pretty strange lines in syslog of one of our webservers.

The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
swap space before, in fact it's not using swap space at all under normal
conditions.

Lutz Rabing
-OMCnet-

------------------------------------------------------------------------
Jun 14 14:11:48 meg /kernel: swap_pager: out of swap space
Jun 14 14:11:48 meg Jun 14 14:11:48sendmail[: /etc/spwd.db
Jun 14 14:11:48 meg Jun 14 14:11:48sendmail[: OAA14935
Jun 14 14:12:00 meg /kernel: swap_pager: out of swap space
Jun 14 14:12:00 meg /kernel: pid 14964 (perl5.00404), uid 0: exited on signal 11
Jun 14 14:12:01 meg Jun 14 14:12:01sendmail[: /etc/spwd.db
Jun 14 14:12:01 meg /kernel: pid 14963 (sh), uid 0: exited on signal 11
Jun 14 14:12:01 meg Jun 14 14:12:01sendmail[: /etc/spwd.db
Jun 14 14:12:05 meg Jun 14 14:12:05sendmail[: /etc/spwd.db
Jun 14 14:12:05 meg Jun 14 14:12:05sendmail[: NOQUEUE
Jun 14 14:12:07 meg Jun 14 14:12:07sendmail[: NOQUEUE
Jun 14 14:12:10 meg Jun 14 14:12:10cucipop[: out of memory
Jun 14 14:12:10 meg Jun 14 14:12:10cucipop[: lost
Jun 14 14:12:11 meg Jun 14 14:12:11sendmail[: NOQUEUE
Jun 14 14:12:12 meg Jun 14 14:12:12sendmail[: /etc/spwd.db
Jun 14 14:12:12 meg Jun 14 14:12:12sendmail[: NOQUEUE
Jun 14 14:12:14 meg Jun 14 14:12:14sendmail[: NOQUEUE
Jun 14 14:12:17 meg /kernel: swap_pager: out of swap space
Jun 14 14:12:19 meg last message repeated 2 times
Jun 14 14:12:19 meg Jun 14 14:12:19sendmail[: /etc/spwd.db
Jun 14 14:12:19 meg Jun 14 14:12:19sendmail[: NOQUEUE
Jun 14 14:12:19 meg last message repeated 8 times
Jun 14 14:12:20 meg /kernel: swap_pager: out of swap space
Jun 14 14:12:23 meg /kernel: pid 14974 (mail.local), uid 0: exited on signal 11
Jun 14 14:12:23 meg sendmail[14973]: OAA14972: SYSERR(UID0): mailer local died with signal 13
Jun 14 14:12:26 meg Jun 14 14:12:26cucipop[: out of memory
Jun 14 14:12:26 meg Jun 14 14:12:26cucipop[: lost
Jun 14 14:12:35 meg Jun 14 14:12:35sendmail[: NOQUEUE
Jun 14 14:12:45 meg Jun 14 14:12:45sendmail[: NOQUEUE
Jun 14 14:12:58 meg /kernel: swap_pager: out of swap space
Jun 14 14:13:00 meg /kernel: pid 16699 (sh), uid 0: exited on signal 11

From owner-freebsd-security Mon Jun 14 12:35:11 1999
Received: from gerpa.ru (gerpa.ru [212.24.32.162]) by hub.freebsd.org (Postfix) with ESMTP id 196FC154ED; Mon, 14 Jun 1999 12:35:03 -0700 (PDT) (envelope-from matrix@gerpa.ru)
Received: from m1 (p125.pol.ru [212.24.38.125]) by gerpa.ru (8.9.3/8.9.3) with SMTP id XAA07016; Mon, 14 Jun 1999 23:40:09 +0400 (MSD)
Message-ID: <008801beb69c$b1ff3b00$0100a8c0@m1>
From: "Artem Koutchine"
To: "Zhihui Zhang", "Jason L. Schwab"
Cc:
Subject: Re: reading files.
Date: Mon, 14 Jun 1999 23:30:19 +0400
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.1
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3110.3

>On Sun, 13 Jun 1999, Jason L. Schwab wrote:
>Unless you are root or have somehow gotten the root password. Or you may
>steal the hard drive and examine it elsewhere.

That's right. Once I deleted my files (about 300K of perl scripts) and
restored ALL of them in Norton Disk Editor.

>BTW, I know Windows-NT has
>a feature that does not allow the Administrator (known as root in Unix) to
>access the file of a normal user. I wonder if this feature can be added
>to FreeBSD easily.

Look at the CFS port in security dir. I have been using Scrypt FS for a
while now and am fully satisfied with it. However, it does not work with
Interbase, but that's Interbase's fault :(

Artem Koutchine
Sys/Net/Web Admin, Web Designer, Programmer
E-Mail addresses in order of preference:
matrix@norilsk.ru
matrix@chat.ru

From owner-freebsd-security Mon Jun 14 12:39:59 1999
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id DC95714EE3 for ; Mon, 14 Jun 1999 12:39:45 -0700 (PDT) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id NAA16146; Mon, 14 Jun 1999 13:39:42 -0600 (MDT)
Date: Mon, 14 Jun 1999 13:39:42 -0600 (MDT)
From: Nick Rogness
To: Lutz Rabing
Cc: security@FreeBSD.ORG
Subject: Re: New Attack via sendmail?
In-Reply-To: <199906141930.VAA14403@office.omc.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 14 Jun 1999, Lutz Rabing wrote:

>
> I've seen some pretty strange lines in syslog of one of our webservers.
>
> The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
> swap space before, in fact it's not using swap space at all under normal
> conditions.

What do your other logs say? (/var/log/maillog)

What about your access_log from apache, were you getting
hit hard on the web side? The reason I ask is I see a perl
exit in the log below.

>
> Lutz Rabing
> -OMCnet-
>
> ------------------------------------------------------------------------
> Jun 14 14:11:48 meg /kernel: swap_pager: out of swap space
> Jun 14 14:11:48 meg Jun 14 14:11:48sendmail[: /etc/spwd.db
> Jun 14 14:11:48 meg Jun 14 14:11:48sendmail[: OAA14935
> Jun 14 14:12:00 meg /kernel: swap_pager: out of swap space
> Jun 14 14:12:00 meg /kernel: pid 14964 (perl5.00404), uid 0: exited on signal 11
> Jun 14 14:12:01 meg Jun 14 14:12:01sendmail[: /etc/spwd.db
> Jun 14 14:12:01 meg /kernel: pid 14963 (sh), uid 0: exited on signal 11
> Jun 14 14:12:01 meg Jun 14 14:12:01sendmail[: /etc/spwd.db
> Jun 14 14:12:05 meg Jun 14 14:12:05sendmail[: /etc/spwd.db
> Jun 14 14:12:05 meg Jun 14 14:12:05sendmail[: NOQUEUE
> Jun 14 14:12:07 meg Jun 14 14:12:07sendmail[: NOQUEUE
> Jun 14 14:12:10 meg Jun 14 14:12:10cucipop[: out of memory
> Jun 14 14:12:10 meg Jun 14 14:12:10cucipop[: lost
> Jun 14 14:12:11 meg Jun 14 14:12:11sendmail[: NOQUEUE
> Jun 14 14:12:12 meg Jun 14 14:12:12sendmail[: /etc/spwd.db
> Jun 14 14:12:12 meg Jun 14 14:12:12sendmail[: NOQUEUE
> Jun 14 14:12:14 meg Jun 14 14:12:14sendmail[: NOQUEUE
> Jun 14 14:12:17 meg /kernel: swap_pager: out of swap space
> Jun 14 14:12:19 meg last message repeated 2 times
> Jun 14 14:12:19 meg Jun 14 14:12:19sendmail[: /etc/spwd.db
> Jun 14 14:12:19 meg Jun 14 14:12:19sendmail[: NOQUEUE
> Jun 14 14:12:19 meg last message repeated 8 times
> Jun 14 14:12:20 meg /kernel: swap_pager: out of swap space
> Jun 14 14:12:23 meg /kernel: pid 14974 (mail.local), uid 0: exited on signal 11
> Jun 14 14:12:23 meg sendmail[14973]: OAA14972: SYSERR(UID0): mailer local died with signal 13
> Jun 14 14:12:26 meg Jun 14 14:12:26cucipop[: out of memory
> Jun 14 14:12:26 meg Jun 14 14:12:26cucipop[: lost
> Jun 14 14:12:35 meg Jun 14 14:12:35sendmail[: NOQUEUE
> Jun 14 14:12:45 meg Jun 14 14:12:45sendmail[: NOQUEUE
> Jun 14 14:12:58 meg /kernel: swap_pager: out of swap space
> Jun 14 14:13:00 meg /kernel: pid 16699 (sh), uid 0: exited on signal 11
>

*******************************************************************
Nick Rogness                    "Never settle with words what
System Administrator             can be accomplished with a
RapidNet, INC                    flame-thrower"
nick@rapidnet.com
*******************************************************************

From owner-freebsd-security Mon Jun 14 12:41:48 1999
Received: from osgroup.com (unknown [38.229.41.6]) by hub.freebsd.org (Postfix) with ESMTP id 06D60155FF; Mon, 14 Jun 1999 12:41:41 -0700 (PDT) (envelope-from stan@osgroup.com)
Received: from stan166 ([38.229.41.237]) by osgroup.com (8.7.6/8.6.12) with SMTP id OAA11453; Mon, 14 Jun 1999 14:30:28 -0500
Received: by localhost with Microsoft MAPI; Mon, 14 Jun 1999 14:43:13 -0500
Message-ID: <01BEB674.3B233FE0.stan@osgroup.com>
From: Constantine Shkolnyy
Reply-To: "stan@osgroup.com"
To: "freebsd-questions@FreeBSD.ORG", "freebsd-security@FreeBSD.ORG"
Subject: RE: reading files.
Date: Mon, 14 Jun 1999 14:43:12 -0500
Organization: Ashley Laurent, Inc.
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

> I think something like PGP is the only way. The way I remember
> administrator privileges with NT is that you can't keep me from
> accessing a file. I just have to take ownership of the user's
> directories and then change the ownership of the file I want to look at.
> When I get through, I would have to change the ownership of everything I
> changed back to the user. I also think this would leave many tracks
> behind, which isn't a quiet way like su'ing to the user from root.

My recollection is that after you took ownership in NT, you _can't_
change it back. You will have to explain to the user why you needed to do
that.

From owner-freebsd-security Mon Jun 14 12:42:16 1999
Received: from corinth.bossig.com (corinth.bossig.com [208.26.239.66]) by hub.freebsd.org (Postfix) with ESMTP id 18C731551C for ; Mon, 14 Jun 1999 12:41:55 -0700 (PDT) (envelope-from kstewart@3-cities.com)
Received: from revolution.3-cities.com (revolution.3-cities.com [204.203.224.155]) by corinth.bossig.com (Rockliffe SMTPRA 3.3.1) with ESMTP id ; Mon, 14 Jun 1999 12:43:54 -0700
Received: from 3-cities.com (kenn1181.bossig.com [208.26.241.181]) by revolution.3-cities.com (8.9.3/8.9.3) with ESMTP id MAA25918; Mon, 14 Jun 1999 12:41:52 -0700 (PDT)
Message-ID: <37655AFC.D58D456F@3-cities.com>
Date: Mon, 14 Jun 1999 12:41:48 -0700
From: Kent Stewart
Reply-To: kstewart@3-cities.com
Organization: Columbia Basin Virtual Community Project
X-Mailer: Mozilla 4.51 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Richard Childers
Cc: freebsd-security@freebsd.org
Subject: Re: reading files.
References: <3765537B.6D0BC801@3-cities.com> <376557C2.3230DC3B@hamquist.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Richard Childers wrote:
>
> Don't forget that PGP is exactly as secure as the filesystem on which
> your key(s) reside ...

That was really my whole point on PGP. When you have the key somewhere
besides memory, someone else can find it and a 128-bit key is really
hard to remember and enter properly. I think a Jaz 2GB that you store in
a guarded, locked safe is my idea of file security.

Kent

>
> -- richard
>
> Richard Childers
> Senior UNIX Systems Administrator & Chief Bottle Washer
> Hambrecht & Quist, LLC
> (415) 439-3838
>
> Kent Stewart wrote:
> >
> > As a backup operator, I think I could back up your files and restore them
> > on a different system. Then you wouldn't know I have accessed your
> > files. I've never backed up a user's files on one system and restored
> > them to another system but I have never seen anything that would prevent
> > me from doing that. I may have to add the user to that system but then I
> > would know the password and it would be trivial.
> >
> > The problem with PGP is that by the time you have a pretty good key it
> > will be easy to forget and then you have lost access to your file.
> >
> > Kent
> >

--
Kent Stewart
Richland, WA
mailto:kstewart@3-cities.com
http://www.3-cities.com/~kstewart/index.html

Hunting Archibald Stewart, b 1802 in Ballymena, Antrim Co., NIR
http://www.3-cities.com/~kstewart/genealogy/archibald_stewart.html

From owner-freebsd-security Mon Jun 14 12:52:43 1999
Received: from office.omc.net (office.omc.net [195.185.142.22]) by hub.freebsd.org (Postfix) with ESMTP id 8D7C414C38 for ; Mon, 14 Jun 1999 12:52:34 -0700 (PDT) (envelope-from LutzRab@omc.net)
Received: from lutz (lutz.omc.net [195.185.142.3]) by office.omc.net (8.9.3/8.9.3) with SMTP id VAA14960; Mon, 14 Jun 1999 21:52:22 +0200 (CEST)
Message-Id: <199906141952.VAA14960@office.omc.net>
From: "Lutz Rabing"
Organization: OMCnet IS GmbH
To: Nick Rogness
Date: Mon, 14 Jun 1999 21:52:21 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: New Attack via sendmail?
Reply-To: LutzRab@omc.net
Cc: security@FreeBSD.ORG
References: <199906141930.VAA14403@office.omc.net>
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.11)

> >
> > I've seen some pretty strange lines in syslog of one of our webservers.
> >
> > The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
> > swap space before, in fact it's not using swap space at all under normal
> > conditions.
>
> What do your other logs say? (/var/log/maillog)
>
> What about your access_log from apache, were you getting
> hit hard on the web side? The reason I ask is I see a perl
> exit in the log below.

There is nothing in "maillog" at that time and also nothing unusual in the apache log (just around 10 hits per second for a PIII-450 should be Ok).

Thanks,
Lutz

> >
> > Lutz Rabing
> > -OMCnet-
> >
> > ------------------------------------------------------------------------
> > Jun 14 14:11:48 meg /kernel: swap_pager: out of swap space
> > Jun 14 14:11:48 meg Jun 14 14:11:48sendmail[: /etc/spwd.db
> > Jun 14 14:11:48 meg Jun 14 14:11:48sendmail[: OAA14935
> > Jun 14 14:12:00 meg /kernel: swap_pager: out of swap space
> > Jun 14 14:12:00 meg /kernel: pid 14964 (perl5.00404), uid 0: exited on signal 11
> > Jun 14 14:12:01 meg Jun 14 14:12:01sendmail[: /etc/spwd.db
> > Jun 14 14:12:01 meg /kernel: pid 14963 (sh), uid 0: exited on signal 11
> > Jun 14 14:12:01 meg Jun 14 14:12:01sendmail[: /etc/spwd.db
> > Jun 14 14:12:05 meg Jun 14 14:12:05sendmail[: /etc/spwd.db
> > Jun 14 14:12:05 meg Jun 14 14:12:05sendmail[: NOQUEUE
> > Jun 14 14:12:07 meg Jun 14 14:12:07sendmail[: NOQUEUE
> > Jun 14 14:12:10 meg Jun 14 14:12:10cucipop[: out of memory
> > Jun 14 14:12:10 meg Jun 14 14:12:10cucipop[: lost
> > Jun 14 14:12:11 meg Jun 14 14:12:11sendmail[: NOQUEUE
> > Jun 14 14:12:12 meg Jun 14 14:12:12sendmail[: /etc/spwd.db
> > Jun 14 14:12:12 meg Jun 14 14:12:12sendmail[: NOQUEUE
> > Jun 14 14:12:14 meg Jun 14 14:12:14sendmail[: NOQUEUE
> > Jun 14 14:12:17 meg /kernel: swap_pager: out of swap space
> > Jun 14 14:12:19 meg last message repeated 2 times
> > Jun 14 14:12:19 meg Jun 14 14:12:19sendmail[: /etc/spwd.db
> > Jun 14 14:12:19 meg Jun 14 14:12:19sendmail[: NOQUEUE
> > Jun 14 14:12:19 meg last message repeated 8 times
> > Jun 14 14:12:20 meg /kernel: swap_pager: out of swap space
> > Jun 14 14:12:23 meg /kernel: pid 14974 (mail.local), uid 0: exited on signal 11
> > Jun 14 14:12:23 meg sendmail[14973]: OAA14972: SYSERR(UID0): mailer local died with signal 13
> > Jun 14 14:12:26 meg Jun 14 14:12:26cucipop[: out of memory
> > Jun 14 14:12:26 meg Jun 14 14:12:26cucipop[: lost
> > Jun 14 14:12:35 meg Jun 14 14:12:35sendmail[: NOQUEUE
> > Jun 14 14:12:45 meg Jun 14 14:12:45sendmail[: NOQUEUE
> > Jun 14 14:12:58 meg /kernel: swap_pager: out of swap space
> > Jun 14 14:13:00 meg /kernel: pid 16699 (sh), uid 0: exited on signal 11
> >
> >
>
> *******************************************************************
> Nick Rogness                  "Never settle with words what
> System Administrator           can be accomplished with a
> RapidNet, INC                  flame-thrower"
> nick@rapidnet.com
> *******************************************************************
>

Kind regards,
Lutz Rabing
-OMCnet-

--
"The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD."
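The log quoted above is the kind of thing worth triaging mechanically before calling it an attack: if every "exited on signal" event sits right behind a swap_pager message, memory exhaustion is the primary event and the real question is what consumed the memory. The script below is an added example for this thread, not code from any of the posters. It parses the kernel lines from Lutz's log (copied from the quote above; the doubled-timestamp sendmail and cucipop entries were garbled in the archive, so one cucipop line is included as a cleaned-up reconstruction to show that non-kernel lines are read but ignored), expands syslogd's "last message repeated N times" lines, and attributes each process death to the most recent out-of-swap message. The 60-second window and the year 1999 are assumptions.

```python
"""Correlate "out of swap space" kernel messages with process deaths in a
FreeBSD syslog extract (added example; not code from the original posts)."""
import re
import signal
from collections import Counter
from datetime import datetime

# Lines copied from the log quoted in this thread.  The cucipop line is a
# cleaned-up reconstruction (the archive doubled its timestamp); the
# doubled-timestamp sendmail[: lines are omitted for the same reason.
SAMPLE_LOG = """\
Jun 14 14:11:48 meg /kernel: swap_pager: out of swap space
Jun 14 14:12:00 meg /kernel: swap_pager: out of swap space
Jun 14 14:12:00 meg /kernel: pid 14964 (perl5.00404), uid 0: exited on signal 11
Jun 14 14:12:01 meg /kernel: pid 14963 (sh), uid 0: exited on signal 11
Jun 14 14:12:10 meg cucipop[: out of memory
Jun 14 14:12:17 meg /kernel: swap_pager: out of swap space
Jun 14 14:12:19 meg last message repeated 2 times
Jun 14 14:12:20 meg /kernel: swap_pager: out of swap space
Jun 14 14:12:23 meg /kernel: pid 14974 (mail.local), uid 0: exited on signal 11
Jun 14 14:12:23 meg sendmail[14973]: OAA14972: SYSERR(UID0): mailer local died with signal 13
Jun 14 14:12:58 meg /kernel: swap_pager: out of swap space
Jun 14 14:13:00 meg /kernel: pid 16699 (sh), uid 0: exited on signal 11
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SWAP_RE = re.compile(r"swap_pager: out of swap space")
DEATH_RE = re.compile(r"pid (?P<pid>\d+) \((?P<cmd>[^)]+)\), uid (?P<uid>\d+): exited on signal (?P<sig>\d+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def signal_name(num):
    """Map a signal number to its name; fall back to SIG<n> for unknown ones."""
    try:
        return signal.Signals(num).name
    except ValueError:
        return f"SIG{num}"


def parse_ts(text, year=1999):
    """syslog timestamps carry no year; assume one so time deltas can be computed."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def correlate(log_text, window_seconds=60):
    """Return (swap_exhaustion_count, deaths).

    Each death is a dict with the process details and the number of seconds
    since the most recent out-of-swap message; "linked" is True when that
    gap is within window_seconds."""
    swap_events, last_swap, last_msg, deaths = 0, None, None, []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        rep = REPEAT_RE.search(msg)
        if rep:
            # syslogd folds consecutive identical lines; credit the repeats
            # to the message that preceded them.
            if last_msg and SWAP_RE.search(last_msg):
                swap_events += int(rep["n"])
                last_swap = ts
            continue
        if SWAP_RE.search(msg):
            swap_events += 1
            last_swap = ts
        d = DEATH_RE.search(msg)
        if d:
            since = (ts - last_swap).total_seconds() if last_swap else None
            deaths.append({
                "time": m["ts"], "pid": int(d["pid"]), "cmd": d["cmd"], "uid": int(d["uid"]),
                "signal": signal_name(int(d["sig"])),
                "secs_after_swap_exhaustion": since,
                "linked": since is not None and 0 <= since <= window_seconds,
            })
        last_msg = msg
    return swap_events, deaths


def triage(log_text, window_seconds=60):
    """Summarise: how many exhaustion messages, which deaths follow them, and
    which root processes segfaulted inside the window."""
    swap_events, deaths = correlate(log_text, window_seconds)
    linked = [d for d in deaths if d["linked"]]
    return {
        "swap_exhaustion_messages": swap_events,
        "process_deaths": len(deaths),
        "deaths_linked_to_swap": len(linked),
        "root_segfaults": Counter(d["cmd"] for d in linked if d["uid"] == 0 and d["signal"] == "SIGSEGV"),
        "all_deaths_follow_swap_exhaustion": bool(deaths) and len(linked) == len(deaths),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run as-is it prints the summary for the sample; on a live box the same parser can be fed /var/log/messages. A cluster of uid 0 SIGSEGVs, each within seconds of a swap_pager message, says the processes died of failed allocations rather than of anything in the traffic they were handling, so the next step is accounting for memory (what was resident when swap ran out) before assuming sendmail is at fault.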
From owner-freebsd-security Mon Jun 14 13:58: 5 1999
Received: from corinth.bossig.com (corinth.bossig.com [208.26.239.66]) by hub.freebsd.org (Postfix) with ESMTP id 1621515168; Mon, 14 Jun 1999 13:57:47 -0700 (PDT) (envelope-from kstewart@3-cities.com)
Received: from revolution.3-cities.com (revolution.3-cities.com [204.203.224.155]) by corinth.bossig.com (Rockliffe SMTPRA 3.3.1) with ESMTP id ; Mon, 14 Jun 1999 13:59:45 -0700
Received: from 3-cities.com (kenn2077.bossig.com [208.26.242.77]) by revolution.3-cities.com (8.9.3/8.9.3) with ESMTP id NAA04917; Mon, 14 Jun 1999 13:57:41 -0700 (PDT)
Message-ID: <37656CC0.BDE49087@3-cities.com>
Date: Mon, 14 Jun 1999 13:57:36 -0700
From: Kent Stewart
Reply-To: kstewart@3-cities.com
Organization: Columbia Basin Virtual Community Project
X-Mailer: Mozilla 4.51 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "stan@osgroup.com"
Cc: "freebsd-questions@FreeBSD.ORG" , "freebsd-security@FreeBSD.ORG"
Subject: Re: reading files.
References: <01BEB674.3B233FE0.stan@osgroup.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Constantine Shkolnyy wrote:
>
> > I think something like PGP is the only way. The way I remember
> > administrator privileges with NT is that you can't keep me from
> > accessing a file. I just have to take ownership of the user's
> > directories and then change the ownership of the file I want to look at.
> > When I get through, I would have to change the ownership of everything I
> > changed back to the user. I also think this would leave many tracks
> > behind, which isn't a quiet way like su'ing to the user from root.
>
> My recollection is that after you took ownership in NT, you _can't_
> change it back. You will have to explain to the user why you needed to
> do that.

Once you mentioned it, that was the way I remembered it; however, from what I have seen today that isn't completely true. I have two user names with administrator privileges. I created a directory as administrator. When I wanted to change ownership of the directory logged in as the second user, I was presented with both names in the administrator group as choices. I don't know what the interaction with real user files would be. I don't have any on my development server.

It had been a long time since I had to change ownership. The usual time is when I want to do a clean install without a disk wipe. I had a directory \wints4b2 that I wanted to remove and there were all of these files that were owned by the other system. You could change ownership and rights and then you could delete the directory. It was slow and a pain but it worked.

Kent

--
Kent Stewart
Richland, WA
mailto:kstewart@3-cities.com
http://www.3-cities.com/~kstewart/index.html

From owner-freebsd-security Mon Jun 14 14: 3:23 1999
Received: from tinker.com (troll.tinker.com [204.214.7.146]) by hub.freebsd.org (Postfix) with ESMTP id 3A3F9155CA for ; Mon, 14 Jun 1999 14:03:10 -0700 (PDT) (envelope-from carol@tinker.com)
Received: by localhost (8.8.5/8.8.5)
Received: by mail.tinker.com via smap (V2.0) id xma012152; Mon Jun 14 15:48:29 1999
Received: by localhost (8.8.8/8.8.8) id PAA11681; Mon, 14 Jun 1999 15:58:07 -0500 (CDT)
Message-ID: <37656D82.19B57AC1@tinker.com>
Date: Mon, 14 Jun 1999 16:00:50 -0500
From: Carol Deihl
Organization: Shrier and Deihl
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 2.2.8-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: LutzRab@omc.net
Cc: security@FreeBSD.ORG
Subject: Re: New Attack via sendmail?
References: <199906141930.VAA14403@office.omc.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Lutz Rabing wrote:
>
> I've seen some pretty strange lines in syslog of one of our webservers.
>
> The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
> swap space before, in fact it's not using swap space at all under normal
> conditions.
>
> Lutz Rabing
> -OMCnet-
>
> ------------------------------------------------------------------------
> Jun 14 14:11:48 meg /kernel: swap_pager: out of swap space
> Jun 14 14:11:48 meg Jun 14 14:11:48sendmail[: /etc/spwd.db
> Jun 14 14:11:48 meg Jun 14 14:11:48sendmail[: OAA14935
[snip]

Are you running a Netscape browser on the box? A couple of months ago I had a similar problem, on a non-public box. It looks like the Netscape browser (Communicator 4.5) has a memory leak (especially in JavaScript processing), and eventually it would eat all the swap and cause something else to choke. I raised the (soft) ulimits for data and stack in my .profile, and I exit Netscape every couple of days (or whenever it starts getting slow). I'm not really sure if this was the problem, but it has not reoccurred since I upped the ulimits.

Carol
--
Carol Deihl - carol@tinker.com
Shrier and Deihl - Unix Network Admin and Internet Software Development

From owner-freebsd-security Mon Jun 14 14:34:33 1999
Received: from toxic.magnesium.net (toxic.magnesium.net [204.188.6.238]) by hub.freebsd.org (Postfix) with SMTP id C3769153FC for ; Mon, 14 Jun 1999 14:34:22 -0700 (PDT) (envelope-from unfurl@toxic.magnesium.net)
Received: (qmail 33757 invoked by uid 1001); 14 Jun 1999 21:34:20 -0000
Date: 14 Jun 1999 14:34:20 -0700
Date: Mon, 14 Jun 1999 14:34:20 -0700
From: Bill Swingle
To: Scott Benjamin
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Security Docs? Help?
Message-ID: <19990614143420.E33571@dub.net>
References: <1D7D0A00F0E8D111A26600104B873E4C01783DAB@exchange.quests.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <1D7D0A00F0E8D111A26600104B873E4C01783DAB@exchange.quests.com>; from Scott Benjamin on Mon, Jun 14, 1999 at 10:45:16AM -0700

On Mon, Jun 14, 1999 at 10:45:16AM -0700, Scott Benjamin wrote:
> Could someone point me in the right direction for securing a FreeBSD box?
> I'm looking for some documentation and such in helping me make sure I hit
> all of the angles so that someone else doesn't =).

Try the FreeBSD Security How-To at:

http://www.freebsd.org/~jkb/howto.html

-Bill

--
-=| Bill Swingle - unfurl@dub.net - unfurl@freebsd.org - bill@cdrom.com
-=| "Computers are useless. They can only give you answers" Pablo Picasso

From owner-freebsd-security Mon Jun 14 16:33:11 1999
Received: from tesla.i-pi.com (tesla.i-pi.com [198.49.217.4]) by hub.freebsd.org (Postfix) with ESMTP id EEFD114C1F for ; Mon, 14 Jun 1999 16:33:08 -0700 (PDT) (envelope-from ingham@tesla.i-pi.com)
Received: (from ingham@localhost) by tesla.i-pi.com (8.9.1/8.9.1) id RAA14972; Mon, 14 Jun 1999 17:33:00 -0600 (MDT)
Message-ID: <19990614173259.33286@i-pi.com>
Date: Mon, 14 Jun 1999 17:32:59 -0600
From: Kenneth Ingham
To: LutzRab@omc.net
Cc: security@FreeBSD.ORG
Subject: Re: New Attack via sendmail?
References: <199906141930.VAA14403@office.omc.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.84e
In-Reply-To: <199906141930.VAA14403@office.omc.net>; from Lutz Rabing on Mon, Jun 14, 1999 at 09:30:58PM +0200

On Mon, Jun 14, 1999 at 09:30:58PM +0200, Lutz Rabing wrote:
>
> I've seen some pretty strange lines in syslog of one of our webservers.
>
> The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
> swap space before, in fact it's not using swap space at all under normal
> conditions.
[log deleted]

I've seen the exact same thing on a 2.2.6 system running sendmail 8.9.1 with procmail as a local delivery agent when a really large email message (one which was around 1/3 - 1/2 of total swap space) was moving through.

Kenneth

From owner-freebsd-security Mon Jun 14 16:38:17 1999
Received: from mercurio.nar.ufv.br (mercurio.nar.ufv.br [200.18.130.84]) by hub.freebsd.org (Postfix) with SMTP id EF2C414E3E for ; Mon, 14 Jun 1999 16:38:13 -0700 (PDT) (envelope-from kernel@tdnet.com.br)
Received: (qmail 437 invoked from network); 14 Jun 1999 23:32:31 -0000
Received: from mercurio.nar.ufv.br (HELO tdnet.com.br) (200.18.130.84) by mercurio.nar.ufv.br with SMTP; 14 Jun 1999 23:32:31 -0000
Message-ID: <3765910F.86DB16B9@tdnet.com.br>
Date: Mon, 14 Jun 1999 20:32:31 -0300
From: Gustavo V G C Rios
X-Mailer: Mozilla 4.51 [en] (X11; I; SunOS 5.5.1 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Subject: nmap needs bpf?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Does nmap need bpf? I was running it on my 3.2 system! Suddenly it stopped working, complaining it needs bpf, but why did it happen? I did not rebuild my kernel, the kernel is the same, I did no changes to the kernel!

Thank you a lot!

From owner-freebsd-security Mon Jun 14 16:52: 9 1999
Received: from ivory.lm.com (ivory.telerama.com [205.201.1.20]) by hub.freebsd.org (Postfix) with ESMTP id AC7A814CB4; Mon, 14 Jun 1999 16:52:04 -0700 (PDT) (envelope-from evs@telerama.com)
Received: from mvehpc (d15-12.dyn.telerama.com [205.201.42.76]) by ivory.lm.com (8.8.5/8.6.12) with SMTP id TAA17396; Mon, 14 Jun 1999 19:50:38 -0400 (EDT)
Message-ID: <006301beb6c0$802ab090$6f27abcd@mvehpc.evs.slip.lm.com>
Reply-To: "Mikhail V. Evstiounin"
From: "Mikhail V. Evstiounin"
To: "Zhihui Zhang" , "Jason L. Schwab"
Cc: ,
Subject: Re: reading files.
Date: Mon, 14 Jun 1999 19:49:09 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3

Zhihui Zhang
>
>On Sun, 13 Jun 1999, Jason L. Schwab wrote:
>
>>
>> I heard that there is a way to read any file on a freebsd system as a
>> normal non-root user.. is this true? if so can some one give me some info
>> on this? thanks.
>
>Unless you are root or have somehow gotten the root password. Or you may
>steal the hard drive and examine it elsewhere. BTW, I know Windows-NT has
>a feature that does not allow the Administrator (known as root in Unix) to

???????? It allows you to see ownership, take it and read a file, then you can reassign ownership back - this is not very convenient, but...

>access the file of a normal user. I wonder if this feature can be added
>to FreeBSD easily.
>
>-Zhihui
>

From owner-freebsd-security Mon Jun 14 17:24:16 1999
Received: from trixie.teamspirit.com (trixie.teamspirit.com [204.94.66.2]) by hub.freebsd.org (Postfix) with ESMTP id 7C70214CF9 for ; Mon, 14 Jun 1999 17:24:09 -0700 (PDT) (envelope-from preeper@cts.com)
Received: from sgt361.teamspirit.com (dt2-blk1-hfc-0251-d1db0ca7.rdc1.sdca.coxatwork.com [209.219.12.167]) by trixie.teamspirit.com (8.9.2/8.9.1) with SMTP id RAA20712; Mon, 14 Jun 1999 17:49:18 -0700 (PDT)
Message-Id: <3.0.5.32.19990614172328.041c7970@crash.cts.com>
X-Sender: preeper@crash.cts.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Mon, 14 Jun 1999 17:23:28 -0700
To: Kenneth Ingham , LutzRab@omc.net
From: Jerry Preeper
Subject: Re: New Attack via sendmail?
Cc: security@FreeBSD.ORG
In-Reply-To: <19990614173259.33286@i-pi.com>
References: <199906141930.VAA14403@office.omc.net> <199906141930.VAA14403@office.omc.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

I've had this similar thing hit me with 2.2.8-Stable and procmail 3.11.pre7 I think. It has a problem that apparently has been fixed in 3.13 so if you're using procmail, time to upgrade. Someone sent us a 30MB email (40+MB after encoding) that just couldn't get through my procmail recipes without killing the machine. I have since upgraded procmail, although I haven't yet tested it with this large of an email. First it eats up all the swap space trying to match all the conditions, then all sorts of services just start dying until the whole machine is pretty much dead.

Jerry

>>
>> I've seen some pretty strange lines in syslog of one of our webservers.
>>
>> The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
>> swap space before, in fact it's not using swap space at all under normal
>> conditions.
>[log deleted]
>
>I've seen the exact same thing on a 2.2.6 system running sendmail
>8.9.1 with procmail as a local delivery agent when a really large
>email message (one which was around 1/3 - 1/2 of total swap space)
>was moving through.
>
>Kenneth
>

From owner-freebsd-security Mon Jun 14 19:43:20 1999
Received: from uni03mr.unity.ncsu.edu (uni03mr.unity.ncsu.edu [152.1.1.166]) by hub.freebsd.org (Postfix) with ESMTP id 0D5BE14E4B for ; Mon, 14 Jun 1999 19:43:18 -0700 (PDT) (envelope-from pjspycha@unity.ncsu.edu)
Received: from unity.ncsu.edu (vts-ral2-S17.vnet.net [166.82.100.57]) by uni03mr.unity.ncsu.edu (8.8.8/8.8.8/UR01Feb99) with ESMTP id WAA23675 for ; Mon, 14 Jun 1999 22:47:04 -0400 (EDT)
Message-ID: <3765BE28.882F44B5@unity.ncsu.edu>
Date: Mon, 14 Jun 1999 22:44:56 -0400
From: "Mr. P"
X-Mailer: Mozilla 4.5 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: subscribe freebsd-security
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

subscribe freebsd-security

From owner-freebsd-security Mon Jun 14 19:50: 3 1999
Received: from web105.yahoomail.com (web105.yahoomail.com [205.180.60.71]) by hub.freebsd.org (Postfix) with SMTP id 80EE214E4B for ; Mon, 14 Jun 1999 19:50:02 -0700 (PDT) (envelope-from holtor@yahoo.com)
Message-ID: <19990615025002.24925.rocketmail@web105.yahoomail.com>
Received: from [209.191.62.61] by web105.yahoomail.com; Mon, 14 Jun 1999 19:50:02 PDT
Date: Mon, 14 Jun 1999 19:50:02 -0700 (PDT)
From: Holtor
Subject: DES & MD5?
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hello guys. I've been using DES on all my servers but I'm thinking of converting to MD5 since it seems to be more secure?

I know that it's not an easy change, probably even an impossible one... can anyone point me in a good direction?

Also any input on which is better and why would be appreciated as well.

Thanks,
Holt

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

From owner-freebsd-security Mon Jun 14 20:29:40 1999
Received: from phoenix (phoenix.aye.net [198.7.192.5]) by hub.freebsd.org (Postfix) with SMTP id 1B82A14DBF for ; Mon, 14 Jun 1999 20:29:38 -0700 (PDT) (envelope-from barrett@phoenix.aye.net)
Received: (qmail 2320 invoked by uid 1000); 15 Jun 1999 03:29:12 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Jun 1999 03:29:12 -0000
Date: Mon, 14 Jun 1999 23:29:12 -0400 (EDT)
From: Barrett Richardson
To: Holtor
Cc: freebsd-security@freebsd.org
Subject: Re: DES & MD5?
In-Reply-To: <19990615025002.24925.rocketmail@web105.yahoomail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 14 Jun 1999, Holtor wrote:

>
> Hello guys. I've been using DES on all my servers
> but i'm thinking of converting to MD5 since it
> seems to be more secure?
>

The key space is much larger. If users were forced to use passwords at least nine characters in length, that would make it tougher on password cracking programs.

> I know that its not an easy change, probably even
> an impossible one...can anyone point me in a good
> direction?

You might be able to change the name of crypt in libdes.a to something like crypt_des() and then hack crypt() to fall back to crypt_des() if it does not get fed a salt beginning with "$1$".

>
> Also any input on which is better and why would
> be appreciated as well.
>
> Thanks,
> Holt
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
>

From owner-freebsd-security Mon Jun 14 20:42: 5 1999
Received: from proxy3.ba.best.com (proxy3.ba.best.com [206.184.139.14]) by hub.freebsd.org (Postfix) with ESMTP id 43415153B1 for ; Mon, 14 Jun 1999 20:42:03 -0700 (PDT) (envelope-from GregoryC@stcinc.com)
Received: from stcinc.com (gw-covad768k-cognitivetech.ncal.verio.com [207.20.238.29] (may be forged)) by proxy3.ba.best.com (8.9.3/8.9.2/best.out) with ESMTP id UAA25029; Mon, 14 Jun 1999 20:39:58 -0700 (PDT)
Message-ID: <3765224B.2AD29CD6@stcinc.com>
Date: Mon, 14 Jun 1999 08:39:55 -0700
From: Gregory Carvalho
X-Mailer: Mozilla 4.08 [en] (X11; I; FreeBSD 3.1-RELEASE i386)
MIME-Version: 1.0
To: Scott Benjamin
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: Security Docs? Help?
References: <1D7D0A00F0E8D111A26600104B873E4C01783DAB@exchange.quests.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

A fine page on securing a FreeBSD system is at http://www.freebsd.org/~jkb/howto.html

Scott Benjamin wrote:
>
> Could someone point me in the right direction for securing a FreeBSD box?
> I'm looking for some documentation and such in helping me make sure I hit
> all of the angles so that someone else doesn't =).
>
> thanks in advance,
>
> Scott
>
> ----
> "Any sufficiently advanced bug is indistinguishable from a feature"
> -- Rich Kulawiec
>

--
Cordially,
Gregory Carvalho
GregoryC@stcinc.com
Simplified Technology Company
http://www.stcinc.com
In God I Trust!

From owner-freebsd-security Mon Jun 14 21:18:23 1999
Received: from is2.nyu.edu (IS2.NYU.EDU [128.122.253.135]) by hub.freebsd.org (Postfix) with ESMTP id 32FB115205; Mon, 14 Jun 1999 21:18:20 -0700 (PDT) (envelope-from hqy2446@is2.nyu.edu)
Received: from localhost (hqy2446@localhost) by is2.nyu.edu (8.8.8/8.8.7) with SMTP id AAA22808; Tue, 15 Jun 1999 00:18:20 -0400 (EDT)
Date: Tue, 15 Jun 1999 00:18:20 -0400 (EDT)
From: hqy2446
To: questions@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: installing pgp262s
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

At ../../../src, invoking "make" doesn't work. Without "make" displays , but there is no "freebsd". There is 386bsd, bsd, bsdgcc, netbsd, though. How could the "make" be working and install pgp262s? (I tried all bsd* related arguments, but all caused '*** Error code 1'.)

Ps. I downloaded pgp262s from MIT's web site. It seems they have a Linux version of pgp5, but FreeBSD and other UNIX implementations.

-Paul

From owner-freebsd-security Mon Jun 14 21:24:26 1999
Received: from bogon.kjsl.com (bogon.kjsl.com [205.179.23.2]) by hub.freebsd.org (Postfix) with ESMTP id 401ED14DAE; Mon, 14 Jun 1999 21:24:23 -0700 (PDT) (envelope-from javier@bogon.kjsl.com)
Received: (from javier@localhost) by bogon.kjsl.com (8.9.3/8.9.3) id VAA12078; Mon, 14 Jun 1999 21:24:16 -0700 (PDT)
From: Javier Henderson
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14181.54639.978399.404820@bogon.kjsl.com>
Date: Mon, 14 Jun 1999 21:24:15 -0700 (PDT)
To: hqy2446
Cc: questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: installing pgp262s
In-Reply-To:
References:
X-Mailer: VM 6.63 under Emacs 19.34.1

hqy2446 writes:
> At ../../../src, invoking "make" doesn't work. Without "make"
> displays , but there is no "freebsd". There is 386bsd, bsd,
> bsdgcc, netbsd, though. How could the "make" be working and install
> pgp262s? (I tried all bsd* related arguments, but all caused '*** Error
> code 1'.
>
> Ps. I download pgp262s from MIT's web site. It seems they have Linux
> version of pgp5, but FreeBSD and other UNIX implementations.

cd /usr/ports/security/pgp
make all

-jav

From owner-freebsd-security Mon Jun 14 23:24:43 1999
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E6F9B14D90; Mon, 14 Jun 1999 23:24:39 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA46341; Tue, 15 Jun 1999 00:24:38 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA90467; Tue, 15 Jun 1999 00:24:22 -0600 (MDT)
Message-Id: <199906150624.AAA90467@harmony.village.org>
To: "Jason L. Schwab"
Subject: Re: reading files.
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Sun, 13 Jun 1999 14:46:37 MDT."
References:
Date: Tue, 15 Jun 1999 00:24:21 -0600
From: Warner Losh

In message "Jason L. Schwab" writes:
: I heard that there is a way to read any file on a freebsd system as a
: normal non-root user.. is this true? if so can some one give me some info
: on this? thanks.

To the best of my knowledge, this is not correct in the current versions of FreeBSD. There have been bugs in prior versions which might allow this to happen. I don't think there are any in 2.2.8 even. Some of these bugs were very specific and required another user to do something and a race to be lost. Others required a sloppily programmed setuid program, with or without the same races.

Warner

From owner-freebsd-security Mon Jun 14 23:25:39 1999
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 38C2914D90; Mon, 14 Jun 1999 23:25:35 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA46349; Tue, 15 Jun 1999 00:25:31 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA90483; Tue, 15 Jun 1999 00:25:15 -0600 (MDT)
Message-Id: <199906150625.AAA90483@harmony.village.org>
To: Zhihui Zhang
Subject: Re: reading files.
Cc: "Jason L. Schwab" , freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 14 Jun 1999 11:10:48 EDT."
References:
Date: Tue, 15 Jun 1999 00:25:15 -0600
From: Warner Losh

In message Zhihui Zhang writes:
: I wonder if this feature can be added
: to FreeBSD easily.

dump reads the raw devices, so I don't think this would be easy.

Warner

From owner-freebsd-security Mon Jun 14 23:26:53 1999
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 551DA15290; Mon, 14 Jun 1999 23:26:47 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA46356; Tue, 15 Jun 1999 00:26:46 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA90513; Tue, 15 Jun 1999 00:26:30 -0600 (MDT)
Message-Id: <199906150626.AAA90513@harmony.village.org>
To: Scott Benjamin
Subject: Re: Security Docs? Help?
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
In-reply-to: Your message of "Mon, 14 Jun 1999 10:45:16 PDT." <1D7D0A00F0E8D111A26600104B873E4C01783DAB@exchange.quests.com>
References: <1D7D0A00F0E8D111A26600104B873E4C01783DAB@exchange.quests.com>
Date: Tue, 15 Jun 1999 00:26:30 -0600
From: Warner Losh

In message <1D7D0A00F0E8D111A26600104B873E4C01783DAB@exchange.quests.com> Scott Benjamin writes:
: Could someone point me in the right direction for securing a FreeBSD box?
: I'm looking for some documentation and such in helping me make sure I hit
: all of the angles so that someone else doesn't =).

You can look in the FreeBSD handbook for some of this information. For the most part, disable all those services you aren't explicitly using. If you are running programs that aren't part of freebsd proper, make sure you have the latest version.

Warner

From owner-freebsd-security Mon Jun 14 23:30:53 1999
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 3E92B15290 for ; Mon, 14 Jun 1999 23:30:50 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA46373; Tue, 15 Jun 1999 00:30:49 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA90548; Tue, 15 Jun 1999 00:30:33 -0600 (MDT)
Message-Id: <199906150630.AAA90548@harmony.village.org>
To: LutzRab@omc.net
Subject: Re: New Attack via sendmail?
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 14 Jun 1999 21:30:58 +0200." <199906141930.VAA14403@office.omc.net>
References: <199906141930.VAA14403@office.omc.net>
Date: Tue, 15 Jun 1999 00:30:33 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199906141930.VAA14403@office.omc.net> "Lutz Rabing" writes:
: I've seen some pretty strange lines in syslog of one of our webservers.
:
: The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
: swap space before, in fact it's not using swap space at all under normal
: conditions.

Have you used gdb to get a traceback from sendmail.core? Have you considered building sendmail from sources and installing that binary if you have the stripped binary installed? I've not heard of an attack like this recently.

Also, I'd take a look at cucipop. It may be the case that it, or something else, is eating all the memory, causing problems for sendmail, et al. 'ps auxww' should help next time this happens.

Warner

From owner-freebsd-security Mon Jun 14 23:43:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 1BA9A14F0C for ; Mon, 14 Jun 1999 23:43:40 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA46401; Tue, 15 Jun 1999 00:43:39 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA90605; Tue, 15 Jun 1999 00:43:23 -0600 (MDT)
Message-Id: <199906150643.AAA90605@harmony.village.org>
To: Holtor
Subject: Re: DES & MD5?
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 14 Jun 1999 19:50:02 PDT." <19990615025002.24925.rocketmail@web105.yahoomail.com>
References: <19990615025002.24925.rocketmail@web105.yahoomail.com>
Date: Tue, 15 Jun 1999 00:43:23 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19990615025002.24925.rocketmail@web105.yahoomail.com> Holtor writes:
: Hello guys. I've been using DES on all my servers
: but I'm thinking of converting to MD5 since it
: seems to be more secure?

Are you using yp? If not, then there likely isn't much difference between the two. MD5 was used as a replacement for DES when the des routines were export controlled. Since no one but root can grab the encrypted passwords, you'll gain nothing by moving from one to the other.

If you are using yp, then someone who is listening to the network can still run a dictionary attack on the encrypted passwords. If you are sending passwords in the clear over the net, then the attacker can grab them like that...

Warner

From owner-freebsd-security Mon Jun 14 23:50: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 8297B14F0C for ; Mon, 14 Jun 1999 23:49:59 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id IAA05184; Tue, 15 Jun 1999 08:49:05 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Warner Losh
Cc: Holtor, freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-reply-to: Your message of "Tue, 15 Jun 1999 00:43:23 MDT." <199906150643.AAA90605@harmony.village.org>
Date: Tue, 15 Jun 1999 08:49:04 +0200
Message-ID: <5182.929429344@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199906150643.AAA90605@harmony.village.org>, Warner Losh writes:
>In message <19990615025002.24925.rocketmail@web105.yahoomail.com>
>Holtor writes:
>: Hello guys. I've been using DES on all my servers
>: but i'm thinking of converting to MD5 since it
>: seems to be more secure?
>
>Are you using yp? If not, then there likely isn't much difference
>between the two. MD5 was used as a replacement for DES when the des
>routines were export controlled. Since no one but root can grab the
>encrypted passwords, you'll gain nothing by moving from one to the
>other.

Uhm, sorry Warner, but that is not true. A brute force attack on MD5 is many orders of magnitude slower than on DES.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon Jun 14 23:56:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id CB82514F0C for ; Mon, 14 Jun 1999 23:56:23 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id QAA26936; Tue, 15 Jun 1999 16:26:19 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA23438; Tue, 15 Jun 1999 16:27:31 +0930
Date: Tue, 15 Jun 1999 16:27:30 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Barrett Richardson
Cc: Holtor, freebsd-security@freebsd.org
Subject: Re: DES & MD5?
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 14 Jun 1999, Barrett Richardson wrote:

> > Hello guys. I've been using DES on all my servers
> > but I'm thinking of converting to MD5 since it
> > seems to be more secure?

MD5 passwords are believed to be much stronger than DES passwords: not only is the keyspace larger (DES passwords only accept up to 8 characters, MD5 up to 2^64-1 characters :) but the algorithm itself is more resistant to attack. You might have heard of the EFF's budget DES-cracking hardware they debuted last year, which is capable of brute-forcing DES keys at a phenomenal rate, and exhaustively searching the keyspace in a matter of a few days. It's generally believed that MD5 passwords are much more resistant to attack, although a weakness in the algorithm cannot be ruled out.

> > I know that it's not an easy change, probably even
> > an impossible one...can anyone point me in a good
> > direction?
>
> You might could change the name of crypt in libdes.a to something
> like crypt_des() and then hack crypt() to fall back to crypt_des()
> if it does not get fed a salt beginning with "$1$".

Unfortunately, with the current crypt code it's not possible to have MD5 passwords when you have the DES libraries installed unless you hack crypt() in libcrypt (if crypt() sees the availability of DES code it will use that in preference to MD5). It's not hard to hack this to default the other way, though. Then it would be a matter of expiring all your user passwords, and the new ones they choose will be MD5 instead of DES.
I have some patches I'm working on with Mark Murray (based on some earlier work by Brandon Gillespie) which provide 'unified' SHA-1/MD5/DES/Blowfish password support, and can be configured to use different ciphers based on login classes, but these are not quite ready for prime-time.

Kris

-----
"Never criticize anybody until you have walked a mile in their shoes, because by that time you will be a mile away and have their shoes." -- Unknown

From owner-freebsd-security Mon Jun 14 23:58:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id D88281546D for ; Mon, 14 Jun 1999 23:58:29 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA46439; Tue, 15 Jun 1999 00:58:27 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA90712; Tue, 15 Jun 1999 00:58:11 -0600 (MDT)
Message-Id: <199906150658.AAA90712@harmony.village.org>
To: Poul-Henning Kamp
Subject: Re: DES & MD5?
Cc: Holtor, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 15 Jun 1999 08:49:04 +0200." <5182.929429344@critter.freebsd.dk>
References: <5182.929429344@critter.freebsd.dk>
Date: Tue, 15 Jun 1999 00:58:11 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <5182.929429344@critter.freebsd.dk> Poul-Henning Kamp writes:
: Uhm, sorry Warner, but that is not true. A brute force attack on
: MD5 is many orders of magnitude slower than on DES.

Wouldn't that cause lots of messages to be logged about failed login attempts? I was talking about the case where no one can get the encrypted passwords. I do suppose this assumes that all the programs that do login verification do syslog failures...

I agree that MD5 is better when the possibility of disclosure of the encrypted passwords exists...

Warner

From owner-freebsd-security Tue Jun 15 0: 0:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id CCD9915434 for ; Tue, 15 Jun 1999 00:00:09 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id QAA27062; Tue, 15 Jun 1999 16:30:08 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA09054; Tue, 15 Jun 1999 16:31:23 +0930
Date: Tue, 15 Jun 1999 16:31:22 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Poul-Henning Kamp
Cc: Warner Losh, Holtor, freebsd-security@freebsd.org
Subject: Re: DES & MD5?
In-Reply-To: <5182.929429344@critter.freebsd.dk>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Poul-Henning Kamp wrote:

> >Are you using yp? If not, then there likely isn't much difference
> >between the two. MD5 was used as a replacement for DES when the des
> >routines were export controlled. Since no one but root can grab the
> >encrypted passwords, you'll gain nothing by moving from one to the
> >other.
>
> Uhm, sorry Warner, but that is not true. A brute force attack on
> MD5 is many orders of magnitude slower than on DES.

Warner's point, I believe, was that without using YP there's no easy way to get at the encrypted passwords and thereby brute-force them. With YP (or equivalently, some other bug/exploit which exposes the password file) then the properties of your hash function do matter.

In reality of course, it's better to be safe and use strong password methods even when they 'should' not be needed by virtue of the password file being hidden.

Kris

>
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
>

-----
"Never criticize anybody until you have walked a mile in their shoes, because by that time you will be a mile away and have their shoes."
-- Unknown

From owner-freebsd-security Tue Jun 15 0: 4:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 61B1714BE1 for ; Tue, 15 Jun 1999 00:04:23 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id BAA46478; Tue, 15 Jun 1999 01:04:22 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id BAA90853; Tue, 15 Jun 1999 01:04:07 -0600 (MDT)
Message-Id: <199906150704.BAA90853@harmony.village.org>
To: Kris Kennaway
Subject: Re: DES & MD5?
Cc: Holtor, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 15 Jun 1999 16:31:22 +0930."
References:
Date: Tue, 15 Jun 1999 01:04:06 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Kris Kennaway writes:
: In reality of course, it's better to be safe and use strong password methods
: even when they 'should' not be needed by virtue of the password file being
: hidden.

This is of course true.

However, IIRC, the pain to do this is high.

Warner

From owner-freebsd-security Tue Jun 15 0: 5:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 220A515487 for ; Tue, 15 Jun 1999 00:05:20 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id JAA05246; Tue, 15 Jun 1999 09:04:33 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Warner Losh
Cc: Holtor, freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-reply-to: Your message of "Tue, 15 Jun 1999 00:58:11 MDT." <199906150658.AAA90712@harmony.village.org>
Date: Tue, 15 Jun 1999 09:04:33 +0200
Message-ID: <5244.929430273@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199906150658.AAA90712@harmony.village.org>, Warner Losh writes:
>In message <5182.929429344@critter.freebsd.dk> Poul-Henning Kamp writes:
>: Uhm, sorry Warner, but that is not true. A brute force attack on
>: MD5 is many orders of magnitude slower than on DES.
>
>Wouldn't that cause lots of messages to be logged about failed login
>attempts? I was talking about the case where no one can get the
>encrypted passwords. I do suppose this assumes that all the programs
>that do login verification do syslogs failures...

Which I must admit I have never verified that they do. I don't think a brute force attack without the scrambled passwords is sufficiently feasible to be attempted, for one thing you reveal your source-IP or tty/terminal identity, but even so, MD5 takes longer to compute than DES.

>I agree that MD5 is better when the possibility of disclosure of the
>encrypted passwords exists...

Which it always does, it's only a matter of at which probability.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Tue Jun 15 0: 9:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 6D8C014CF3 for ; Tue, 15 Jun 1999 00:09:40 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id QAA27175; Tue, 15 Jun 1999 16:39:39 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA26137; Tue, 15 Jun 1999 16:40:54 +0930
Date: Tue, 15 Jun 1999 16:40:54 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Warner Losh
Cc: Holtor, freebsd-security@freebsd.org
Subject: Re: DES & MD5?
In-Reply-To: <199906150704.BAA90853@harmony.village.org>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Warner Losh wrote:

> : In reality of course, it's better to be safe and use strong password methods
> : even when they 'should' not be needed by virtue of the password file being
> : hidden.
>
> This is of course true.
>
> However, IIRC, the pain to do this is high.

Where does it hurt? I can imagine if you were trying to share your password files between e.g. Suns, but if you want to have MD5 passwords when you have the DES sources installed it's just a simple hack to crypt.c AFAIK.

Kris

>
> Warner
>

-----
"Never criticize anybody until you have walked a mile in their shoes, because by that time you will be a mile away and have their shoes." -- Unknown

From owner-freebsd-security Tue Jun 15 0:14:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id B02F814CF3 for ; Tue, 15 Jun 1999 00:14:26 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id JAA28186; Tue, 15 Jun 1999 09:13:09 +0200 (CEST) (envelope-from des)
To: "Richard Childers"
Cc: ,
Subject: Re: reading files.
References: <3765537B.6D0BC801@3-cities.com> <376557C2.3230DC3B@hamquist.com>
From: Dag-Erling Smorgrav
Date: 15 Jun 1999 09:13:08 +0200
In-Reply-To: "Richard Childers"'s message of "Mon, 14 Jun 1999 12:28:02 -0700"
Message-ID:
Lines: 9
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Richard Childers" writes:
> Don't forget that PGP is exactly as secure as the filesystem on which
> your key(s) reside ...

One word: passphrase.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Jun 15 0:19:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id DC82814DAE for ; Tue, 15 Jun 1999 00:19:34 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id JAA28367; Tue, 15 Jun 1999 09:19:27 +0200 (CEST) (envelope-from des)
To: Gustavo V G C Rios
Cc: security@FreeBSD.ORG
Subject: Re: nmap needs bfp ?
References: <3765910F.86DB16B9@tdnet.com.br>
From: Dag-Erling Smorgrav
Date: 15 Jun 1999 09:19:26 +0200
In-Reply-To: Gustavo V G C Rios's message of "Mon, 14 Jun 1999 20:32:31 -0300"
Message-ID:
Lines: 15
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Gustavo V G C Rios writes:
> Does nmap need bfp ?

BPF. Yes.

> I was running it on my 3.2 system!
> Suddenly it stopped working, complaining it needs bfp, but did it happen?
> I did not rebuild my kernel, the kernel is the same, I did no changes to
> the kernel!

Then it works just the same as it did before, doesn't it?

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Jun 15 0:22:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 63DF114D62 for ; Tue, 15 Jun 1999 00:22:54 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id JAA28428; Tue, 15 Jun 1999 09:22:09 +0200 (CEST) (envelope-from des)
To: Kris Kennaway
Cc: Poul-Henning Kamp, Warner Losh, Holtor, freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
References:
From: Dag-Erling Smorgrav
Date: 15 Jun 1999 09:22:08 +0200
In-Reply-To: Kris Kennaway's message of "Tue, 15 Jun 1999 16:31:22 +0930 (CST)"
Message-ID:
Lines: 11
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway writes:
> Warner's point, I believe, was that without using YP there's no easy way to
> get at the encrypted passwords and thereby brute-force them. With YP (or
> equivalently, some other bug/exploit which exposes the password file) then the
> properties of your hash function does matter.

Always assume the bad guys have your password files.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Jun 15 0:23:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 4BA2915428; Tue, 15 Jun 1999 00:23:19 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id JAA28450; Tue, 15 Jun 1999 09:23:00 +0200 (CEST) (envelope-from des)
To: Javier Henderson
Cc: hqy2446, questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: installing pgp262s
References: <14181.54639.978399.404820@bogon.kjsl.com>
From: Dag-Erling Smorgrav
Date: 15 Jun 1999 09:22:59 +0200
In-Reply-To: Javier Henderson's message of "Mon, 14 Jun 1999 21:24:15 -0700 (PDT)"
Message-ID:
Lines: 12
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Javier Henderson writes:
> cd /usr/ports/security/pgp
> make all

You mean:

# cd /usr/ports/security/pgp
# make install && make clean

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Jun 15 0:34:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E91D714DF1 for ; Tue, 15 Jun 1999 00:34:31 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id BAA46566; Tue, 15 Jun 1999 01:34:30 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id BAA91097; Tue, 15 Jun 1999 01:34:14 -0600 (MDT)
Message-Id: <199906150734.BAA91097@harmony.village.org>
To: Dag-Erling Smorgrav
Subject: Re: DES & MD5?
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "15 Jun 1999 09:22:08 +0200."
References:
Date: Tue, 15 Jun 1999 01:34:14 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Dag-Erling Smorgrav writes:
: Always assume the bad guys have your password files.

While this is a good assumption for planning purposes, it has limits. If your password file can be disclosed, chances are very good that any other file on your system can be disclosed. Generally speaking, this is a really bad thing, almost as bad as being able to replace any file in the system. This line of reasoning does implicitly assume that the files aren't shared via a non-encrypted channel.

This does point out the limits of "secret" passwords. Public key/private key authentication systems can make things more secure. However, they are ill suited to hardwired terminals since people are generally not as good at computers as computing signatures needed for this sort of thing.

Warner

From owner-freebsd-security Tue Jun 15 0:59:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from srh0710.urh.uiuc.edu (srh0710.urh.uiuc.edu [130.126.76.32]) by hub.freebsd.org (Postfix) with SMTP id F3DD314D6E for ; Tue, 15 Jun 1999 00:59:37 -0700 (PDT) (envelope-from ftobin@bigfoot.com)
Received: (qmail 16516 invoked by uid 1000); 15 Jun 1999 07:59:36 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Jun 1999 07:59:36 -0000
Date: Tue, 15 Jun 1999 02:59:36 -0500 (CDT)
From: Frank Tobin
X-Sender: ftobin@srh0710.urh.uiuc.edu
To: Dag-Erling Smorgrav
Cc: Richard Childers, kstewart@3-cities.com, freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dag-Erling Smorgrav, at 09:13 on 15 Jun 1999, wrote:

> One word: passphrase.

Erm, a couple more words. Trojaned PGP and tty snoop.

--
Frank Tobin                      "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin   valued, those truths which cannot be shaken
                                 or changed."  Myst: The Book of Atrus
FreeBSD: The Power To Serve      PGPenvelope = GPG and PGP5 + Pine
PGP: 4F86 3BBB A816 6F0A 340F  6003 56FF D10A 260C 4FA3
http://www.bigfoot.com/~ftobin/resources.html

From owner-freebsd-security Tue Jun 15 1:11:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from prioris (prioris.im.pw.edu.pl [148.81.80.7]) by hub.freebsd.org (Postfix) with ESMTP id 718E61543C for ; Tue, 15 Jun 1999 01:11:22 -0700 (PDT) (envelope-from zaks@im.pw.edu.pl)
Received: from pd221.warszawa.ppp.tpnet.pl ([212.160.55.221]:260 "EHLO medievalist.org" ident: "NO-IDENT-SERVICE[2]") by prioris.im.pw.edu.pl with ESMTP id <216150-22979>; Tue, 15 Jun 1999 10:12:54 +0200
Received: from zaks by medievalist.org with local (Exim 2.05 #1 (Debian)) id 10tb43-0000Dt-00; Mon, 14 Jun 1999 20:02:31 +0200
To: security@freebsd.org
Subject: Re: reading files.
References:
From: zaks@prioris.im.pw.edu.pl (Slawek Zak)
Date: 14 Jun 1999 20:02:31 +0200
In-Reply-To: Zhihui Zhang's message of "Mon, 14 Jun 1999 11:10:48 -0400 (EDT)"
Message-ID: <87674qhd8o.fsf@medievalist.org>
Lines: 19
User-Agent: Gnus/5.070085 (Pterodactyl Gnus v0.85) XEmacs/21.1 (20 Minutes to Nikko)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

** Zhihui Zhang wrote:

[...]

Zhihui> I know Windows-NT has a feature that does not allow the
Zhihui> Administrator (known as root in Unix) to access the file of a
Zhihui> normal user. I wonder if this feature can be added to FreeBSD
Zhihui> easily.

What for, if I may ask you? Capabilities are good for programs, but often harmful for #user. Don't tell me that it's useful for mail spool, I won't believe ;) Reading lusers' mail is one of BOFHen spare time duties.

On NT, there are many more things people don't know of, or have no means to control. We "lose" in this field badly.

/S
--
* Suavek Zak (Systems Administrator)
* email: zaks@im.pw.edu.pl  voice: +48 (0) 22 674 66 79
* PGP v2.6: 2048/9A7CBF71, finger://zaks@prioris.im.pw.edu.pl

From owner-freebsd-security Tue Jun 15 1:29: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shaper.fast.net.uk (shaper.fast.net.uk [194.207.104.25]) by hub.freebsd.org (Postfix) with ESMTP id 51E8014D98 for ; Tue, 15 Jun 1999 01:28:56 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from office0 ([192.168.0.110]) by shaper.fast.net.uk (8.8.8/8.8.7) with SMTP id JAA26698 for ; Tue, 15 Jun 1999 09:39:58 +0100 (BST)
Message-Id: <3.0.6.32.19990615092904.00943210@192.168.0.100>
X-Sender: netadmi@192.168.0.100
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Tue, 15 Jun 1999 09:29:04 +0100
To: security@FreeBSD.ORG
From: FastNet Admin
Subject: Re: New Attack via sendmail?
In-Reply-To: <199906141930.VAA14403@office.omc.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

At 21:30 14/06/99 +0200, Lutz Rabing wrote:
>
>I've seen some pretty strange lines in syslog of one of our webservers.
>
>The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
>swap space before, in fact it's not using swap space at all under normal
>conditions.
>

I saw something like this and it appeared to be caused by a process called procmail that was spawning across the system using huge amounts of memory and processor capability. Though I never got totally to the bottom of this it appeared as if stupidly large emails being delivered locally invoked procmail. Procmail then swallowed all the resources till the system eventually crashed with out of swap errors. This happened several times.

It appears as if a log file being mailed to a user account was the cause of the problem and I have stopped this routine from happening. If I get the same thing again I'll set an email size limit of something like 30MB.

Regards

Ian Robertson
FastNet International Ltd

From owner-freebsd-security Tue Jun 15 2:17:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from www.babel.dk (slut.babel.dk [194.255.106.129]) by hub.freebsd.org (Postfix) with ESMTP id 9EF9B14E16 for ; Tue, 15 Jun 1999 02:17:15 -0700 (PDT) (envelope-from vader@vader.dk)
Received: from localhost (vader@localhost) by www.babel.dk (8.9.3/8.9.3) with SMTP id LAA18220; Tue, 15 Jun 1999 11:17:06 +0200 (CEST)
Date: Tue, 15 Jun 1999 11:17:06 +0200 (CEST)
From: Chris Larsen
X-Sender: vader@www.babel.dk
To: Gustavo V G C Rios
Cc: security@FreeBSD.ORG
Subject: Re: nmap needs bfp ?
In-Reply-To: <3765910F.86DB16B9@tdnet.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 14 Jun 1999, Gustavo V G C Rios wrote:

>
> Does nmap need bfp ?
> I was running it on my 3.2 system!
> Suddenly it stopped working, complaining it needs bfp, but did it happen?
> I did not rebuild my kernel, the kernel is the same, I did no changes to
> the kernel!
>

How many BPF devices do you have configured? Did you install something else that could have the BPF device open (dhcps, trafshow, iptraf, arpwatch etc etc.)? You must have enough BPF devices configured to satisfy all programs that want to have BPF open at the same time.

re.

darth@vader.dk   | Internet Café : Babel
vader@babel.dk   | Frederiksborggade 33
Chris Larsen     | Phone # +45 33 33 93 38
System Manager   | Open: 14-23 Mon - Sat
PGP-key id: 0x137993A5

From owner-freebsd-security Tue Jun 15 3:37:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from web128.yahoomail.com (web128.yahoomail.com [205.180.60.197]) by hub.freebsd.org (Postfix) with SMTP id 798C514D1D for ; Tue, 15 Jun 1999 03:37:45 -0700 (PDT) (envelope-from holtor@yahoo.com)
Message-ID: <19990615104334.23910.rocketmail@web128.yahoomail.com>
Received: from [209.191.62.61] by web128.yahoomail.com; Tue, 15 Jun 1999 03:43:34 PDT
Date: Tue, 15 Jun 1999 03:43:34 -0700 (PDT)
From: Holtor
Subject: Re: DES & MD5?
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

So there really is no easy way to convert. I just wanted to move everything to MD5. Then just go in, and change each user's password and e-mail them all. I'm really not an expert with hacking source code, I know I'd probably screw it up horribly. My original intent was that if someone broke in, I figure MD5 passwords would be harder to break.

Holt

--- Poul-Henning Kamp wrote:
> In message <199906150658.AAA90712@harmony.village.org>, Warner Losh writes:
> >In message <5182.929429344@critter.freebsd.dk> Poul-Henning Kamp writes:
> >: Uhm, sorry Warner, but that is not true. A brute force attack on
> >: MD5 is many orders of magnitude slower than on DES.
> >
> >Wouldn't that cause lots of messages to be logged about failed login
> >attempts? I was talking about the case where no one can get the
> >encrypted passwords. I do suppose this assumes that all the programs
> >that do login verification do syslogs failures...
>
> Which I must admit I have never verified that they do. I don't
> think a brute force attack without the scrambled passwords is
> sufficiently feasible to be attempted, for one thing you reveal
> your source-IP or tty/terminal identity, but even so, MD5 takes
> longer to compute than DES.
>
> >I agree that MD5 is better when the possibility of disclosure of the
> >encrypted passwords exists...
>
> Which it always does, it's only a matter of at which probability.
>
> --
> Poul-Henning Kamp FreeBSD coreteam member
> phk@FreeBSD.ORG "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
>

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

From owner-freebsd-security Tue Jun 15 6:25:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from retribution.net (retribution.net [207.96.1.17]) by hub.freebsd.org (Postfix) with ESMTP id 2AA5015583 for ; Tue, 15 Jun 1999 06:25:54 -0700 (PDT) (envelope-from mjoseff@retribution.net)
Received: from retribution.net (retribution.net [207.96.1.17]) by retribution.net (8.9.3/8.9.1) with ESMTP id JAA20224 for ; Tue, 15 Jun 1999 09:25:56 -0500 (EST)
Date: Tue, 15 Jun 1999 09:25:56 -0500 (EST)
From: Matthew Joseff
To: freebsd-security@FreeBSD.ORG
Subject: /var/log/messages
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Found this in my "messages" this morning:

Jun 15 07:18:51 retribution rshd[19891]: connection from 193.221.47.155 on illegal port 1574
Jun 15 07:18:51 retribution rlogind[19890]: Connection from 193.221.47.155 on illegal port

questions:

1) What can I do to avoid this?
2) Can any *real* damage be done from someone connecting like this?
3) What liabilities does this open the "offending" party's company to?

--
Matthew Joseff, Sr. Web Developer
RCN Corp. 703-321-2410
www.rcn.com NASDAQ: RCNC

From owner-freebsd-security Tue Jun 15 6:37:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sfmailrelay.hamquist.com (sfmailrelay2.hamquist.com [199.108.89.15]) by hub.freebsd.org (Postfix) with SMTP id 6E8B414C2D for ; Tue, 15 Jun 1999 06:37:16 -0700 (PDT) (envelope-from rchilders@hamquist.com)
Received: from 172.19.6.48 by sfmailrelay.hamquist.com with SMTP ( WorldSecure Server SMTP Relay(WSS) v3.2 SR1); Tue, 15 Jun 99 06:36:48 -0700
X-Server-Uuid: c29e0ff2-e8b9-11d1-a493-00c04fbbd7d3
Received: from hamquist.com ([172.19.6.230]) by sfmail.hamquist.com ( Netscape Messaging Server 3.6) with ESMTP id AAA28B2; Tue, 15 Jun 1999 09:37:15 -0400
Message-ID: <376657F1.C34C96A1@hamquist.com>
Date: Tue, 15 Jun 1999 06:41:05 -0700
From: "Richard Childers"
Organization: hambrecht & quist, llc
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: "Matthew Joseff"
Cc:
Subject: Re: /var/log/messages
References:
X-WSS-ID: 1B78897A256711-01-02
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"1) What can I do to avoid this?"

Install tcp_wrappers and configure it to deny connections from this subnet (if you care). Alternatively, you might prefer to continue to collect information, the better to analyze the situation.

"2) Can any *real* damage be done from someone connecting like this?"

Yes, if (a) their intention is malicious, and (b) their attempts to exploit your system's possible vulnerabilities are successful. Otherwise, no.

"3) What liabilities does this open the "offending" party's company to?"

What damages have you suffered ? Furthermore, establishing the actual source of the packets can be problematic; this is where collecting additional information becomes of use.

-- richard

Richard Childers
Senior UNIX Systems Administrator
Hambrecht & Quist, LLC
(415) 439-3838

Matthew Joseff wrote:
>
> Found this in my "messages" this morning:
>
> Jun 15 07:18:51 retribution rshd[19891]: connection from 193.221.47.155 on illegal port 1574
> Jun 15 07:18:51 retribution rlogind[19890]: Connection from 193.221.47.155 on illegal port
>
> questions:
>
> 1) What can I do to avoid this?
> 2) Can any *real* damage be done from someone connecting like this?
> 3) What liabilities does this open the "offending" party's company to?
>
> --
> Matthew Joseff, Sr. Web Developer
> RCN Corp.
> 703-321-2410
> www.rcn.com NASDAQ: RCNC
>

From owner-freebsd-security Tue Jun 15 6:45:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ints.ru (ints.ru [194.67.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 6CF7115217 for ; Tue, 15 Jun 1999 06:45:38 -0700 (PDT) (envelope-from ilmar@ws-ilmar.ints.ru)
Received: from ws-ilmar.ints.ru (ws-ilmar.ints.ru [194.67.173.16]) by ints.ru (8.9.2/8.9.2) with ESMTP id RAA19550; Tue, 15 Jun 1999 17:45:32 +0400 (MSD)
Received: (from uucp@localhost) by ws-ilmar.ints.ru (8.9.2/8.9.1) id RAA92256; Tue, 15 Jun 1999 17:45:30 +0400 (MSD)
Received: from localhost(127.0.0.1) via SMTP by localhost, id smtpds92254; Tue Jun 15 17:45:26 1999
Date: Tue, 15 Jun 1999 17:45:26 +0400 (MSD)
From: "Ilmar S. Habibulin"
To: Gustavo V G C Rios
Cc: security@FreeBSD.ORG
Subject: Re: nmap needs bfp ?
In-Reply-To: <3765910F.86DB16B9@tdnet.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 14 Jun 1999, Gustavo V G C Rios wrote:
>
> Does nmap need bfp ?
> I was running it on my 3.2 system!
> Suddenly it stop working, complaining it needs bfp, but did it happen?
> I did not rebuild my kernel, the kernel is the same, i did no changes to
> the kernel!

Maybe there is another app, that uses bpf. trafshow, ntop are using bpf. If so simply increase amount of bpf devices in kernel config file.

From owner-freebsd-security Tue Jun 15 6:55:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from yucca.daewoo.lublin.pl (yucca.daewoo.lublin.pl [195.205.71.11]) by hub.freebsd.org (Postfix) with ESMTP id 6728C15217 for ; Tue, 15 Jun 1999 06:55:16 -0700 (PDT) (envelope-from raf@yucca.daewoo.lublin.pl)
Received: from localhost (raf@localhost) by yucca.daewoo.lublin.pl (GetMail 1.2/sliffka0.3) with SMTP id PAA03228; Tue, 15 Jun 1999 15:55:11 +0200 (CEST)
Date: Tue, 15 Jun 1999 15:55:10 +0200 (CEST)
From: Rafal Banaszkiewicz
To: Matthew Joseff
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /var/log/messages
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Use tcp wrappers package .. it's included by default in 3.2 Release .. or you can install it via ports collection ..

r* services are unsafe services ... (the .rhosts "feature")

/* Rafal Banaszkiewicz | mailto:raf@yucca.daewoo.lublin.pl , #lublin
   UIN : 35053919 | http://www.no-web.page.pl , [RaF] on IrcNet */

From owner-freebsd-security Tue Jun 15 7:55:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id D38E515068 for ; Tue, 15 Jun 1999 07:55:52 -0700 (PDT) (envelope-from danderse@cs.utah.edu)
Received: from lal.cs.utah.edu (lal.cs.utah.edu [155.99.195.65]) by wrath.cs.utah.edu (8.8.8/8.8.8) with ESMTP id IAA03556; Tue, 15 Jun 1999 08:55:51 -0600 (MDT)
From: David G Andersen
Received: (from danderse@localhost) by lal.cs.utah.edu (8.8.8/8.8.8) id IAA19354; Tue, 15 Jun 1999 08:55:49 -0600 (MDT)
Message-Id: <199906151455.IAA19354@lal.cs.utah.edu>
Subject: Re: /var/log/messages
To: mjoseff@retribution.net (Matthew Joseff)
Date: Tue, 15 Jun 1999 08:55:49 -0600 (MDT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Matthew Joseff" at Jun 15, 99 09:25:56 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Since nobody has pointed it out yet, just FYI, this is typically an indication that you're being portscanned by the host 193.221.47.155. You might also want to check for telnet connections, NOQUEUE messages from sendmail, etc., to get a better idea of what they scanned. Then, contact postmaster@molnycke.se about it (or, if that fails, they list their domain contact as hostmaster@sgn.sca.se).

-Dave

Lo and behold, Matthew Joseff once said:
>
>
> Found this in my "messages" this morning:
>
> Jun 15 07:18:51 retribution rshd[19891]: connection from 193.221.47.155 on illegal port 1574
> Jun 15 07:18:51 retribution rlogind[19890]: Connection from 193.221.47.155 on illegal port
>
> questions:
>
> 1) What can I do to avoid this?
> 2) Can any *real* damage be done from someone connecting like this?
> 3) What liabilities does this open the "offending" party's company to?
>
> --
> Matthew Joseff, Sr. Web Developer
> RCN Corp. 703-321-2410
> www.rcn.com NASDAQ: RCNC
>

--
work: danderse@cs.utah.edu me: angio@pobox.com
University of Utah http://www.angio.net/
Computer Science - Flux Research Group "What's footnote FIVE?"
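The rshd/rlogind lines Matthew posted, plus Dave's advice to look for telnet connections and sendmail NOQUEUE messages from the same host, are the kind of correlation worth doing mechanically rather than by eye. The following is an added example (not from the thread and not FreeBSD code) that parses /var/log/messages-style lines, groups events by source address with a sliding time window, and flags any source that touched two or more distinct daemons within a minute; it then emits hosts.deny lines in tcp_wrappers syntax for the flagged sources, which is the deny step Richard and Rafal recommend. The two rshd/rlogind lines are the ones quoted above; the telnetd, sendmail and 192.0.2.9 lines are constructed, and the telnetd/sendmail message formats are assumptions that should be adjusted to what your own daemons actually log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the thread. Constructed regexes: the rshd/rlogind
# patterns match the lines quoted in the thread; the telnetd (tcp_wrappers
# style) and sendmail NOQUEUE forms are assumptions and may need adjusting.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
SIGNATURES = {
    "rshd": re.compile(r"connection from (?P<src>[\d.]+) on illegal port", re.I),
    "rlogind": re.compile(r"connection from (?P<src>[\d.]+) on illegal port", re.I),
    "telnetd": re.compile(r"connect from (?P<src>[\d.]+)", re.I),
    "sendmail": re.compile(r"NOQUEUE: .*\[(?P<src>[\d.]+)\]", re.I),
}


def parse_line(line, year=1999):
    """Return {'ts', 'src', 'service'} for a line matching a signature, else None.
    syslog lines carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    sig = SIGNATURES.get(m["prog"])
    if sig is None:
        return None
    s = sig.search(m["msg"])
    if s is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": s["src"], "service": m["prog"]}


def find_scans(lines, window_seconds=60, min_services=2):
    """Per source, slide a window over its events (sorted by time) and flag
    the source when any window contains at least min_services distinct
    daemons. Returns {src: sorted list of services seen in flagged windows}."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)
    scans = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        flagged = set()
        for i, first in enumerate(evs):
            seen = set()
            for ev in evs[i:]:
                if (ev["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                seen.add(ev["service"])
            if len(seen) >= min_services:
                flagged |= seen
        if flagged:
            scans[src] = sorted(flagged)
    return scans


def hosts_deny_lines(scans):
    """tcp_wrappers /etc/hosts.deny entries, one per flagged source."""
    return [f"ALL: {src}" for src in sorted(scans)]


# Constructed sample: the first two lines are the ones from the thread, the
# rest are made up (192.0.2.9 is a documentation address, not a real host).
SAMPLE_LOG = [
    "Jun 15 07:18:51 retribution rshd[19891]: connection from 193.221.47.155 on illegal port 1574",
    "Jun 15 07:18:51 retribution rlogind[19890]: Connection from 193.221.47.155 on illegal port",
    "Jun 15 07:18:53 retribution telnetd[19893]: connect from 193.221.47.155",
    "Jun 15 07:18:55 retribution sendmail[19895]: NOQUEUE: Null connection from [193.221.47.155]",
    "Jun 15 09:02:10 retribution rlogind[20107]: Connection from 192.0.2.9 on illegal port",
    "Jun 15 09:41:33 retribution cron[20221]: (root) CMD (/usr/libexec/atrun)",
]

if __name__ == "__main__":
    found = find_scans(SAMPLE_LOG)
    for src, services in found.items():
        print(f"{src}: probable scan, touched {', '.join(services)}")
    print("\n".join(hosts_deny_lines(found)))
```

The single rlogind hit from 192.0.2.9 is deliberately left unflagged: one stray connection on an "illegal" (non-reserved) source port is noise, while four daemons in four seconds from one address is the pattern Dave describes. Feed it the real file with `find_scans(open("/var/log/messages"))` and widen `SIGNATURES` as your logs dictate.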
From owner-freebsd-security Tue Jun 15 7:57:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.tellique.de (big-gw.tellique.de [195.126.133.179]) by hub.freebsd.org (Postfix) with ESMTP id 9CC8E15627 for ; Tue, 15 Jun 1999 07:57:19 -0700 (PDT) (envelope-from ni@tellique.de)
Received: from tellique.de (nolde.tellique.de [62.144.106.52]) by mail.tellique.de (8.8.7/8.8.8) with ESMTP id QAA05519; Tue, 15 Jun 1999 16:56:49 +0200
Message-ID: <376669B1.F7E6A746@tellique.de>
Date: Tue, 15 Jun 1999 16:56:49 +0200
From: Juergen Nickelsen
Organization: Tellique Kommunikationstechnik GmbH, Germany
X-Mailer: Mozilla 4.6 [en] (WinNT; U)
X-Accept-Language: de,en
MIME-Version: 1.0
To: sporkl@ix.netcom.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Spike wrote:
> Which are appropriate to block?

On my own firewall, I let pass the ICMP types

0 Echo Reply [RFC792]
3 Destination Unreachable [RFC792]
4 Source Quench [RFC792]
8 Echo [RFC792]
11 Time Exceeded [RFC792]
12 Parameter Problem [RFC792]
13 Timestamp [RFC792]
14 Timestamp Reply [RFC792]
15 Information Request [RFC792]
16 Information Reply [RFC792]
17 Address Mask Request [RFC950]
18 Address Mask Reply [RFC950]
30 Traceroute [RFC1393]
31 Datagram Conversion Error [RFC1475]

(excerpted from RFC 1700)

For completeness, these are the other types that are blocked:

1 Unassigned [JBP]
2 Unassigned [JBP]
5 Redirect [RFC792]
6 Alternate Host Address [JBP]
7 Unassigned [JBP]
9 Router Advertisement [RFC1256]
10 Router Selection [RFC1256]
19 Reserved (for Security) [Solo]
20-29 Reserved (for Robustness Experiment) [ZSu]
32 Mobile Host Redirect [David Johnson]
33 IPv6 Where-Are-You [Bill Simpson]
34 IPv6 I-Am-Here [Bill Simpson]
35 Mobile Registration Request [Bill Simpson]
36 Mobile Registration Reply [Bill Simpson]
37-255 Reserved [JBP]

I am not *really* sure if this is all ok, and I would appreciate a more authoritative response.

Greetings, Juergen.

--
Juergen Nickelsen
Tellique Kommunikationstechnik GmbH
Gustav-Meyer-Allee 25, 13355 Berlin, Germany
Tel.
+49 30 46307-552 / Fax +49 30 46307-579

From owner-freebsd-security Tue Jun 15 8:18: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.tellique.de (big-gw.tellique.de [195.126.133.179]) by hub.freebsd.org (Postfix) with ESMTP id B447514F88 for ; Tue, 15 Jun 1999 08:18:05 -0700 (PDT) (envelope-from ni@tellique.de)
Received: from tellique.de (nolde.tellique.de [62.144.106.52]) by mail.tellique.de (8.8.7/8.8.8) with ESMTP id RAA05646; Tue, 15 Jun 1999 17:17:46 +0200
Message-ID: <37666E9A.33FB34F9@tellique.de>
Date: Tue, 15 Jun 1999 17:17:46 +0200
From: Juergen Nickelsen
Organization: Tellique Kommunikationstechnik GmbH, Germany
X-Mailer: Mozilla 4.6 [en] (WinNT; U)
X-Accept-Language: de,en
MIME-Version: 1.0
To: David Shaw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
References: <19990614143734.B4439@jabberwocky.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

David Shaw wrote on freebsd-security:

> It's true that the NT Administrator can't read files that he doesn't
> have permission for, but since Administrator controls the ACLs, if he
> can't read something, he can trivially just change the permissions and
> give himself access!

He can't without taking over the ownership of the file, i. e. he can, but the original owner can tell afterwards.

Greetings, Juergen.

--
Juergen Nickelsen
Tellique Kommunikationstechnik GmbH
Gustav-Meyer-Allee 25, 13355 Berlin, Germany
Tel. +49 30 46307-552 / Fax +49 30 46307-579

From owner-freebsd-security Tue Jun 15 8:26: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ideaglobal.com (ultra2.ideaglobal.com [194.36.20.11]) by hub.freebsd.org (Postfix) with ESMTP id 9692214A2F for ; Tue, 15 Jun 1999 08:25:59 -0700 (PDT) (envelope-from kiril@ideaglobal.com)
Received: (from kiril@localhost) by ideaglobal.com (8.9.2/8.9.2) id QAA25879; Tue, 15 Jun 1999 16:19:42 +0100 (BST)
From: Kiril Mitev
Message-Id: <199906151519.QAA25879@ideaglobal.com>
Subject: Re: reading files.
To: ni@tellique.de (Juergen Nickelsen)
Date: Tue, 15 Jun 1999 16:19:41 +0100 (BST)
Cc: dshaw@jabberwocky.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <37666E9A.33FB34F9@tellique.de> from "Juergen Nickelsen" at Jun 15, 99 05:17:46 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> David Shaw wrote on freebsd-security:
>
> > It's true that the NT Administrator can't read files that he doesn't
> > have permission for, but since Administrator controls the ACLs, if he
> > can't read something, he can trivially just change the permissions and
> > give himself access!
>
> He can't without taking over the ownership of the file, i. e. he can,
> but the original owner can tell afterwards.

How many people have the habit of checking whether they still are the owner of their files? The check itself is far from point-and-click (regardless of M$ marketing info), and as long as access is allowed (trivial for an admin, once they know how to take over a file), the chances of people spotting it are close to nil.

Furthermore, if the files are on an NT server accessed from a 95/98 client, the user cannot see the ACL's (although they still apply on the server side).

'nuff said

Did anyone _expect_ VMS in a visual environment w/M$ networking to really work ??????????????

Kiril

>
> Greetings, Juergen.
>
> --
> Juergen Nickelsen
> Tellique Kommunikationstechnik GmbH
> Gustav-Meyer-Allee 25, 13355 Berlin, Germany
> Tel.
> +49 30 46307-552 / Fax +49 30 46307-579
>

From owner-freebsd-security Tue Jun 15 8:43: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from retribution.net (retribution.net [207.96.1.17]) by hub.freebsd.org (Postfix) with ESMTP id A3CA714FDB for ; Tue, 15 Jun 1999 08:43:02 -0700 (PDT) (envelope-from mjoseff@retribution.net)
Received: from retribution.net (retribution.net [207.96.1.17]) by retribution.net (8.9.3/8.9.1) with ESMTP id LAA23727; Tue, 15 Jun 1999 11:42:59 -0500 (EST)
Date: Tue, 15 Jun 1999 11:42:59 -0500 (EST)
From: Matthew Joseff
To: David G Andersen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /var/log/messages
In-Reply-To: <199906151455.IAA19354@lal.cs.utah.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, David G Andersen wrote:

}Since nobody has pointed it out yet, just FYI, this is typically an
}indication that you're being portscanned by the host 193.221.47.155.
}You might also want to check for telnet connections, NOQUEUE messages from
}sendmail, etc., to get a better idea of what they scanned.
}Then, contact postmaster@molnycke.se about it (or, if that fails, they
}list their domain contact as hostmaster@sgn.sca.se).

Thanks, I've disabled telnet, rsh, and rlogin, and installed tcp_wrappers (via /usr/ports . . . ). No "NOQUEUE"s in /var/log/mailog . . .

Thanks for the help.

--
Matthew Joseff, Sr. Web Developer
RCN Corp. 703-321-2410
www.rcn.com NASDAQ: RCNC

From owner-freebsd-security Tue Jun 15 9: 3:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id E1E0A14C2D for ; Tue, 15 Jun 1999 09:03:55 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id SAA40154; Tue, 15 Jun 1999 18:03:48 +0200 (CEST) (envelope-from des)
To: Juergen Nickelsen
Cc: sporkl@ix.netcom.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
References: <376669B1.F7E6A746@tellique.de>
From: Dag-Erling Smorgrav
Date: 15 Jun 1999 18:03:48 +0200
In-Reply-To: Juergen Nickelsen's message of "Tue, 15 Jun 1999 16:56:49 +0200"
Message-ID:
Lines: 45
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Juergen Nickelsen writes:
> Spike wrote:
> > Which are appropriate to block?
> On my own firewall, I let pass the ICMP types
> [...]

Block everything except 0,3,8,11. You don't need anything else.

> 0 Echo Reply [RFC792]
> 3 Destination Unreachable [RFC792]

You want these.

> 4 Source Quench [RFC792]

Source quench is so obviously abusable (and useless if your TCP/IP stack has proper congestion control, which BSD practically pioneered) that there is no sense in letting it through.

> 8 Echo [RFC792]
> 11 Time Exceeded [RFC792]

You want these.

> 12 Parameter Problem [RFC792]
> 13 Timestamp [RFC792]
> 14 Timestamp Reply [RFC792]
> 15 Information Request [RFC792]
> 16 Information Reply [RFC792]
> 17 Address Mask Request [RFC950]
> 18 Address Mask Reply [RFC950]

None of these are useful.

> 30 Traceroute [RFC1393]

This is only useful if you want to use ICMP instead of UDP or TCP for traceroute.

The remaining ICMP types range from 'not useful' to 'can and will be exploited by black hats to fuck up your network'.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Jun 15 9:10:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 64ED9155DF for ; Tue, 15 Jun 1999 09:10:28 -0700 (PDT) (envelope-from danderse@cs.utah.edu)
Received: from torrey.cs.utah.edu (torrey.cs.utah.edu [155.99.212.91]) by wrath.cs.utah.edu (8.8.8/8.8.8) with ESMTP id KAA05852; Tue, 15 Jun 1999 10:07:01 -0600 (MDT)
Received: (from danderse@localhost) by torrey.cs.utah.edu (8.9.3/8.9.1) id KAA01671; Tue, 15 Jun 1999 10:07:01 -0600 (MDT) (envelope-from danderse@cs.utah.edu)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Tue, 15 Jun 1999 10:07:01 -0600 (MDT)
From: "David G. Andersen"
To: Dag-Erling Smorgrav
Cc: Juergen Nickelsen , sporkl@ix.netcom.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
In-Reply-To: Dag-Erling Smorgrav's message of , June 15 1999
References: <376669B1.F7E6A746@tellique.de>
X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid
Message-ID: <14182.31150.906360.944872@torrey.cs.utah.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lo and Behold, Dag-Erling Smorgrav said:
> > 13 Timestamp [RFC792]
> > 14 Timestamp Reply [RFC792]
> > 17 Address Mask Request [RFC950]
> > 18 Address Mask Reply [RFC950]
>
> None of these are useful.

And, in fact, can potentially leak information you don't want leaked; many hosts will incorrectly respond to address mask requests, which you can use in some situations to perform better network mapping, etc., of a target site. Block 'em! :)

(I include timestamp in there because sometimes it's really nice to see which machines are the "black sheep" of the network; e.g. those which aren't time-synched in a sea of otherwise conformant machines. They're often not up to date on security issues either).

-Dave

--
work: danderse@cs.utah.edu me: angio@pobox.com
University of Utah http://www.angio.net/
Computer Science - Flux Research Group "What's footnote FIVE?"

From owner-freebsd-security Tue Jun 15 9:13:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from socrates.i-pi.com (socrates.i-pi.com [198.49.217.5]) by hub.freebsd.org (Postfix) with ESMTP id 8CC0B1537B for ; Tue, 15 Jun 1999 09:13:43 -0700 (PDT) (envelope-from root@socrates.i-pi.com)
Received: (from root@localhost) by socrates.i-pi.com (8.9.3/8.9.3) id MAA01337; Mon, 14 Jun 1999 12:49:55 -0600
Date: Mon, 14 Jun 1999 12:49:55 -0600
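To make the two ICMP pass-lists in this thread concrete, here is an added example (not from the thread, and not FreeBSD or ipfw code) in Python: it builds and parses raw ICMP messages, verifies the RFC 1071 one's-complement checksum, and gives each message a verdict under Juergen's permissive list and under Dag-Erling's minimal list of types 0, 3, 8 and 11. The type-name table is abbreviated from RFC 1700 and the sample messages are constructed; a real filter runs inside ipfw rather than in user space, but the decision the rules encode is the same one `decide()` makes, and `compare_policies()` shows exactly which messages (address mask request, timestamp, source quench, redirect) the two lists disagree on.

```python
import struct

# Added example, not from the thread. Type names abbreviated from RFC 1700.
ICMP_NAMES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp", 14: "Timestamp Reply", 17: "Address Mask Request",
    18: "Address Mask Reply", 30: "Traceroute",
}

# The two pass-lists as posted: Juergen's and Dag-Erling's.
PERMISSIVE = {0, 3, 4, 8, 11, 12, 13, 14, 15, 16, 17, 18, 30, 31}
MINIMAL = {0, 3, 8, 11}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, rest: bytes = b"\0" * 4,
               payload: bytes = b"") -> bytes:
    """Constructed ICMP message (no IP header) with a correct checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = inet_checksum(body)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse type/code and validate the checksum: summing the whole message,
    checksum field included, must yield zero after complementing."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_NAMES.get(icmp_type, "other/unassigned"),
        "checksum_ok": inet_checksum(packet) == 0,
    }


def decide(packet: bytes, allowed=frozenset(MINIMAL)) -> str:
    """Filter verdict: 'pass', 'drop', or 'drop-bad-checksum'."""
    info = parse_icmp(packet)
    if not info["checksum_ok"]:
        return "drop-bad-checksum"
    return "pass" if info["type"] in allowed else "drop"


def compare_policies(packets):
    """(name, verdict under PERMISSIVE, verdict under MINIMAL) per message."""
    return [(parse_icmp(p)["name"], decide(p, PERMISSIVE), decide(p, MINIMAL))
            for p in packets]


if __name__ == "__main__":
    # Constructed sample messages covering the types the thread argues about.
    samples = [build_icmp(t) for t in (0, 3, 4, 5, 8, 11, 13, 17)]
    for name, permissive, minimal in compare_policies(samples):
        print(f"{name:24s} permissive={permissive:5s} minimal={minimal}")
```

Note that an ICMP-based traceroute (type 30) is the only thing on Juergen's list that the minimal set loses which Dag-Erling counts as even marginally useful; everything else the permissive list admits is either an information leak (13/14, 17/18) or an abuse vector (4).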
From: root
To: Gregory Carvalho
Cc: Kenneth Ingham , "freebsd-security@FreeBSD.ORG"
Subject: Re: fwtk and delegate
Message-ID: <19990614124955.B1321@socrates.i-pi.com>
References: <375F9924.CB665E53@stcinc.com> <19990611103457.A2500@socrates.i-pi.com> <3760BF76.FA304E6E@stcinc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4us
In-Reply-To: <3760BF76.FA304E6E@stcinc.com>; from Gregory Carvalho on Fri, Jun 11, 1999 at 12:49:10AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Jun 11, 1999 at 12:49:10AM -0700, Gregory Carvalho wrote:
> Are you using delegate 5.7.2 on FreeBSD 3.1?

I haven't yet upgraded the machine from 2.2.8. The version of delegate is 5.7.2 though.

Kenneth

From owner-freebsd-security Tue Jun 15 9:17:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from serveri.netti.fi (serveri.netti.fi [195.16.192.130]) by hub.freebsd.org (Postfix) with ESMTP id 8E6B6155D3 for ; Tue, 15 Jun 1999 09:16:59 -0700 (PDT) (envelope-from yurtesen@ispro.net.tr)
Received: from ispro.net.tr (dyn-1-069.tku.netti.fi [195.16.222.70]) by serveri.netti.fi (8.8.8/8.8.3) with ESMTP id TAA03788; Tue, 15 Jun 1999 19:16:42 +0300
Message-ID: <37667C35.68E9E594@ispro.net.tr>
Date: Tue, 15 Jun 1999 19:15:50 +0300
From: Evren Yurtesen
X-Mailer: Mozilla 4.51 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Holtor
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
References: <19990615104334.23910.rocketmail@web128.yahoomail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

I think when you use MD5 or DES you can still have different kind of passwords in your password file. I have found this when I accidentally changed from DES to MD5 at an installation and it was working (we did not even understand the difference till we saw the long passwords in the password file!) but I do not know if it would work on your system, or if you are using special programs which may get affected by the change...

let me give you a MD5 string for you to try.

$1$kBCe/$LdWM8ViTcI4PTPTUJ5aCF1

the password is md5test

just create a user and use chfn to set user details

chfn username

put this string into the password field when you get into user details then you can try to login using the password md5test and you will see that it will work even though when you are using DES your system can handle MD5 encryption algorithm.

there is some information about DES and MD5
http://www.freebsd.org/handbook/security.html#CRYPT

----------------------------------------------------------------
For example, on a system using the DES versions:

% ls -l /usr/lib/libcrypt*
lrwxr-xr-x 1 root wheel 13 Mar 19 06:56 libcrypt.a -> libdescrypt.a
lrwxr-xr-x 1 root wheel 18 Mar 19 06:56 libcrypt.so.2.0 -> libdescrypt.so.2.0
lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.a

On a system using the MD5-based libraries, the same links will be present, but the target will be libscrypt rather than libdescrypt.
----------------------------------------------------------------

according to this text if you just change the links your system will start to produce MD5 passwords on new accounts (but I think if you change the password of an account it still produces DES if the previous encryption algorithm was DES, if the account had an MD5 password it will still have an MD5 password after you change the password with passwd.)

Holtor wrote:
> So there really is no easy way to convert.
> I just wanted to move everything to MD5.
> Then just go in, and change each users password
> and e-mail them all. I'm really not an expert
> with hacking source code, i know i'd probably screw
> it up horribly. My original intent was that if someone
> broke in, I figure MD5 passwords would be harder
> to break.
>
> Holt
>
> --- Poul-Henning Kamp wrote:
> > In message <199906150658.AAA90712@harmony.village.org>, Warner Losh writes:
> > >In message <5182.929429344@critter.freebsd.dk> Poul-Henning Kamp writes:
> > >: Uhm, sorry Warner, but that is not true. A brute force attack on
> > >: MD5 is many orders of magnitude slower than on DES.
> > >
> > >Wouldn't that cause lots of messages to be logged about failed login
> > >attempts? I was talking about the case where no one can get the
> > >encrypted passwords. I do suppose this assumes that all the programs
> > >that do login verification do syslogs failures...
> >
> > Which I must admit I have never verified that they do. I don't
> > think a brute force attack without the scrambled passwords is
> > sufficiently feasible to be attempted, for one thing you reveal
> > your source-IP or tty/terminal identity, but even so, MD5 takes
> > longer to compute than DES.
> >
> > >I agree that MD5 is better when the possibility of disclosure of the
> > >encrypted passwords exists...
> >
> > Which it always does, it's only a matter of at which probability.
> >
> > --
> > Poul-Henning Kamp FreeBSD coreteam member
> > phk@FreeBSD.ORG "Real hackers run -current on their laptop."
> > FreeBSD -- It will take a long time before progress goes too far!
> >
>
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
>

From owner-freebsd-security Tue Jun 15 10:13: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix (phoenix.aye.net [198.7.192.5]) by hub.freebsd.org (Postfix) with SMTP id 76AAD15130 for ; Tue, 15 Jun 1999 10:13:03 -0700 (PDT) (envelope-from barrett@phoenix.aye.net)
Received: (qmail 12231 invoked by uid 1000); 15 Jun 1999 17:12:33 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Jun 1999 17:12:33 -0000
Date: Tue, 15 Jun 1999 13:12:33 -0400 (EDT)
From: Barrett Richardson
To: Evren Yurtesen
Cc: Holtor , freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-Reply-To: <37667C35.68E9E594@ispro.net.tr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Evren Yurtesen wrote:

> Hello,
> I think when you use MD5 or DES you can still have different kind of
> passwords in your password file.
> I have found this when I accidentally changed from DES to MD5 at an
> installation and it was working (we did not even understand the
> difference
>
>

Some of my colleagues here claimed they dropped an MD5 master.passwd file onto a machine on which a DES master.passwd had previously been and they said it worked. I didn't believe them at the time.

-

Barrett Richardson
barrett@phoenix.aye.net

From owner-freebsd-security Tue Jun 15 10:20:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix (phoenix.aye.net [198.7.192.5]) by hub.freebsd.org (Postfix) with SMTP id D919815374 for ; Tue, 15 Jun 1999 10:20:44 -0700 (PDT) (envelope-from barrett@phoenix.aye.net)
Received: (qmail 14200 invoked by uid 1000); 15 Jun 1999 17:20:13 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Jun 1999 17:20:13 -0000
Date: Tue, 15 Jun 1999 13:20:13 -0400 (EDT)
From: Barrett Richardson
To: Juergen Nickelsen
Cc: David Shaw , freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
In-Reply-To: <37666E9A.33FB34F9@tellique.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Juergen Nickelsen wrote:

> David Shaw wrote on freebsd-security:
>
> > It's true that the NT Administrator can't read files that he doesn't
> > have permission for, but since Administrator controls the ACLs, if he
> > can't read something, he can trivially just change the permissions and
> > give himself access!
>
> He can't without taking over the ownership of the file, i. e. he can,
> but the original owner can tell afterwards.
>

Out of curiosity, can the owner's files be backed up via tape or some other means? If so, couldn't an admin achieve the same access via an API or some other mechanism?

--
Barrett Richardson
barrett@phoenix.aye.net

> Greetings, Juergen.
>
> --
> Juergen Nickelsen
> Tellique Kommunikationstechnik GmbH
> Gustav-Meyer-Allee 25, 13355 Berlin, Germany
> Tel.
+49 30 46307-552 / Fax +49 30 46307-579 > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 15 10:25:45 1999 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id EE5D014C18 for ; Tue, 15 Jun 1999 10:25:24 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id TAA06936; Tue, 15 Jun 1999 19:23:38 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Barrett Richardson Cc: Evren Yurtesen , Holtor , freebsd-security@FreeBSD.ORG Subject: Re: DES & MD5? In-reply-to: Your message of "Tue, 15 Jun 1999 13:12:33 EDT." Date: Tue, 15 Jun 1999 19:23:38 +0200 Message-ID: <6934.929467418@critter.freebsd.dk> 
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I believe it works that way, but not the other way around, unless you
have the DES kit installed.

In message , Barrett Richardson writes:
>
>
> Some of my colleagues here claimed they dropped an MD5 master.passwd
> file onto a machine on which a DES master.passwd had previously been
> and they said it worked. I didn't believe them at the time.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Tue Jun 15 10:40:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id C6ED7150BE for ; Tue, 15 Jun 1999 10:40:40 -0700 (PDT) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id LAA32370; Tue, 15 Jun 1999 11:36:11 -0600 (MDT)
Date: Tue, 15 Jun 1999 11:36:11 -0600 (MDT)
From: Nick Rogness
To: Poul-Henning Kamp
Cc: Barrett Richardson, Evren Yurtesen, Holtor, freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-Reply-To: <6934.929467418@critter.freebsd.dk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Poul-Henning Kamp wrote:

>
> I believe it works that way, but not the other way around, unless you
> have the DES kit installed.

I believe you are right. But with the DES kit, I still don't think it
would work. We have had this problem in the past with upgrades...I
can't remember though.

>
> In message , Barrett Richardson writes:
> >
> >
> > Some of my colleagues here claimed they dropped an MD5 master.passwd
> > file onto a machine on which a DES master.passwd had previously been
> > and they said it worked. I didn't believe them at the time.
>
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
>

*******************************************************************
Nick Rogness                  "Never settle with words what
System Administrator           can be accomplished with a
RapidNet, INC                  flame-thrower"
nick@rapidnet.com
*******************************************************************

From owner-freebsd-security Tue Jun 15 10:58:01 1999
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 9931914DDD for ; Tue, 15 Jun 1999 10:57:58 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 75697 invoked by uid 1001); 15 Jun 1999 17:57:57 +0000 (GMT)
To: phk@critter.freebsd.dk
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
From: sthaug@nethelp.no
In-Reply-To: Your message of "Tue, 15 Jun 1999 19:23:38 +0200"
References: <6934.929467418@critter.freebsd.dk>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 15 Jun 1999 19:57:57 +0200
Message-ID: <75695.929469477@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I believe it works that way, but not the other way around, unless you
> have the DES kit installed.
>
> In message , Barrett Richardson writes:
> >
> >
> > Some of my colleagues here claimed they dropped an MD5 master.passwd
> > file onto a machine on which a DES master.passwd had previously been
> > and they said it worked. I didn't believe them at the time.

I have a machine with mixed MD5/DES passwords, and it works just fine.
(Yes, libcrypt is a symlink to libdescrypt.) Unfortunately new users get
DES passwords.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Tue Jun 15 11:07:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 1BCDC15601 for ; Tue, 15 Jun 1999 11:07:51 -0700 (PDT) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id MAA38973; Tue, 15 Jun 1999 12:07:32 -0600 (MDT)
Date: Tue, 15 Jun 1999 12:07:32 -0600 (MDT)
From: Nick Rogness
To: Warner Losh
Cc: LutzRab@omc.net, security@FreeBSD.ORG
Subject: Re: New Attack via sendmail?
In-Reply-To: <199906150630.AAA90548@harmony.village.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Warner Losh wrote:

> In message <199906141930.VAA14403@office.omc.net> "Lutz Rabing" writes:
> : I've seen some pretty strange lines in syslog of one of our webservers.
> :
> : The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
> : swap space before, in fact it's not using swap space at all under normal
> : conditions.
>
> Have you used gdb to get a traceback sendmail.core? Have you
> considered building sendmail from sources and installing that binary
> if you have the stripped binary installed?
>
> I've not heard of attack like this recently.
>
> Also, I'd take a look at cucipop. It may be the case that it, or
> something else, is eating all the memory, causing problems for
> sendmail, et al. 'ps auxww' should help next time this happens.

Or even 'top' shows a bit more detail than ps -auxww does.
But either one should help ya see what is going on. Problem is
you have to be on the server when this happens.

>
> Warner
>

*******************************************************************
Nick Rogness                  "Never settle with words what
System Administrator           can be accomplished with a
RapidNet, INC                  flame-thrower"
nick@rapidnet.com
*******************************************************************

From owner-freebsd-security Tue Jun 15 11:11:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 6A8F5155C8 for ; Tue, 15 Jun 1999 11:11:22 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id MAA48216; Tue, 15 Jun 1999 12:11:20 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id MAA93541; Tue, 15 Jun 1999 12:11:10 -0600 (MDT)
Message-Id: <199906151811.MAA93541@harmony.village.org>
To: Nick Rogness
Subject: Re: New Attack via sendmail?
Cc: LutzRab@omc.net, security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 15 Jun 1999 12:07:32 MDT."
Date: Tue, 15 Jun 1999 12:11:10 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Nick Rogness writes:
: Or even 'top' shows a bit more detail than ps -auxww does.
: But either one should help ya see what is going on. Problem is
: you have to be on the server when this happens.

True. It looked from the logs like it was happening often, so looking
at the server in a post-mortem fashion may also be a benefit.

Warner

From owner-freebsd-security Tue Jun 15 12:18:03 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 505301567B for ; Tue, 15 Jun 1999 12:17:57 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id NAA48383; Tue, 15 Jun 1999 13:17:53 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id NAA94653; Tue, 15 Jun 1999 13:17:43 -0600 (MDT)
Message-Id: <199906151917.NAA94653@harmony.village.org>
To: Matthew Joseff
Subject: Re: /var/log/messages
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 15 Jun 1999 09:25:56 CDT."
Date: Tue, 15 Jun 1999 13:17:42 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Matthew Joseff writes:
: 1) What can I do to avoid this?
: 2) Can any *real* damage be done from someone connecting like this?
: 3) What liabilities does this open the "offending" party's company to?

These messages mean that something very *BAD* is going on. It means
that someone is trying to connect to your rsh/rlogin ports from an
unprivileged port. Either they are connecting using telnet and just
trying to see if there is connectivity to those ports on your machine,
or they are hoping that they can use their own rsh/rlogin clients to
get access that you would otherwise not see.

I'd say that unless you have seen a whole lot of these, I'd ignore the
odd one or two. They indicate that rsh/rlogin properly denied access to
your machine and let you know that it was very suspicious about how
the requests came in.

Warner

From owner-freebsd-security Tue Jun 15 12:45:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta1-rme.xtra.co.nz (unknown [203.96.92.1]) by hub.freebsd.org (Postfix) with ESMTP id 7671D15602 for ; Tue, 15 Jun 1999 12:45:32 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.152.36]) by mta1-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990615194828.ZOVN93999.mta1-rme@wocker> for ; Wed, 16 Jun 1999 07:48:28 +1200
From: "Dan Langille"
Organization: The FreeBSD Diary
To: security@freebsd.org
Date: Wed, 16 Jun 1999 07:45:31 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: named timeouts
Reply-To: junkmale@xtra.co.nz
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990615194828.ZOVN93999.mta1-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On my main machine, which is also running named, the daily security check
always has lots of these types of entries. Typically there are about 50 a
day. I think it's because a dns request has been started, but by the time
the reply arrives, the firewall has terminated that port connection (I'm
running ipfilter).

Would it make sense to slightly increase the time such connections are
held to see if the number of such log entries decreases? If so, how?

cheers.

> Connection attempt to UDP 127.0.0.1:3282 from 127.0.0.1:53
> Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:3363
> Connection attempt to UDP 127.0.0.1:3373 from 127.0.0.1:53
> Connection attempt to UDP 127.0.0.1:3378 from 127.0.0.1:53
> Connection attempt to UDP 127.0.0.1:3380 from 127.0.0.1:53

--
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm

From owner-freebsd-security Tue Jun 15 13:30:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cc.nsysu.edu.tw (mail.cc.nsysu.edu.tw [140.117.11.16]) by hub.freebsd.org (Postfix) with SMTP id D9B8D14F83 for ; Tue, 15 Jun 1999 13:30:45 -0700 (PDT) (envelope-from wing@cc.nsysu.edu.tw)
Received: (qmail 14826 invoked by uid 0); 16 Jun 1999 04:29:52 +0800
Received: from wing.cc.nsysu.edu.tw (HELO wing) (140.117.12.77) by mail.cc.nsysu.edu.tw
with SMTP; 15 Jun 1999 20:29:52 -0000
From: "Tony Lynn"
Subject: RE: nmap needs bfp ?
Date: Wed, 16 Jun 1999 04:28:59 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

	well , I think he didn't run nmap with root privilege.

> > Does nmap need bfp ?
> > I was running it on my 3.2 system!
> > Suddenly it stop working, complaining it needs bfp, but did it happen?
> > I did not rebuild my kernel, the kernel is the same, i did no changes to
> > the kernel!
> Maybe there is another app, that uses bpf. trafshow, ntop are using bpf.
> If so simply increase amount of bpf devices in kernel config file.

From owner-freebsd-security Tue Jun 15 13:55:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from 001101.zer0.org (001101.zer0.org [206.24.105.163]) by hub.freebsd.org (Postfix) with ESMTP id DBAF9155D3 for ; Tue, 15 Jun 1999 13:55:16 -0700 (PDT) (envelope-from gsutter@001101.zer0.org)
Received: (from gsutter@localhost) by 001101.zer0.org (8.9.2/8.9.2) id NAA75476; Tue, 15 Jun 1999 13:50:03 -0700 (PDT) (envelope-from gsutter)
Date: Tue, 15 Jun 1999 13:50:03 -0700
From: Gregory Sutter
To: Poul-Henning Kamp
Cc: Warner Losh, Holtor, freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
Message-ID: <19990615135003.U37775@001101.zer0.org>
References: <199906150643.AAA90605@harmony.village.org> <5182.929429344@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <5182.929429344@critter.freebsd.dk>; from Poul-Henning Kamp on Tue, Jun 15, 1999 at 08:49:04AM +0200
Organization: Zer0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jun 15, 1999 at 08:49:04AM +0200, Poul-Henning Kamp wrote:
>
> Uhm, sorry Warner, but that is not true. A brute force attack on
> MD5 is many orders of magnitude slower than on DES.

At USENIX, Niels Provos and David Mazieres presented a paper entitled
"A Future-Adaptable Password Scheme", in which they described two
algorithms with adaptable cost, including a block cipher _eksblowfish_
and _bcrypt_, a related hash function. In the paper, they have a
comparison graph of traditional/bitsliced DES, MD5, and bcrypt (Figure
5). In summary, the graph shows bcrypt to be over 10^1 times slower
than MD5 and many orders of magnitude slower than DES. MD5 is itself
many orders of magnitude slower than DES, but has a fixed cost.

FTR, bcrypt supports a variable number of rounds so that it will be
adaptable and secure as hardware speeds increase. I left the
presentation very impressed with the work.

Greg
--
Gregory S. Sutter                   If ignorance is bliss, you must be orgasmic.
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052

From owner-freebsd-security Tue Jun 15 14:15:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 7809714C4C for ; Tue, 15 Jun 1999 14:15:18 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id XAA07663; Tue, 15 Jun 1999 23:12:12 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Gregory Sutter
Cc: Warner Losh, Holtor, freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-reply-to: Your message of "Tue, 15 Jun 1999 13:50:03 PDT." <19990615135003.U37775@001101.zer0.org>
Date: Tue, 15 Jun 1999 23:12:11 +0200
Message-ID: <7661.929481131@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19990615135003.U37775@001101.zer0.org>, Gregory Sutter writes:
> On Tue, Jun 15, 1999 at 08:49:04AM +0200, Poul-Henning Kamp wrote:
> >
> > Uhm, sorry Warner, but that is not true. A brute force attack on
> > MD5 is many orders of magnitude slower than on DES.
>
> At USENIX, Niels Provos and David Mazieres presented a paper entitled
> "A Future-Adaptable Password Scheme", in which they described two
> algorithms with adaptable cost,

I've seen it. I think they're missing the >real< point by a large margin,
(or at least they did in the version I read).

In my opinion the most important thing is to realize that scrambled
passwords are cheap to replace, and therefore a "kleenex" principle
can be applied to the protection.

If the MD5 seems to be under attack, we'll just change to something
else, and if that comes under attack, we change again, and so on.

That said I'm sure their algorithm is at least as good, and quite
likely much better than the MD5 based one that I wrote, but the
important thing is the '$1$' at the front of the password which
will allow us to change the entire thing at a moment's notice:

	Install new libcrypt ("$2$", or "$3$" or whatever)
	Set all passwords to expire in 1hour/day/week/month/year
	Tell your users that they haven't changed their password
		for too long

And any threat to your password scrambling is eliminated...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
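The scheme swap Poul-Henning describes above works because the identifier at the front of the scrambled password tells crypt() which scheme to use, so old and new entries can coexist while the old ones are expired. The following is an added example, not code from this thread, from FreeBSD's libcrypt or from any poster: it classifies master.passwd entries by that identifier and counts the accounts that still have to be expired before a new scheme is the only one in use. The identifiers "$1$" (MD5 crypt, named above) and "$2a$" (OpenBSD's bcrypt) are real; the sample entries, their hash bodies and the "$9$" identifier are constructed placeholders, and the function names are the example's own.

```c
/* Added example, not code from the thread or from FreeBSD's libcrypt:
 * classify master.passwd entries by the version identifier at the front
 * of the scrambled password (the way crypt(3) picks a scheme) and count
 * the accounts that must be expired before a scheme change is complete. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum pw_scheme { PW_EMPTY, PW_LOCKED, PW_DES, PW_MD5, PW_BCRYPT, PW_UNKNOWN };

struct pw_info {
    enum pw_scheme scheme;
    int cost;   /* bcrypt cost (log2 of the round count); -1 for other schemes */
};

static int is_crypt_char(int c)
{
    return c == '.' || c == '/' || isalnum(c);
}

/* "$1$" is FreeBSD's MD5 crypt, "$2a$" is OpenBSD's bcrypt; any other "$n$"
 * prefix is a scheme this tool does not know. No prefix means traditional
 * DES, which is exactly 13 characters from the crypt alphabet [./0-9A-Za-z]. */
struct pw_info classify_field(const char *field)
{
    struct pw_info info = { PW_UNKNOWN, -1 };
    size_t i, len;

    if (field == NULL || *field == '\0') {
        info.scheme = PW_EMPTY;            /* no password set */
        return info;
    }
    if (*field == '*' || *field == '!') {
        info.scheme = PW_LOCKED;           /* password login disabled */
        return info;
    }
    if (strncmp(field, "$1$", 3) == 0) {
        info.scheme = PW_MD5;
        return info;
    }
    if (strncmp(field, "$2a$", 4) == 0) {
        /* bcrypt stores its cost as two decimal digits followed by another '$' */
        if (isdigit((unsigned char)field[4]) && isdigit((unsigned char)field[5])
            && field[6] == '$') {
            info.scheme = PW_BCRYPT;
            info.cost = (field[4] - '0') * 10 + (field[5] - '0');
        }
        return info;
    }
    if (*field == '$')
        return info;                       /* unknown "$n$" scheme */
    len = strlen(field);
    if (len != 13)
        return info;
    for (i = 0; i < len; i++)
        if (!is_crypt_char((unsigned char)field[i]))
            return info;
    info.scheme = PW_DES;
    return info;
}

/* Classify the second colon-separated field of a master.passwd line. A line
 * without two colons is not a password entry and is reported as PW_UNKNOWN
 * so the caller never silently skips it. */
struct pw_info classify_entry(const char *line)
{
    struct pw_info bad = { PW_UNKNOWN, -1 };
    char field[256];
    const char *start = strchr(line, ':');
    const char *end;
    size_t n;

    if (start == NULL || (end = strchr(++start, ':')) == NULL)
        return bad;
    n = (size_t)(end - start);
    if (n >= sizeof field)
        return bad;
    memcpy(field, start, n);
    field[n] = '\0';
    return classify_field(field);
}

/* Number of accounts not yet under the wanted scheme: the ones to expire so
 * their owners re-enter a password and the new libcrypt stores it under the
 * new identifier. Locked and empty entries have nothing to migrate. */
int count_needing_rehash(const char *const *lines, int nlines, enum pw_scheme wanted)
{
    int i, count = 0;

    for (i = 0; i < nlines; i++) {
        enum pw_scheme s = classify_entry(lines[i]).scheme;
        if (s != PW_EMPTY && s != PW_LOCKED && s != wanted)
            count++;
    }
    return count;
}

/* Constructed sample in master.passwd layout; the hash bodies are
 * placeholders of roughly the right shape, not real password hashes. */
const char *const sample_entries[] = {
    "root:$1$saltsalt$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh",
    "alice:ab0123456789.:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$2a$06$saltsaltsaltsaltsalts.0123456789abcdefghijklmnopqrstuvwxyz:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin",
    "carol:$9$notyetknown:1003:1003::0:0:Carol:/home/carol:/bin/sh",
};
const int sample_count = (int)(sizeof sample_entries / sizeof sample_entries[0]);

int main(void)
{
    static const char *const names[] = { "empty", "locked", "DES", "MD5", "bcrypt", "unknown" };
    int i;

    for (i = 0; i < sample_count; i++) {
        struct pw_info info = classify_entry(sample_entries[i]);
        printf("%-8.*s %s", (int)strcspn(sample_entries[i], ":"), sample_entries[i], names[info.scheme]);
        if (info.cost >= 0 && info.cost <= 31)     /* bcrypt runs 2^cost rounds */
            printf(" (cost %d, %ld rounds)", info.cost, 1L << info.cost);
        putchar('\n');
    }
    printf("%d account(s) to expire before bcrypt is the only scheme in use\n",
           count_needing_rehash(sample_entries, sample_count, PW_BCRYPT));
    return 0;
}
```

Run against a real master.passwd, the count is the number of accounts the expiry step of the procedure above must reach; entries under an identifier the installed libcrypt does not know (for instance DES strings on a box without the DES kit) are also counted, since those users cannot log in until they set a new password anyway.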
From owner-freebsd-security Tue Jun 15 14:33:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from 001101.zer0.org (001101.zer0.org [206.24.105.163]) by hub.freebsd.org (Postfix) with ESMTP id 87976156EA for ; Tue, 15 Jun 1999 14:33:51 -0700 (PDT) (envelope-from gsutter@001101.zer0.org)
Received: (from gsutter@localhost) by 001101.zer0.org (8.9.2/8.9.2) id OAA77035; Tue, 15 Jun 1999 14:29:10 -0700 (PDT) (envelope-from gsutter)
Date: Tue, 15 Jun 1999 14:29:10 -0700
From: Gregory Sutter
To: Poul-Henning Kamp
Cc: Warner Losh, Holtor, freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
Message-ID: <19990615142910.V37775@001101.zer0.org>
References: <19990615135003.U37775@001101.zer0.org> <7661.929481131@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <7661.929481131@critter.freebsd.dk>; from Poul-Henning Kamp on Tue, Jun 15, 1999 at 11:12:11PM +0200
Organization: Zer0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jun 15, 1999 at 11:12:11PM +0200, Poul-Henning Kamp wrote:
> In message <19990615135003.U37775@001101.zer0.org>, Gregory Sutter writes:
> > On Tue, Jun 15, 1999 at 08:49:04AM +0200, Poul-Henning Kamp wrote:
> > >
> > > Uhm, sorry Warner, but that is not true. A brute force attack on
> > > MD5 is many orders of magnitude slower than on DES.
> >
> > At USENIX, Niels Provos and David Mazieres presented a paper entitled
> > "A Future-Adaptable Password Scheme", in which they described two
> > algorithms with adaptable cost,
>
> In my opinion the most important thing is to realize that scrambled
> passwords are cheap to replace, and therefore a "kleenex" principle
> can be applied to the protection.

That may not be the case for every installation, Poul.

> That said I'm sure their algorithm is at least as good, and quite
> likely much better than the MD5 based one that I wrote, but the
> important thing is the '$1$' at the front of the password which
> will allow us to change the entire thing at a moment's notice:
>
> 	Install new libcrypt ("$2$", or "$3$" or whatever)
> 	Set all passwords to expire in 1hour/day/week/month/year
> 	Tell your users that they haven't changed their password
> 		for too long

This is supported. Under OpenBSD (the only place where bcrypt is
currently implemented), the version identifier for bcrypt is "$2a$".
Password hashes can still be changed just as easily as with MD5.

Greg
--
Gregory S. Sutter                   The best way to accelerate Windows
mailto:gsutter@pobox.com            is at 9.8 m/s^2.
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052

From owner-freebsd-security Tue Jun 15 14:51:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vidnt2.hq.vid-h2o.org (vista2-blk1-hfc-0251-d1db0de8.rdc1.sdca.coxatwork.com [209.219.13.232]) by hub.freebsd.org (Postfix) with ESMTP id EC76F14D84 for ; Tue, 15 Jun 1999 14:51:12 -0700 (PDT) (envelope-from JDoscher@vid-h2o.org)
Received: by VIDNT2 with Internet Mail Service (5.5.2232.9) id ; Tue, 15 Jun 1999 14:54:30 -0700
From: Jay Doscher
To: 'Tony Lynn', "'security@FreeBSD.ORG'"
Subject: RE: nmap needs bfp ?
Date: Tue, 15 Jun 1999 14:53:50 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Normally nmap does not need root priv's. For certain functions such as
OS detection however, you must be root.

Jay

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Tony Lynn
Sent: Tuesday, June 15, 1999 1:29 PM
To: security@FreeBSD.ORG
Subject: RE: nmap needs bfp ?

	well , I think he didn't run nmap with root privilege.

> > Does nmap need bfp ?
> > I was running it on my 3.2 system!
> > Suddenly it stop working, complaining it needs bfp, but did it happen?
> > I did not rebuild my kernel, the kernel is the same, i did no changes to
> > the kernel!
> Maybe there is another app, that uses bpf. trafshow, ntop are using bpf.
> If so simply increase amount of bpf devices in kernel config file.

From owner-freebsd-security Tue Jun 15 14:52:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from funky.monkey.org (funky.monkey.org [152.160.231.196]) by hub.freebsd.org (Postfix) with ESMTP id 4303115456 for ; Tue, 15 Jun 1999 14:52:11 -0700 (PDT) (envelope-from dugsong@monkey.org)
Received: by funky.monkey.org (Postfix, from userid 1001) id DCE0B23D87; Tue, 15 Jun 1999 17:51:46 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by funky.monkey.org (Postfix) with ESMTP id C70F115CC2; Tue, 15 Jun 1999 17:51:46 -0400 (EDT)
Date: Tue, 15 Jun 1999 17:51:46 -0400 (EDT)
From: Dug Song
To: Poul-Henning Kamp
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-Reply-To: <7661.929481131@critter.freebsd.dk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Poul-Henning Kamp wrote:

> That said I'm sure their algorithm is at least as good, and quite
> likely much better than the MD5 based one that I wrote, but the
> important thing is the '$1$' at the front of the password which
> will allow us to change the entire thing at a moment's notice...

OpenBSD's crypt has exactly the same version identifiers:

	dugsong:$2a$06$S19R7BvVkFxEkKfiYsGOk.RVtuPl5.SmnWU...
	        ^^^^

and they credited you with this particular insight in their paper (see
section 6.1.2, http://www.citi.umich.edu/u/provos/papers/bcrypt.ps.gz):

	MD5 crypt was written by Poul-Henning Kamp for FreeBSD... The
	output is the concatenation of the version identifier "$1$", the
	salt, a "$" separator, and the 128-bit hash output.

> I think they're missing the >real< point by a large margin, (or at least
> they did in the version I read).

what *is* the point, then, if not this?

	Instead of repeatedly throwing out functions like crypt and MD5
	crypt to start over with more expensive but incompatible ones,
	systems should allow the cost of any password manipulation
	software to scale gracefully with a tunable parameter.

having version identifiers in passwd entries solves only half the
problem.

-d.

---
http://www.monkey.org/~dugsong/

From owner-freebsd-security Tue Jun 15 16:20:04 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jason.argos.org (a1-3b169.neo.rr.com [24.93.181.169]) by hub.freebsd.org (Postfix) with ESMTP id D777514C32 for ; Tue, 15 Jun 1999 16:20:00 -0700 (PDT) (envelope-from mike@argos.org)
Received: from localhost (mike@localhost) by jason.argos.org (8.9.1/8.9.1) with ESMTP id TAA06024; Tue, 15 Jun 1999 19:25:06 -0400
Date: Tue, 15 Jun 1999 19:25:01 -0400 (EDT)
From: Mike Nowlin
To: Dan Langille
Cc: security@FreeBSD.ORG
Subject: Re: named timeouts
In-Reply-To: <19990615194828.ZOVN93999.mta1-rme@wocker>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On my main machine, which is also running named, the daily security check
> always has lots of these types of entries. Typically there are about 50 a
> day. I think it's because a dns request has been started, but by the time
> the reply arrives, the firewall has terminated that port connection (I'm
> running ipfilter).
>
> Would it make sense to slightly increase the time such connections are
> held to see if the number of such log entries decreases? If so, how?
>
> cheers.
>
> > Connection attempt to UDP 127.0.0.1:3282 from 127.0.0.1:53
> > Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:3363
> > Connection attempt to UDP 127.0.0.1:3373 from 127.0.0.1:53
> > Connection attempt to UDP 127.0.0.1:3378 from 127.0.0.1:53
> > Connection attempt to UDP 127.0.0.1:3380 from 127.0.0.1:53

Do you have 127.0.0.1 firewalled off? I've seen people do this before --
it's a no-no. Most (not all) network connections from a machine back into
itself use that address, unless you specify otherwise.

Mike

From owner-freebsd-security Tue Jun 15 17:00:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 4A2C4156A7 for ; Tue, 15 Jun 1999 17:00:13 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id JAA01592; Wed, 16 Jun 1999 09:30:09 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA19602; Wed, 16 Jun 1999 09:31:22 +0930
Date: Wed, 16 Jun 1999 09:31:22 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Gregory Sutter
Cc: freebsd-security@freebsd.org
Subject: Re: DES & MD5?
In-Reply-To: <19990615135003.U37775@001101.zer0.org>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Gregory Sutter wrote:

> At USENIX, Niels Provos and David Mazieres presented a paper entitled
> "A Future-Adaptable Password Scheme", in which they described two
> algorithms with adaptable cost, including a block cipher _eksblowfish_
> and _bcrypt_, a related hash function. In the paper, they have a
> comparison graph of traditional/bitsliced DES, MD5, and bcrypt (Figure
> 5). In summary, the graph shows bcrypt to be over 10^1 times slower
> than MD5 and many orders of magnitude slower than DES. MD5 is itself
> many orders of magnitude slower than DES, but has a fixed cost.
>
> FTR, bcrypt supports a variable number of rounds so that it will be
> adaptable and secure as hardware speeds increase. I left the
> presentation very impressed with the work.

This is the openbsd password hash scheme, isn't it? I've got patches to
support this (among other things) almost ready to go. Essentially they
just iterate 2^n rounds of cipher, whereas the current MD5 scheme just
does 1000 rounds. ISTR hearing of known weaknesses with iterating MD5
large numbers of times, but I don't have a reference handy.

Kris

> Greg
> --
> Gregory S. Sutter                   If ignorance is bliss, you must be orgasmic.
> mailto:gsutter@pobox.com
> http://www.pobox.com/~gsutter/
> PGP DSS public key 0x40AE3052
>

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown

From owner-freebsd-security Tue Jun 15 17:05:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 5FCCC1524D for ; Tue, 15 Jun 1999 17:05:54 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id JAA01629; Wed, 16 Jun 1999 09:35:51 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA12455; Wed, 16 Jun 1999 09:36:59 +0930
Date: Wed, 16 Jun 1999 09:36:59 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Evren Yurtesen
Cc: Holtor, freebsd-security@freebsd.org
Subject: Re: DES & MD5?
In-Reply-To: <37667C35.68E9E594@ispro.net.tr>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Evren Yurtesen wrote:

> I think when you use MD5 or DES you can still have different kind of
> passwords in your password file.

You can. crypt() checks whether it's being passed a salt of the form
$1$...$, and if so, passes it to crypt_md5(), otherwise considers it as a
DES salt and sends it to crypt_des() (if DES support is compiled in).

So you can mix and match any passwords your crypt() knows how to parse.
The only problem is that standard FreeBSD doesn't have a way to select
which password scheme you want: if you install the DES sources, you get
DES passwords, otherwise MD5, for your new passwords.

Kris

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown

From owner-freebsd-security Tue Jun 15 17:32:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from aic-gw.mlink.net (aic-gw.mlink.net [209.104.118.65]) by hub.freebsd.org (Postfix) with SMTP id 824F41504F for ; Tue, 15 Jun 1999 17:32:18 -0700 (PDT) (envelope-from matt@AIC-GW.MLINK.NET)
Received: (qmail 53181 invoked by uid 1000); 16 Jun 1999 00:32:10 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Jun 1999 00:32:10 -0000
Date: Tue, 15 Jun 1999 20:32:10 -0400 (EDT)
From: matt
To: Kris Kennaway
Cc: Evren Yurtesen , Holtor , freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 16 Jun 1999, Kris Kennaway wrote:

: On Tue, 15 Jun 1999, Evren Yurtesen wrote:
:
: > I think when you use MD5 or DES you can still have different kind of
: > passwords in your password file.

Thankfully Yes.. I'll explain more later on down the mail.

: You can. crypt() checks whether it's being passed a salt of the form
: $1$...$, and if so, passes it to crypt_md5(), otherwise considers it as a DES
: salt and sends it to crypt_des() (if DES support is compiled in).

I mistakenly installed 3.2 with DES so it was making DES passwords instead of MD5 passwords, I happen to prefer MD5, so I just redid the symlinks on libcrypt* from libdescrypt to libscrypt... etc.. worked nicely back to MD5

: So you can mix and match any passwords your crypt() knows how to parse. The
: only problem is that standard FreeBSD doesn't have a way to select which
: password scheme you want: if you install the DES sources, you get DES
: passwords, otherwise MD5, for your new passwords.

We really should look at something like OpenBSD's password system, they really do have a bloody amazing password and encryption scheme..

: Kris

Matt

: -----
: "Never criticize anybody until you have walked a mile in their shoes,
: because by that time you will be a mile away and have their shoes."
: -- Unknown

--
matt@AIC-GW.MLINK.NET

From owner-freebsd-security Tue Jun 15 17:53:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id A553E151EB for ; Tue, 15 Jun 1999 17:53:23 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (jkh@localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id RAA05785; Tue, 15 Jun 1999 17:54:05 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: Kris Kennaway
Cc: Evren Yurtesen , Holtor , freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-reply-to: Your message of "Wed, 16 Jun 1999 09:36:59 +0930."
Date: Tue, 15 Jun 1999 17:54:05 -0700
Message-ID: <5781.929494445@zippy.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> So you can mix and match any passwords your crypt() knows how to parse. The
> only problem is that standard FreeBSD doesn't have a way to select which
> password scheme you want: if you install the DES sources, you get DES
> passwords, otherwise MD5, for your new passwords.
>

While certainly in the category of "evil temporary hack", I can say that /etc/auth.conf makes the above statement somewhat incorrect. :)

- Jordan

From owner-freebsd-security Tue Jun 15 17:59:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from 001101.zer0.org (001101.zer0.org [206.24.105.163]) by hub.freebsd.org (Postfix) with ESMTP id A7DB515283 for ; Tue, 15 Jun 1999 17:59:01 -0700 (PDT) (envelope-from gsutter@001101.zer0.org)
Received: (from gsutter@localhost) by 001101.zer0.org (8.9.2/8.9.2) id RAA84544; Tue, 15 Jun 1999 17:53:20 -0700 (PDT) (envelope-from gsutter)
Date: Tue, 15 Jun 1999 17:53:19 -0700
From: Gregory Sutter
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
Message-ID: <19990615175319.W37775@001101.zer0.org>
References: <19990615135003.U37775@001101.zer0.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: ; from Kris Kennaway on Wed, Jun 16, 1999 at 09:31:22AM +0930
Organization: Zer0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jun 16, 1999 at 09:31:22AM +0930, Kris Kennaway wrote:
> On Tue, 15 Jun 1999, Gregory Sutter wrote:
>
> > At USENIX, Niels Provos and David Mazieres presented a paper entitled
> > "A Future-Adaptable Password Scheme", in which they described two
> > algorithms with adaptable cost, including a block cipher _eksblowfish_
> > and _bcrypt_, a related hash function. In the paper, they have a
> > comparison graph of traditional/bitsliced DES, MD5, and bcrypt (Figure
> > 5). In summary, the graph shows bcrypt to be over 10^1 times slower
> > than MD5 and many orders of magnitude slower than DES. MD5 is itself
> > many orders of magnitude slower than DES, but has a fixed cost.
> >
> > FTR, bcrypt supports a variable number of rounds so that it will be
> > adaptable and secure as hardware speeds increase. I left the
> > presentation very impressed with the work.
>
> This is the openbsd password hash scheme, isn't it?

It is indeed the OpenBSD password hash scheme.

> I've got patches to support this (among other things) almost ready to go.

Wow, Kris, that's marvelous news. Congratulations and thanks!

Greg

--
Gregory S. Sutter                   "Software is like sex; it's better
mailto:gsutter@pobox.com             when it's free."
http://www.pobox.com/~gsutter/              -- Linus Torvalds
PGP DSS public key 0x40AE3052

From owner-freebsd-security Tue Jun 15 17:59:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 6DF041565E for ; Tue, 15 Jun 1999 17:59:49 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id KAA00915; Wed, 16 Jun 1999 10:29:47 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA04889; Wed, 16 Jun 1999 10:30:48 +0930
Date: Wed, 16 Jun 1999 10:30:48 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: "Jordan K. Hubbard"
Cc: Evren Yurtesen , Holtor , freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-Reply-To: <5781.929494445@zippy.cdrom.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Jordan K. Hubbard wrote:

> > So you can mix and match any passwords your crypt() knows how to parse. The
> > only problem is that standard FreeBSD doesn't have a way to select which
> > password scheme you want: if you install the DES sources, you get DES
> > passwords, otherwise MD5, for your new passwords.
> >
>
> While certainly in the category of "evil temporary hack", I can say
> that /etc/auth.conf makes the above statement somewhat incorrect. :)

This isn't used currently, is it? I thought the support for that was removed when the previous password changes back in January were backed out.

My patches I've been talking about add two login.conf capabilities: localcipher and localcipherrounds, which determine the format of new passwords (localcipherrounds is for things like blowfish and "New"-DES passwords which have variable number of rounds. New-DES is the improved version of the DES hashing algorithm which has been in the code forever, but #ifdef'ed out.)

So you can have a separate login class for users you want to share passwords with your Sun boxes (old-DES format), have everyone else with SHA-1 passwords and have the root password as 2^10-round blowfish, if you wish.

Kris

>
> - Jordan
>

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown

From owner-freebsd-security Tue Jun 15 18:20:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 77DA7150F6 for ; Tue, 15 Jun 1999 18:20:27 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (jkh@localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id SAA05878; Tue, 15 Jun 1999 18:21:41 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: Kris Kennaway
Cc: Evren Yurtesen , Holtor , freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-reply-to: Your message of "Wed, 16 Jun 1999 10:30:48 +0930."
Date: Tue, 15 Jun 1999 18:21:41 -0700
Message-ID: <5874.929496101@zippy.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It still works, though a login.conf based scheme would certainly eliminate an extra file. Go for it. :)

> On Tue, 15 Jun 1999, Jordan K. Hubbard wrote:
>
> > > So you can mix and match any passwords your crypt() knows how to parse. The
> > > only problem is that standard FreeBSD doesn't have a way to select which
> > > password scheme you want: if you install the DES sources, you get DES
> > > passwords, otherwise MD5, for your new passwords.
> > >
> >
> > While certainly in the category of "evil temporary hack", I can say
> > that /etc/auth.conf makes the above statement somewhat incorrect. :)
>
> This isn't used currently, is it? I thought the support for that was removed
> when the previous password changes back in January were backed out.
>
> My patches I've been talking about add two login.conf capabilities:
> localcipher and localcipherrounds, which determine the format of new passwords
> (localcipherrounds is for things like blowfish and "New"-DES passwords which
> have variable number of rounds. New-DES is the improved version of the DES
> hashing algorithm which has been in the code forever, but #ifdef'ed out.)
>
> So you can have a separate login class for users you want to share passwords
> with your Sun boxes (old-DES format), have everyone else with SHA-1 passwords
> and have the root password as 2^10-round blowfish, if you wish.
>
> Kris
>
> >
> > - Jordan
> >
>
> -----
> "Never criticize anybody until you have walked a mile in their shoes,
> because by that time you will be a mile away and have their shoes."
> -- Unknown
>

From owner-freebsd-security Tue Jun 15 20:42:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id BA45D1546E for ; Tue, 15 Jun 1999 20:42:31 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id UAA25101; Tue, 15 Jun 1999 20:41:32 -0700 (PDT)
Message-ID: <19990615204132.C22999@best.com>
Date: Tue, 15 Jun 1999 20:41:32 -0700
From: "Jan B. Koum "
To: Frank Tobin , Dag-Erling Smorgrav
Cc: Richard Childers , kstewart@3-cities.com, freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Frank Tobin on Tue, Jun 15, 1999 at 02:59:36AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jun 15, 1999 at 02:59:36AM -0500, Frank Tobin wrote:
> Dag-Erling Smorgrav, at 09:13 on 15 Jun 1999, wrote:
>
> > One word: passphrase.
>
> Erm a couple more words. Trojaned PGP and tty snoop.

To make the story short: if you don't trust the machine, don't log into it. Period. End of story. Paranoia never ends..

-- Yan

From owner-freebsd-security Tue Jun 15 20:54:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guepardo.vicosa.com.br (guepardo.tdnet.com.br [200.236.148.6]) by hub.freebsd.org (Postfix) with ESMTP id A7261154AA for ; Tue, 15 Jun 1999 20:54:17 -0700 (PDT) (envelope-from kernel@tdnet.com.br.)
Received: from tdnet.com.br. [200.236.148.199] by guepardo.vicosa.com.br with ESMTP (SMTPD32-5.00) id A2B719C0132; Wed, 16 Jun 1999 01:06:15 -0300
Message-ID: <37671FA7.E3D87FB4@tdnet.com.br.>
Date: Wed, 16 Jun 1999 00:53:11 -0300
From: Unknow User
X-Mailer: Mozilla 4.5 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Subject: some nice advice....
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a shell server environment, which kind of security tools should I use frequently?

Do I really need to have bpf? I don't enjoy such a device in my kernel, but there are some security tools that don't run without it. Should I build a kernel with bpf enabled or give up using the tool!

Thanks a lot for your advice.

From owner-freebsd-security Wed Jun 16 0:15:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 1372814FF9 for ; Wed, 16 Jun 1999 00:15:39 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id JAA76217; Wed, 16 Jun 1999 09:14:23 +0200 (CEST) (envelope-from des)
To: Barrett Richardson
Cc: Evren Yurtesen , Holtor , freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
References:
From: Dag-Erling Smorgrav
Date: 16 Jun 1999 09:14:22 +0200
In-Reply-To: Barrett Richardson's message of "Tue, 15 Jun 1999 13:12:33 -0400 (EDT)"
Message-ID:
Lines: 10
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Barrett Richardson writes:
> Some of my colleagues here claimed they dropped an MD5 master.passwd
> file onto a machine on which a DES master.passwd had previously been
> and they said it worked. I didn't believe them at the time.

Of course it works. MD5 hashing is always available; DES hashing is optional.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 16 0:53: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 3C79915171; Wed, 16 Jun 1999 00:53:00 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id JAA77150; Wed, 16 Jun 1999 09:52:55 +0200 (CEST) (envelope-from des)
To: Warner Losh
Cc: chat@FreeBSD.ORG
Subject: Re: New Attack via sendmail?
References: <199906151811.MAA93541@harmony.village.org>
From: Dag-Erling Smorgrav
Date: 16 Jun 1999 09:52:54 +0200
In-Reply-To: Warner Losh's message of "Tue, 15 Jun 1999 12:11:10 -0600"
Message-ID:
Lines: 11
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[from -security]

Warner Losh writes:
> True. It looked from the logs like it was happening often, so looking
> at the server in a most-mortum fassion may also be a benefit.
  -------------------

Don't type with food in your mouth! :)

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 16 0:58: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 1EED615682 for ; Wed, 16 Jun 1999 00:58:06 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id JAA77284; Wed, 16 Jun 1999 09:58:00 +0200 (CEST) (envelope-from des)
To: junkmale@xtra.co.nz
Cc: security@FreeBSD.ORG
Subject: Re: named timeouts
References: <19990615194828.ZOVN93999.mta1-rme@wocker>
From: Dag-Erling Smorgrav
Date: 16 Jun 1999 09:57:59 +0200
In-Reply-To: "Dan Langille"'s message of "Wed, 16 Jun 1999 07:45:31 +1200"
Message-ID:
Lines: 30
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Dan Langille" writes:
> On my main machine, which is also running named, the daily security check
> always has lots of these types of entries. Typically there are about 50 a
> day. I think it's because a dns request has been started, but by the time
> the reply arrives, the firewall has terminated that port connection (I'm
> running ipfilter).

No, I don't think these messages come from named. I think they're log messages from ipfilter telling you you didn't set up your firewall correctly. You should have rules permitting all UDP traffic to and *from* port 53. Actually, you should have a rule permitting all traffic across lo0 no matter what.

> > Connection attempt to UDP 127.0.0.1:3282 from 127.0.0.1:53

This is named trying to reply to a query.

> > Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:3363

This looks like comsat talking to biff.

> > Connection attempt to UDP 127.0.0.1:3373 from 127.0.0.1:53
> > Connection attempt to UDP 127.0.0.1:3378 from 127.0.0.1:53
> > Connection attempt to UDP 127.0.0.1:3380 from 127.0.0.1:53

This is named trying to reply to queries.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 16 1: 6:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 44E681531A for ; Wed, 16 Jun 1999 01:06:25 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id KAA77466; Wed, 16 Jun 1999 10:06:16 +0200 (CEST) (envelope-from des)
To: Unknow User
Cc: security@FreeBSD.ORG
Subject: Re: some nice advice....
References: <37671FA7.E3D87FB4@tdnet.com.br.>
From: Dag-Erling Smorgrav
Date: 16 Jun 1999 10:06:16 +0200
In-Reply-To: Unknow User's message of "Wed, 16 Jun 1999 00:53:11 -0300"
Message-ID:
Lines: 13
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Unknow User writes:
> Do I really need to have bpf? I don't enjoy such a device in my kernel,
> but there are some security tools that don't run without it. Should I build
> a kernel with bpf enabled or give up using the tool!

Why don't you want BPF in your kernel? It is extremely useful, and has a minimal impact on performance when it's not in use. As long as you make sure the permissions on the device node are right (so regular users can't gain access to BPF), it's not even a security risk.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 16 1:13: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 415CF1531A for ; Wed, 16 Jun 1999 01:12:59 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id KAA77617; Wed, 16 Jun 1999 10:12:54 +0200 (CEST) (envelope-from des)
To: "Jordan K. Hubbard"
Cc: Kris Kennaway , Evren Yurtesen , Holtor , freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
References: <5874.929496101@zippy.cdrom.com>
From: Dag-Erling Smorgrav
Date: 16 Jun 1999 10:12:53 +0200
In-Reply-To: "Jordan K. Hubbard"'s message of "Tue, 15 Jun 1999 18:21:41 -0700"
Message-ID:
Lines: 31
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jordan K. Hubbard" writes:
> It still works, though a login.conf based scheme would certainly
> eliminate an extra file. Go for it. :)

Umm, actually, the part that matters in auth.conf (auth_default, which sets the default password hashing scheme) isn't used:

des@des ~% current auth_getval
src/bin/rcp/rcp.c:              k = auth_getval("auth_list");
src/lib/libutil/Makefile:       MLINKS+= auth.3 auth_getval.3
src/lib/libutil/auth.3:         .Dt auth_getval 3
src/lib/libutil/auth.3:         .Nm auth_getval
src/lib/libutil/auth.3:         .Fn auth_getval "const char *name"
src/lib/libutil/auth.3:         .Fn auth_getval
src/lib/libutil/auth.3:         .Fn auth_getval .
src/lib/libutil/auth.c:         auth_getval(const char *name)
src/lib/libutil/auth.conf.5:    .Xr auth_getval 3
src/lib/libutil/libutil.h:      char *auth_getval __P((const char *name));
src/lib/libutil/property.3:     .Xr auth_getval 3
src/usr.bin/passwd/passwd.c:    k = auth_getval("auth_list");
src/usr.bin/rlogin/rlogin.c:    k = auth_getval("auth_list");
src/usr.bin/rsh/rsh.c:          k = auth_getval("auth_list");
src/usr.bin/su/su.c:            k = auth_getval("auth_list");
des@des ~% current auth_default
src/etc/auth.conf:              # auth_default = des

That's it. No reference to auth_default outside of auth.conf.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 16 1:21:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 2C4A2156BA for ; Wed, 16 Jun 1999 01:21:09 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (jkh@localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id BAA06859; Wed, 16 Jun 1999 01:21:11 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: Dag-Erling Smorgrav
Cc: Kris Kennaway , Evren Yurtesen , Holtor , freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
In-reply-to: Your message of "16 Jun 1999 10:12:53 +0200."
Date: Wed, 16 Jun 1999 01:21:10 -0700
Message-ID: <6855.929521270@zippy.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hmmm. Well, it was certainly *meant* to happen at some point. Does that count? :-)

I guess we got less far with this than I thought. No big loss.

- Jordan

> "Jordan K. Hubbard" writes:
> > It still works, though a login.conf based scheme would certainly
> > eliminate an extra file. Go for it. :)
>
> Umm, actually, the part that matters in auth.conf (auth_default, which
> sets the default password hashing scheme) isn't used:
>
> des@des ~% current auth_getval
> src/bin/rcp/rcp.c:              k = auth_getval("auth_list");
> src/lib/libutil/Makefile:       MLINKS+= auth.3 auth_getval.3
> src/lib/libutil/auth.3:         .Dt auth_getval 3
> src/lib/libutil/auth.3:         .Nm auth_getval
> src/lib/libutil/auth.3:         .Fn auth_getval "const char *name"
> src/lib/libutil/auth.3:         .Fn auth_getval
> src/lib/libutil/auth.3:         .Fn auth_getval .
> src/lib/libutil/auth.c:         auth_getval(const char *name)
> src/lib/libutil/auth.conf.5:    .Xr auth_getval 3
> src/lib/libutil/libutil.h:      char *auth_getval __P((const char *name));
> src/lib/libutil/property.3:     .Xr auth_getval 3
> src/usr.bin/passwd/passwd.c:    k = auth_getval("auth_list");
> src/usr.bin/rlogin/rlogin.c:    k = auth_getval("auth_list");
> src/usr.bin/rsh/rsh.c:          k = auth_getval("auth_list");
> src/usr.bin/su/su.c:            k = auth_getval("auth_list");
> des@des ~% current auth_default
> src/etc/auth.conf:              # auth_default = des
>
> That's it. No reference to auth_default outside of auth.conf.
>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 16 2:42: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (Postfix) with SMTP id E668915616 for ; Wed, 16 Jun 1999 02:41:57 -0700 (PDT) (envelope-from barrett@phoenix.aye.net)
Received: (qmail 20265 invoked by uid 1000); 16 Jun 1999 09:41:23 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Jun 1999 09:41:23 -0000
Date: Wed, 16 Jun 1999 05:41:23 -0400 (EDT)
From: Barrett Richardson
To: Dag-Erling Smorgrav
Cc: Unknow User , security@FreeBSD.ORG
Subject: Re: some nice advice....
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 16 Jun 1999, Dag-Erling Smorgrav wrote:

> Unknow User writes:
> > Do I really need to have bpf? I don't enjoy such a device in my kernel,
> > but there are some security tools that don't run without it. Should I build
> > a kernel with bpf enabled or give up using the tool!
>
> Why don't you want BPF in your kernel? It is extremely useful, and has
> a minimal impact on performance when it's not in use. As long as you
> make sure the permissions on the device node are right (so regular
> users can't gain access to BPF), it's not even a security risk.
>

It can be some risk. If a machine with bpf enabled gets compromised the attacker can use it as a network sniffer.

> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no
>

From owner-freebsd-security Wed Jun 16 3: 0:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2-rme.xtra.co.nz (unknown [203.96.92.3]) by hub.freebsd.org (Postfix) with ESMTP id 9EB2C14C59 for ; Wed, 16 Jun 1999 03:00:20 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.152.36]) by mta2-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990616100254.GZCQ311284.mta2-rme@wocker>; Wed, 16 Jun 1999 22:02:54 +1200
From: "Dan Langille"
Organization: The FreeBSD Diary
To: Dag-Erling Smorgrav
Date: Wed, 16 Jun 1999 22:00:18 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: named timeouts
Reply-To: junkmale@xtra.co.nz
Cc: security@FreeBSD.ORG, Mike Nowlin
References: "Dan Langille"'s message of "Wed, 16 Jun 1999 07:45:31 +1200"
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990616100254.GZCQ311284.mta2-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 16 Jun 99, at 9:57, Dag-Erling Smorgrav wrote:

> "Dan Langille" writes:
> > On my main machine, which is also running named, the daily security
> > check always has lots of these types of entries. Typically there are
> > about 50 a day. I think it's because a dns request has been started,
> > but by the time the reply arrives, the firewall has terminated that port
> > connection (I'm running ipfilter).
>
> No, I don't think these messages come from named. I think they're log
> messages from ipfilter telling you you didn't set up your firewall
> correctly. You should have rules permitting all UDP traffic to and *from*
> port 53. Actually, you should have a rule permitting all traffic across
> lo0 no matter what.

Well, I just checked:

# ipfstat -hio | grep lo0
566 pass out quick on lo0 from any to any
1132 pass in quick on lo0 from any to any

And verified via:

# grep lo0 /etc/ipfrules
pass in quick on lo0 all
pass out quick on lo0 all

Looks to me like they are allowed. These messages aren't from ipfilter. I believe they are from my kernel.log.
I apologise for not pointing that out in the first place:

$ tail kernel.log
Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53
Jun 16 10:46:43 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1598
Jun 16 11:32:39 ns /kernel: Connection attempt to UDP 127.0.0.1:1704 from 127.0.0.1:53
Jun 16 12:37:18 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1872
Jun 16 13:22:40 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2026
Jun 16 17:29:47 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2521
Jun 16 18:45:20 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2730
Jun 16 21:12:36 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:3029
Jun 16 21:17:48 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:3138

does this make things any clearer?

--
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm

From owner-freebsd-security Wed Jun 16 3:20:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from buddy.sovlink.ru (buddy.sovlink.ru [194.186.12.9]) by hub.freebsd.org (Postfix) with ESMTP id F2FD314EE2 for ; Wed, 16 Jun 1999 03:20:38 -0700 (PDT) (envelope-from alla@sovlink.ru)
Received: from sovlink.ru (punk.sovlink.ru [194.186.12.133]) by buddy.sovlink.ru (8.9.1/8.9.1) with ESMTP id OAA01201; Wed, 16 Jun 1999 14:28:08 +0400 (MSD)
Message-ID: <37677A12.D26816C3@sovlink.ru>
Date: Wed, 16 Jun 1999 14:18:58 +0400
From: Alla Bezroutchko
X-Mailer: Mozilla 4.51 [en] (WinNT; I)
X-Accept-Language: ru,en
MIME-Version: 1.0
To: Barrett Richardson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
References:
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Barrett Richardson wrote:
> On Tue, 15 Jun 1999, Juergen Nickelsen wrote:
> > David Shaw wrote on freebsd-security:
> > > It's true that the NT Administrator can't read files that he doesn't
> > > have permission for, but since Administrator controls the ACLs, if he
> > > can't read something, he can trivially just change the permissions and
> > > give himself access!
> > He can't without taking over the ownership of the file, i. e. he can,
> > but the original owner can tell afterwards.
> Out of curiosity, can the owner's files be backed up via tape or some
> other means? If so, couldn't an admin achieve the same access via an
> API or some other mechanism?

Yes they can. There is a system wide user right called "Back up files and directories". That means that a user account that has been granted this right can circumvent permissions using some API call. Supposedly ntbackup uses this feature, but it looks like it is broken (I was unable to use it properly).
--
Alla Bezroutchko
Sovlink LLC
Systems Administrator
Moscow, Russia

From owner-freebsd-security Wed Jun 16 3:59:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id B413714CBB for ; Wed, 16 Jun 1999 03:59:56 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id MAA81346; Wed, 16 Jun 1999 12:59:38 +0200 (CEST) (envelope-from des)
To: junkmale@xtra.co.nz
Cc: Dag-Erling Smorgrav , security@FreeBSD.ORG, Mike Nowlin
Subject: Re: named timeouts
References: "Dan Langille"'s message of "Wed, 16 Jun 1999 07:45:31 +1200" <19990616100254.GZCQ311284.mta2-rme@wocker>
From: Dag-Erling Smorgrav
Date: 16 Jun 1999 12:59:38 +0200
In-Reply-To: "Dan Langille"'s message of "Wed, 16 Jun 1999 22:00:18 +1200"
Message-ID:
Lines: 16
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Dan Langille" writes:
> These messages aren't from ipfilter. I believe they are from my
> kernel.log. I apologise for not pointing that out in the first place:
>
> $ tail kernel.log
> Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
> Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53

Ah, these are log_in_vain messages. What they mean is that named isn't listening on 127.0.0.1. You need to add localhost or localnets to the allow-query clause in named.conf (either in the options section or in each zone).

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 16 4:12:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from metis.host4u.net (metis.host4u.net [209.150.128.22]) by hub.freebsd.org (Postfix) with ESMTP id 25EDF14D09 for ; Wed, 16 Jun 1999 04:12:35 -0700 (PDT) (envelope-from dan.langille@dvl-software.com)
Received: from wocker (210-55-152-36.ipnets.xtra.co.nz [210.55.152.36]) by metis.host4u.net (8.8.5/8.8.5) with SMTP id GAA26982; Wed, 16 Jun 1999 06:12:00 -0500
Message-Id: <199906161112.GAA26982@metis.host4u.net>
From: "Dan Langille"
Organization: DVL Software Limited
To: Dag-Erling Smorgrav
Date: Wed, 16 Jun 1999 23:12:21 +1200
Subject: Re: named timeouts
Reply-To: dan.langille@dvl-software.com
Cc: security@FreeBSD.ORG, Mike Nowlin
References: "Dan Langille"'s message of "Wed, 16 Jun 1999 22:00:18 +1200"
X-mailer: Pegasus Mail for Win32 (v3.01d)

On 16 Jun 99, at 12:59, Dag-Erling Smorgrav wrote:

> "Dan Langille" writes:
> > These messages aren't from ipfilter. I believe they are from my
> > kernel.log. I apologise for not pointing that out in the first place:
> >
> > $ tail kernel.log
> > Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
> > Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53
>
> Ah, these are log_in_vain messages. What they mean is that named isn't
> listening on 127.0.0.1. You need to add localhost or localnets to the
> allow-query clause in named.conf (either in the options section or in
> each zone).

This is sounding better. I just checked named.conf. At present, I don't
have any allow-query statements. According to p250 of DNS and BIND, I
could just add the following:

options {
        allow-query { 127.0.0.1/32; };
};

But would that prevent everyone else from getting in?
--
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm

From owner-freebsd-security Wed Jun 16 4:17:44 1999
To: dan.langille@dvl-software.com
Cc: Dag-Erling Smorgrav , security@FreeBSD.ORG, Mike Nowlin
Subject: Re: named timeouts
In-reply-to: Your message of "Wed, 16 Jun 1999 23:12:21 +1200." <199906161112.GAA26982@metis.host4u.net>
Date: Wed, 16 Jun 1999 13:17:01 +0200
Message-ID: <10181.929531821@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <199906161112.GAA26982@metis.host4u.net>, "Dan Langille" writes:

>> > $ tail kernel.log
>> > Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
>> > Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53
>>
>> Ah, these are log_in_vain messages. What they mean is that named isn't
>> listening on 127.0.0.1. You need to add localhost or localnets to the
>> allow-query clause in named.conf (either in the options section or in
>> each zone).

Actually it doesn't, it means that the client closed his socket before
named got to answer...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Wed Jun 16 4:21:42 1999
Message-ID: <51980C349B51D21196A10060087D04073A654F@cleopatra.softec.sk>
From: "Uhrinova, Viera"
To: freebsd-security@freebsd.org
Subject:
Date: Wed, 16 Jun 1999 13:24:47 +0200
X-Mailer: Internet Mail Service (5.5.1960.3)

auth 8a3ee831 unsubscribe freebsd-security viera@softec.sk

From owner-freebsd-security Wed Jun 16 4:27:49 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
To: security@FreeBSD.ORG
Date: Wed, 16 Jun 1999 23:27:43 +1200
Subject: Re: named timeouts
Reply-To: junkmale@xtra.co.nz
Cc: Dag-Erling Smorgrav , Poul-Henning Kamp
References: Your message of "Wed, 16 Jun 1999 23:12:21 +1200." <199906161112.GAA26982@metis.host4u.net>
In-reply-to: <10181.929531821@critter.freebsd.dk>
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990616113019.HOKO311284.mta2-rme@wocker>

On 16 Jun 99, at 13:17, Poul-Henning Kamp wrote:

> In message <199906161112.GAA26982@metis.host4u.net>, "Dan Langille"
> writes:
>
> >> > $ tail kernel.log
> >> > Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
> >> > Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53
> >>
> >> Ah, these are log_in_vain messages. What they mean is that named isn't
> >> listening on 127.0.0.1. You need to add localhost or localnets to the
> >> allow-query clause in named.conf (either in the options section or in
> >> each zone).
>
> Actually it doesn't, it means that the client closed his socket before
> named got to answer...

OK. Now we're back to my initial theory. How do I increase the time the
client keeps the socket open? Or is that something possible to configure?
--
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm

From owner-freebsd-security Wed Jun 16 4:41:56 1999
To: junkmale@xtra.co.nz
Cc: security@FreeBSD.ORG, Dag-Erling Smorgrav
Subject: Re: named timeouts
In-reply-to: Your message of "Wed, 16 Jun 1999 23:27:43 +1200." <19990616113019.HOKO311284.mta2-rme@wocker>
Date: Wed, 16 Jun 1999 13:41:40 +0200
Message-ID: <10262.929533300@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <19990616113019.HOKO311284.mta2-rme@wocker>, "Dan Langille" writes:
>On 16 Jun 99, at 13:17, Poul-Henning Kamp wrote:
>> Actually it doesn't, it means that the client closed his socket before
>> named got to answer...
>
>OK. Now we're back to my initial theory. How do I increase the time the
>client keeps the socket open? Or is that something possible to configure?

My guess is that the following happens:

    Client                                  Named

    create socket
    send request------------------------->  search through the entire world
                                            for answer, this takes
    send request------------------------->  quite some time, in fact very
                                            long time before we find the
                                            answer and
    receive answer<-----------------------  respond
    close socket
                                            handle next request (from cache)
    log_in_vain...<-----------------------  respond

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Wed Jun 16 4:59:54 1999
To: Poul-Henning Kamp
Cc: dan.langille@dvl-software.com, Dag-Erling Smorgrav , security@FreeBSD.ORG, Mike Nowlin
Subject: Re: named timeouts
References: <10181.929531821@critter.freebsd.dk>
From: Dag-Erling Smorgrav
Date: 16 Jun 1999 13:56:42 +0200
In-Reply-To: Poul-Henning Kamp's message of "Wed, 16 Jun 1999 13:17:01 +0200"
X-Mailer: Gnus v5.5/Emacs 19.34

Poul-Henning Kamp writes:
> > > > Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
> > > > Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53
> > > Ah, these are log_in_vain messages. What they mean is that named isn't
> > > listening on 127.0.0.1. You need to add localhost or localnets to the
> > > allow-query clause in named.conf (either in the options section or in
> > > each zone).
> Actually it doesn't, it means that the client closed his socket before
> named got to answer...

Doh! I inverted 'to' and 'from' in my head. Am I the only one to
expect 'from' to come before 'to'?

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 16 5:45:24 1999
Message-ID: <376771EF.5A3B620B@tdnet.com.br>
Date: Wed, 16 Jun 1999 09:44:15 +0000
From: Unknow User
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
To: security@freebsd.org
Subject: The complete FreeBSD

Maybe this question is not related to security, but where can I
download (if possible) this great book?

--
"The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD."

From owner-freebsd-security Wed Jun 16 5:52:44 1999
Date: Wed, 16 Jun 1999 08:50:41 -0400 (EDT)
From: Bill Fumerola
To: Dag-Erling Smorgrav
Cc: Poul-Henning Kamp , dan.langille@dvl-software.com, security@FreeBSD.ORG, Mike Nowlin
Subject: Re: named timeouts

On 16 Jun 1999, Dag-Erling Smorgrav wrote:

> Doh! I inverted 'to' and 'from' in my head. Am I the only one to
> expect 'from' to come before 'to'?

I expect it this way too, just like PR reports...

'State-Changed: Open->Closed'

From->To just makes sense.

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Wed Jun 16 5:54: 7 1999
To: Dag-Erling Smorgrav
Cc: dan.langille@dvl-software.com, security@FreeBSD.ORG, Mike Nowlin
Subject: Re: named timeouts
In-reply-to: Your message of "16 Jun 1999 13:56:42 +0200."
Date: Wed, 16 Jun 1999 14:53:06 +0200
Message-ID: <10509.929537586@critter.freebsd.dk>
From: Poul-Henning Kamp

In message , Dag-Erling Smorgrav writes:
>> Actually it doesn't, it means that the client closed his socket before
>> named got to answer...
>
>Doh! I inverted 'to' and 'from' in my head. Am I the only one to
>expect 'from' to come before 'to'?

AHA!!! You never owned a HP calculator! Clearly a math weenie with
a TI style "just type it as it is written" attitude :-)

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Wed Jun 16 5:57:53 1999
Date: Wed, 16 Jun 1999 13:57:38 +0100
From: Josef Karthauser
To: Unknow User
Cc: security@FreeBSD.ORG
Subject: Re: The complete FreeBSD
Message-ID: <19990616135738.F29934@pavilion.net>
References: <376771EF.5A3B620B@tdnet.com.br>
X-Mailer: Mutt 0.95.4i
In-Reply-To: <376771EF.5A3B620B@tdnet.com.br>; from Unknow User on Wed, Jun 16, 1999 at 09:44:15AM +0000
Organisation: Pavilion Internet plc, 24 The Old Steine, Brighton, BN1 1EL, England

On Wed, Jun 16, 1999 at 09:44:15AM +0000, Unknow User wrote:
> Maybe this question is not related to security, but where can I
> download (if possible) this great book?

I believe that it is buy only. You can get it from www.cdrom.com.

It's worth buying - bear in mind that whilst you pay for the book, the
FreeBSD community gives loads of free support and the operating system
is free also. :)

Joe
--
Josef Karthauser        FreeBSD: How many times have you booted today?
Technical Manager       Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.  [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Wed Jun 16 6: 1:31 1999
Date: Wed, 16 Jun 1999 09:00:48 -0400 (EDT)
From: Bill Fumerola
To: Poul-Henning Kamp
Cc: Dag-Erling Smorgrav , dan.langille@dvl-software.com, security@FreeBSD.ORG, Mike Nowlin
Subject: Re: named timeouts
In-Reply-To: <10509.929537586@critter.freebsd.dk>

On Wed, 16 Jun 1999, Poul-Henning Kamp wrote:

> AHA!!! You never owned a HP calculator! Clearly a math weenie with
> a TI style "just type it as it is written" attitude :-)

There is a constant TI-8x vs. HP-48 battle at my office. It's fun to watch
the people who are used to HP-48s try and work the Windows Calculator.

- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Wed Jun 16 6: 5:44 1999
To: Bill Fumerola
Cc: Dag-Erling Smorgrav , dan.langille@dvl-software.com, security@FreeBSD.ORG, Mike Nowlin
Subject: Re: named timeouts
In-reply-to: Your message of "Wed, 16 Jun 1999 09:00:48 EDT."
Date: Wed, 16 Jun 1999 15:04:24 +0200
Message-ID: <10638.929538264@critter.freebsd.dk>
From: Poul-Henning Kamp

In message , Bill Fumerola writes:
>On Wed, 16 Jun 1999, Poul-Henning Kamp wrote:
>
>> AHA!!! You never owned a HP calculator! Clearly a math weenie with
>> a TI style "just type it as it is written" attitude :-)
>
>There is a constant TI-8x vs. HP-48 battle at my office. It's fun to watch
>the people who are used to HP-48s try and work the Windows Calculator.

One of my old friends is a teacher. He got annoyed when the kids would
borrow his calculator all the time, so I gave him my old HP15. He told
me it only took about two days for the rumour to run through the school
that he "was so good at math that his calculator didn't have an equal
sign on it!"

:-)

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Wed Jun 16 6: 8:38 1999
Message-Id: <199906161308.KAA09820@ns1.sminter.com.ar>
Subject: Re: The complete FreeBSD
In-Reply-To: <376771EF.5A3B620B@tdnet.com.br> from Unknow User at "Jun 16, 99 09:44:15 am"
To: kernel@tdnet.com.br (Unknow User)
Date: Wed, 16 Jun 1999 10:08:55 -0300 (GMT)
Cc: security@FreeBSD.ORG
From: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]

In an earlier message, Unknow User wrote:
> Maybe this question is not related to security, but where can I
> download (if possible) this great book?

Isn't it included on the CD-ROM (on / I think)?

Regards.

Fernando P. Schapachnik
Network administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4th and 5th floor.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

From owner-freebsd-security Wed Jun 16 6:31: 0 1999
To: Poul-Henning Kamp
Cc: Dag-Erling Smorgrav , dan.langille@dvl-software.com, security@FreeBSD.ORG, Mike Nowlin
Subject: Re: named timeouts
References: <10509.929537586@critter.freebsd.dk>
From: Dag-Erling Smorgrav
Date: 16 Jun 1999 15:27:48 +0200
In-Reply-To: Poul-Henning Kamp's message of "Wed, 16 Jun 1999 14:53:06 +0200"
X-Mailer: Gnus v5.5/Emacs 19.34

Poul-Henning Kamp writes:
> In message , Dag-Erling Smorgrav writes:
> > > Actually it doesn't, it means that the client closed his socket before
> > > named got to answer...
> > Doh! I inverted 'to' and 'from' in my head. Am I the only one to
> > expect 'from' to come before 'to'?
> AHA!!! You never owned a HP calculator! Clearly a math weenie with
> a TI style "just type it as it is written" attitude :-)

Wrong :) I have an HP20S and an HP48G. I had a TI53 a long time ago,
though.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 16 7:12:48 1999
Date: Wed, 16 Jun 1999 09:42:24 -0400 (EDT)
From: Stuart Krivis
To: Unknow User
Cc: security@FreeBSD.ORG
Subject: Re: The complete FreeBSD
In-Reply-To: <376771EF.5A3B620B@tdnet.com.br>

On Wed, 16 Jun 1999, Unknow User wrote:

> Maybe this question is not related to security, but where can I
> download (if possible) this great book?

It's not free. But I highly recommend buying a copy. :-)

I got mine from www.bookpool.com

--
Stuart Krivis stuart@krivis.com
Fourth law of programming: Anything that can go wrong wi
sendmail: segmentation violation - core dumped

From owner-freebsd-security Wed Jun 16 7:35:24 1999
To: Fernando Schapachnik
Cc: kernel@tdnet.com.br (Unknow User), security@FreeBSD.ORG
Subject: Re: The complete FreeBSD
References: <199906161308.KAA09820@ns1.sminter.com.ar>
From: Dag-Erling Smorgrav
Date: 16 Jun 1999 16:33:37 +0200
In-Reply-To: Fernando Schapachnik's message of "Wed, 16 Jun 1999 10:08:55 -0300 (GMT)"
X-Mailer: Gnus v5.5/Emacs 19.34

Fernando Schapachnik writes:
> In an earlier message, Unknow User wrote:
> > Maybe this question is not related to security, but where can I
> > download (if possible) this great book?
> Isn't it included on the CD-ROM (on / I think)?

Only on the CD-ROM set that comes with the book.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Wed Jun 16 8:24:42 1999
Message-ID: <3767C100.FC79A42D@ispro.net.tr>
Date: Wed, 16 Jun 1999 18:21:37 +0300
From: Evren Yurtesen
X-Mailer: Mozilla 4.51 [en] (Win98; I)
To: sthaug@nethelp.no
Cc: phk@critter.freebsd.dk, freebsd-security@FreeBSD.ORG
Subject: Re: DES & MD5?
References: <6934.929467418@critter.freebsd.dk> <75695.929469477@verdi.nethelp.no>

If you do not link libcrypt to libdescrypt you would get MD5 passwords
for the new users,

Evren

sthaug@nethelp.no wrote:
> > I believe it works that way, but not the other way around, unless you
> > have the DES kit installed.
> >
> > In message , Barrett Richardson writes:
> > >
> > >
> > >Some of my colleagues here claimed they dropped an MD5 master.passwd
> > >file onto a machine on which a DES master.passwd had previously been
> > >and they said it worked. I didn't believe them at the time.
>
> I have a machine with mixed MD5/DES passwords, and it works just fine.
> (Yes, libcrypt is a symlink to libdescrypt.)
>
> Unfortunately new users get DES passwords.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Wed Jun 16 9:38:32 1999
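For the mixed DES/MD5 master.passwd situation Steinar and Evren describe above, the following is an added example (not code from the thread or from FreeBSD) that reports which accounts still carry a 13-character DES crypt hash after libcrypt has been repointed so that new passwords come out as MD5. The master.passwd contents, including every hash, are constructed; the classification only looks at the form of the password field, as crypt(3) does when choosing an algorithm.

```python
import re
from typing import Dict, List, NamedTuple

# FreeBSD master.passwd has ten colon-separated fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
class Account(NamedTuple):
    name: str
    pw_hash: str
    uid: int
    shell: str

# Traditional DES crypt(3): 2-character salt + 11 characters, all from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def hash_kind(pw_hash: str) -> str:
    """Classify a password field by its shape: 'md5' ($1$ prefix), 'des'
    (13-character traditional crypt), 'locked' (* prefix), 'empty' or 'unknown'."""
    if pw_hash == "":
        return "empty"
    if pw_hash.startswith("$1$"):
        return "md5"
    if pw_hash.startswith("*"):
        return "locked"
    if DES_RE.match(pw_hash):
        return "des"
    return "unknown"


def parse_master_passwd(text: str) -> List[Account]:
    """Parse master.passwd text; comments and blank lines are skipped, a
    line with the wrong field count raises rather than being silently dropped."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        accounts.append(Account(fields[0], fields[1], int(fields[2]), fields[9]))
    return accounts


def audit(text: str) -> Dict[str, List[str]]:
    """Group account names by hash kind so the admin can see who is still on DES."""
    report: Dict[str, List[str]] = {}
    for acct in parse_master_passwd(text):
        report.setdefault(hash_kind(acct.pw_hash), []).append(acct.name)
    return report


# Constructed sample file; the hashes are placeholders of the right shape, not
# real password hashes.
SAMPLE_MASTER_PASSWD = """\
# $Id$ constructed sample, not a real master.passwd
root:$1$saltsalt$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
olduser:abJnggxhB/yWI:1001:1001::0:0:Old User:/home/olduser:/bin/sh
newuser:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:1002:1002::0:0:New User:/home/newuser:/bin/sh
"""

if __name__ == "__main__":
    for kind, names in sorted(audit(SAMPLE_MASTER_PASSWD).items()):
        print(f"{kind:8s} {', '.join(names)}")
```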
From: "Rodney W. Grimes"
Message-Id: <199906161628.JAA57891@gndrsh.aac.dev.com>
Subject: Re: named timeouts
In-Reply-To: from Dag-Erling Smorgrav at "Jun 16, 1999 01:56:42 pm"
To: des@flood.ping.uio.no (Dag-Erling Smorgrav)
Date: Wed, 16 Jun 1999 16:28:20 +0000 (GMT)
Cc: phk@critter.freebsd.dk (Poul-Henning Kamp), dan.langille@dvl-software.com, security@FreeBSD.ORG, mike@argos.org (Mike Nowlin)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]

> Poul-Henning Kamp writes:
> > > > > Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
> > > > > Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53
> > > > Ah, these are log_in_vain messages. What they mean is that named isn't
> > > > listening on 127.0.0.1. You need to add localhost or localnets to the
> > > > allow-query clause in named.conf (either in the options section or in
> > > > each zone).
> > Actually it doesn't, it means that the client closed his socket before
> > named got to answer...
>
> Doh! I inverted 'to' and 'from' in my head. Am I the only one to
> expect 'from' to come before 'to'?

No, in fact I meant to ask that this be changed a long time ago, but I
ended up turning off log_in_vain messages so I forgot to ever get it
fixed. Could someone please make the necessary commits to -current and
-stable...
--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Wed Jun 16 12:11: 6 1999
Message-Id: <199906161911.NAA00908@harmony.village.org>
To: junkmale@xtra.co.nz
Subject: Re: named timeouts
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 16 Jun 1999 07:45:31 +1200." <19990615194828.ZOVN93999.mta1-rme@wocker>
References: <19990615194828.ZOVN93999.mta1-rme@wocker>
Date: Wed, 16 Jun 1999 13:11:01 -0600
From: Warner Losh

In message <19990615194828.ZOVN93999.mta1-rme@wocker> "Dan Langille" writes:
: On my main machine, which is also running named, the daily security check
: always has lots of these types of entries. Typically there are about 50 a
: day. I think it's because a dns request has been started, but by the time
: the reply arrives, the firewall has terminated that port connection (I'm
: running ipfilter).

I've seen similar messages, and I'm not running ipfilter. These are
caused by answers arriving after the DNS client has timed out. I just
ignore the 20 or so I get each day.

Warner

From owner-freebsd-security Wed Jun 16 12:13: 4 1999
Message-Id: <199906161912.NAA00921@harmony.village.org>
To: "Jan B. Koum "
Subject: Re: reading files.
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 15 Jun 1999 20:41:32 PDT." <19990615204132.C22999@best.com>
References: <19990615204132.C22999@best.com>
Date: Wed, 16 Jun 1999 13:12:55 -0600
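Poul-Henning's timeline earlier in the thread (a reply from named arriving at an ephemeral port the resolver has already closed) and Warner's note above that he simply ignores the twenty or so such lines a day suggest a triage step rather than blanket ignoring. The following Python is an added example, not code from the thread or from FreeBSD: it parses log_in_vain kernel lines, labels the ones that fit the late-DNS-reply pattern for a known set of resolvers, and leaves everything else for a human to look at. The two 127.0.0.1 lines are the ones Dan posted; the other sample lines and the resolver set are constructed, using RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from typing import Counter as CounterT, FrozenSet, Iterable, List, NamedTuple, Optional, Tuple

# Shape of a FreeBSD log_in_vain kernel message.  Note the order: "to <dst> from <src>",
# the very thing DES tripped over earlier in the thread.
#   Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
LOG_IN_VAIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"from (?P<src_ip>[\d.]+):(?P<src_port>\d+)\s*$"
)


class InVain(NamedTuple):
    ts: str
    host: str
    proto: str
    dst_ip: str
    dst_port: int
    src_ip: str
    src_port: int


def parse_line(line: str) -> Optional[InVain]:
    """Return the parsed event, or None for lines that are not log_in_vain messages."""
    m = LOG_IN_VAIN_RE.match(line)
    if not m:
        return None
    return InVain(m["ts"], m["host"], m["proto"], m["dst_ip"], int(m["dst_port"]),
                  m["src_ip"], int(m["src_port"]))


def classify(ev: InVain, resolvers: FrozenSet[str]) -> str:
    """Label one event.  'late-dns-reply' is the benign case from the thread: a UDP
    datagram from port 53 of a resolver this host actually queries, aimed at an
    ephemeral port the resolver library has already closed.  Anything else is
    only labelled by where it was aimed; no claim is made about intent."""
    if (ev.proto == "UDP" and ev.src_port == 53
            and ev.src_ip in resolvers and ev.dst_port >= 1024):
        return "late-dns-reply"
    if ev.dst_port < 1024:
        return "unsolicited-to-service-port"
    return "unsolicited-to-ephemeral-port"


def triage(lines: Iterable[str],
           resolvers: FrozenSet[str]) -> Tuple[CounterT[str], List[Tuple[str, InVain]]]:
    """Count each label and return (counts, events that still deserve a look)."""
    counts: CounterT[str] = Counter()
    review: List[Tuple[str, InVain]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            counts["unparsed"] += 1
            continue
        label = classify(ev, resolvers)
        counts[label] += 1
        if label != "late-dns-reply":
            review.append((label, ev))
    return counts, review


# Constructed sample log: Dan's two lines, one late reply from an external resolver,
# one TCP attempt at a service port, and one unrelated line that must not match.
SAMPLE_LOG = """\
Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53
Jun 16 09:18:10 ns /kernel: Connection attempt to UDP 192.0.2.10:2047 from 192.0.2.53:53
Jun 16 09:19:33 ns /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40123
Jun 16 09:19:34 ns sshd[123]: some unrelated line
""".splitlines()

# Resolvers this host is configured to ask (constructed).  127.0.0.1 is included
# because, as in the thread, named runs on the same box.
RESOLVERS = frozenset({"127.0.0.1", "192.0.2.53"})

if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG, RESOLVERS)
    print(dict(counts))
    for label, ev in review:
        print(f"{label}: {ev.ts} {ev.proto} {ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port}")
```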
From: Warner Losh

In message <19990615204132.C22999@best.com> "Jan B. Koum " writes:
: To make the story short: if you don't trust the machine, don't
: log into it. Period. End of story. Paranoia never ends..

Steve Wahl's law of anti-paranoia: Just because you aren't paranoid
doesn't mean that the whole world isn't out to get you...

Warner

From owner-freebsd-security Wed Jun 16 12:18:13 1999
Message-Id: <199906161918.NAA01012@harmony.village.org>
To: Barrett Richardson
Subject: Re: some nice advice....
Cc: Unknow User , security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 16 Jun 1999 05:41:23 EDT."
Date: Wed, 16 Jun 1999 13:18:03 -0600
From: Warner Losh

In message Barrett Richardson writes:
: [bpf] can be some risk. If a machine with bpf enabled gets compromised
: the attacker can use it as a network sniffer.

That's the biggest reason that I do not enable it on most of my
machines if I can at all help it.

However, one could argue that if a machine gets compromised, then an
attacker could, on the next reboot, cause arbitrary code to run via
the rc mechanism.... This 'hole' is hard to plug, but is pluggable if
you are running with an elevated secure level...

Warner

From owner-freebsd-security Wed Jun 16 12:21: 7 1999
Message-Id: <199906161920.NAA01054@harmony.village.org>
To: Dag-Erling Smorgrav
Subject: Re: named timeouts
Cc: junkmale@xtra.co.nz, security@FreeBSD.ORG, Mike Nowlin
In-reply-to: Your message of "16 Jun 1999 12:59:38 +0200."
Date: Wed, 16 Jun 1999 13:20:52 -0600
From: Warner Losh

In message Dag-Erling Smorgrav writes:
: Ah, these are log_in_vain messages. What they mean is that named isn't
: listening on 127.0.0.1. You need to add localhost or localnets to the
: allow-query clause in named.conf (either in the options section or in
: each zone).

This is not necessarily correct. I have log_in_vain set on my machine
and I get them sometimes. I've been able to recreate this problem by
looking up a previously unknown DNS entry. This causes a query to go
out to the big bad internet. In the meanwhile, the DNS client times
out and closes the socket it was listening for its answer on. A short
time later, the answer comes back. The packet is tossed and logged.
When the client and server are the same machine, this can cause
confusion.

Warner

From owner-freebsd-security Wed Jun 16 12:23: 5 1999
Message-Id: <199906161922.NAA01067@harmony.village.org>
To: Poul-Henning Kamp
Subject: Re: named timeouts
Cc: dan.langille@dvl-software.com, Dag-Erling Smorgrav , security@FreeBSD.ORG, Mike Nowlin
In-reply-to: Your message of "Wed, 16 Jun 1999 13:17:01 +0200."
  <10181.929531821@critter.freebsd.dk>
Date: Wed, 16 Jun 1999 13:22:39 -0600
From: Warner Losh

In message <10181.929531821@critter.freebsd.dk> Poul-Henning Kamp writes:
: Actually it doesn't, it means that the client closed his socket before
: named got to answer...

Yes. These messages have nothing to do with the name SERVER, but
rather the name CLIENT. I get them on the machine I'm typing on all
the time (10-30 per day) and it isn't even running a name server.

Warner

From owner-freebsd-security Wed Jun 16 12:33:23 1999
Message-Id: <199906161933.NAA01189@harmony.village.org>
To: Poul-Henning Kamp
Subject: Re: named timeouts
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 16 Jun 1999 13:41:40 +0200." <10262.929533300@critter.freebsd.dk>
Date: Wed, 16 Jun 1999 13:33:17 -0600
From: Warner Losh

In message <10262.929533300@critter.freebsd.dk> Poul-Henning Kamp writes:
: My guess is that the following happens:

I don't think it is even that complex. I was able to recreate it just
now. First the packet trace:

13:28:45.613210 harmony.4302 > rover.domain: 29085+ A? slow.com. (26)
13:28:45.952766 rover.domain > harmony.4302: 29085* 1/2/2 (117)
13:28:45.952997 harmony > rover: icmp: harmony. udp port 4302 unreachable

And in my /var/log/messages (slightly edited)

13:28:45 harmony /k: Connection attempt to UDP 10.0.0.6:4302 from 10.0.0.1:53

And in another X term:

% nslookup
Default Server: rover
Address: 10.0.0.1

> slow.com
Server: rover.village.org
Address: 10.0.0.1

^C # Typed quickly
>

There weren't multiple packets involved, just that the listening
socket closed before the answer came back...

Warner
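The following Python script is an added example, not part of Warner's message or of the FreeBSD tree: it turns his explanation into a triage check that reads a tcpdump trace and /var/log/messages, pairs the DNS query with its late answer by DNS id, confirms the ICMP port unreachable, and marks the log_in_vain entry as a stale-resolver artefact rather than an unexplained probe. The sample trace and log lines are constructed copies of his (the syslog tag written out as /kernel, plus one invented non-DNS line for contrast); the function names and the 1024 ephemeral-port floor are this example's own assumptions.

```python
"""Triage FreeBSD log_in_vain 'Connection attempt' lines against a tcpdump trace.

Heuristic from the thread: a UDP entry whose *source* port is 53 and whose
destination is an unprivileged (ephemeral) port is almost always a DNS answer
that arrived after the resolver gave up and closed its socket. With a packet
trace at hand, the DNS id and the ICMP port-unreachable confirm it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, modelled on Warner Losh's trace and syslog line
# (the second syslog line is invented to show a non-DNS entry for contrast).
TRACE = """\
13:28:45.613210 harmony.4302 > rover.domain: 29085+ A? slow.com. (26)
13:28:45.952766 rover.domain > harmony.4302: 29085* 1/2/2 (117)
13:28:45.952997 harmony > rover: icmp: harmony. udp port 4302 unreachable
"""
MESSAGES = """\
Jun 16 13:28:45 harmony /kernel: Connection attempt to UDP 10.0.0.6:4302 from 10.0.0.1:53
Jun 16 13:30:02 harmony /kernel: Connection attempt to UDP 10.0.0.6:111 from 10.0.0.9:40123
"""

QUERY_RE = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.domain: (\d+)\+ ")
REPLY_RE = re.compile(r"^(\S+) (\S+)\.domain > (\S+)\.(\d+): (\d+)\*? ")
ICMP_RE = re.compile(r"^(\S+) \S+ > \S+: icmp: \S+ udp port (\d+) unreachable")
LIV_RE = re.compile(
    r"Connection attempt to (TCP|UDP) (\d+(?:\.\d+){3}):(\d+) from (\d+(?:\.\d+){3}):(\d+)"
)
EPHEMERAL_MIN = 1024  # assumption: below this a UDP "attempt" targets a real service


def _secs(ts: str) -> float:
    """tcpdump HH:MM:SS.ffffff timestamp -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class DnsExchange:
    dns_id: int
    client_port: int
    latency_ms: float
    port_unreachable: bool = False  # client bounced the answer: socket already gone


def correlate(trace: str) -> List[DnsExchange]:
    """Pair DNS queries with answers by id; note ICMP port-unreachable per client port."""
    pending: Dict[int, tuple] = {}  # dns_id -> (client_port, query_time)
    exchanges: Dict[int, DnsExchange] = {}
    bounced = set()
    for line in trace.splitlines():
        if m := QUERY_RE.match(line):
            pending[int(m.group(5))] = (int(m.group(3)), _secs(m.group(1)))
        elif m := REPLY_RE.match(line):
            dns_id = int(m.group(5))
            if dns_id in pending:
                port, t_query = pending[dns_id]
                latency = (_secs(m.group(1)) - t_query) * 1000.0
                exchanges[dns_id] = DnsExchange(dns_id, port, latency)
        elif m := ICMP_RE.match(line):
            bounced.add(int(m.group(2)))
    for ex in exchanges.values():
        ex.port_unreachable = ex.client_port in bounced
    return list(exchanges.values())


def classify(log_line: str, exchanges: Optional[List[DnsExchange]] = None) -> Optional[dict]:
    """Verdict for one syslog line, or None when it is not a log_in_vain entry."""
    m = LIV_RE.search(log_line)
    if not m:
        return None
    proto, dst_port, src_port = m.group(1), int(m.group(3)), int(m.group(5))
    verdict = {"proto": proto, "dst_port": dst_port, "src_port": src_port,
               "kind": "unexplained", "dns_id": None}
    if proto == "UDP" and src_port == 53 and dst_port >= EPHEMERAL_MIN:
        verdict["kind"] = "late-dns-reply"
        # A matching exchange whose answer was bounced with ICMP is proof, not a guess.
        for ex in exchanges or []:
            if ex.client_port == dst_port and ex.port_unreachable:
                verdict["kind"] = "late-dns-reply-confirmed"
                verdict["dns_id"] = ex.dns_id
                verdict["latency_ms"] = round(ex.latency_ms)
    return verdict


def triage(trace: str, messages: str) -> List[dict]:
    """Classify every log_in_vain line in `messages`, using `trace` for confirmation."""
    exchanges = correlate(trace)
    return [v for line in messages.splitlines() if (v := classify(line, exchanges))]


if __name__ == "__main__":
    for v in triage(TRACE, MESSAGES):
        print(v)
```

Run against a real trace and syslog, the confirmed verdicts are the ones Warner says to ignore; anything left "unexplained" is what the daily security report should actually draw attention to.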
From owner-freebsd-security Wed Jun 16 13:33:50 1999
Date: Wed, 16 Jun 1999 16:19:43 -0400 (EDT)
From: Stuart Krivis
To: security@FreeBSD.ORG
Subject: correction on Greg's Book

www.bookpool.com does not have it listed. However, www.amazon.com does.

www.linuxmall.com has it also, but only with the CDs.

I still don't know what this has to do with security. :-)

-- 
Stuart Krivis stuart@krivis.com

Fourth law of programming: Anything that can go wrong wi
sendmail: segmentation violation - core dumped

From owner-freebsd-security Wed Jun 16 15: 4:13 1999
Message-ID: <19990617080335.32595@welearn.com.au>
Date: Thu, 17 Jun 1999 08:03:35 +1000
From: Sue Blake
To: Stuart Krivis
Cc: security@FreeBSD.ORG
Subject: Re: correction on Greg's Book
In-Reply-To: ; from Stuart Krivis on Wed, Jun 16, 1999 at 04:19:43PM -0400

On Wed, Jun 16, 1999 at 04:19:43PM -0400, Stuart Krivis wrote:
> 
> www.bookpool.com does not have it listed. However, www.amazon.com does.
> 
> www.linuxmall.com has it also, but only with the CDs.

Why are you looking there? Get it from Walnut Creek or FreeBSD Mall
(there's a link on the FreeBSD web site). Be sure to get the third
edition which has just come out.

-- 
Regards,
        -*Sue*-

From owner-freebsd-security Wed Jun 16 15: 4:31 1999
Message-Id: <37681F36.88214550@softweyr.com>
Date: Wed, 16 Jun 1999 16:03:34 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Stuart Krivis
Cc: Unknow User , security@FreeBSD.ORG
Subject: Re: The complete FreeBSD

Stuart Krivis wrote:
> 
> On Wed, 16 Jun 1999, Unknow User wrote:
> 
> > Maybe, this question is not related to security, but where can i
> > download (if possible) this great book.
> 
> It's not free. But I highly recommend buying a copy. :-)
> 
> I got mine from www.bookpool.com

According to the flyer that came with my 3.2 subscription, FreeBSD Mall
is selling the NEW version. I don't know if it has gotten out to the
"other" bookstores yet or not.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

From owner-freebsd-security Wed Jun 16 15:20:49 1999
Date: Wed, 16 Jun 1999 18:23:13 -0400 (EDT)
From: Pete Fritchman
To: Warner Losh
Cc: Barrett Richardson , Unknow User , security@FreeBSD.ORG
Subject: Re: some nice advice....
In-Reply-To: <199906161918.NAA01012@harmony.village.org>

If you get compromised, why does it matter?
The attacker compiles a new kernel, waits for you to reboot, boom.

It's kind of hard/stupid to think about something in terms of "what if you
get compromised" - he'll have root and be able to do whatever you are
thinking about doing (equal privileges)

just my two cents.

--------------------
[ Pete Fritchman ]
[ Systems Engineer ]
[petef@netreach.net]
--------------------

On Wed, 16 Jun 1999, Warner Losh wrote:

> Date: Wed, 16 Jun 1999 13:18:03 -0600
> From: Warner Losh
> To: Barrett Richardson
> Cc: Unknow User , security@FreeBSD.ORG
> Subject: Re: some nice advice....
> 
> In message Barrett Richardson writes:
> : [bpf] can be some risk. If a machine with bpf enabled gets compromised
> : the attacker can use it as a network sniffer.
> 
> That's the biggest reason that I do not enable it on most of my
> machines if I can at all help it.
> 
> However, one could argue that if a machine gets compromised, then an
> attacker could, on the next reboot, cause arbitrary code to run via
> the rc mechanism.... This 'hole' is hard to plug, but is pluggable if
> you are running with an elevated secure level...
> 
> Warner

From owner-freebsd-security Wed Jun 16 15:39:36 1999
Date: Wed, 16 Jun 1999 17:39:32 -0500 (CDT)
From: David Scheidt
To: Pete Fritchman
Cc: Warner Losh , Barrett Richardson , Unknow User , security@FreeBSD.ORG
Subject: Re: some nice advice....

On Wed, 16 Jun 1999, Pete Fritchman wrote:

> If you get compromised, why does it matter?
> The attacker compiles a new kernel, waits for you to reboot, boom.

Because my production machine never got rebooted, except for hardware
or for new kernels. Anything else would be investigated. If you got
root on the box, you likely wouldn't have it past a reboot, so not
having a sniffable interface would be an advantage. I don't think it
is that big a deal though.

David Scheidt

From owner-freebsd-security Wed Jun 16 15:53:50 1999
Message-Id: <199906162224.QAA02435@harmony.village.org>
To: Pete Fritchman
Subject: Re: some nice advice....
Cc: Barrett Richardson , Unknow User , security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 16 Jun 1999 18:23:13 EDT."
Date: Wed, 16 Jun 1999 16:24:45 -0600
From: Warner Losh

In message Pete Fritchman writes:
: If you get compromised, why does it matter?
: The attacker compiles a new kernel, waits for you to reboot, boom.

Nope. My kernel is set schg and I run at a high secure level so you
can't replace my kernel.

: It's kind of hard/stupid to think about something in terms of "what if you
: get compromised" - he'll have root and be able to do whatever you are
: thinking about doing (equal privileges)

No it isn't. You can minimize the damage with some careful planning.

Warner

From owner-freebsd-security Wed Jun 16 16:33:21 1999
Date: Thu, 17 Jun 1999 09:30:57 +1000 (EST)
From: Bruce Campbell
To: security@FreeBSD.ORG
Subject: Re: some nice advice....
In-Reply-To: <199906162224.QAA02435@harmony.village.org>

On Wed, 16 Jun 1999, Warner Losh wrote:

> In message Pete Fritchman writes:
> : If you get compromised, why does it matter?
> : The attacker compiles a new kernel, waits for you to reboot, boom.
> 
> Nope. My kernel is set schg and I run at a high secure level so you
> can't replace my kernel.

Cue burning your own bootable CD and booting from that.

--==--
Bruce.

From owner-freebsd-security Wed Jun 16 20: 8:38 1999
Date: Wed, 16 Jun 1999 23:07:57 -0400 (EDT)
From: Barrett Richardson
To: Pete Fritchman
Cc: Warner Losh , Unknow User , security@FreeBSD.ORG
Subject: Re: some nice advice....

On Wed, 16 Jun 1999, Pete Fritchman wrote:

> If you get compromised, why does it matter?
> The attacker compiles a new kernel, waits for you to reboot, boom.
> 

If he waited for me to reboot, he would be waiting for me to do an
upgrade. A machine reboot around here (other than the squid boxes)
gets EVERYBODY out of bed.

> It's kind of hard/stupid to think about something in terms of "what if you
> get compromised" - he'll have root and be able to do whatever you are
> thinking about doing (equal privileges)

On one machine, yes. If he had tcpdump one breach could turn into
many. I agree it's hard, and it may be stupid -- I don't care --
system breaches are embarrassing and costly.

> 
> just my two cents.
> 
> --------------------
> [ Pete Fritchman ]
> [ Systems Engineer ]
> [petef@netreach.net]
> --------------------

From owner-freebsd-security Wed Jun 16 22:37:12 1999
Organization: S&PE Telematika
Message-ID: <376889B0.ADBD05D2@odessa.net>
Date: Thu, 17 Jun 1999 08:37:52 +0300
From: Dmitry
To: security@FreeBSD.ORG
Subject: Re: The complete FreeBSD
References: <376771EF.5A3B620B@tdnet.com.br>

Unknow User wrote:

> Maybe, this question is not related to security, but where can i
> download (if possible) this great book.
> 
> -- 
> "The box said 'Requires Windows 98, NT, Linux or better' so I
> installed FreeBSD."

Maybe someone who has this book on CD could put it on some webserver for
all the FreeBSD community.
I think that it'll help to train more professional users and admins.
I think it's rather good to allow this book for free, because FreeBSD
is a free OS.

From owner-freebsd-security Wed Jun 16 22:57:48 1999
From: Mark Newton
Message-Id: <199906170555.PAA64582@atdot.dotat.org>
Subject: Re: The complete FreeBSD
To: arkadia@odessa.net (Dmitry)
Date: Thu, 17 Jun 1999 15:25:26 +0930 (CST)
Cc: security@FreeBSD.ORG
In-Reply-To: <376889B0.ADBD05D2@odessa.net> from "Dmitry" at Jun 17, 99 08:37:52 am

Dmitry wrote:

> Maybe someone who has this book on CD could put it on some webserver for
> all the FreeBSD community.

Err, that would be a bad idea.

> I think that it'll help to train more professional users and admins.
> I think it's rather good to allow this book for free, because FreeBSD
> is a free OS

I think the book should continue to cost money, because a major FreeBSD
developer earns part of his personal income from sales of the book.

Yeesh.

- mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
     but it hurt when I walked.                          Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Thu Jun 17 3:18:20 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
To: Dmitry
Date: Thu, 17 Jun 1999 22:18:13 +1200
Subject: Re: The complete FreeBSD
Reply-To: junkmale@xtra.co.nz
Cc: security@FreeBSD.ORG
In-reply-to: <376889B0.ADBD05D2@odessa.net>
Message-Id: <19990617102112.SUIB404633.mta1-rme@wocker>

On 17 Jun 99, at 8:37, Dmitry wrote:

> Maybe someone who has this book on CD could put it on some webserver for
> all the FreeBSD community. I think that it'll help to train more
> professional users and admins. I think it's rather good to allow this
> book for free, because FreeBSD is a free OS

Ummm, no. Books are quite different to software. How many free Linux
books do you know of? If you want the book, buy it. I also suspect
putting the book html online is a violation of copyright, not to
mention bad taste.

-- 
Dan Langille - DVL Software Limited
The FreeBSD Diary     - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System     - http://www.racingsystem.com/racingsystem.htm

From owner-freebsd-security Thu Jun 17 4:12: 9 1999
Date: Thu, 17 Jun 1999 18:16:51 +0000 (GMT)
From: Arie Budiansyah
To: Unknow User
Cc: security@FreeBSD.ORG
Subject: Re: The complete FreeBSD
In-Reply-To: <376771EF.5A3B620B@tdnet.com.br>

Are you looking for the FreeBSD installation? Try this URL:
- www.freebsd.org
- www.linux.org

- yours sincerely

On Wed, 16 Jun 1999, Unknow User wrote:

> Maybe, this question is not related to security, but where can i
> download (if possible) this great book.
> 
> 
> -- 
> "The box said 'Requires Windows 98, NT, Linux or better' so I
> installed FreeBSD."

From owner-freebsd-security Thu Jun 17 5:25:22 1999
Message-Id: <199906171225.JAA05850@ns1.sminter.com.ar>
Subject: Re: The complete FreeBSD
In-Reply-To: from Dag-Erling Smorgrav at "Jun 16, 99 04:33:37 pm"
To: des@flood.ping.uio.no (Dag-Erling Smorgrav)
Date: Thu, 17 Jun 1999 09:25:07 -0300 (GMT)
Cc: fpscha@via-net-works.net.ar, kernel@tdnet.com.br, security@FreeBSD.ORG
From: Fernando Schapachnik

In an earlier message, Dag-Erling Smorgrav wrote:
> Fernando Schapachnik writes:
> > In an earlier message, Unknow User wrote:
> > > Maybe, this question is not related to security, but where can i
> > > download (if possible) this great book.
> > Isn't it included in the CD-ROM (on / I think).
> 
> Only on the CD-ROM set that comes with the book.

From my 2.2.8 Walnut Creek subscription CD:

    Introduction to the text version

    This document is the complete text of ``The Complete FreeBSD'', including
    all updates as of 24 July 1998. It does not include the man pages, which
    you can view more conveniently using the man program, but they are
    included in the table of contents so that there are page numbers for the
    cross references. Don't use these cross reference numbers: they are
    different from the page numbers in the printed book. This text also
    includes a list of the Ports Collection as of 24 July 1998.

    [...]

It's in /cdrom/book/book.txt

Regards.

Fernando P. Schapachnik
Network administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4º y 5º piso.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

From owner-freebsd-security Thu Jun 17 5:43:58 1999
Message-ID: <3768EE6F.EEE2706F@hamquist.com>
Date: Thu, 17 Jun 1999 05:47:43 -0700
From: "Richard Childers"
Organization: hambrecht & quist, llc
To: "Warner Losh"
Cc: "Pete Fritchman" , "Barrett Richardson" , "Unknow User" ,
Subject: Re: some nice advice....
References: <199906162224.QAA02435@harmony.village.org>

"My kernel is set schg ..."

Could you please expand on this ?

-- richard

Warner Losh wrote:
> 
> In message Pete Fritchman writes:
> : If you get compromised, why does it matter?
> : The attacker compiles a new kernel, waits for you to reboot, boom.
> 
> Nope. My kernel is set schg and I run at a high secure level so you
> can't replace my kernel.
> 
> : It's kind of hard/stupid to think about something in terms of "what if you
> : get compromised" - he'll have root and be able to do whatever you are
> : thinking about doing (equal privileges)
> 
> No it isn't. You can minimize the damage with some careful planning.
> 
> Warner

From owner-freebsd-security Thu Jun 17 5:48: 6 1999
Date: Thu, 17 Jun 1999 05:47:29 -0700 (PDT)
From: Larry Berland To: Dmitry Cc: security@FreeBSD.ORG Subject: Re: The complete FreeBSD In-Reply-To: <376889B0.ADBD05D2@odessa.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org That would be illegal. The book is copyrighted, and furthermore I doubt Greg wrote it to see it given away. We all have to make money. Free OS != free book. I wasn't aware the book was on CD at all anyway. My 2.2.x all have the book on them, none of the 3.x do. On Thu, 17 Jun 1999, Dmitry wrote: > Unknow User wrote: > > > Maybe, this questions is not related to security, but where can i > > download (if possible) this great book. > > > > -- > > "The box said 'Requires Windows 98, NT, Linux or better' so I > > installed FreeBSD." > > May be someone who has this book on CD put it on some webserver for all > FreeBSD community. > I think that it'll help to train more professional users and admins. > I think it's rather good to allow this book for free , because FreeBSD > is free OS > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 5:49: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.prime.net.ua (mail.prime.net.ua [195.64.229.2]) by hub.freebsd.org (Postfix) with ESMTP id D75B615400 for ; Thu, 17 Jun 1999 05:48:59 -0700 (PDT) (envelope-from andyo@mail.prime.net.ua) Received: from localhost (andyo@localhost) by mail.prime.net.ua (8.9.3/8.9.3) with SMTP id PAA16431; Thu, 17 Jun 1999 15:47:45 +0300 (EEST) Date: Thu, 17 Jun 1999 15:47:44 +0300 (EEST) 
From: "Andy V. Oleynik" To: Richard Childers Cc: security@FreeBSD.ORG Subject: Re: some nice advice.... In-Reply-To: <3768EE6F.EEE2706F@hamquist.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

chflags schg /kernel

On Thu, 17 Jun 1999, Richard Childers wrote:

>
> "My kernel is set schg ..."
>
> Could you please expand on this ?
>
>
> -- richard
>
>
>
> Warner Losh wrote:
> >
> > In message Pete Fritchman writes:
> > : If you get compromised, why does it matter?
> > : The attacker compiles a new kernel, waits for you to reboot, boom.
> >
> > Nope. My kernel is set schg and i run at a high secure level so you
> > can't replace my kernel.
> >
> > : It's kind of hard/stupid to think about something in terms of "what if you
> > : get compromised" - he'll have root and be able to do whatever you are
> > : thinking about doing (equal privileges)
> >
> > No it isn't. You can minimize the damage with some careful planning.
> > > > Warner > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 6: 2:34 1999 Delivered-To: freebsd-security@freebsd.org Received: from sfmailrelay.hamquist.com (sfmailrelay2.hamquist.com [199.108.89.15]) by hub.freebsd.org (Postfix) with SMTP id DFF1215459 for ; Thu, 17 Jun 1999 06:02:23 -0700 (PDT) (envelope-from rchilders@hamquist.com) Received: from 172.19.6.48 by sfmailrelay.hamquist.com with SMTP ( WorldSecure Server SMTP Relay(WSS) v3.2 SR1); Thu, 17 Jun 99 06:01:54 -0700 X-Server-Uuid: c29e0ff2-e8b9-11d1-a493-00c04fbbd7d3 Received: from hamquist.com ([172.19.6.230]) by sfmail.hamquist.com ( Netscape Messaging Server 3.6) with ESMTP id AAA185F; Thu, 17 Jun 1999 09:02:22 -0400 Message-ID: <3768F2C2.B8C340BB@hamquist.com> Date: Thu, 17 Jun 1999 06:06:10 -0700 
From: "Richard Childers" Organization: hambrecht & quist, llc X-Mailer: Mozilla 4.5 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: "Bruce Campbell" Cc: Subject: Re: some nice advice.... References: X-WSS-ID: 1B762E4B463842-01-02 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Cue burning your own bootable CD and booting from that."

I've been wondering when this would happen, myself, also.

It seems to me that CDs have been fast enough for quite a while; regrettably, as devices get faster and faster, people's expectations seem to get higher and higher.

I have speculated about building a system with a vast amount of RAM, setting the sticky bit on selected executables to make them memory-resident, moving the operating system to a bootable CDROM and making everything that needs to be writeable in /var, which, of course, would be a normal read-write magnetic drive.

I don't mind saying that I was really excited to see that Nokia's IP400 firewalls (which run a derivative of FreeBSD, BTW) have their filesystems arranged in precisely this fashion; regrettably, this is only so that those filesystems can be mounted read-only; the only filesystem which is mounted read-write is /var, much as was described in the previous paragraph.

It may be speculated that the engineer(s) who came up with this rearrangement of filesystem mount permissions (and the slight changes to administrative files in /etc which needed to be moved to /var/etc) were intending to implement precisely this arrangement of devices (bootable CDROM, that is) ... and that this plan was interrupted when Ipsilon (the company that was developing the Ipsilon IP400 series of firewalls) was purchased by Nokia - which marketed the devices as they were.

Or maybe they just haven't thought about sticky bits and are driven by considerations of speed of response. (-:

Whatever the case, Nokia's implementation of the FreeBSD paradigm is poised to move into this niche when the conditions are right for it to happen; perhaps others better informed as to the low-level issues related to device response time might care to summarize why no one has done this yet.

My discussions with peers indicate that this seems like a perfectly good product, lacking only someone funded or otherwise organized to achieve this goal; it occurs to me that the FreeBSD organization itself might wish to undertake such an option, as an extension to already existing hooks for operation as a firewall.

(In compliance with the GNU-derived licensing requirements, Nokia has published certain elements of their code; I'm not sure what, exactly, perhaps it is no more than the device drivers used for the 4-port, 100mbps ethernet, and other devices; but I think I forwarded this URL to JKH last December, for his information; if there is interest, I can dig it up again. Nokia's URL is http://www.iprg.nokia.com .)

-- richard

Bruce Campbell wrote:
>
> On Wed, 16 Jun 1999, Warner Losh wrote:
>
> > In message Pete Fritchman writes:
> > : If you get compromised, why does it matter?
> > : The attacker compiles a new kernel, waits for you to reboot, boom.
> >
> > Nope. My kernel is set schg and i run at a high secure level so you
> > can't replace my kernel.
>
> Cue burning your own bootable CD and booting from that.
>
> --==--
> Bruce.
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 6:29:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from megaweapon.zigg.com (megaweapon.zigg.com [206.114.60.8]) by hub.freebsd.org (Postfix) with ESMTP id 9780E14D6A for ; Thu, 17 Jun 1999 06:29:32 -0700 (PDT) (envelope-from matt@zigg.com) Received: from localhost (matt@localhost) by megaweapon.zigg.com (8.9.3/8.9.3) with ESMTP id JAA15614; Thu, 17 Jun 1999 09:28:52 -0400 (EDT) (envelope-from matt@zigg.com) Date: Thu, 17 Jun 1999 09:28:51 -0400 (EDT) 
From: Matt Behrens Reply-To: chat@FreeBSD.ORG To: Dan Langille Cc: Dmitry , security@FreeBSD.ORG Subject: Re: The complete FreeBSD In-Reply-To: <19990617102112.SUIB404633.mta1-rme@wocker> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

[Moving this thread to -chat.]

On Thu, 17 Jun 1999, Dan Langille wrote:

: On 17 Jun 99, at 8:37, Dmitry wrote:
: > May be someone who has this book on CD put it on some webserver for all
: > FreeBSD community. I think that it'll help to train more professional
: > users and admins. I think it's rather good to allow this book for free ,
: > because FreeBSD is free OS

: Ummm, no. Books are quite different to software. How many free Linux
: books do you know of?

Actually, there have recently been a few by O'Reilly (not Linux books specifically) that are being released as "open source books". DocBook: The Definitive Guide, I think, is one.

Personally, I think the idea of everyone working and improving on a book's source doesn't make as much sense as software. However, it is a neat way to go.

: If you want the book, buy it. I also suspect putting the book html online
: is a violation of copyright not to mention bad taste.

I do agree wholeheartedly with this sentiment. Greg and the publishers have an agreement and are using the copyright how they see fit here. Going around them is illegal and wrong.
Matt Behrens Owner/Administrator, zigg.com Chief Engineer, Nameless IRC Network To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 7:22:58 1999 Delivered-To: freebsd-security@freebsd.org Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id 891DC15325 for ; Thu, 17 Jun 1999 07:22:53 -0700 (PDT) (envelope-from jwyatt@RWSystems.net) Received: from kasie.rwsystems.net([209.197.192.103]) (1688 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 17 Jun 1999 08:57:43 -0500 (CDT) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24) Date: Thu, 17 Jun 1999 08:57:28 -0500 (CDT) 
From: James Wyatt To: Dmitry Cc: security@FreeBSD.ORG Subject: Re: The complete FreeBSD In-Reply-To: <376889B0.ADBD05D2@odessa.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 17 Jun 1999, Dmitry wrote:
> Unknow User wrote:
> > Maybe, this questions is not related to security, but where can i
> > download (if possible) this great book.
>
> May be someone who has this book on CD put it on some webserver for all
> FreeBSD community.
> I think that it'll help to train more professional users and admins.
> I think it's rather good to allow this book for free , because FreeBSD
> is free OS

I think I should get a free computer, because I will run FreeBSD on it so it should be free too. 8{)

Uh, the CD is *cheap* and *good*, a rare combination we should be proud of and support. While I don't buy every release on CD, I buy every couple so FreeBSD.org, cdrom.com, et al. make some money and continue helping us all.

I don't object to cdrom.com putting it on a web server as an adjunct, because I know a bunch of folks will still buy it. My buying of FreeBSD and Linux CDROMs was *caused* by my being able to access it free. I either wanted to 'give something back', needed a timeless archive of it, or didn't want to stress our connection and their servers.

- Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 17 7:35:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 32BB514ED2 for ; Thu, 17 Jun 1999 07:35:13 -0700 (PDT) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.02 #1) id 10udG4-000MTp-00 for security@FreeBSD.ORG; Thu, 17 Jun 1999 16:35:12 +0200
From: Sheldon Hearn To: security@FreeBSD.ORG Subject: Re: The complete FreeBSD In-reply-to: Your message of "Thu, 17 Jun 1999 08:57:28 EST." Date: Thu, 17 Jun 1999 16:35:12 +0200 Message-ID: <86416.929630112@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In the context of the freebsd-security mailing list, this conversation is particularly stupid. Please move to chat or neverland. Thanks, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 7:53:45 1999 Delivered-To: freebsd-security@freebsd.org Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id 84EC714F26 for ; Thu, 17 Jun 1999 07:53:39 -0700 (PDT) (envelope-from jwyatt@RWSystems.net) Received: from kasie.rwsystems.net([209.197.192.103]) (1418 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 17 Jun 1999 09:45:30 -0500 (CDT) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24) Date: Thu, 17 Jun 1999 09:45:20 -0500 (CDT) 
From: James Wyatt To: "Andy V. Oleynik" Cc: Richard Childers , security@FreeBSD.ORG Subject: Re: some nice advice.... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 17 Jun 1999, Andy V. Oleynik wrote:
> chflags schg /kernel
>
> On Thu, 17 Jun 1999, Richard Childers wrote:
> > "My kernel is set schg ..."
> >
> > Could you please expand on this ?

I would think 'expand' would result in more text than the quoted original. Something like: "man chflags would tell you what schg means"

btw: 'apropos schg' returns 'schg: nothing appropriate' Ugh!

The 'schg' (system immutable) flag can be set by root to prevent *anyone* from changing a file, including root. It takes effect when you run at a more secure 'syslevel' and enhances security while running. It usually does not cover stuff buried in rc.* scripts on reboot, though. I suppose that you could set 'schg' on the rc.files and directories as well...

- Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 17 7:56:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from phoenix (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (Postfix) with SMTP id 1FB2114F26 for ; Thu, 17 Jun 1999 07:56:16 -0700 (PDT) (envelope-from barrett@phoenix.aye.net) Received: (qmail 22514 invoked by uid 1000); 17 Jun 1999 14:55:34 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Jun 1999 14:55:34 -0000 Date: Thu, 17 Jun 1999 10:55:33 -0400 (EDT)
From: Barrett Richardson To: Richard Childers Cc: Warner Losh , Pete Fritchman , Unknow User , security@FreeBSD.ORG Subject: Re: some nice advice.... In-Reply-To: <3768EE6F.EEE2706F@hamquist.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Try "rm /kernel", "ls > /kernel", "ls >> /kernel"; if it is schg those are no-ops.

- Barrett Richardson barrett@phoenix.aye.net

On Thu, 17 Jun 1999, Richard Childers wrote:

>
> "My kernel is set schg ..."
>
> Could you please expand on this ?
>
>
> -- richard
>
>
>
> Warner Losh wrote:
> >
> > In message Pete Fritchman writes:
> > : If you get compromised, why does it matter?
> > : The attacker compiles a new kernel, waits for you to reboot, boom.
> >
> > Nope. My kernel is set schg and i run at a high secure level so you
> > can't replace my kernel.
> >
> > : It's kind of hard/stupid to think about something in terms of "what if you
> > : get compromised" - he'll have root and be able to do whatever you are
> > : thinking about doing (equal privileges)
> >
> > No it isn't. You can minimize the damage with some careful planning.
> >
> > Warner
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 17 8: 9:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 17E2514F26 for ; Thu, 17 Jun 1999 08:09:34 -0700 (PDT) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.02 #1) id 10udmP-000Mtk-00; Thu, 17 Jun 1999 17:08:37 +0200
From: Sheldon Hearn To: James Wyatt Cc: "Andy V. Oleynik" , Richard Childers , security@FreeBSD.ORG Subject: Re: some nice advice.... In-reply-to: Your message of "Thu, 17 Jun 1999 09:45:20 EST." Date: Thu, 17 Jun 1999 17:08:37 +0200 Message-ID: <88023.929632117@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 17 Jun 1999 09:45:20 EST, James Wyatt wrote: > The 'schg' (system immutable) flag can be set by root to prevent *anyone* > from changing a file, including root. It takes effect when you run at a > more secure 'syslevel' and enhances security while running. For the record: Schg is always "in effect". At non-zero securelevels (not syslevels), nobody can remove the schg flag. Effectively, the same thing as what you said, but the difference is worth explaining. And the manpage to refer people to is init(8). Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 9: 7:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 4D07D14DCA for ; Thu, 17 Jun 1999 09:07:30 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id KAA54209; Thu, 17 Jun 1999 10:07:29 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id KAA06017; Thu, 17 Jun 1999 10:07:41 -0600 (MDT) Message-Id: <199906171607.KAA06017@harmony.village.org> To: "Richard Childers" Subject: Re: some nice advice.... Cc: security@FreeBSD.ORG In-reply-to: Your message of "Thu, 17 Jun 1999 05:47:43 PDT." 
<3768EE6F.EEE2706F@hamquist.com> References: <3768EE6F.EEE2706F@hamquist.com> <199906162224.QAA02435@harmony.village.org> Date: Thu, 17 Jun 1999 10:07:41 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <3768EE6F.EEE2706F@hamquist.com> "Richard Childers" writes:
: "My kernel is set schg ..."
: Could you please expand on this ?

chflags schg /kernel

The system won't even let root change /kernel. When the secure level is elevated, even root can't remove the schg bit. Set it on all files required to boot, and go to elevated secure level quickly and things will be impossible to override...

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 17 10:11:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 229EC1555E for ; Thu, 17 Jun 1999 10:11:10 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id TAA24214; Thu, 17 Jun 1999 19:11:07 +0200 (CEST) (envelope-from des) To: "Richard Childers" Cc: "Bruce Campbell" , Subject: Re: some nice advice.... References: <3768F2C2.B8C340BB@hamquist.com>
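An added example, not code from this thread, that turns the advice in Warner Losh's and Sheldon Hearn's messages above into a check you can run: every boot-critical path must carry schg, and kern.securelevel must be above 0, because schg is always enforced but only at a raised securelevel can root no longer clear it (init(8)). It assumes the FreeBSD ls -o column layout (flags after the group, "-" when none, comma-separated otherwise) and uses a boot-critical path list that is my own starting point, not the thread's:

```shell
#!/bin/sh
# Added example, not code from the thread: audit the "schg plus securelevel"
# arrangement described above. Two checks:
#   1. every boot-critical path carries the schg (system immutable) flag;
#   2. kern.securelevel is above 0, because schg is always enforced but only
#      at a raised securelevel can root no longer clear it (see init(8)).
# Assumptions: FreeBSD ls(1) with -o prints the flags column after the group,
# "-" when no flags are set and comma-separated ("schg,sunlnk") otherwise;
# the BOOT_CRITICAL list is a starting point, not a complete inventory.

BOOT_CRITICAL="/kernel /boot /etc/rc /etc/rc.conf /etc/rc.local /bin /sbin"

# audit_schg: read `ls -lod` lines on stdin and print every path whose flags
# column lacks schg. Exit status 0 when nothing is missing, 1 otherwise.
audit_schg() {
    missing=0
    while read -r mode links owner group flags rest; do
        [ -z "$mode" ] && continue
        path=${rest##* }          # path is the last field; size/date vary
        case ",$flags," in
            *,schg,*) ;;
            *)
                printf 'missing schg: %s (flags: %s)\n' "$path" "$flags"
                missing=1
                ;;
        esac
    done
    return $missing
}

# securelevel_ok [LEVEL]: true when the level (argument, or the live
# kern.securelevel sysctl) is above 0, i.e. schg can no longer be removed.
securelevel_ok() {
    level=${1:-$(sysctl -n kern.securelevel 2>/dev/null)}
    [ "${level:--1}" -gt 0 ]
}

# Run against the live system with: sh audit_schg.sh --run
if [ "$1" = "--run" ]; then
    # word splitting of BOOT_CRITICAL into separate arguments is intended
    ls -lod $BOOT_CRITICAL | audit_schg
    securelevel_ok || echo "kern.securelevel is not raised: root can still clear schg"
fi
```

Run it once the box is in multi-user mode. A clean flag audit with securelevel still at 0 only means the flags are set, not that they are protected, which is the distinction Sheldon draws above; and, as James Wyatt notes, the rc.* files are worth including in the list because they run before the securelevel is raised.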
From: Dag-Erling Smorgrav Date: 17 Jun 1999 19:11:07 +0200 In-Reply-To: "Richard Childers"'s message of "Thu, 17 Jun 1999 06:06:10 -0700" Message-ID: Lines: 12 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Richard Childers" writes:
> It seems to me that CDs have been fast enough for quite a while;
> regrettably, as devices get faster and faster, people's expectations
> seem to get higher and higher.

Modern CD-ROMs are fast, but have very bad latency, which really kills random access performance. The only manufacturer I know of which makes CD-ROM drives with acceptable latency is Pioneer.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 17 11:16:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from pop3-3.enteract.com (pop3-3.enteract.com [207.229.143.32]) by hub.freebsd.org (Postfix) with SMTP id BAD0A14CAE for ; Thu, 17 Jun 1999 11:16:08 -0700 (PDT) (envelope-from dscheidt@enteract.com) Received: (qmail 99215 invoked from network); 17 Jun 1999 18:16:07 -0000 Received: from shell-2.enteract.com (dscheidt@207.229.143.41) by pop3-3.enteract.com with SMTP; 17 Jun 1999 18:16:07 -0000 Received: from localhost (dscheidt@localhost) by shell-2.enteract.com (8.9.3/8.9.2) with SMTP id NAA16709; Thu, 17 Jun 1999 13:16:06 -0500 (CDT) (envelope-from dscheidt@enteract.com) X-Authentication-Warning: shell-2.enteract.com: dscheidt owned process doing -bs Date: Thu, 17 Jun 1999 13:16:05 -0500 (CDT)
From: David Scheidt To: Dag-Erling Smorgrav Cc: Richard Childers , Bruce Campbell , security@FreeBSD.ORG Subject: Re: some nice advice.... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On 17 Jun 1999, Dag-Erling Smorgrav wrote:
> Modern CD-ROMs are fast, but have very bad latency, which really kills
> random access performance. The only manufacturer I know of which makes
> CD-ROM drives with acceptable latency is Pioneer.

A fair number of disks have a write protect mode. The ST-11950W I use as a paperweight has jumper one as Write Protect Enable. It isn't too difficult to bring this out as a switch. Fixed disks are fast, and have low latency.

David Scheidt

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 17 11:28:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 5392B14BD0 for ; Thu, 17 Jun 1999 11:28:36 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.iserver.com; Thu, 17 Jun 1999 12:28:36 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma003272; Thu, 17 Jun 99 12:28:16 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.2) id MAA00907; Thu, 17 Jun 1999 12:27:44 -0600 (MDT) Date: Thu, 17 Jun 1999 12:27:44 -0600 (MDT)
From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: Richard Childers Cc: security@FreeBSD.ORG Subject: Re: some nice advice.... In-Reply-To: <3768F2C2.B8C340BB@hamquist.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 17 Jun 1999, Richard Childers wrote: > I have speculated about building a system with a vast amount of RAM, > setting the sticky bit on selected executables to make them > memory-resident, I might be wrong, but with the advent of sophisticated virtual memory systems, aren't sticky bits on executables essentially ignored these days? I thought that good VM systems made sticky bits on executables basically useless now. Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 11:55:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from aurora.sol.net (aurora.sol.net [206.55.65.76]) by hub.freebsd.org (Postfix) with ESMTP id 1005D14DA6 for ; Thu, 17 Jun 1999 11:55:56 -0700 (PDT) (envelope-from jgreco@aurora.sol.net) Received: (from jgreco@localhost) by aurora.sol.net (8.9.2/8.9.2/SNNS-1.02) id NAA73439; Thu, 17 Jun 1999 13:55:54 -0500 (CDT) 
From: Joe Greco Message-Id: <199906171855.NAA73439@aurora.sol.net> Subject: Re: some nice advice.... To: security@freebsd.org Date: Thu, 17 Jun 1999 13:55:53 -0500 (CDT) Cc: imp@harmony.village.org, rchilders@hamquist.com X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> The system won't even let root change /kernel. When the secure level
> is elevated, even root can't remove the schg bit. Set it on all files
> required to boot, and go to elevated secure level quickly and things
> will be impossible to override...
>
> Warner

A starting point... this is customized heavily towards my standard installs and my own needs, however it should make it a real bloody pain for somebody to mess with your system. This is acceptable around here since most "upgrades" are done via replacement; I rarely do in-place upgrades anymore and even if I did, all you do is remove the schg bit in single-user mode.

#! /bin/sh
# SUID or SGID stuff.  Most of it - we don't want
chmod 111 /usr/local/bin/ospf_monitor
chmod 111 /usr/local/bin/gdc
chmod 111 /usr/local/bin/ssh1
chmod 111 /usr/local/libexec/amanda/calcsize
chmod 111 /usr/local/libexec/amanda/killpgrp
chmod 111 /usr/local/libexec/amanda/rundump
chmod 111 /usr/local/libexec/amanda/runtar
chmod 111 /usr/local/libexec/amanda/dumper
chmod 111 /usr/local/libexec/amanda/planner
chmod 111 /usr/local/sbin/amcheck
# /usr/bin/cu
chmod 111 /usr/bin/uucp
chmod 111 /usr/bin/uuname
chmod 111 /usr/bin/uustat
chmod 111 /usr/bin/uux
chmod 111 /usr/bin/man
chmod 111 /usr/bin/suidperl
chmod 111 /usr/bin/sperl4.036
chmod 111 /usr/bin/at
chmod 111 /usr/bin/atq
chmod 111 /usr/bin/atrm
chmod 111 /usr/bin/batch
# /usr/bin/chpass
# /usr/bin/chfn
# /usr/bin/chsh
chmod 111 /usr/bin/ypchpass
chmod 111 /usr/bin/ypchfn
chmod 111 /usr/bin/ypchsh
chmod 111 /usr/bin/fstat
chmod 111 /usr/bin/ipcs
chmod 111 /usr/bin/keyinfo
chmod 111 /usr/bin/keyinit
# /usr/bin/lock
# /usr/bin/login
chmod 111 /usr/bin/netstat
chmod 111 /usr/bin/nfsstat
# /usr/bin/passwd
chmod 111 /usr/bin/yppasswd
chmod 111 /usr/bin/quota
chmod 111 /usr/bin/rlogin
chmod 111 /usr/bin/rsh
# /usr/bin/su
# /usr/bin/top
# /usr/bin/w
# /usr/bin/uptime
chmod 111 /usr/bin/wall
chmod 111 /usr/bin/write
chmod 111 /usr/bin/systat
chmod 111 /usr/bin/vmstat
chmod 111 /usr/bin/crontab
chmod 111 /usr/bin/lpq
chmod 111 /usr/bin/lpr
chmod 111 /usr/bin/lprm
chmod 111 /usr/bin/newaliases
chmod 111 /usr/bin/mailq
chmod 111 /usr/bin/hoststat
chmod 111 /usr/libexec/uucp/uucico
chmod 111 /usr/libexec/uucp/uuxqt
chmod 111 /usr/libexec/mail.local
chmod 111 /usr/sbin/lpc
chmod 111 /usr/sbin/mrinfo
chmod 111 /usr/sbin/mtrace
chmod 111 /usr/sbin/pppd
chmod 111 /usr/sbin/pstat
chmod 111 /usr/sbin/swapinfo
chmod 111 /usr/sbin/sendmail
chmod 111 /usr/sbin/purgestat
chmod 111 /usr/sbin/sliplogin
chmod 111 /usr/sbin/timedc
# /usr/sbin/traceroute
chmod 111 /usr/sbin/trpt
chmod 111 /usr/sbin/iostat
chmod 111 /usr/sbin/ncrcontrol
chmod 111 /usr/sbin/ppp
# /bin/df
# /bin/ps
chmod 111 /bin/rcp
chmod 111 /sbin/ccdconfig
# /sbin/dmesg
chmod 111 /sbin/dump
chmod 111 /sbin/rdump
chmod 111 /sbin/ping
chmod 111 /sbin/restore
chmod 111 /sbin/rrestore
chmod 111 /sbin/route
chmod 111 /sbin/shutdown
# Protect files.
chflags schg /
chflags -RP schg /.profile /.cshrc
chflags -RP schg /bin
chflags -RP schg /boot
chflags -RP schg /etc
chflags noschg /etc/motd /etc/ntp.drift
chflags noschg /etc
chflags schg /kernel*
chflags -RP schg /lkm
chflags -RP schg /modules
chflags -RP schg /root/.[a-z]*
chflags schg /root
chflags -RP schg /sbin
chflags -RP schg /stand
chflags -RP schg /sys/.
chflags -RP schg /usr
chflags noschg /usr/local/etc/ssh_host_key

Depending on specifics, you might choose to remove the suid bits from the remaining executables.

When you are done, you will have a rather hardened system that simply demands to run at securelevel 2 or 3.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI 414/342-4847

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 17 12:26:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from sfmailrelay.hamquist.com (sfmailrelay2.hamquist.com [199.108.89.15]) by hub.freebsd.org (Postfix) with SMTP id B324815024 for ; Thu, 17 Jun 1999 12:26:10 -0700 (PDT) (envelope-from rchilders@hamquist.com) Received: from 172.19.6.48 by sfmailrelay.hamquist.com with SMTP ( WorldSecure Server SMTP Relay(WSS) v3.2 SR1); Thu, 17 Jun 99 12:25:40 -0700 X-Server-Uuid: c29e0ff2-e8b9-11d1-a493-00c04fbbd7d3 Received: from hamquist.com ([172.19.6.230]) by sfmail.hamquist.com ( Netscape Messaging Server 3.6) with ESMTP id AAA45E4; Thu, 17 Jun 1999 15:26:09 -0400 Message-ID: <37694CB5.9619C283@hamquist.com> Date: Thu, 17 Jun 1999 12:29:57 -0700
From: "Richard Childers" Organization: hambrecht & quist, llc X-Mailer: Mozilla 4.5 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: "Paul Hart" Cc: Subject: Re: some nice advice.... References: X-WSS-ID: 1B77943E508483-01-02 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Paul Hart suggests: "I might be wrong, but with the advent of sophisticated virtual memory systems, aren't sticky bits on executables essentially ignored these days? I thought that good VM systems made sticky bits on executables basically useless now." I wonder the same question; this was an idea I came up with a few years ago, but I see that BSD 4.4 introduced a few new things that, frankly, I am only beginning to hear about now. (For example, chflags(2).) -- richard Paul Hart wrote: > > On Thu, 17 Jun 1999, Richard Childers wrote: > > > I have speculated about building a system with a vast amount of RAM, > > setting the sticky bit on selected executables to make them > > memory-resident, > > I might be wrong, but with the advent of sophisticated virtual memory > systems, aren't sticky bits on executables essentially ignored these days? > I thought that good VM systems made sticky bits on executables basically > useless now. > > Paul Hart > > -- > Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. 
> hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 14:35:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from mailgate.program-products.co.uk (samson.program-products.co.uk [212.240.242.226]) by hub.freebsd.org (Postfix) with ESMTP id 8E6E114D66 for ; Thu, 17 Jun 1999 14:35:03 -0700 (PDT) (envelope-from terry@program-products.co.uk) Received: by mailgate.program-products.co.uk via smap (V2.1) id xma001109; Thu, 17 Jun 99 22:34:37 +0100 To: jgreco@ns.sol.net (Joe Greco) Cc: security@freebsd.org Subject: Re: some nice advice.... References: <199906171855.NAA73439@aurora.sol.net> 
From: Terry Glanfield Date: 17 Jun 1999 22:34:34 +0100 In-Reply-To: jgreco@ns.sol.net's message of "17 Jun 1999 19:57:33 +0100" Message-Id: Lines: 12 X-Mailer: Gnus v5.6.44/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org jgreco@ns.sol.net (Joe Greco) writes: > chmod 111 /usr/bin/uucp > ... > chmod 111 /usr/bin/at > ... > chmod 111 /usr/bin/ypchpass etc. Why not "chmod 0" most of these and be done with it? Terry. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 16:24:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id F0BBF14BD4 for ; Thu, 17 Jun 1999 16:24:03 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id QAA16235; Thu, 17 Jun 1999 16:22:19 -0700 (PDT) Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id QAA09855; Thu, 17 Jun 1999 16:22:19 -0700 Received: from softweyr.com ([198.206.184.77]) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA18949; Thu, 17 Jun 99 16:22:11 PDT Message-Id: <37698322.BB93D2D@softweyr.com> Date: Thu, 17 Jun 1999 17:22:10 -0600 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en Mime-Version: 1.0 To: Mark Newton Cc: Dmitry , security@FreeBSD.ORG Subject: Re: The complete FreeBSD References: <199906170555.PAA64582@atdot.dotat.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Mark Newton wrote: > > Dmitry wrote: > > > May be someone who has this book on CD put it on some webserver for all > > FreeBSD community. > > Err, that would be a bad idea. > > > I think that it'll help to train more professional users and admins. > > I think it's rather good to allow this book for free , because FreeBSD > > is free OS > > I think the book should continue to cost money, because a major FreeBSD > developer earns part of his personal income from sales of the book. And the ongoing royalties from sales of the book are a (small) part of why he can dedicate time to FreeBSD. > Yeesh. Yeah. > -------------------------------------------------------------------- > I tried an internal modem, newton@atdot.dotat.org > but it hurt when I walked. Mark Newton Are you sure you put it in the right port? ;^) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 16:36: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from kitsune.swcp.com (swcp.com [198.59.115.2]) by hub.freebsd.org (Postfix) with ESMTP id 4908514E43 for ; Thu, 17 Jun 1999 16:35:39 -0700 (PDT) (envelope-from synk@swcp.com) Received: (from synk@localhost) by kitsune.swcp.com (8.8.8/1.2.3) id RAA00665 for freebsd-security@freebsd.org; Thu, 17 Jun 1999 17:35:36 -0600 (MDT) Date: Thu, 17 Jun 1999 17:35:36 -0600 (MDT) 
From: Brendan Conoboy Message-Id: <199906172335.RAA00665@kitsune.swcp.com> To: freebsd-security@freebsd.org Subject: ipf howto, tada Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi Everybody. I know it's been a while since I said I'd put this out, but I'm easily distracted and prone to switching character. Here's my alpha-release ipf-howto. It's somewhere between a firewall howto and an ipf howto. Think of it as a guide to setting up an ipf-based firewall. It has some theory, some caveats, some typos, bad spelling, poor grammar, anthropomorphism, person shifts, and so on and so forth. If Dr Seuss were here, I would implore him to invent 5 letters before alpha to describe it. In any case, here it is. Please send me lots of questions, comments, additions, retractions, and offers to be an editor.

Thanks,
-Brendan (synk@swcp.com)

-----------------------------------------------------------------------

IP Filter is a neat little firewall package. It does just about everything other free firewalls (ipfwadm, ipchains, ipfw) do, but it's also portable and does neat stuff the others don't. This document is intended to make some cohesive sense of the sparse documentation presently available for ipfilter. Some prior familiarity with packet filtering will be useful (too much familiarity may make this document a waste of your time). There are probably numerous books on the subject that would be beneficial to read. I used TCP/IP Illustrated, myself. On we go.

Part 1 - Config File Dynamics, Order and Precedence

IPF (IP Filter) has a config file (as opposed to, say, running some command again and again for each new rule). The config file drips with Unix: there's one rule per line, the "#" mark denotes a comment, and you can have a rule and a comment on the same line. Extraneous whitespace is allowed; I use it to keep my rules readable. The rules are read from top to bottom, each one appended after another.
This quite simply means that if the entirety of your config file is:

    block in all
    pass in all

The computer sees it as:

    block in all
    pass in all

Which is to say that when a packet comes in, the first thing IPF applies is:

    block in all

Should IPF deem it necessary to move on to the next rule, it would then apply the second rule:

    pass in all

At this point, you might want to ask yourself "would IPF move on to the second rule?" If you're familiar with ipfwadm or ipfw, you probably won't ask yourself this. Shortly after, you will become bewildered at the weird way packets are always getting denied or passed when they shouldn't. Many packet filters stop comparing packets to rulesets the moment the first match is made- IPF is not one of them. Unlike the other packet filters, ipf keeps a flag on whether or not it's going to pass the packet. Unless you interrupt it, it'll go through the entire ruleset, making its decision on whether or not to pass or drop the packet based on the last matching rule.

The scene: IP Filter's on duty. It's been scheduled a slice of CPU time. It has a checkpoint clipboard that reads:

    block in all
    pass in all

A packet comes in the gateway and it's time to go to work. It takes a look at the packet, it takes a look at the first rule:

    block in all

"So far I think I will block this packet" says IPF. It takes a look at the second rule: "So far I think I will pass this packet" says IPF. It takes a look at a third rule. There is no third rule (a null pointer is dereferenced, signal 12, kernel panic- AIiiyyee!), so it goes with what its last motivation was, to pass the packet onward.

It's a good time to point out that even if the ruleset had been

    block in all
    block in all
    block in all
    block in all
    pass in all

that the packet still would have gone through. There is no cumulative effect. The last matching rule always takes precedence. I'm sure there's a good use for this method of layout, but I must confess that I don't yet grasp it.
It has some horrible aspects in the area of portability and speed. Imagine converting your old filters to this format. Imagine if you had 100 rules and most of the applicable ones were the first 10. There would be a terrible overhead for every packet coming in to go through 100 rules every time. Fortunately, there's a simple keyword you can add to any rule that makes it take action at that match. The keyword is "quick." Here's a modified copy of the original ruleset using the quick keyword:

    block in quick all
    pass in all

In this case, IPF looks at the first rule:

    block in quick all

The packet matches and the search is over. The packet is expunged without a peep. There are no notices, no logs, no memorial service. Cake will not be served. So what about the next rule?

    pass in all

This rule is never encountered. It could just as easily not be in the config file at all. The sweeping match of "all" and the terminal keyword "quick" from the previous rule make certain that no rules are followed afterward.

Having half a config file laid to waste is rarely a desirable state. On the other hand, IPF is here to block packets and as configured, it's doing a heck of a good job. Nonetheless, IPF is also here to let *some* packets through, so a change to the ruleset to make this possible is called for.

IPF will match packets on numerous criteria. The one that we most commonly think of is the IP address. There are some blocks of addresses from which we should never get traffic. One such block is the unroutable networks such as 192.168.0.0/16 (/16 being a netmask. Perhaps you are more familiar with the wordier version of 255.255.0.0). If you wanted to block 192.168.0.0/16, this is one way to do it:

    block in quick from 192.168.0.0/16 to any
    pass in all

Now we have a less stringent ruleset that actually does something for us. Let's imagine a packet comes in from 1.2.3.4.
The first rule is applied:

    block in quick from 192.168.0.0/16 to any

The packet is from 1.2.3.4, not 192.168.*.*, so there is no match. The second rule is applied:

    pass in all

The packet from 1.2.3.4 is definitely a part of all, so the packet is sent to wherever it happened to be going. On the other hand, suppose we have a packet that comes in from 192.168.1.2. The first rule is applied:

    block in quick from 192.168.0.0/16 to any

There's a match, the packet is dropped, and that's the end. Again, it doesn't move to the second rule because the first rule matches and contains the "quick" keyword.

Every packet you receive comes from a network interface. From a modem speaking PPP to ethernet cards talking 10 base-T, there's an interface involved. Say your machine has 3 interfaces, lo0 (loopback), xl0 (3com ethernet), and tun0 (FreeBSD's generic tunnel interface that ppp uses), but you don't want packets coming in on the tun0 interface?

    block in quick on tun0
    pass in all

In this case, the "on" keyword means that the data is coming in on the named interface. If a packet comes in on tun0, the first rule will block it. If a packet comes in on lo0 or xl0, the first rule will not match, the second rule will, the packet will be passed.

It's an odd state of affairs when one decides it best to have the tun0 interface up, but not allow any data to be received from it. The more criteria the firewall matches against, the tighter (or looser) the firewall can become. Maybe you want data from tun0, but not from 192.168.0.0/16? This is the start of a powerful firewall.

    block in quick on tun0 from 192.168.0.0/16 to any
    pass in all

A packet from 192.168.1.1 on the xl0 interface will get passed. A packet from 1.2.3.4 on the tun0 interface will get passed. In fact, every packet from everywhere will be allowed in, except for packets from 192.168.0.0/16 on tun0. At this point you can build a fairly extensive set of definitive addresses which are passed or blocked.
Since we've already started blocking private address space from entering tun0, let's take care of the rest of it:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    pass in all

The first three address blocks are the unroutable IP space. The fourth is a largely wasted class-A network used for loopback. Much software communicates with itself on 127.0.0.1 so blocking it from external entrance is a good idea.

It seems very frequent that companies have internal networks before they want a link to the outside world. I'd even go so far as to say that's the main reason people consider firewalls in the first place, though they're just as important for a single machine as for an office network. The machine that bridges the outside world to the inside world and vice versa is the router. What separates the router from any other machine is simple: it has two interfaces. We'll call them tun0 for the external link and xl0 for the internal link.

There's a very important principle in packet filtering which has only been alluded to with the private network blocking and that is this: when you know there are certain types of data that only come from certain places, you set up the system to only allow that kind of data from those places. In the case of the unroutable addresses, you know that nothing from 10.0.0.0/8 should be arriving on tun0 because you have no way to reply to it. It's an illegitimate packet. The same goes for the other unroutables as well as 127.0.0.0/8.

Many pieces of software do all their authentication based upon the packet's originating IP address. When you have an internal network, say 200.200.200.0/24, you know that the only traffic for that internal network is going to come off the local ethernet.
Should a packet from 200.200.200.0/24 arrive over a PPP dialup, it's perfectly reasonable to drop it on the floor, or put it in a dark room for interrogation. It should by no means be allowed to get to its final destination. You can accomplish this particularly easily with what you already know of IPF. The new ruleset would be:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in quick on tun0 from 200.200.200.0/24 to any
    pass in all

Up to this point, all blocked and passed packets have been silently blocked and silently passed. Usually you want to know if you're being attacked rather than wonder if that firewall is really buying you any added benefits. While I wouldn't want to log every passed packet, and in some cases every blocked packet, I would want to know about the blocked packets from 200.200.200.0/24. To do this, we add the "log" keyword:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 200.200.200.0/24 to any
    pass in all

[a month passes while I become fascinated with thingamajigs, gadgets and other non-ipf related gadgets]

There are a couple of other things you may need to do, too. If you're running FreeBSD, you'll need to have IPFILTER_LOG compiled into your kernel. Second, ipf requires ipmon to log, no matter what OS you're using. I prefer to run ipmon as "ipmon -s" so it syslogs logged packets instead of having them dump to stdout.

So far, our firewall is pretty good at blocking packets coming to it from suspect places, but there's still more to be done. For one thing, we're accepting packets destined anywhere. One thing we ought to do is make sure packets to 200.200.200.0/32 and 200.200.200.255/32 get dropped on the floor.
To do otherwise opens the internal network for a smurf attack. These two lines would prevent our hypothetical network from being used as a smurf relay:

    block in log quick on tun0 from any to 200.200.200.0/32
    block in log quick on tun0 from any to 200.200.200.255/32

This brings our total ruleset to look something like this:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 200.200.200.0/24 to any
    block in log quick on tun0 from any to 200.200.200.0/32
    block in log quick on tun0 from any to 200.200.200.255/32
    pass in all

Denial of Service attacks are almost as rampant as buffer overflows. Many denial of service attacks rely on glitches in the OS's TCP/IP stack. Frequently, this has come in the form of ICMP packets. Why not block them entirely?

    block in log quick on tun0 proto icmp from any to any

Now any icmp traffic coming in from tun0 will be logged and discarded. Of course, this isn't really an ideal situation. Why not drop all ICMP? Well, because it's useful. So maybe you want to keep some types of ICMP traffic. If you want ping and traceroute to work, you need to let in icmp types 8 and 11. Strictly speaking, this might not be a good idea, but if you need to weigh security versus convenience, ipf lets you do it.

    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 8
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 11

Remember that ruleset order is important.
Since we're doing everything "quick" we must have our passes before our blocks, so we really want the last three rules in this order:

    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 8
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 11
    block in log quick on tun0 proto icmp from any to any

Now to put it all together:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 200.200.200.0/24 to any
    block in log quick on tun0 from any to 200.200.200.0/32
    block in log quick on tun0 from any to 200.200.200.255/32
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 8
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 11
    block in log quick on tun0 proto icmp from any to any
    pass in all

Please note the location of the icmp rules. They're intentionally placed behind the first 7 blocking rules because we don't want to accidentally pass some icmp traffic that would have been dropped by the anti-spoofing and anti-smurfing rules. It's very important to keep a close eye on what you "pass" before all the relevant "block" rules are run.

Now that we've started blocking packets based on protocol, we can start blocking packets based on protocol ports. Services such as rsh, rlogin, and telnet are all very convenient to have. They're also hideously insecure against network sniffing and spoofing. One great compromise is to only allow the services to run internally, then block them externally. rlogin, rsh, and telnet all use specific TCP ports (513, 514, and 23 respectively).
Creating rules to block them is easy:

    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 513
    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 514
    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 23

Make sure all 3 are before the "pass in all" and those ports are good to not go:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 200.200.200.0/24 to any
    block in log quick on tun0 from any to 200.200.200.0/32
    block in log quick on tun0 from any to 200.200.200.255/32
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 8
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 11
    block in log quick on tun0 proto icmp from any to any
    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 513
    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 514
    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 23
    pass in all

You might also want to block udp/111 (portmap), tcp/515 (lpd), tcp/udp (2049), tcp/6000 (X) and so on and so forth. You can get a complete listing of the ports being listened to by using "netstat -a" or lsof, if you have it installed. Blocking udp is the same as tcp. The rule for portmap would be:

    block in quick on tun0 proto udp from any to 200.200.200.0/24 port = 111

There's a big problem with blocking services by the port: sometimes they move. RPC based programs are terrible about this; lockd, statd, even nfsd listens places other than 2049. It's awfully hard to predict, and even worse to automate adjusting all the time. What if you miss a service? Instead of dealing with all that hassle, let's start over with a clean slate. The current ruleset looks like this:

Yes, we really are starting over.
The first rule we're going to use is this:

    block in quick

No network traffic gets through. None. Not a peep. You're rather secure with this setup. Not terribly useful, but quite secure. The great thing is that it doesn't take much more to make your box rather secure, yet useful too. Let's say the machine this is running on is a web server, nothing more, nothing less. It doesn't even do DNS lookups. It just wants to take connections on tcp/80 and that's it. We can do that. We can do that with a second rule, and you already know how:

    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80
    block in quick on ed0

This machine will pass in port 80 traffic for 200.200.200.1, and deny everything else.

Perhaps this is all one needs? Well, I usually find myself needing more. I want to be able to telnet out over the ed0 interface. I want convenience and security in one. Lots of people seem to, that's why ciscos have an "established" clause that lets established tcp sessions go through. Ipfw has established. Ipfwadm has setup/established. They all have this feature, but the name is very misleading. When I first saw it, I thought it meant my packet filter was keeping track of what was going on, that it knew if a connection was really established or not. The fact is, they're all taking the packet's word for it. That's why they only support established TCP connections; that's the only protocol that has flags from which the router can extrapolate the established state of the connection. Anybody who can create a packet with bogus flags can get by such a firewall.

Where does IPF come into play here, you ask? Well, unlike the other firewalls, ipf really can keep track of whether or not a connection is established. And it'll do it with udp and icmp, not just tcp. The only problem is this: the way it does it is non-intuitive. Ipf calls it "keeping state". The keyword for the ruleset is "keep state" (There is also "keep frags", which is advisable as well).
Keeping state's setup is weird. Normally, we know that when we want a packet to come in, we use "pass in" and when we want one coming in to be blocked we use "block in." State is different in that, if you want a packet to come in, you say "pass out". By passing the packet out, a reciprocal rule is created that allows a reply to come back in the other direction. Let's show this as an actual rule:

    pass out quick proto tcp from 200.200.200.1/32 to any keep state

Though it doesn't say so, you must imagine there being an auxiliary rule that exists in the same place in line that reads:

    pass in quick proto tcp from ThatIpISentTo to 200.200.200.1/32

There is no way to express the previous line, don't even try putting it in there, it won't work. The "keep state" option makes it implicit. Here's what our ruleset looks like now:

    pass out quick on ed0 proto tcp from 200.200.200.1/32 to any keep state
    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80
    block in quick on ed0

The workings of the keep state ruleset are much like the workings of the saying "do not speak until spoken to." It's just not permitted (except on port 80:-). Actually, let's keep state on udp and icmp packets as well:

    pass out quick on ed0 proto tcp/udp from 200.200.200.1/32 to any keep state
    pass out quick on ed0 proto icmp from 200.200.200.1/32 to any keep state
    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80
    block in quick on ed0

Ipf has a tcp/udp shorthand. It's actually two rules, but you can write it as one. Now we're keeping state on tcp, udp, icmp. That means we can make outgoing connections with ease. Nothing is denied to us, but the outside world can only send packets to our port 80 with any sort of freedom. Let's take a look at what happens, rule by rule, if I ping www.3com.com: First, a DNS packet is generated, because I don't know the IP address of www.3com.com.
DNS uses UDP, so the first rule matches, the packet is passed, and ipf lets my nameserver's IP reply back to me (since I spoke to it before it spoke to me). It told me www.3com.com is at 192.156.136.22. Now I send an icmp packet to 192.156.136.22. The second rule matches this since it's an icmp packet. The packet goes out, an exception is made for a reply to come back, the reply comes back, the exception is removed. This is very handy because there's no need to track down what ports we're listening to, only the ports we want people to be able to get to.

For added scrutiny, we might consider changing

    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80

to:

    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80 flags S keep frags

This will only let packets through to port 80 if they have a Syn flag. This is handy in detecting Fin scans (where the Fin flag is set).

So now we have a pretty tight firewall. But it can still be tighter. Some of the original ruleset we wiped clean is actually very useful. I'd suggest bringing back all the anti-spoofing stuff. This leaves us with:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 200.200.200.0/24 to any
    block in log quick on tun0 from any to 200.200.200.0/32
    block in log quick on tun0 from any to 200.200.200.255/32
    pass out quick on ed0 proto tcp/udp from 200.200.200.1/32 to any keep state
    pass out quick on ed0 proto icmp from 200.200.200.1/32 to any keep state
    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80 flags S keep frags
    block in quick on ed0

Now we're looking pretty good.
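Added example, not part of Brendan's howto and not IP Filter's own code: a small Python model of the rule semantics the howto walks through (last match wins, "quick" stops the search, "keep state" on an outbound pass admits the reply), run over the howto's final ruleset with its "pass out ... in ed0" lines read as "on ed0". The Packet fields, the exact-flag-set reading of "flags S", and the sample addresses 1.2.3.4 and 198.51.100.53 are assumptions made here.

```python
"""Model of the ipf semantics the howto describes (added example, not code from the howto
or IP Filter): the last matching rule wins unless a match says "quick", and "keep state"
on an outbound pass admits the reply.  Only the ipf syntax subset the howto uses is parsed."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    direction: str        # "in" or "out"
    iface: str            # "tun0", "ed0", ...
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    sport: int = 0
    flags: str = ""       # TCP flags: "S" = bare SYN, "F" = FIN

def parse_rule(text):
    """Parse one rule line into a dict; text after '#' is a comment."""
    toks = text.split("#", 1)[0].split()
    rule = {"action": toks[0], "direction": toks[1], "quick": False, "log": False,
            "keep_state": False, "iface": None, "protos": (), "src": None,
            "dst": None, "port": None, "flags": None}   # None and () mean "any"
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("quick", "log"):
            rule[t] = True
        elif t == "on":
            rule["iface"] = toks[i + 1]; i += 1
        elif t == "proto":
            rule["protos"] = tuple(toks[i + 1].split("/")); i += 1   # "tcp/udp" shorthand
        elif t in ("from", "to"):
            a = toks[i + 1]; i += 1
            rule["src" if t == "from" else "dst"] = None if a == "any" else ipaddress.ip_network(a, strict=False)
        elif t == "port":
            rule["port"] = int(toks[i + 2]); i += 2   # "port = 80" (destination port)
        elif t == "flags":
            rule["flags"] = toks[i + 1]; i += 1       # simplified: the exact flag set must match
        elif t == "keep":
            rule["keep_state"] |= toks[i + 1] == "state"; i += 1   # "keep frags" accepted, ignored
        elif t != "all":
            raise ValueError(f"unsupported token {t!r} in {text!r}")
        i += 1
    return rule

def matches(rule, pkt):
    """True when every criterion the rule names agrees with the packet."""
    return (rule["direction"] == pkt.direction
            and rule["iface"] in (None, pkt.iface)
            and (not rule["protos"] or pkt.proto in rule["protos"])
            and (rule["src"] is None or ipaddress.ip_address(pkt.src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt.dst) in rule["dst"])
            and rule["port"] in (None, pkt.dport)
            and (rule["flags"] is None or set(rule["flags"]) == set(pkt.flags)))

class Firewall:
    def __init__(self, ruleset):
        self.rules = [parse_rule(l) for l in ruleset.splitlines() if l.split("#", 1)[0].strip()]
        self.state = set()    # (proto, src, sport, dst, dport) flows opened by "keep state"
        self.logged = []      # (verdict, packet) for matches on rules that say "log"

    def filter(self, pkt):
        """Return "pass" or "block": state table first, then last match, "quick" ends the search."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "in" and (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "pass"     # the implicit "pass in" that keep state creates for the reply
        verdict, matched = "pass", None   # when no rule matches at all, ipf passes the packet
        for rule in self.rules:
            if matches(rule, pkt):
                verdict, matched = rule["action"], rule
                if rule["quick"]:
                    break     # "quick": act on this match and ignore the rest of the file
        if matched and matched["log"]:
            self.logged.append((verdict, pkt))
        if matched and matched["keep_state"] and verdict == "pass" and pkt.direction == "out":
            self.state.add(flow)
        return verdict

# The howto's final ruleset, with its "pass out ... in ed0" lines read as "on ed0".
HOWTO_RULESET = """
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 200.200.200.0/24 to any
block in log quick on tun0 from any to 200.200.200.0/32
block in log quick on tun0 from any to 200.200.200.255/32
pass out quick on ed0 proto tcp/udp from 200.200.200.1/32 to any keep state
pass out quick on ed0 proto icmp from 200.200.200.1/32 to any keep state
pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80 flags S keep frags
block in quick on ed0
"""

if __name__ == "__main__":
    fw = Firewall(HOWTO_RULESET)
    syn = Packet("in", "ed0", "tcp", "1.2.3.4", "200.200.200.1", 80, 4000, "S")   # constructed sample
    print("SYN to port 80:", fw.filter(syn), "| no-SYN probe:", fw.filter(Packet("in", "ed0", "tcp", "1.2.3.4", "200.200.200.1", 80, 4000, "F")))
```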
------------------------------------------------------------------------------ Copyright 1999 Brendan Conoboy (synk@swcp.com) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 16:42:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from pericles.IPAustralia.gov.au (pericles.IPAustralia.gov.au [202.14.186.30]) by hub.freebsd.org (Postfix) with ESMTP id 1C2B214BD0 for ; Thu, 17 Jun 1999 16:42:16 -0700 (PDT) (envelope-from Stanley.Hopcroft@ipaustralia.gov.au) Received: (from smap@localhost) by pericles.IPAustralia.gov.au (8.9.1/8.9.1) id JAA26918 for ; Fri, 18 Jun 1999 09:42:15 +1000 (EST) X-Authentication-Warning: pericles.IPAustralia.gov.au: smap set sender to using -f Received: from noteshub01.aipo.gov.au(10.0.100.21) by pericles.IPAustralia.gov.au via smap (V2.0) id xmaa26766; Fri, 18 Jun 99 09:42:00 +1000 Received: by noteshub01.aipo.gov.au(Lotus SMTP MTA v4.6.3 (778.2 1-4-1999)) id 4A256793.0082516E ; Fri, 18 Jun 1999 09:43:25 +1000 X-Lotus-FromDomain: IP_AUSTRALIA 
From: Stanley.Hopcroft@ipaustralia.gov.au To: security@FreeBSD.ORG Message-ID: <4A256793.008250B6.00@noteshub01.aipo.gov.au> Date: Fri, 18 Jun 1999 09:40:50 +1000 Subject: Re: the Complete FreeBSD Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org To: security@FreeBSD.ORG cc: Dear Ladies and Gentlemen, FWIW "the Complete FreeBSD" is superb. I am quite happy to pay for - and have for first and second & as soon as Cetus Tech advertise its availability, the third - for any writing of such a superb author. A book is always easier for me to read than a computer screen and a good book, such as this, is simply so entertaining and comforting. It's not only a mine of answers to questions and yes precious information that I can exploit, it's also the company of another person's deep and careful attempt to help others manage some aspects of their lives. Yes, man pages can be good reading too, but this is better. Thank you, Yours sincerely. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 19:47:56 1999 Delivered-To: freebsd-security@freebsd.org Received: from aurora.sol.net (aurora.sol.net [206.55.65.76]) by hub.freebsd.org (Postfix) with ESMTP id 3AEB0155D7 for ; Thu, 17 Jun 1999 19:47:55 -0700 (PDT) (envelope-from jgreco@aurora.sol.net) Received: (from jgreco@localhost) by aurora.sol.net (8.9.2/8.9.2/SNNS-1.02) id VAA06621; Thu, 17 Jun 1999 21:47:51 -0500 (CDT) 
From: Joe Greco Message-Id: <199906180247.VAA06621@aurora.sol.net> Subject: Re: some nice advice.... In-Reply-To: from Terry Glanfield at "Jun 17, 1999 10:34:34 pm" To: terry@program-products.co.uk (Terry Glanfield) Date: Thu, 17 Jun 1999 21:47:51 -0500 (CDT) Cc: security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > jgreco@ns.sol.net (Joe Greco) writes: > > chmod 111 /usr/bin/uucp > > ... > > chmod 111 /usr/bin/at > > ... > > chmod 111 /usr/bin/ypchpass > etc. > > Why not "chmod 0" most of these and be done with it? There is little point in chmod'ding an executable to 0 on a free OS where the executables can be retrieved from any convenient FTP site. In fact, some utilities may retain their usefulness in some lesser manner... or you may wish to run them as root... or for example, doing a chmod 0 on /usr/bin/login may not be too slick. You want to remove the privilege. That's all, really. Otherwise you get into the slippery slope of "why don't you chmod 0 this other random non-suid executable that nobody on this system will ever need", and that wasn't the point. The point was to remove likely security holes opened by suid or sgid executables on application-server-platform class machines where no "normal user" would lose by being unable to run them, and then applying some really mean-ass schg flags. ... 
Joe ------------------------------------------------------------------------------- Joe Greco - Systems Administrator jgreco@ns.sol.net Solaria Public Access UNIX - Milwaukee, WI 414/342-4847 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 20:31:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from kitsune.swcp.com (swcp.com [198.59.115.2]) by hub.freebsd.org (Postfix) with ESMTP id 32BC414C9C for ; Thu, 17 Jun 1999 20:31:52 -0700 (PDT) (envelope-from synk@swcp.com) Received: (from synk@localhost) by kitsune.swcp.com (8.8.8/1.2.3) id VAA03462 for security@FreeBSD.ORG; Thu, 17 Jun 1999 21:31:51 -0600 (MDT) Date: Thu, 17 Jun 1999 21:31:51 -0600 (MDT) From: Brendan Conoboy Message-Id: <199906180331.VAA03462@kitsune.swcp.com> To: security@FreeBSD.ORG Subject: make world clobbers (was Re: some nice advice....) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 
> From: Joe Greco > Subject: Re: some nice advice.... > To: terry@program-products.co.uk (Terry Glanfield) > Cc: security@FreeBSD.ORG > There is little point in chmod'ding an executable to 0 on a free OS where > the executables can be retrieved from any convenient FTP site. In fact, > some utilities may retain their usefulness in some lesser manner... or > you may wish to run them as root... or for example, doing a chmod 0 on > /usr/bin/login may not be too slick. > > You want to remove the privilege. That's all, really. > > Otherwise you get into the slippery slope of "why don't you chmod 0 this > other random non-suid executable that nobody on this system will ever need", > and that wasn't the point. The point was to remove likely security holes > opened by suid or sgid executables on application-server-platform class > machines where no "normal user" would lose by being unable to run them, > and then applying some really mean-ass schg flags. The main reason I'd chmod 0 an executable is to remove it from the path entirely. Unless I'm mistaken, root can execute a mode 0000 file anyway. On a related question, what do you all do about make world overwriting all your chmod changes? I'm constantly plagued by this and other things like sendmail overwriting qmail's sendmail symlink. Is the only answer to write a custom fixit script? -Brendan (synk@swcp.com) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 17 21:52:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from aurora.sol.net (aurora.sol.net [206.55.65.76]) by hub.freebsd.org (Postfix) with ESMTP id 72DBF14C9C for ; Thu, 17 Jun 1999 21:52:35 -0700 (PDT) (envelope-from jgreco@aurora.sol.net) Received: (from jgreco@localhost) by aurora.sol.net (8.9.2/8.9.2/SNNS-1.02) id XAA15397; Thu, 17 Jun 1999 23:52:27 -0500 (CDT) 
From: Joe Greco
Message-Id: <199906180452.XAA15397@aurora.sol.net>
Subject: make world clobbers (was Re: some nice advice...)
To: synk@swcp.com
Date: Thu, 17 Jun 1999 23:52:27 -0500 (CDT)
Cc: security@freebsd.org

> > There is little point in chmod'ding an executable to 0 on a free OS where
> > the executables can be retrieved from any convenient FTP site. In fact,
> > some utilities may retain their usefulness in some lesser manner... or
> > you may wish to run them as root... or for example, doing a chmod 0 on
> > /usr/bin/login may not be too slick.
> >
> > You want to remove the privilege. That's all, really.
> >
> > Otherwise you get into the slippery slope of "why don't you chmod 0 this
> > other random non-suid executable that nobody on this system will ever need",
> > and that wasn't the point. The point was to remove likely security holes
> > opened by suid or sgid executables on application-server-platform class
> > machines where no "normal user" would lose by being unable to run them,
> > and then applying some really mean-ass schg flags.
>
> The main reason I'd chmod 0 an executable is to remove it from the path
> entirely. Unless I'm mistaken, root can execute a mode 0000 file anyway.

You are mistaken. Thankfully. Root had better damn well never execute
anything if there is the slightest amount of doubt.

> On a related question, what do you all do about make world overwriting all
> your chmod changes? I'm constantly plagued by this and other things like
> sendmail overwriting qmail's sendmail symlink. Is the only answer to write
> a custom fixit script?

By definition, one isn't too interested in running "make world" on an
application-server-platform class machine. You're looking for a platform
on which to run some application, and about the only thing you'll ever
need to patch would be the kernel. Anything else (bugs in userland) is
merely an annoyance that you can live with because you didn't need any of
that stuff anyways. And if you _do_ need to upgrade, you'll do it from
a binary distribution, not from source, because you can't really afford
to have your application server offline for the unnecessary luxury of
building the world.

But to answer the question you're sort of asking, yes. If I make more
than half a dozen custom changes to any system, I have to ask myself what
the hell I'm doing wrong. I have a set of scripts that I run to do things
such as baseline customizations (addition of admin accounts, basic rc.conf
configuration, nameserver setup, ntp setup, inetd setup, etc), standard
port installation (shells, utils, etc), and several other things. Since
things such as firewalls and fileprotections need to be negotiated on a
per-application basis, these take a little more work. Another script to
install the service in question, and all should be done... with zero
manual piddling around.

If I have to diddle with a system, there's a good chance that I might not
do it the same way next time, and that's a bad thing. So I work very hard
to minimize any such efforts.

If I do need to upgrade a system, though, I remove the schg flags in
single user, install the new distribution, and then re-run all my
system building scripts, all of which should do the right thing for
whatever situation they find themselves in.

...
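An added example of one such re-runnable "system building" script, in the spirit of the approach described above; it is not the list's or FreeBSD's own code. It assumes (hypothetically) a list file with one absolute path per line naming the set-id binaries to strip, and it only calls chflags(1) where that command exists, so the chmod part also runs on non-BSD hosts.

```shell
#!/bin/sh
# Idempotent re-hardening script (added example, not the list's own code).
# Re-run it after every upgrade: it strips set-uid/set-gid bits from the
# binaries named in a list file and then marks them schg, doing nothing
# to files that are already in the desired state.
# Assumption (hypothetical): the list file has one absolute path per line;
# blank lines and lines starting with '#' are ignored.

set -u

# Print every set-uid or set-gid regular file under $1, one per line.
# Uses only POSIX find(1), so the audit also works on non-BSD hosts.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Clear the set-uid and set-gid bits of file $1, leaving all other bits alone.
# Returns 1 if the file is missing so the caller can report it.
strip_setid() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "skip (missing): $f" >&2
        return 1
    fi
    # find(1) on a single path tests just that path, so this is a portable
    # "does this file carry a set-id bit" check.
    if [ -n "$(find "$f" \( -perm -4000 -o -perm -2000 \))" ]; then
        chmod u-s,g-s "$f" && echo "stripped set-id: $f"
    else
        echo "already clean: $f"
    fi
}

# Make file $1 system-immutable. chflags(1) exists on FreeBSD; elsewhere we
# only report, so the rest of the script still does its work.
make_schg() {
    if command -v chflags >/dev/null 2>&1; then
        chflags schg "$1" && echo "schg: $1"
    else
        echo "no chflags on this host, not setting schg: $1" >&2
    fi
}

# Apply strip_setid and make_schg to every path in list file $1.
# Remember: schg must be cleared again in single-user mode before the
# next upgrade, as described above.
harden_from_list() {
    rc=0
    while IFS= read -r path; do
        case $path in ''|\#*) continue ;; esac
        strip_setid "$path" || rc=1
        make_schg "$path" || rc=1
    done < "$1"
    return $rc
}

# Self-contained demonstration on a constructed scratch file; it uses only
# strip_setid so no immutable files are left behind in a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$tmp/fakebin"
    chmod 4755 "$tmp/fakebin"         # constructed set-uid file
    echo "before:"; list_setid "$tmp"
    strip_setid "$tmp/fakebin"
    strip_setid "$tmp/fakebin"        # second run reports "already clean"
    echo "after:";  list_setid "$tmp" # prints nothing
    rm -rf "$tmp"
}

demo
```

Running `list_setid /` before and after an upgrade shows exactly which set-id bits "make world" or a binary install put back.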
Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                       jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                  414/342-4847

From owner-freebsd-security Thu Jun 17 22:11:24 1999
Date: Thu, 17 Jun 1999 23:11:06 -0600 (MDT)
From: Brendan Conoboy
Message-Id: <199906180511.XAA15842@kitsune.swcp.com>
To: jgreco@ns.sol.net
Subject: Re: make world clobbers (was Re: some nice advice...)
Cc: security@freebsd.org

> You are mistaken. Thankfully. Root had better damn well never execute
> anything if there is the slightest amount of doubt.

Ah quite right, I misremembered. Root can run shell scripts that're mode 0,
but only by saying "sh this" or "perl that".

> By definition, one isn't too interested in running "make world" on an
> application-server-platform class machine. You're looking for a platform
> on which to run some application, and about the only thing you'll ever
> need to patch would be the kernel. Anything else (bugs in userland) is
> merely an annoyance that you can live with because you didn't need any of
> that stuff anyways. And if you _do_ need to upgrade, you'll do it from
> a binary distribution, not from source, because you can't really afford
> to have your application server offline for the unnecessary luxury of
> building the world.

Er, don't you upgrade from source when there's a security problem in
userland but no new binary distribution? I do.

> the same way next time, and that's a bad thing. So I work very hard
> to minimize any such efforts.

Sigh, was afraid of that. I did get a suggestion to update /etc/make.conf
from Dino A. Dai Zovi, which I am thankful for.

> If I do need to upgrade a system, though, I remove the schg flags in
> single user, install the new distribution, and then re-run all my
> system building scripts, all of which should do the right thing for
> whatever situation they find themselves in.

-Brendan (synk@swcp.com)

From owner-freebsd-security Thu Jun 17 22:17:27 1999
Date: Fri, 18 Jun 1999 00:17:23 -0500 (CDT)
From: David Scheidt
To: Brendan Conoboy
Cc: jgreco@ns.sol.net, security@FreeBSD.ORG
Subject: Re: make world clobbers (was Re: some nice advice...)
In-Reply-To: <199906180511.XAA15842@kitsune.swcp.com>

On Thu, 17 Jun 1999, Brendan Conoboy wrote:

> Er, don't you upgrade from source when there's a security problem in
> userland but no new binary distribution? I do.

Build the world on a different machine, and install from that.

David Scheidt

From owner-freebsd-security Thu Jun 17 22:48:06 1999
Message-Id: <199906180536.HAA23430@marabu.marabu.ch>
From: Adrian Steinmann
Date: Fri, 18 Jun 99 07:36:11 +0200
To: security@FreeBSD.ORG
Subject: Re: some nice advice....

Warner Losh responded to Pete Fritchman:
: If you get compromised, why does it matter?
: The attacker compiles a new kernel, waits for you to reboot, boom.

Nope. My kernel is set schg and I run at a high secure level so you can't
replace my kernel.

Make sure /boot.config is schg as well, otherwise

    echo "wd(0,a)/evil_kernel" > /boot.config && reboot

can circumvent your measures [you could also make / schg, I guess].

A high secure mode will also stop a determined hacker from rewriting your
boot blocks because it disables writing to disk except through the mounted
filesystems ;-)

Adrian Steinmann
_________________________________________________________________________
Dr. Adrian Steinmann   Steinmann Consulting   Apollostrasse 21   8032 Zurich
Tel +41 1 380 30 83    Fax +41 1 380 30 85    Mailto:ast@styx.ch

From owner-freebsd-security Thu Jun 17 23:10:00 1999
Message-Id: <199906180610.AAA73351@harmony.village.org>
To: Adrian Steinmann
Subject: Re: some nice advice....
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 18 Jun 1999 07:36:11 +0200." <199906180536.HAA23430@marabu.marabu.ch>
References: <199906180536.HAA23430@marabu.marabu.ch>
Date: Fri, 18 Jun 1999 00:10:12 -0600
From: Warner Losh

In message <199906180536.HAA23430@marabu.marabu.ch> Adrian Steinmann writes:
: Make sure /boot.config is schg as well, otherwise
: echo "wd(0,a)/evil_kernel" > /boot.config && reboot
: can circumvent your measures [you could also make / schg, I guess].

Yes. You also need to make sure all scripts, executables and shared images
that are touched or potentially touched before the secure level is
increased, as well as all programs that run as root or could be run by
root. Also, any programs that are run by any users on your system.

Gotta love that transitive property of security.

Warner

From owner-freebsd-security Thu Jun 17 23:16:59 1999
Date: Fri, 18 Jun 1999 02:21:58 -0400 (EDT)
From: Mike Nowlin
To: freebsd-security@freebsd.org
Subject: securelevel descr

Dumb question -- can't find it around, but I know I've seen it
somewhere....

What are the various secure levels, and what does each one do?

mike

From owner-freebsd-security Thu Jun 17 23:20:42 1999
Date: Fri, 18 Jun 1999 01:20:39 -0500 (CDT)
From: David Scheidt
To: Mike Nowlin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr

On Fri, 18 Jun 1999, Mike Nowlin wrote:

> Dumb question -- can't find it around, but I know I've seen it
> somewhere....
>
> What are the various secure levels, and what does each one do?
>

man 8 init

From owner-freebsd-security Thu Jun 17 23:35:52 1999
Date: Fri, 18 Jun 1999 01:35:49 -0500 (CDT)
From: Frank Tobin
Cc: freebsd-security@freebsd.org
Subject: Re: securelevel descr

Mike Nowlin, at 02:21 on Fri, 18 Jun 1999, wrote:

> What are the various secure levels, and what does each one do?

Read man init(8). Nice descriptions.

I was talking over something with friends today, and we were trying to
come up with ideas for securelevels that would disable as much meaning out
of being root, to limit the spread of being root if a box is 'rooted'.
Specifically, we came to the conclusion that most of /etc and /usr
(with the notable exceptions of /etc/passwd, catman, /usr/local) could be
chflagged simmutable, and a securelevel of 3 could really strengthen a
box. Of course, one additional thing that no secure level does that would
be _really_ nice is that it would prevent more secure ports from being
opened. This would be extremely advantageous, as it would eliminate _any_
possibility of a trojan daemon being opened on a secure port for devious
means, such as password-gathering. Since the daemon itself would be
simmutable, and would open its ports before the securelevel is raised,
there would be no way to trojan the process, since it can't be replaced,
and can't be killed/restarted, and its memory can't be written to.

Of course, putting such a thing into the securelevels would create a need
for the network daemons to start up in a different order, sooner. For
example, sshd couldn't be in /usr/local/etc/rc.d, but started up before
the raised securelevel. Or this could actually instead be done with a
securelevel of 4 (no secure ports opened), which is raised to after all
startup scripts have ended. This would be preferable because it could
start the sshd under a securelevel of 3, protecting the filesystem from a
buggy sshd.

Of course, your daemon better not die in this scenario, or you have to be
running inetd. Your inetd shouldn't really be dying though :)

I feel this addition to the securelevels would be a GREAT enhancement to
the ability of an administrator to 'lock down' a box. I really do wish I
had the expertise to implement it. I would be most appreciative if I saw
this change added to FreeBSD.

-- 
Frank Tobin                     "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin   valued, those truths which cannot be
                                 shaken or changed."  Myst: The Book of Atrus
FreeBSD: The Power To Serve
PGPenvelope = GPG and PGP5 + Pine    http://www.bigfoot.com/~ftobin/resources.html
PGP: 4F86 3BBB A816 6F0A 340F  6003 56FF D10A 260C 4FA3

From owner-freebsd-security Fri Jun 18 0:45:58 1999
From: Kirill Nosov
Reply-To: slash@leontief.net
Subject: Re: securelevel descr
Date: Fri, 18 Jun 1999 11:40:31 +0400
Message-Id: <99061811465300.10975@MirStation.leontief.nw.ru>
To: freebsd-security@FreeBSD.ORG

On Fri, 18 Jun 1999, Frank Tobin wrote:

> I was talking over something with friends today, and we were trying to
> come up with ideas for securelevels that would disable as much meaning out
> of being root, to limit the spread of being root if a box is 'rooted'.
> Specifically, we came to the conclusion that most of /etc and /usr
> (with the notable exceptions of /etc/passwd, catman, /usr/local) could be
> chflagged simmutable, and a securelevel of 3 could really strengthen a
> box. Of course, one additional thing that no secure level does that would
> be _really_ nice is that it would prevent more secure ports from being
> opened.
>

As far as I remember there was a discussion about implementing the
dependence between uid and port you are able to open - to eliminate the
'privileged ports' concept. That was a great idea from my point of view.
Will it be implemented in future FreeBSD versions? As far as I see it is
possible to be done w/o any changes in '3rd party software', just by means
of FreeBSD core.

--- 
... I want to perform cranial activities with Tuesday Weld!!
/Slash.

From owner-freebsd-security Fri Jun 18 0:56:58 1999
To: Brendan Conoboy
Cc: security@FreeBSD.ORG
Subject: Re: make world clobbers (was Re: some nice advice....)
References: <199906180331.VAA03462@kitsune.swcp.com>
From: Dag-Erling Smorgrav
Date: 18 Jun 1999 09:56:50 +0200
In-Reply-To: Brendan Conoboy's message of "Thu, 17 Jun 1999 21:31:51 -0600 (MDT)"

Brendan Conoboy writes:
> On a related question, what do you all do about make world overwriting all
> your chmod changes? I'm constantly plagued by this and other things like
> sendmail overwriting qmail's sendmail symlink. Is the only answer to write
> a custom fixit script?

For sendmail / qmail, simply define NO_SENDMAIL=true in /etc/make.conf.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Fri Jun 18 1:02:49 1999
Date: Fri, 18 Jun 1999 03:02:45 -0500 (CDT)
From: Frank Tobin
To: Kirill Nosov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
In-Reply-To: <99061811465300.10975@MirStation.leontief.nw.ru>

Kirill Nosov, at 11:40 on Fri, 18 Jun 1999, wrote:

> As far as I remember there was a discussion about implementing the
> dependence between uid and port you are able to open - to eliminate
> the 'privileged ports' concept. That was a great idea from my point of
> view. Will it be implemented in future FreeBSD versions? As far
> as I see it is possible to be done w/o any changes in '3rd party
> software', just by means of FreeBSD core.

Well, the privileged ports concept is actually something that is a good
thing, if you can guarantee that only the trusted application X is bound
to that port, and not a trojaned version setup by an ordinary user. This
can be achieved by means of simmutable flags all over the place, and a
securelevel that doesn't allow any service to open a secure port.

-- 
Frank Tobin                     "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin   valued, those truths which cannot be
                                 shaken or changed."  Myst: The Book of Atrus
FreeBSD: The Power To Serve
PGPenvelope = GPG and PGP5 + Pine    http://www.bigfoot.com/~ftobin/resources.html
PGP: 4F86 3BBB A816 6F0A 340F  6003 56FF D10A 260C 4FA3

From owner-freebsd-security Fri Jun 18 1:16:06 1999
From: Kirill Nosov
Reply-To: slash@leontief.net
To: Frank Tobin
Subject: Re: securelevel descr
Date: Fri, 18 Jun 1999 12:08:25 +0400
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <99061812174202.10975@MirStation.leontief.nw.ru>

On Fri, 18 Jun 1999, Frank Tobin wrote:

> Kirill Nosov, at 11:40 on Fri, 18 Jun 1999, wrote:
>
> Well, the privileged ports concept is actually something that is a good
> thing, if you can guarantee that only the trusted application X is bound
> to that port, and not a trojaned version setup by an ordinary user. This
> can be achieved by means of simmutable flags all over the place, and a
> securelevel that doesn't allow any service to open a secure port.
>

But the idea discussed will allow to run daemons on privileged ports
under non-root privileges. So you will create a user sendmail with uid 25
and only it will be able to bind to port 25. That will allow to lower the
probability of remote (and local) root compromises. For sure this is a
non-trivial configuration problem concerning file ownership and group
formation, but it looks like the result will be good. (But perhaps that
will create another problem with 'privileged uids' :)

-- 
One possible reason that things aren't going according to plan is that
there never was a plan in the first place.
/Slash.

From owner-freebsd-security Fri Jun 18 1:34:55 1999
Date: Fri, 18 Jun 1999 03:34:52 -0500 (CDT)
From: Frank Tobin
To: Kirill Nosov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
In-Reply-To: <99061812174202.10975@MirStation.leontief.nw.ru>

Kirill Nosov, at 12:08 on Fri, 18 Jun 1999, wrote:

> But the idea discussed will allow to run daemons on privileged ports
> under non-root privileges. So you will create a user sendmail with uid 25
> and only it will be able to bind to port 25. That will allow to
> lower the probability of remote (and local) root compromises. For
> sure this is a non-trivial configuration problem concerning file
> ownership and group formation, but it looks like the result will be
> good. (But perhaps that will create another problem with 'privileged
> uids' :)

Hrm, that is an excellent idea; it could be added as an extra securelevel,
such as -2. During this time, any user can open a port. rc scripts can
then start up standard daemons, such as sshd, and then have them bind to
normally-privileged ports, with non-root privileges (well, sshd needs to
be root anyways). Then, when the rc scripts are done, the securelevel can
be raised to 4, which would allow no one, even root, to bind to
securelevels anymore. By doing both of these, we've accomplished fewer
root-privileged binaries _and_ trusted ports.

Additionally, even if sshd was compromised as it ran as root, and the
attacker gained root access, he could do virtually nothing damaging
(except possibly some DOS) to the system, being in a high securelevel
state. This includes killing the current sshd, and starting a new one to
sniff passwords, as, as stated, the proposed securelevel would be set to
not allow the opening of trusted ports.

-- 
Frank Tobin                     "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin   valued, those truths which cannot be
                                 shaken or changed."  Myst: The Book of Atrus
FreeBSD: The Power To Serve
PGPenvelope = GPG and PGP5 + Pine    http://www.bigfoot.com/~ftobin/resources.html
PGP: 4F86 3BBB A816 6F0A 340F  6003 56FF D10A 260C 4FA3

From owner-freebsd-security Fri Jun 18 3:12:45 1999
To: Frank Tobin
Cc: Kirill Nosov, freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
From: Dag-Erling Smorgrav
Date: 18 Jun 1999 12:12:36 +0200
In-Reply-To: Frank Tobin's message of "Fri, 18 Jun 1999 03:34:52 -0500 (CDT)"

Frank Tobin writes:
> Hrm, that is an excellent idea; it could be added as an extra securelevel,
> such as -2.

-2? Why -2? Securelevels are numbered upwards from 0, in increasing order
of paranoia.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Fri Jun 18 3:28:22 1999
From: Kirill Nosov
Reply-To: slash@leontief.net
To: Frank Tobin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
Date: Fri, 18 Jun 1999 13:05:31 +0400
Message-Id: <99061813270605.10975@MirStation.leontief.nw.ru>

On Fri, 18 Jun 1999, you wrote:
> Hrm, that is a excellent idea could be added as an extra securelevel, such
> as -2. During this time, any user can open a port.

> rc scripts can then
> start up standard daemons, such as sshd, and then have them bind to
> normally-privileged ports, with non-root privileges (well, sshd needs to
> be root anyways). Then, when the rc scripts are done, the securelevel can
> be raised to 4, which would allow noone, even root, to bind to
> securelevels anymore. By doing both of these, we've accomplished less
> root-privileged binaries _and_ trusted ports.

Yep, perhaps this is one of the possible solutions.

> Additionally, even if sshd was compromised as it ran as root, and the
> attacker gained root access, he could do virtually nothing damaging
> (except possibly some DOS) to the system, being in a high securelevel
> state.

Compromising, for example, sendmail will lead only to a non-root compromise.

> This includes killing the current sshd, and starting a new one to
> sniff passwords, as, as stated, the proposed securelevel would be set to
> not allow the opening of trusted ports.

I think that creating the needed patch is not an evil task.

--
In the beginning there was data. The data was without form and null, and
darkness was upon the face of the console; and the Spirit of IBM was
moving over the face of the market. And DEC said, "Let there be
registers"; and there were registers. And DEC saw that they carried; and
DEC separated the data from the instructions. DEC called the data Stack,
and the instructions they called Code. And there was evening and there
was morning, one interrupt.
  -- Rico Tudor, "The Story of Creation or, The Myth of Urk"

/Slash.

From: Darren Reed
Message-Id: <199906181039.UAA22257@cheops.anu.edu.au>
Subject: Re: ipf howto, tada
To: synk@swcp.com (Brendan Conoboy)
Date: Fri, 18 Jun 1999 20:39:35 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199906172335.RAA00665@kitsune.swcp.com> from "Brendan Conoboy" at Jun 17, 99 05:35:36 pm

Let me add some comments which hopefully will enrich your document.

[...]
> I'm sure there's a good use for this method of layout, but I must confess
> that I don't yet grasp it.

It allows you to specify the policy at the top or bottom of the ruleset.
Whilst you can set this when compiling it as an LKM/into the kernel, I
prefer to include the rule to enforce the same in the configuration file
anyway, for clarity. Last match also allows for some more complex
interactions of rules and their results.

[...hmm, I think your examples are a tad backwards, with "pass in all"
being the `default'...]

[...]
> I prefer to run ipmon with as "ipmon -s" so it
> syslogs logged packets instead of having them dump to stdout.

"ipmon /var/log/iplog" will save log entries direct to that file. ipmon
also handles SIGHUP as you would expect, closing and re-opening the log
file to allow for rotation. With newsyslog, this should be possible
without too much hassle.

FWIW, you might like to mention the "log-or-block" option where it will
block a packet to be pass'd and logged if it cannot log it due to the log
buffer being too full. i.e.

    pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state

Here we say only log the first packet for this connection as recorded by
"keep state", but if it can't be logged, then block it.

(you can use /bin/cat to save log information from IP Filter with

    cat /dev/ipf > /var/log/ipflog

but it saves binary log data that you need to run ipmon to convert to
english).

> pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80
> block in quick on ed0
>
> This machine will pass in port 80 traffic for 200.200.200.1, and deny
> everything else. Perhaps this is all one needs?

You should be setting policies (i.e. block in quick all) for each
interface and each direction (both in and out) if you want to do it by
interface.

[...]
> Lots of people seem to, that's why ciscos have an "established" clause
> that lets established tcp sessions go through. Ipfw has established.
> Ipfwadm has setup/established. They all have this feature, but the
> name is very misleading.

Indeed :-)

> pass out quick proto tcp from 200.200.200.1/32 to any keep state

This can be in or out...essentially when the packet first crosses your
perimeter. If it is a locally made connection going out then the above
is correct. If it is from another host on your LAN going through your IP
Filter firewall, then it should be "pass in" on the LAN interface.

> pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80 flags S keep frags

You should *always* qualify "flags" in a rule properly, such as "flags
S/SA" or "flags S/S". I don't know if this is too much for your document,
but saying "flags S/SA" is *only* going to match the initial connection
request (which is all you need with "keep state" :).

btw, home page for IP Filter is: http://coombs.anu.edu.au/ipfilter

Cheers,
Darren

To: slash@leontief.net
Cc: Frank Tobin, freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
References: <99061812174202.10975@MirStation.leontief.nw.ru>
From: Dag-Erling Smorgrav
Date: 18 Jun 1999 12:45:42 +0200
In-Reply-To: Kirill Nosov's message of "Fri, 18 Jun 1999 12:08:25 +0400"

Kirill Nosov writes:
> But the idea discussed will allow to run daemons on priveleged ports under
> non-root priveleges. So you will create a user sendmail with 25 uid and only it
> will be able to bind to 25 port. That will allow to lower the probability of
> remote ( and local) root compromises.

This can possibly be achieved by extending portalfs to allow wiring down
hostname/port pairs and support chown / chmod on wired-down sockets.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From: Joe Greco
Message-Id: <199906181136.GAA43699@aurora.sol.net>
Subject: Re: make world clobbers (was Re: some nice advice...)
In-Reply-To: <199906180511.XAA15842@kitsune.swcp.com> from Brendan Conoboy at "Jun 17, 1999 11:11: 6 pm"
To: synk@swcp.com (Brendan Conoboy)
Date: Fri, 18 Jun 1999 06:36:22 -0500 (CDT)
Cc: security@freebsd.org

> > By definition, one isn't too interested in running "make world" on an
> > application-server-platform class machine. You're looking for a platform
> > on which to run some application, and about the only thing you'll ever
> > need to patch would be the kernel. Anything else (bugs in userland) is
> > merely an annoyance that you can live with because you didn't need any of
> > that stuff anyways. And if you _do_ need to upgrade, you'll do it from
> > a binary distribution, not from source, because you can't really afford
> > to have your application server offline for the unnecessary luxury of
> > building the world.
>
> Er, don't you upgrade from source when there's a security problem in
> userland but no new binary distribution? I do.

No. There are few such issues that can matter in a properly secured
system (you can't exploit suid programs that are missing the suid bit,
for example) and almost every other problem has some other trivial
workaround. I can't think of a case in recent times where this isn't
true...

...
Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                     414/342-4847

Date: Thu, 17 Jun 1999 17:35:36 -0600 (MDT)
From: Brendan Conoboy
Message-Id: <199906172335.RAA00665@kitsune.swcp.com>
To: freebsd-security@freebsd.org
Subject: ipf howto, tada

Hi Everybody. I know it's been a while since I said I'd put this out, but
I'm easily distracted and prone to switching character. Here's my
alpha-release ipf-howto. It's somewhere between a firewall howto and an
ipf howto. Think of it as a guide to setting up an ipf-based firewall. It
has some theory, some caveats, some typos, bad spelling, poor grammar,
anthropomorphism, person shifts, so on and so forth. If Dr Seuss were
here, I would implore him to invent 5 letters before alpha to describe it.
In any case, here it is. Please send me lots of questions, comments,
additions, retractions, and offers to be an editor.

Thanks,
-Brendan (synk@swcp.com)

-----------------------------------------------------------------------

IP Filter is a neat little firewall package. It does just about everything
other free firewalls (ipfwadm, ipchains, ipfw) do, but it's also portable
and does neat stuff the others don't. This document is intended to make
some cohesive sense of the sparse documentation presently available for
ipfilter. Some prior familiarity with packet filtering will be useful (too
much familiarity may make this document a waste of your time). There are
probably numerous books on the subject that would be beneficial to read.
I used TCP/IP Illustrated, myself. On we go.

Part 1 - Config File Dynamics, Order and Precedence

IPF (IP Filter) has a config file (as opposed to, say, running some
command again and again for each new rule). The config file drips with
Unix: there's one rule per line, the "#" mark denotes a comment, and you
can have a rule and a comment on the same line. Extraneous whitespace is
allowed; I use it to keep my rules readable. The rules are read from top
to bottom, each one appended after another.
This quite simply means that if the entirety of your config file is:

    block in all
    pass in all

The computer sees it as:

    block in all
    pass in all

Which is to say that when a packet comes in, the first thing IPF applies
is:

    block in all

Should IPF deem it necessary to move on to the next rule, it would then
apply the second rule:

    pass in all

At this point, you might want to ask yourself "would IPF move on to the
second rule?" If you're familiar with ipfwadm or ipfw, you probably won't
ask yourself this. Shortly after, you will become bewildered at the weird
way packets are always getting denied or passed when they shouldn't. Many
packet filters stop comparing packets to rulesets the moment the first
match is made; IPF is not one of them. Unlike the other packet filters,
ipf keeps a flag on whether or not it's going to pass the packet. Unless
you interrupt it, it'll go through the entire ruleset, making its decision
on whether or not to pass or drop the packet based on the last matching
rule.

The scene: IP Filter's on duty. It's been scheduled a slice of CPU time.
It has a checkpoint clipboard that reads:

    block in all
    pass in all

A packet comes in the gateway and it's time to go to work. It takes a
look at the packet, it takes a look at the first rule:

    block in all

"So far I think I will block this packet" says IPF. It takes a look at
the second rule: "So far I think I will pass this packet" says IPF. It
takes a look at a third rule. There is no third rule (a null pointer is
dereferenced, signal 12, kernel panic- AIiiyyee!), so it goes with what
its last motivation was, to pass the packet onward.

It's a good time to point out that even if the ruleset had been

    block in all
    block in all
    block in all
    block in all
    pass in all

that the packet still would have gone through. There is no cumulative
effect. The last matching rule always takes precedence. I'm sure there's
a good use for this method of layout, but I must confess that I don't yet
grasp it.
It has some horrible aspects in the area of portability and speed.
Imagine converting your old filters to this format. Imagine if you had
100 rules and most of the applicable ones were the first 10. There would
be a terrible overhead for every packet coming in to go through 100 rules
every time. Fortunately, there's a simple keyword you can add to any rule
that makes it take action at that match. The keyword is "quick". Here's a
modified copy of the original ruleset using the quick keyword:

    block in quick all
    pass in all

In this case, IPF looks at the first rule:

    block in quick all

The packet matches and the search is over. The packet is expunged without
a peep. There are no notices, no logs, no memorial service. Cake will not
be served. So what about the next rule?

    pass in all

This rule is never encountered. It could just as easily not be in the
config file at all. The sweeping match of "all" and the terminal keyword
"quick" from the previous rule make certain that no rules are followed
afterward.

Having half a config file laid to waste is rarely a desirable state. On
the other hand, IPF is here to block packets and as configured, it's
doing a heck of a good job. Nonetheless, IPF is also here to let *some*
packets through, so a change to the ruleset to make this possible is
called for.

IPF will match packets on numerous criteria. The one that we most
commonly think of is the IP address. There are some blocks of addresses
from which we should never get traffic. One such block is the unroutable
networks such as 192.168.0.0/16 (/16 being a netmask. Perhaps you are
more familiar with the wordier version of 255.255.0.0). If you wanted to
block 192.168.0.0/16, this is one way to do it:

    block in quick from 192.168.0.0/16 to any
    pass in all

Now we have a less stringent ruleset that actually does something for us.
Let's imagine a packet comes in from 1.2.3.4.
The first rule is applied:

    block in quick from 192.168.0.0/16 to any

The packet is from 1.2.3.4, not 192.168.*.*, so there is no match. The
second rule is applied:

    pass in all

The packet from 1.2.3.4 is definitely a part of all, so the packet is
sent to wherever it happened to be going. On the other hand, suppose we
have a packet that comes in from 192.168.1.2. The first rule is applied:

    block in quick from 192.168.0.0/16 to any

There's a match, the packet is dropped, and that's the end. Again, it
doesn't move to the second rule because the first rule matches and
contains the "quick" keyword.

Every packet you receive comes from a network interface. From a modem
speaking PPP to ethernet cards talking 10 base-T, there's an interface
involved. Say your machine has 3 interfaces, lo0 (loopback), xl0 (3com
ethernet), and tun0 (FreeBSD's generic tunnel interface that ppp uses),
but you don't want packets coming in on the tun0 interface?

    block in quick on tun0
    pass in all

In this case, the "on" keyword means that that data is coming in on the
named interface. If a packet comes in on tun0, the first rule will block
it. If a packet comes in on lo0 or xl0, the first rule will not match,
the second rule will, the packet will be passed.

It's an odd state of affairs when one decides it best to have the tun0
interface up, but not allow any data to be received from it. The more
criteria the firewall matches against, the tighter (or looser) the
firewall can become. Maybe you want data from tun0, but not from
192.168.0.0/16? This is the start of a powerful firewall.

    block in quick on tun0 from 192.168.0.0/16 to any
    pass in all

A packet from 192.168.1.1 on the xl0 interface will get passed. A packet
from 1.2.3.4 on the tun0 interface will get passed. In fact, every packet
from everywhere will be allowed in, except for packets from
192.160.0.0/16 on tun0. At this point you can build a fairly extensive
set of definitive addresses which are passed or blocked.
Since we've already started blocking private address space from entering
tun0, let's take care of the rest of it:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    pass in all

The first three address blocks are the unroutable IP space. The fourth is
a largely wasted class-A network used for loopback. Much software
communicates with itself on 127.0.0.1 so blocking it from external
entrance is a good idea.

It seems very frequent that companies have internal networks before they
want a link to the outside world. I'd even go so far as to say that's the
main reason people consider firewalls in the first place, though they're
just as important for a single machine as for an office network. The
machine that bridges the outside world to the inside world and vice versa
is the router. What separates the router from any other machine is
simple: it has two interfaces. We'll call them tun0 for the external link
and xl0 for the internal link.

There's a very important principle in packet filtering which has only
been alluded to with the private network blocking and that is this: when
you know there are certain types of data that only come from certain
places, you set up the system to only allow that kind of data from those
places. In the case of the unroutable addresses, you know that nothing
from 10.0.0.0/8 should be arriving on tun0 because you have no way to
reply to it. It's an illegitimate packet. The same goes for the other
unroutables as well as 127.0.0.0/8.

Many pieces of software do all their authentication based upon the
packet's originating IP address. When you have an internal network, say
200.200.200.0/24, you know that the only traffic for that internal
network is going to come off the local ethernet.
Should a packet from 200.200.200.0/24 arrive over a PPP dialup, it's
perfectly reasonable to drop it on the floor, or put it in a dark room
for interrogation. It should by no means be allowed to get to its final
destination. You can accomplish this particularly easily with what you
already know of IPF. The new ruleset would be:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in quick on tun0 from 200.200.200.0/24 to any
    pass in all

Up to this point, all blocked and passed packets have been silently
blocked and silently passed. Usually you want to know if you're being
attacked rather than wonder if that firewall is really buying you any
added benefits. While I wouldn't want to log every passed packet, and in
some cases every blocked packet, I would want to know about the blocked
packets from 200.200.200.0/24. To do this, we add the "log" keyword:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 200.200.200.0/24 to any
    pass in all

[a month passes while I become fascinated with thingamajigs, gadgets and
other non-ipf related gadgets]

There's a couple other things you may need to do, too. If you're running
FreeBSD, you'll need to have IPFILTER_LOG compiled into your kernel.
Second, ipf requires ipmon to log, no matter what OS you're using. I
prefer to run ipmon as "ipmon -s" so it syslogs logged packets instead of
having them dump to stdout.

So far, our firewall is pretty good at blocking packets coming to it from
suspect places, but there's still more to be done. For one thing, we're
accepting packets destined anywhere. One thing we ought to do is make
sure packets to 200.200.200.0/32 and 200.200.200.255/32 get dropped on
the floor.
To do otherwise opens the internal network for a smurf attack. These two
lines would prevent our hypothetical network from being used as a smurf
relay:

    block in log quick on tun0 from any to 200.200.200.0/32
    block in log quick on tun0 from any to 200.200.200.255/32

This brings our total ruleset to look something like this:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 200.200.200.0/24 to any
    block in log quick on tun0 from any to 200.200.200.0/32
    block in log quick on tun0 from any to 200.200.200.255/32
    pass in all

Denial of Service attacks are almost as rampant as buffer overflows. Many
denial of service attacks rely on glitches in the OS's TCP/IP stack.
Frequently, this has come in the form of ICMP packets. Why not block them
entirely?

    block in log quick on tun0 proto icmp from any to any

Now any icmp traffic coming in from tun0 will be logged and discarded. Of
course, this isn't really an ideal situation. Why not drop all ICMP?
Well, because it's useful. So maybe you want to keep some types of ICMP
traffic. If you want ping and traceroute to work, you need to let in icmp
types 8 and 11. Strictly speaking, this might not be a good idea, but if
you need to weigh security versus convenience, ipf lets you do it.

    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 8
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 11

Remember that ruleset order is important.
Since we're doing everything "quick" we must have our passes before our
blocks, so we really want the last three rules in this order:

    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 8
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 11
    block in log quick on tun0 proto icmp from any to any

Now to put it all together:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 200.200.200.0/24 to any
    block in log quick on tun0 from any to 200.200.200.0/32
    block in log quick on tun0 from any to 200.200.200.255/32
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 8
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 11
    block in log quick on tun0 proto icmp from any to any
    pass in all

Please note the location of the icmp rules. They're intentionally placed
behind the first 7 blocking rules because we don't want to accidentally
pass some icmp traffic that would have been dropped by the anti-spoofing
and anti-smurfing rules. It's very important to keep a close eye on what
you "pass" before all the relevant "block" rules are run.

Now that we've started blocking packets based on protocol, we can start
blocking packets based on protocol ports. Services such as rsh, rlogin,
and telnet are all very convenient to have. They're also hideously
insecure against network sniffing and spoofing. One great compromise is
to only allow the services to run internally, then block them externally.
rlogin, rsh, and telnet all use specific TCP ports (513, 514, and 23
respectively).
Creating rules to block them is easy:

    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 513
    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 514
    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 23

Make sure all 3 are before the "pass in all" and those ports are good to
not go:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 200.200.200.0/24 to any
    block in log quick on tun0 from any to 200.200.200.0/32
    block in log quick on tun0 from any to 200.200.200.255/32
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 8
    pass in quick on tun0 proto icmp from any to 200.200.200.0/24 icmp-type 11
    block in log quick on tun0 proto icmp from any to any
    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 513
    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 514
    block in quick on tun0 proto tcp from any to 200.200.200.0/24 port = 23
    pass in all

You might also want to block udp/111 (portmap), tcp/515 (lpd), tcp/udp
(2049), tcp/6000 (X) and so on and so forth. You can get a complete
listing of the ports being listened to by using "netstat -a" or lsof, if
you have it installed. Blocking udp is the same as tcp. The rule for
portmap would be:

    block in quick on tun0 proto udp from any to 200.200.200.0/24 port = 111

There's a big problem with blocking services by the port: sometimes they
move. RPC based programs are terrible about this; lockd, statd, even nfsd
listen in places other than 2049. It's awfully hard to predict, and even
worse to automate adjusting all the time. What if you miss a service?
Instead of dealing with all that hassle, let's start over with a clean
slate. The current ruleset looks like this:



Yes, we really are starting over.
The first rule we're going to use is this:

    block in quick

No network traffic gets through. None. Not a peep. You're rather secure
with this setup. Not terribly useful, but quite secure. The great thing
is that it doesn't take much more to make your box rather secure, yet
useful too. Let's say the machine this is running on is a web server,
nothing more, nothing less. It doesn't even do DNS lookups. It just wants
to take connections on tcp/80 and that's it. We can do that. We can do
that with a second rule, and you already know how:

    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80
    block in quick on ed0

This machine will pass in port 80 traffic for 200.200.200.1, and deny
everything else. Perhaps this is all one needs? Well, I usually find
myself needing more. I want to be able to telnet out over the ed0
interface. I want convenience and security in one. Lots of people seem
to, that's why ciscos have an "established" clause that lets established
tcp sessions go through. Ipfw has established. Ipfwadm has
setup/established. They all have this feature, but the name is very
misleading. When I first saw it, I thought it meant my packet filter was
keeping track of what was going on, that it knew if a connection was
really established or not. The fact is, they're all taking the packet's
word for it. That's why they only support established TCP connections;
that's the only protocol that has flags from which the router can
extrapolate the established state of the connection. Anybody who can
create a packet with bogus flags can get by such a firewall.

Where does IPF come in to play here, you ask? Well, unlike the other
firewalls, ipf really can keep track of whether or not a connection is
established. And it'll do it with udp and icmp, not just tcp. The only
problem is this: the way it does it is non-intuitive. Ipf calls it
"keeping state". The keyword for the ruleset is "keep state" (There is
also "keep frags", which is advisable as well).
Keeping state's setup is weird. Normally, we know that when we want a
packet to come in, we use "pass in" and when we want one coming in to be
blocked we use "block in". State is different in that, if you want a
packet to come in, you say "pass out". By passing the packet out, a
reciprocal rule is created that allows a reply to come back in the other
direction. Let's show this as an actual rule:

    pass out quick proto tcp from 200.200.200.1/32 to any keep state

Though it doesn't say so, you must imagine there being an auxiliary rule
that exists in the same place in line that reads:

    pass in quick proto tcp from ThatIpISentTo to 200.200.20.1/32

There is no way to express the previous line, don't even try putting it
in there, it won't work. The "keep state" option makes it implicit.
Here's what our ruleset looks like now:

    pass out quick on ed0 proto tcp from 200.200.200.1/32 to any keep state
    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80
    block in quick on ed0

The workings of the keep state ruleset are much like the workings of the
saying "do not speak until spoken to." It's just not permitted (except on
port 80 :-). Actually, let's keep state on udp and icmp packets as well:

    pass out quick on ed0 proto tcp/udp from 200.200.200.1/32 to any keep state
    pass out quick on ed0 proto icmp from 200.200.200.1/32 to any keep state
    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80
    block in quick on ed0

Ipf has a tcp/udp shorthand. It's actually two rules, but you can write
it as one. Now we're keeping state on tcp, udp, icmp. That means we can
make outgoing connections with ease. Nothing is denied to us, but the
outside world can only send packets to our port 80 with any sort of
freedom.

Let's take a look at what happens, rule by rule, if I ping www.3com.com:
First, a DNS packet is generated, because I don't know the IP address of
www.whitehouse.gov.
DNS uses UDP, so the first rule matches, the packet is passed, and ipf
lets my nameserver's IP reply back to me (since I spoke to it before it
spoke to me). It told me www.3com.com is at 192.156.136.22. Now I send
an icmp packet to 192.156.136.22. The second rule matches this since it's
an icmp packet. The packet goes out, an exception is made for a reply to
come back, the reply comes back, the exception is removed. This is very
handy because there's no need to track down what ports we're listening
to, only the ports we want people to be able to get to.

For added scrutiny, we might consider changing

    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80

to:

    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80 flags S keep frags

This will only let packets through to port 80 if they have a Syn flag.
This is handy in detecting Fin scans (where the Fin flag is set).

So now we have a pretty tight firewall. But it can still be tighter. Some
of the original ruleset we wiped clean is actually very useful. I'd
suggest bringing back all the anti-spoofing stuff. This leaves us with:

    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 200.200.200.0/24 to any
    block in log quick on tun0 from any to 200.200.200.0/32
    block in log quick on tun0 from any to 200.200.200.255/32
    pass out quick on ed0 proto tcp/udp from 200.200.200.1/32 to any keep state
    pass out quick on ed0 proto icmp from 200.200.200.1/32 to any keep state
    pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80 flags S keep frags
    block in quick on ed0

Now we're looking pretty good.
------------------------------------------------------------------------------
Copyright 1999 Brendan Conoboy (synk@swcp.com)

Date: Fri, 18 Jun 1999 09:25:51 -0500 (CDT)
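As an added example (not code from the howto, from Darren Reed's reply, or from IP Filter itself), here is a small Python model of the evaluation rules the howto explains and Darren's reply refines: the last matching rule wins, "quick" ends the search, a "flags S/SA" mask compares only the named bits, and "keep state" lets replies back in. It parses an abbreviated copy of the howto's final ruleset (interface clause written "on ed0" throughout, as the howto's other rules do, and "flags S" qualified as "flags S/SA" as Darren recommends) and runs constructed packets through it. The packet layout, the dict of rule criteria, the treatment of a bare "flags S" as examining only the S bit, and the IP addresses of the sample packets are this model's own assumptions, not ipf's behaviour or anything from the thread.

```python
"""Toy model of IP Filter rule evaluation as the howto describes it: the last
matching rule wins, 'quick' ends the search, 'flags S/SA' compares only the masked
bits, and 'keep state' admits replies. Added illustration, not IP Filter's own code."""
import ipaddress
from collections import namedtuple

# Abbreviated from the howto's final ruleset, with 'flags S' qualified as 'flags S/SA'.
RULESET = """
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 200.200.200.0/24 to any
block in log quick on tun0 from any to 200.200.200.255/32
pass out quick on ed0 proto tcp/udp from 200.200.200.1/32 to any keep state
pass out quick on ed0 proto icmp from 200.200.200.1/32 to any keep state
pass in quick on ed0 proto tcp from any to 200.200.200.1/32 port = 80 flags S/SA keep frags
block in quick on ed0
"""

# A constructed packet; 'flags' holds the TCP flags set on it, e.g. 'S', 'SA' or 'F'.
Packet = namedtuple("Packet", "direction iface proto src dst sport dport flags", defaults=(0, 0, ""))

def parse_rule(line):
    """Parse the subset of ipf rule syntax the howto uses into a dict of criteria."""
    toks = line.split()
    r = {"action": toks[0], "direction": toks[1], "quick": False, "log": False, "all": False,
         "iface": None, "protos": (), "from": None, "to": None, "dport": None,
         "flags": "", "mask": "", "keep_state": False}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("quick", "log", "all"):          # 'all' is shorthand for 'from any to any'
            r[t], i = True, i + 1
        elif t == "on":
            r["iface"], i = toks[i + 1], i + 2
        elif t == "proto":                        # 'tcp/udp' stands for two rules
            r["protos"], i = tuple(toks[i + 1].split("/")), i + 2
        elif t in ("from", "to"):
            r[t], i = (None if toks[i + 1] == "any" else ipaddress.ip_network(toks[i + 1])), i + 2
            if i < len(toks) and toks[i] == "port":       # 'port = N'; the howto only uses it after 'to'
                r["dport"], i = int(toks[i + 2]), i + 3
        elif t == "flags":                        # 'S/SA': S must be set and A must be clear
            f, _, m = toks[i + 1].partition("/")
            r["flags"], r["mask"], i = f, m or f, i + 2   # toy choice: a bare 'flags S' examines only S
        elif t == "keep":                         # 'keep frags' is accepted but not modelled
            r["keep_state"], i = r["keep_state"] or toks[i + 1] == "state", i + 2
        else:
            raise ValueError(f"unknown token {t!r} in {line!r}")
    return r

def matches(r, p):
    """Every criterion the rule names must hold; criteria it omits match anything."""
    return (r["direction"] == p.direction
            and r["iface"] in (None, p.iface)
            and (not r["protos"] or p.proto in r["protos"])
            and (r["from"] is None or ipaddress.ip_address(p.src) in r["from"])
            and (r["to"] is None or ipaddress.ip_address(p.dst) in r["to"])
            and r["dport"] in (None, p.dport)
            # only the masked flags are compared, so 'S/SA' means SYN set and ACK clear
            and all((f in p.flags) == (f in r["flags"]) for f in r["mask"]))

class Filter:
    def __init__(self, ruleset):
        self.rules = [parse_rule(l) for l in ruleset.strip().splitlines()]
        self.state = set()      # conversations opened through a 'keep state' rule

    def check(self, p):
        # A reply to a conversation we opened comes back in without consulting the rules.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass"
        last = None
        for r in self.rules:
            if matches(r, p):
                last = r            # the last matching rule wins ...
                if r["quick"]:
                    break           # ... unless 'quick' ends the search right here
        if last is None:
            return "pass"           # nothing matched and no policy rule was set: passed
        if last["action"] == "pass" and last["keep_state"]:
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return last["action"]

def last_match_demo():
    """The howto's opening example: 'block in all' then 'pass in all' passes the packet."""
    p = Packet("in", "xl0", "tcp", "1.2.3.4", "5.6.7.8", 1025, 25, "S")
    return (Filter("block in all\npass in all").check(p),
            Filter("block in quick all\npass in all").check(p))   # ('pass', 'block')

def demo():
    """Constructed packets run through RULESET; returns the verdict for each."""
    fw, out = Filter(RULESET), {}
    # Spoofed private source on the outside interface: the anti-spoofing rule blocks it.
    out["spoofed"] = fw.check(Packet("in", "tun0", "tcp", "10.1.2.3", "200.200.200.1", 4444, 80, "S"))
    # A SYN to the web server: the only unsolicited traffic allowed in.
    out["web_syn"] = fw.check(Packet("in", "ed0", "tcp", "1.2.3.4", "200.200.200.1", 40000, 80, "S"))
    # A FIN probe of port 80: SYN is clear, so the pass rule does not match it.
    out["fin_scan"] = fw.check(Packet("in", "ed0", "tcp", "1.2.3.4", "200.200.200.1", 40001, 80, "F"))
    # An unsolicited DNS reply: nobody asked, so 'block in quick on ed0' wins.
    out["unsolicited"] = fw.check(Packet("in", "ed0", "udp", "9.9.9.9", "200.200.200.1", 53, 1025))
    # Our own query keeps state, after which the very same reply is admitted.
    fw.check(Packet("out", "ed0", "udp", "200.200.200.1", "9.9.9.9", 1025, 53))
    out["reply"] = fw.check(Packet("in", "ed0", "udp", "9.9.9.9", "200.200.200.1", 53, 1025))
    return out
```

Running last_match_demo() shows the howto's first lesson directly: with "block in all" followed by "pass in all" the packet is passed, and only "quick" on the block rule changes that. In demo(), the FIN probe of port 80 is blocked because the S/SA mask requires SYN set, and the same DNS reply is blocked when unsolicited but passed once our own query has created state. Note what the model does when no rule matches at all: it passes the packet, which is exactly why Darren's advice to set a policy rule for each interface and direction matters.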
From: James Wyatt
To: Adrian Steinmann
Cc: security@FreeBSD.ORG
Subject: Re: some nice advice....
In-Reply-To: <199906180536.HAA23430@marabu.marabu.ch>

On Fri, 18 Jun 1999, Adrian Steinmann wrote:
> Make sure /boot.config is schg as well, otherwise
>
>     echo "wd(0,a)/evil_kernel" > /boot.config && reboot
>
> can circumvent your measures [you could also make / schg, I guess].

Uh, why wouldn't you schg /boot.config?

Date: Fri, 18 Jun 1999 10:06:05 -0500 (CDT)
From: Frank Tobin
Cc: FreeBSD-security Mailing List
Subject: Re: securelevel descr

Dag-Erling Smorgrav, at 12:12 on 18 Jun 1999, wrote:

> > Hrm, that is an excellent idea could be added as an extra securelevel, such
> > as -2.
>
> -2? Why -2? Securelevels are numbered upwards from 0, in increasing
> order of paranoia.

The reason for this is that it would be a more _insecure_ mode, one that
allows any user to start a process which could take control of a secure
port. This would allow someone to run daemons that normally do not need
to run under root but generally run under a reserved port. For example,
inetd would be a good example.

-- 
Frank Tobin                               "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin             valued, those truths which cannot be
                                           shaken or changed."  Myst: The Book of Atrus
FreeBSD: The Power To Serve

PGPenvelope = GPG and PGP5 + Pine          PGP: 4F86 3BBB A816 6F0A 340F
http://www.bigfoot.com/~ftobin/resources.html   6003 56FF D10A 260C 4FA3


From: Chris Shenton
To: Frank Tobin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
Date: 18 Jun 1999 11:18:02 -0400

On Fri, 18 Jun 1999 01:35:49 -0500 (CDT), Frank Tobin said:

Frank> Of course, your daemon better not die in this scenario, or you
Frank> have to be running inetd. Your inetdn't should really be dying
Frank> though :)

But if inetd can start daemons on priv ports, then a cracker can just
modify inetd.conf to start (say) "nc" on the telnet port. Or am I
missing something?


Date: Fri, 18 Jun 1999 09:54:39 -0500 (CDT)
From: James Wyatt
To: Darren Reed
Cc: Brendan Conoboy, freebsd-security@FreeBSD.ORG
Subject: Re: ipf howto, tada

On Fri, 18 Jun 1999, Darren Reed wrote:
[ ... ]
> > I prefer to run ipmon as "ipmon -s" so it
> > syslogs logged packets instead of having them dump to stdout.
>
> "ipmon /var/log/iplog" will save log entries direct to that file. ipmon
> also handles SIGHUP as you would expect, closing and re-opening the log
> file to allow for rotation. With newsyslog, this should be possible
> without too much hassle.

Who says you want to syslog to a plain ASCII file?

> FWIW, you might like to mention the "log-or-block" option where it will
> block a packet to be pass'd and logged if it cannot log it due to the
> log buffer being too full.
>
> i.e.
>   pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state
>
> Here we say only log the first packet for this connection as recorded by
> "keep state", but if it can't be logged, then block it.

Neat trick! Could this easily be used for DOS? I like this idea, but want
to understand it. If you filled the syslogs with dummy attempts, would it
block access, preventing you from cycling syslog files?

[ ... ]
> > pass out quick proto tcp from 200.200.200.1/32 to any keep state
>
> This can be in or out...essentially when the packet first crosses your
> perimeter. If it is a locally made connection going out then the above
> is correct. If it is from another host on your LAN going through your
> IP Filter firewall, then it should be "pass in" on the LAN interface.

I've been considering the value of a 'firewall' interface that could track
how long a TCP session was open. If you get in on anything but ssh/rsh and
telnet for more than 5 min, it would trip... I've also wondered if it's
keeping state, if it could feed start/end time when the session closed?
Even if waiting for 5 min to tell you you're hacked wasn't a good idea, it
might be nice to have such stats.

- Jy@


Date: Fri, 18 Jun 1999 10:30:49 -0500 (CDT)
From: Frank Tobin
To: Chris Shenton
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr

Chris Shenton, at 11:18 on 18 Jun 1999, wrote:

> But if inetd can start daemons on priv ports, then a cracker can just
> modify inetd.conf to start (say) "nc" on the telnet port. Or am I
> missing something?

chflags simmutable inetd.conf; Need I say more? :)

chflags is a real wonder drug, IMO.

-- 
Frank Tobin


From: Mike Nowlin
To: Frank Tobin
Cc: Chris Shenton, freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
Date: Fri, 18 Jun 1999 12:55:00 -0400 (EDT)

> chflags simmutable inetd.conf; Need I say more? :)

/usr/sbin/inetd myinetd.conf


From: Frank Tobin
To: Mike Nowlin
Cc: Chris Shenton, freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
Date: Fri, 18 Jun 1999 11:54:28 -0500 (CDT)

Mike Nowlin, at 12:55 on Fri, 18 Jun 1999, wrote:

> /usr/sbin/inetd myinetd.conf

Remember, the whole point of the proposed securelevel 4 is that you
_can't_ open secure points while under it. Hence, inetd couldn't open
the ports it needs.

-- 
Frank Tobin


Date: Fri, 18 Jun 1999 20:57:20 +0300
From: Evren Yurtesen
To: security@freebsd.org
Subject: SSL Telnet or SSH?

Hello, which one is better, SSL Telnet or SSH? And why?

Thanks


Date: Fri, 18 Jun 1999 12:28:02 -0600 (MDT)
From: Brendan Conoboy
To: avalon@coombs.anu.edu.au, jwyatt@RWSystems.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf howto, tada

> > FWIW, you might like to mention the "log-or-block" option where it will
> > block a packet to be pass'd and logged if it cannot log it due to the
> > log buffer being too full.
> >
> > i.e.
> >   pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state
> >
> > Here we say only log the first packet for this connection as recorded by
> > "keep state", but if it can't be logged, then block it.
>
> Neat trick! Could this easily be used for DOS? I like this idea, but want
> to understand it. If you filled the syslogs with dummy attempts, would it
> block access, preventing you from cycling syslog files?

I suspect the idea is to thwart the attack method where the attacker
first fills the log drive, then proceeds with the attack, knowing their
actions won't be logged. That's what I'm putting in the howto, anyway :-)
I'll add the obvious caveat (network can be shut down by causing log
failure), too.

-Brendan (synk@swcp.com)


Date: Fri, 18 Jun 1999 13:07:46 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Brendan Conoboy
Cc: jgreco@ns.sol.net, security@FreeBSD.ORG
Subject: Re: make world clobbers (was Re: some nice advice...)

Brendan Conoboy wrote:
>
> > By definition, one isn't too interested in running "make world" on an
> > application-server-platform class machine. You're looking for a platform
> > on which to run some application, and about the only thing you'll ever
> > need to patch would be the kernel. Anything else (bugs in userland) is
> > merely an annoyance that you can live with because you didn't need any of
> > that stuff anyways. And if you _do_ need to upgrade, you'll do it from
> > a binary distribution, not from source, because you can't really afford
> > to have your application server offline for the unnecessary luxury of
> > building the world.
>
> Er, don't you upgrade from source when there's a security problem in
> userland but no new binary distribution? I do.

Good grief, no! *IF* the bug is in a service that you are using, you
update the source, build and test the new service on an off-line
workstation or server, and when you're certain the changes are reliable,
move the new binaries to the target server.

-- 
        "Where am I, and what am I doing in this handbasket?"

Wes Peters                                               Softweyr LLC
http://www.softweyr.com/~softweyr                     wes@softweyr.com


From: Brendan Conoboy
To: wes@softweyr.com
Cc: jgreco@ns.sol.net, security@FreeBSD.ORG
Subject: Re: make world clobbers (was Re: some nice advice...)
Date: Fri, 18 Jun 1999 13:36:23 -0600 (MDT)

> > Er, don't you upgrade from source when there's a security problem in
> > userland but no new binary distribution? I do.
>
> Good grief, no! *IF* the bug is in a service that you are using,
> you update the source, build and test the new service on an off-line
> workstation or server, and when you're certain the changes are
> reliable, move the new binaries to the target server.

Oh, I see. We're having a semantical difficulty. I would still call
that upgrading from source. I thought the original poster meant that
one ought to wait for 3.2-release to come out when there was a
serious bug in 3.1, to essentially leave the source out of it.

-Brendan (synk@swcp.com)

From: Joe Greco
To: synk@swcp.com (Brendan Conoboy)
Cc: security@FreeBSD.ORG
Subject: Re: make world clobbers (was Re: some nice advice...)
Date: Fri, 18 Jun 1999 14:55:22 -0500 (CDT)

> > > Er, don't you upgrade from source when there's a security problem in
> > > userland but no new binary distribution? I do.
> >
> > Good grief, no! *IF* the bug is in a service that you are using,
> > you update the source, build and test the new service on an off-line
> > workstation or server, and when you're certain the changes are
> > reliable, move the new binaries to the target server.
>
> Oh, I see. We're having a semantical difficulty. I would still call
> that upgrading from source. I thought the original poster meant that
> one ought to wait for 3.2-release to come out when there was a
> serious bug in 3.1, to essentially leave the source out of it.

The OS includes no useful applications - therefore you are correct when
you say that you should wait for 3.2-R to come out.

Any server application, be it sendmail, named, ntpd, apache, squid, etc
etc etc., needs to be compiled fresh from the vendor. Maintaining this as
a secure service is a completely different issue. FreeBSD is highly
nonoptimal for this sort of thing, as it comes with everything thrown
into /usr/local or wherever the hell else the porter felt it should go.

As part of the security paranoia around here, subsystems get top-level
mount points (generally on separate disks) so that the service and the
server are effectively divorced at the filesystem level. This allows
either to be upgraded with a minimum of fuss.

For example, Web servers around here are all rooted in /www. The server
is /www/sbin/httpd, the configs are in /www/conf, etc. Same for ftp,
squid, etc.

The idea is that you are creating a platform on which to run a service:
make the platform as secure and as low-maintenance as possible.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                      414/342-4847


Date: Fri, 18 Jun 1999 13:04:27 -0700
From: Matthew Hunt
To: Joe Greco
Cc: Brendan Conoboy, security@FreeBSD.ORG
Subject: Re: make world clobbers (was Re: some nice advice...)

On Fri, Jun 18, 1999 at 02:55:22PM -0500, Joe Greco wrote:

> secure service is a completely different issue. FreeBSD is highly nonoptimal
> for this sort of thing, as it comes with everything thrown into /usr/local
> or wherever the hell else the porter felt it should go.

This statement is hardly fair. Ports go in $PREFIX, wherever that may
be. If something has /usr/local hardcoded, then it's a bug and should be
reported.

The porters have no freedom in deciding whether this is the case.

-- 
Matthew Hunt                 * UNIX is a lever for the
http://www.pobox.com/~mph/   * intellect.  -J.R. Mashey

From: Joe Greco
To: mph@astro.caltech.edu (Matthew Hunt)
Cc: security@freebsd.org
Subject: Re: make world clobbers (was Re: some nice advice...)
Date: Fri, 18 Jun 1999 15:45:25 -0500 (CDT)

> On Fri, Jun 18, 1999 at 02:55:22PM -0500, Joe Greco wrote:
>
> > secure service is a completely different issue. FreeBSD is highly nonoptimal
> > for this sort of thing, as it comes with everything thrown into /usr/local
> > or wherever the hell else the porter felt it should go.
>
> This statement is hardly fair. Ports go in $PREFIX, wherever that
> may be. If something has /usr/local hardcoded, then it's a bug and
> should be reported.
>
> The porters have no freedom in deciding whether this is the case.

I've never seen that to be true; I have a whole _set_ of patches to make
the Apache and Squid ports relocate into a defined prefix, because
setting PREFIX=/squid make install doesn't cut it by a long shot.

Now, I could give you a step-by-step through the various ports that
disprove what you are trying to say, or you and I could just agree that
in principle $PREFIX is a reasonable idea but it isn't well-implemented.

Oh, what the heck.

    strings /usr/local/sbin/gated | grep '^/'
    /var/db/%s.pid
    /var/run/%s.version
    /etc/%s.conf

I guess one could argue qpage either way; qpage puts its spool over in
/var/spool/qpage and there isn't much you can configure about that. I
probably wouldn't want that on a dedicated paging server. Fortunately I
don't run one.

The last time I looked at the INN port it was a nightmare. But I have not
looked recently so I guess I won't point to it as a glaring
counter-example.

Neither Squid nor Apache build a usable configuration if you PREFIX
elsewhere.

None of this should reflect poorly on the ports people... the ports do
what they are meant to and are certainly worthwhile. However, for some
purposes you just can't use them.

... Joe

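Joe's `strings ... | grep '^/'` check above is the quickest way to see which paths a daemon has compiled in. As an added example (not from the thread or from the ports tree), the Python below does the same scan without external tools and then separates the paths under the intended PREFIX from those that would not relocate; SAMPLE_BINARY is a constructed byte string standing in for a real binary.

```python
"""Find absolute paths compiled into a binary (added example).

Reimplements the `strings binary | grep '^/'` check from the mail in pure
Python, then separates the paths that live under the intended PREFIX from
those that do not, which is what breaks relocating a port to, say, /squid.
SAMPLE_BINARY is a constructed byte string, not a real gated or squid binary.
"""
import re

# strings(1) default: runs of at least 4 printable characters (space..~, tab).
PRINTABLE = frozenset(range(0x20, 0x7f)) | {0x09}
MIN_LEN = 4

# Absolute path, allowing printf-style templates such as /var/db/%s.pid.
PATH_RE = re.compile(r"^/[A-Za-z0-9_.%/-]+$")

# Constructed stand-in for a compiled daemon: ELF-ish header bytes, a few
# hardcoded paths (including the three gated paths quoted above), and noise.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/var/db/%s.pid\x00"
    + b"\x90\x90\x90\x90"
    + b"/var/run/%s.version\x00"
    + b"/etc/%s.conf\x00"
    + b"/squid/etc/squid.conf\x00"
    + b"/squid/var/logs/cache.log\x00"
    + b"/ab\x00"                  # shorter than MIN_LEN, ignored like strings(1)
    + b"usage: %s [-f conf]\x00"  # a string, but not a path
    + b"\xff\xfe\x01\x02"
)


def strings(data, min_len=MIN_LEN):
    """Yield printable runs of at least min_len bytes, as strings(1) does."""
    run = bytearray()
    for byte in data:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


def compiled_in_paths(data):
    """Sorted, de-duplicated absolute paths found among the binary's strings."""
    return sorted({s for s in strings(data) if PATH_RE.match(s)})


def split_by_prefix(paths, prefix):
    """Partition paths into (under_prefix, elsewhere) for a given PREFIX."""
    base = prefix.rstrip("/")
    inside = [p for p in paths if p == base or p.startswith(base + "/")]
    outside = [p for p in paths if p not in inside]
    return inside, outside


def main(prefix="/squid"):
    paths = compiled_in_paths(SAMPLE_BINARY)
    inside, outside = split_by_prefix(paths, prefix)
    print(f"paths under {prefix}:")
    for p in inside:
        print(f"  {p}")
    print(f"paths hardcoded outside {prefix} (would not relocate):")
    for p in outside:
        print(f"  {p}")
    return outside


if __name__ == "__main__":
    main()
```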
From: "Harry M. Leitzell"
To: Frank Tobin
Cc: Kirill Nosov, freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr
Date: Fri, 18 Jun 1999 19:09:23 -0400 (EDT)

On Fri, 18 Jun 1999, Frank Tobin wrote:

> Kirill Nosov, at 12:08 on Fri, 18 Jun 1999, wrote:
>
> > But the idea discussed will allow to run daemons on privileged ports
> > under non-root privileges. So you will create a user sendmail with 25
> > uid and only it will be able to bind to 25 port. That will allow to
> > lower the probability of remote (and local) root compromises. For
> > sure this is a non-trivial configuration problem concerning files
> > ownership and groups formation but it looks like that result will be
> > good. (But perhaps that will create another problem with 'privileged
> > uids' :)
>
> Hrm, that is an excellent idea could be added as an extra securelevel, such
> as -2. During this time, any user can open a port. rc scripts can then
> start up standard daemons, such as sshd, and then have them bind to
> normally-privileged ports, with non-root privileges (well, sshd needs to
> be root anyways). Then, when the rc scripts are done, the securelevel can
> be raised to 4, which would allow no one, even root, to bind to
> securelevels anymore. By doing both of these, we've accomplished less
> root-privileged binaries _and_ trusted ports.
>
> Additionally, even if sshd was compromised as it ran as root, and the
> attacker gained root access, he could do virtually nothing damaging
> (except possibly some DOS) to the system, being in a high securelevel
> state. This includes killing the current sshd, and starting a new one to
> sniff passwords, as, as stated, the proposed securelevel would be set to
> not allow the opening of trusted ports.

Correct me if I am wrong, but that would make admining a running machine
a rather large pain in the ass if every time a daemon stopped and had to
be restarted you would have to reboot.

[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
Harry M. Leitzell - Harry_M_Leitzell@cmu.edu
Carnegie Mellon University
Finger for PGP Public Key
[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]


From: Frank Tobin
Cc: FreeBSD-security Mailing List
Subject: Re: securelevel descr
Date: Fri, 18 Jun 1999 18:16:50 -0500 (CDT)

Harry M. Leitzell, at 19:09 on Fri, 18 Jun 1999, wrote:

> Correct me if I am wrong, but that would make admining a running
> machine a rather large pain in the ass if every time a daemon stopped and
> had to be restarted you would have to reboot.

Well, 1) how often do you have daemons crash? 2) use inetd.

-- 
Frank Tobin


Date: Fri, 18 Jun 1999 16:48:28 -0700 (PDT)
From: Cliff Skolnick
To: Frank Tobin
Cc: FreeBSD-security Mailing List
Subject: Re: securelevel descr

While I don't think the pain would be worth it for a general purpose
office server, it would have its place in the embedded world or as a
border firewall. Typically these machines change rarely and have very few
ports open. You really want this type of box to be secure.

I would say something about a shell system here too, but I don't want to
give anyone hope of securing a shell system with untrusted users. :)

Cliff

On Fri, 18 Jun 1999, Frank Tobin wrote:

> Harry M. Leitzell, at 19:09 on Fri, 18 Jun 1999, wrote:
>
> > Correct me if I am wrong, but that would make admining a running
> > machine a rather large pain in the ass if every time a daemon stopped and
> > had to be restarted you would have to reboot.
>
> Well, 1) how often do you have daemons crash? 2) use inetd.

-- 
Cliff Skolnick            | "They that can give up essential liberty to obtain
Steam Tunnel Operations   | a little temporary safety deserve neither liberty
cliff@steam.com           | nor safety."
http://www.steam.com/     |                        -- Benjamin Franklin, 1759

From: Darren Reed Message-Id: <199906190021.KAA26497@cheops.anu.edu.au> Subject: Re: ipf howto, tada To: jwyatt@RWSystems.net (James Wyatt) Date: Sat, 19 Jun 1999 10:21:34 +1000 (EST) Cc: synk@swcp.com, freebsd-security@FreeBSD.ORG In-Reply-To: from "James Wyatt" at Jun 18, 99 09:54:39 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from James Wyatt, sie said: > > On Fri, 18 Jun 1999, Darren Reed wrote: [...] > > > pass out quick proto tcp from 200.200.200.1/32 to any keep state > > > > This can be in or out...essentially when the packet first crosses your > > perimeter. If it is a locally made connection going out then the above > > is correct. If it is from another host on your LAN going through your > > IP Filter firewall, then it should be "pass in" on the LAN interface. > > I've been considering the value of a 'firewall' interface that could track > how long a TCP session was open. If you get in on anything but ssh/rsh and > telnet for more than 5 min, it would trip... I've also wondered if it's > keeping state, if it could feed start/end time when the session closed? If you run ipmon as with the "-a" command line option, it will display all log information generated by IP Filter. This includes changes to the state table, changes to the NAT table and of course packets logged according to normal packet filtring rules. 
For example, an NTP query shows up like this:
23/02/1999 00:00:36.340843 STATE:NEW 1.2.3.4,123 -> 5.6.7.8,123 PR udp
23/02/1999 00:01:36.374508 STATE:CLOSE 1.2.3.4,123 -> 5.6.7.8,123 PR udp Pkts 2 Bytes 152
And a NAT'd scp connection as follows:
28/02/1999 23:46:16.990175 @3 NAT:MAP 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22]
28/02/1999 23:47:03.060326 @3 NAT:EXPIRE 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22] Pkts 381 Bytes 117234
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 18 17:26: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id E9BE715129 for ; Fri, 18 Jun 1999 17:26:02 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id KAA26533; Sat, 19 Jun 1999 10:26:03 +1000 (EST) 
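The ipmon -a STATE and NAT lines in Darren's message above carry exactly what James Wyatt asked for (when a session opened and when it closed, hence how long it was up), so a short log post-processor can apply his "trip on anything but ssh/rsh/telnet held open for more than 5 minutes" rule without touching the kernel. The parser below is an added example written for this thread; it is not part of IP Filter and not Darren's code. It reads lines in the format ipmon prints above: the NTP and scp lines are copied from the message, while the TCP sessions, the orphaned CLOSE and the plain packet-log line are constructed for the demo. Assumptions: timestamps are day/month/year as in the sample, STATE lines name the protocol after PR, and NAT lines give the real peer in square brackets and carry no protocol.

```python
import re
from datetime import datetime

# One regular expression covers both table types shown by ipmon -a:
#   <ts> STATE:NEW|CLOSE  a,ap -> b,bp PR <proto> [Pkts n Bytes n]
#   <ts> @N NAT:MAP|EXPIRE a,ap <- -> b,bp [real,rport] [Pkts n Bytes n]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) "
    r"(?:@\d+ )?"                                 # optional "@3" rule tag on NAT lines
    r"(?P<table>STATE|NAT):(?P<event>NEW|CLOSE|MAP|EXPIRE) "
    r"(?P<a>[\d.]+),(?P<ap>\d+) (?:->|<- ->) (?P<b>[\d.]+),(?P<bp>\d+)"
    r"(?: \[(?P<real>[\d.]+),(?P<rport>\d+)\])?"  # NAT: the real (pre-translation) peer
    r"(?: PR (?P<proto>\w+))?"                    # STATE lines name the protocol, NAT lines do not
    r"(?: Pkts (?P<pkts>\d+) Bytes (?P<bytes>\d+))?\s*$"
)

OPEN_EVENTS = {"NEW", "MAP"}          # CLOSE and EXPIRE end a session

def parse_line(line):
    """Return a dict for a STATE/NAT line, or None for anything else (ordinary packet logs)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%m/%Y %H:%M:%S.%f")
    # Everything that identifies the flow; event, time and counters are deliberately excluded
    # so that the opening and closing records of one session share a key.
    rec["key"] = (rec["table"], rec["proto"], rec["a"], rec["ap"],
                  rec["b"], rec["bp"], rec["real"], rec["rport"])
    # The port a policy cares about is the far end: the real peer for NAT, else the destination.
    rec["remote_port"] = int(rec["rport"] or rec["bp"])
    return rec

def sessions(lines):
    """Pair opening and closing events. Returns (closed, still_open, orphans)."""
    open_by_key, closed, orphans = {}, [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] in OPEN_EVENTS:
            open_by_key[rec["key"]] = rec
            continue
        start = open_by_key.pop(rec["key"], None)
        if start is None:
            # CLOSE/EXPIRE with no matching NEW/MAP: the log began mid-flow, or ipmon
            # fell behind and lost lines. Kept rather than dropped so it can be counted.
            orphans.append(rec)
            continue
        closed.append({
            "table": rec["table"], "proto": rec["proto"],
            "peer": rec["real"] or rec["b"], "remote_port": rec["remote_port"],
            "start": start["time"], "end": rec["time"],
            "seconds": (rec["time"] - start["time"]).total_seconds(),
            "pkts": int(rec["pkts"] or 0), "bytes": int(rec["bytes"] or 0),
        })
    return closed, list(open_by_key.values()), orphans

# James Wyatt's proposed rule: trip on any session held open longer than five
# minutes unless it is an interactive login protocol.
INTERACTIVE_PORTS = {22, 23, 513, 514}   # ssh, telnet, rlogin, rsh

def long_sessions(lines, max_seconds=300, exempt_ports=INTERACTIVE_PORTS):
    """Closed sessions that violate the rule. NAT lines carry no PR field, so their
    protocol is unknown (None) and they are kept, which errs on the side of alerting."""
    closed, _, _ = sessions(lines)
    return [s for s in closed
            if s["proto"] in ("tcp", None)
            and s["remote_port"] not in exempt_ports
            and s["seconds"] > max_seconds]

# Sample input. The first four lines are the NTP and scp examples from the message
# above; the remaining lines are constructed for this example.
SAMPLE_LINES = [
    "23/02/1999 00:00:36.340843 STATE:NEW 1.2.3.4,123 -> 5.6.7.8,123 PR udp",
    "23/02/1999 00:01:36.374508 STATE:CLOSE 1.2.3.4,123 -> 5.6.7.8,123 PR udp Pkts 2 Bytes 152",
    "28/02/1999 23:46:16.990175 @3 NAT:MAP 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22]",
    "28/02/1999 23:47:03.060326 @3 NAT:EXPIRE 10.1.1.1,1021 <- -> 203.1.1.1,1021 [128.1.1.1,22] Pkts 381 Bytes 117234",
    "01/03/1999 10:00:00.000000 STATE:NEW 1.2.3.4,40000 -> 5.6.7.8,80 PR tcp",
    "01/03/1999 10:06:30.000000 STATE:CLOSE 1.2.3.4,40000 -> 5.6.7.8,80 PR tcp Pkts 40 Bytes 12345",
    "01/03/1999 11:00:00.000000 STATE:NEW 1.2.3.4,40001 -> 5.6.7.8,22 PR tcp",
    "01/03/1999 11:20:00.000000 STATE:CLOSE 1.2.3.4,40001 -> 5.6.7.8,22 PR tcp Pkts 900 Bytes 240000",
    "01/03/1999 12:00:00.000000 STATE:CLOSE 9.9.9.9,5555 -> 5.6.7.8,25 PR tcp Pkts 3 Bytes 100",
    "01/03/1999 12:00:01.000000 vx0 @0:1 b 9.9.9.9,5555 -> 5.6.7.8,25 PR tcp len 20 40 -S IN",
]

if __name__ == "__main__":
    closed, still_open, orphans = sessions(SAMPLE_LINES)
    for s in closed:
        print("%s %-4s %s:%d %8.3fs pkts=%d bytes=%d" % (s["table"], s["proto"] or "?",
              s["peer"], s["remote_port"], s["seconds"], s["pkts"], s["bytes"]))
    print("orphan closes:", len(orphans), "still open:", len(still_open))
    for s in long_sessions(SAMPLE_LINES):
        print("ALERT: %s:%d open %.0fs" % (s["peer"], s["remote_port"], s["seconds"]))
```

Run as a script it prints one line per closed session plus the alerts; on the sample it flags only the constructed 390-second HTTP session, since the 20-minute ssh session is exempt. Orphaned CLOSE/EXPIRE records are kept separately rather than dropped: a CLOSE with no NEW is what you see once ipmon has fallen behind and lost lines, the failure mode Darren describes in the next message, so a rising orphan count is itself worth alerting on.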
From: Darren Reed Message-Id: <199906190026.KAA26533@cheops.anu.edu.au> Subject: Re: ipf howto, tada To: synk@swcp.com (Brendan Conoboy) Date: Sat, 19 Jun 1999 10:26:03 +1000 (EST) Cc: jwyatt@RWSystems.net, freebsd-security@FreeBSD.ORg In-Reply-To: <199906181828.MAA04041@kitsune.swcp.com> from "Brendan Conoboy" at Jun 18, 99 12:28:02 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Brendan Conoboy, sie said: > > > > FWIW, you might like to mention the "log-or-block" option where it will > > > block a packet to be pass'd and logged if it cannot log it due to the > > > log buffer being too full. > > > > > > i.e. > > > pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state > > > > > > Here we say only log the first packet for this connection as recorded by > > > "keep state", but if it can't be logged, then block it. > > > > Neat trick! Could this easily be used for DOS? I like, this idea, but want > > to understand it. If you filled the syslogs with dummy attempts, would it > > block access, preventing you from cycling syslog files? > > I suspect the idea is to thwart the attack method where the attacker > first fills the log drive, then proceeds with the attack, knowing their > actions won't be logged. That's what I'm putting in the howto, anyway :-) Exactly. Actually, the real `problem' is that IP Filter runs at the network level and can generate log entries *very fast*, faster than ipmon can read and handle them. 
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 18 20:11:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 8531B14C93 for ; Fri, 18 Jun 1999 20:11:34 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au) Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id MAA21495; Sat, 19 Jun 1999 12:41:31 +0930 (CST) Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA15293; Sat, 19 Jun 1999 12:42:48 +0930 Date: Sat, 19 Jun 1999 12:42:47 +0930 (CST) 
From: Kris Kennaway X-Sender: kkennawa@bragg To: Evren Yurtesen Cc: security@freebsd.org Subject: Re: SSL Telnet or SSH? In-Reply-To: <376A887F.B6B23E5B@ispro.net.tr> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 18 Jun 1999, Evren Yurtesen wrote: > which one is better-> SSL Telnet or SSH? and why? SSH. Does a whole bunch of other stuff as well as straight "telnet"-style connection. Kris ----- "Never criticize anybody until you have walked a mile in their shoes, because by that time you will be a mile away and have their shoes." -- Unknown To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 18 20:32:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp2.andrew.cmu.edu (SMTP2.ANDREW.CMU.EDU [128.2.10.82]) by hub.freebsd.org (Postfix) with ESMTP id BBBB114E10 for ; Fri, 18 Jun 1999 20:32:26 -0700 (PDT) (envelope-from Harry_M_Leitzell@cmu.edu) Received: from unix5.andrew.cmu.edu (UNIX5.ANDREW.CMU.EDU [128.2.15.9]) by smtp2.andrew.cmu.edu (8.9.3/8.9.3) with SMTP id XAA13997; Fri, 18 Jun 1999 23:31:42 -0400 (EDT) Date: Fri, 18 Jun 1999 23:31:43 -0400 (EDT) 
From: "Harry M. Leitzell" X-Sender: Harry_M_Leitzell@unix5.andrew.cmu.edu To: Frank Tobin Cc: FreeBSD-security Mailing List Subject: Re: securelevel descr In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 18 Jun 1999, Frank Tobin wrote: > Harry M. Leitzell, at 19:09 on Fri, 18 Jun 1999, wrote: > > > Correct me if I am wrong, but that would make admining a running > > machine a rather large pain in the ass if every time a daemon stopped and > > had to be restarted you would have to reboot. > > Well, 1) how often do you have daemons crash? 2) use inetd. 1) Every so often. There are also times when I accidentally kill one as well. 2) I prefer not to for several reasons which are personal. Well, I was just trying to help by poking a hole in your thought for your consideration. [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-] Harry M. Leitzell - Harry_M_Leitzell@cmu.edu Carnegie Mellon University Finger for PGP Public Key [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 18 22:56:32 1999 Delivered-To: freebsd-security@freebsd.org Received: from srh0710.urh.uiuc.edu (srh0710.urh.uiuc.edu [130.126.76.32]) by hub.freebsd.org (Postfix) with SMTP id BC5EB14C32 for ; Fri, 18 Jun 1999 22:56:22 -0700 (PDT) (envelope-from ftobin@bigfoot.com) Received: (qmail 60229 invoked by uid 1000); 19 Jun 1999 05:56:19 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 19 Jun 1999 05:56:19 -0000 Date: Sat, 19 Jun 1999 00:56:19 -0500 (CDT) 
From: Frank Tobin X-Sender: ftobin@srh0710.urh.uiuc.edu To: FreeBSD-security Mailing List Subject: proposed secure-level 4 patch Message-ID: MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="0-1016683127-929771779=:60212" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. --0-1016683127-929771779=:60212 Content-Type: TEXT/PLAIN; charset=US-ASCII Okay, a good friend of mine Kris Wehner has written a patch to implement the proposed securelevel of 4, which would disallow the opening of secure ports (<1024) while in the securelevel of 4. The patch is against 3.2-STABLE kernel, as of within 12 hours. I'd like to hear more comments before I send it as a send-pr. The patch is attached. -- Frank Tobin "To learn what is good and what is to be http://www.bigfoot.com/~ftobin valued, those truths which cannot be shaken or changed." 
Myst: The Book of Atrus FreeBSD: The Power To Serve PGPenvelope = GPG and PGP5 + Pine PGP: 4F86 3BBB A816 6F0A 340F http://www.bigfoot.com/~ftobin/resources.html 6003 56FF D10A 260C 4FA3
--0-1016683127-929771779=:60212 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="tcp_patch.diff" Content-Transfer-Encoding: BASE64 (decoded below) Content-Disposition: attachment; filename="tcp_patch.diff"
*** tcp_usrreq.c.orig	Fri Jun 18 19:12:18 1999
--- tcp_usrreq.c	Fri Jun 18 19:15:49 1999
***************
*** 185,190 ****
--- 185,198 ----
  		error = EAFNOSUPPORT;
  		goto out;
  	}
+ 	/* 
+ 	 * Disallow bind if we are in super secure mode and port <= 1024
+ 	 */
+ 	if (sinp->sin_family == AF_INET && sinp->sin_port <= 1024 &&
+ 	    securelevel >= 4) {
+ 	  error = EACCES;
+ 	  goto out;
+ 	}
  	error = in_pcbbind(inp, nam, p);
  	if (error)
  		goto out;
--0-1016683127-929771779=:60212-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 18 23: 6: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from beach.silcom.com (beach.silcom.com [199.201.128.19]) by hub.freebsd.org (Postfix) with ESMTP id EE57515236 for ; Fri, 18 Jun 1999 23:06:04 -0700 (PDT) (envelope-from brian@CSUA.Berkeley.EDU) Received: from smarter.than.nu (pm0-8.vpop1.avtel.net [207.71.237.8]) by beach.silcom.com (Postfix) with ESMTP id ACEA9906; Fri, 18 Jun 1999 23:05:46 -0700 (PDT) Date: Fri, 18 Jun 1999 23:05:46 -0700 (PDT) 
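Review bot: in the tcp_usrreq.c hunk of the attached patch above, `sinp->sin_port <= 1024` compares the port in network byte order and against the wrong bound. sin_port is big-endian, so on a little-endian host port 22 (htons gives 5632) sails past the check while port 1024 (htons gives 4) and port 5120 (htons gives 20) are refused; port 0, meaning "let the kernel choose", is also <= 1024 and would be refused at securelevel 4; and, as Brian Buchanan notes in the reply, 1024 is not a reserved port. The test should read `ntohs(sinp->sin_port) < IPPORT_RESERVED`, the same form as the existing privilege check in in_pcbbind(), and the comment should then say "< 1024" rather than "<= 1024". Because this hunk sits in the TCP bind path only, UDP binds to reserved ports are not covered at all; placing the test beside the suser() check in in_pcbbind(), as Allan Saddi's follow-up patch does, covers both protocols with one test.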
From: "Brian W. Buchanan" X-Sender: brian@smarter.than.nu To: Frank Tobin Cc: FreeBSD-security Mailing List Subject: Re: proposed secure-level 4 patch In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 19 Jun 1999, Frank Tobin wrote: > Okay, a good friend of mine Kris Wehner has written a patch to implement > the proposed securelevel of 4, which would disallow the opening of > secure ports (<1024) while in the securelevel of 4. The patch is against > 3.2-STABLE kernel, as of within 12 hours. I'd like to hear more comments > before I send it as a send-pr. The patch is attached. Kris's patch blocks binding ports <= 1024, but 1024 is not a secure port. The last one is 1023. -- Brian Buchanan brian@CSUA.Berkeley.EDU -------------------------------------------------------------------------- FreeBSD - The Power to Serve! http://www.freebsd.org daemon(n): 1. an attendant power or spirit : GENIUS 2. the cute little mascot of the FreeBSD operating system To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 18 23:11: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from alice.gba.oz.au (gba-254.tmx.com.au [203.9.155.254]) by hub.freebsd.org (Postfix) with SMTP id F3E4814CA9 for ; Fri, 18 Jun 1999 23:10:53 -0700 (PDT) (envelope-from gjb-freebsd@gba.oz.au) Received: (qmail 7245 invoked by uid 1001); 19 Jun 1999 14:24:53 +1000 Message-ID: <19990619042453.7244.qmail@alice.gba.oz.au> X-Posted-By: GBA-Post 1.03 20-Sep-1998 X-PGP-Fingerprint: 5A91 6942 8CEA 9DAB B95B C249 1CE1 493B 2B5A CE30 Date: Sat, 19 Jun 1999 14:24:52 +1000 
From: Greg Black To: Dag-Erling Smorgrav Cc: Frank Tobin , Kirill Nosov , freebsd-security@FreeBSD.ORG Subject: Re: securelevel descr References: In-reply-to: of 18 Jun 1999 12:12:36 +0200 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > Hrm, that is a excellent idea could be added as an extra securelevel, such > > as -2. > > -2? Why -2? Securelevels are numbered upwards from 0, in increasing > order of paranoia. Ah, no, they're not. The init(8) man page is quite clear that they are numbered upwards from -1. For the proposed purpose, the -2 value makes some kind of sense. -- Greg Black -- or Fight censorship in Australia: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 18 23:19:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id EF09F14CA9 for ; Fri, 18 Jun 1999 23:19:03 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id QAA28681; Sat, 19 Jun 1999 16:19:01 +1000 (EST) 
From: Darren Reed Message-Id: <199906190619.QAA28681@cheops.anu.edu.au> Subject: Re: proposed secure-level 4 patch To: brian@CSUA.Berkeley.EDU (Brian W. Buchanan) Date: Sat, 19 Jun 1999 16:19:00 +1000 (EST) Cc: ftobin@bigfoot.com, freebsd-security@FreeBSD.ORG In-Reply-To: from "Brian W. Buchanan" at Jun 18, 99 11:05:46 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Brian W. Buchanan, sie said: > > On Sat, 19 Jun 1999, Frank Tobin wrote: > > > Okay, a good friend of mine Kris Wehner has written a patch to implement > > the proposed securelevel of 4, which would disallow the opening of > > secure ports (<1024) while in the securelevel of 4. The patch is against > > 3.2-STABLE kernel, as of within 12 hours. I'd like to hear more comments > > before I send it as a send-pr. The patch is attached. > > Kris's patch blocks binding ports <= 1024, but 1024 is not a secure port. > The last one is 1023. Sigh, this appears to be a mis-use of "securelevel". As securelevel increases, the system is supposed to be more secure - i.e. more functions are unavailable, even to root. Using a securelevel of -2 for this is `better', but it means your kernel must boot up with a securelevel of -1 (or less), init scripts change it to be >= 0 so that init raises it to (at least) 1 once they're all finished. Really, using this patch without a securelevel > 0 at run-time indicates someone who's really not all that interested in security. Sounds like a sysctl is the knob you're looking for to enable and disable this feature. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 18 23:26:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from srh0710.urh.uiuc.edu (srh0710.urh.uiuc.edu [130.126.76.32]) by hub.freebsd.org (Postfix) with SMTP id CFF7214CA9 for ; Fri, 18 Jun 1999 23:26:12 -0700 (PDT) (envelope-from ftobin@bigfoot.com) Received: (qmail 60385 invoked by uid 1000); 19 Jun 1999 06:26:09 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 19 Jun 1999 06:26:09 -0000 Date: Sat, 19 Jun 1999 01:26:09 -0500 (CDT) 
From: Frank Tobin X-Sender: ftobin@srh0710.urh.uiuc.edu Cc: FreeBSD-security Mailing List Subject: Re: proposed secure-level 4 patch In-Reply-To: <199906190619.QAA28681@cheops.anu.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Darren Reed, at 16:19 on Sat, 19 Jun 1999, wrote: > > Using a securelevel of -2 for this is `better', but it means your kernel > must boot up with a securelevel of -1 (or less), init scripts change it > to be >= 0 so that init raises it to (at least) 1 once they're all finished. Erm, I think you are confusing two separate ideas that were discussed. This would be securelevel 4 (the patch). It allows the non-binding of privileged ports. Secure-level -2 was addressing a totally different system where user-processes could bind to privileged ports without root's help. -- Frank Tobin "To learn what is good and what is to be http://www.bigfoot.com/~ftobin valued, those truths which cannot be shaken or changed." Myst: The Book of Atrus FreeBSD: The Power To Serve PGPenvelope = GPG and PGP5 + Pine PGP: 4F86 3BBB A816 6F0A 340F http://www.bigfoot.com/~ftobin/resources.html 6003 56FF D10A 260C 4FA3 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 18 23:36: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from beach.silcom.com (beach.silcom.com [199.201.128.19]) by hub.freebsd.org (Postfix) with ESMTP id 7BBC214CA9 for ; Fri, 18 Jun 1999 23:35:58 -0700 (PDT) (envelope-from brian@CSUA.Berkeley.EDU) Received: from smarter.than.nu (pm0-8.vpop1.avtel.net [207.71.237.8]) by beach.silcom.com (Postfix) with ESMTP id 799CF73A; Fri, 18 Jun 1999 23:35:52 -0700 (PDT) Date: Fri, 18 Jun 1999 23:35:52 -0700 (PDT) 
From: "Brian W. Buchanan" X-Sender: brian@smarter.than.nu To: Darren Reed Cc: freebsd-security@FreeBSD.ORG Subject: Re: proposed secure-level 4 patch In-Reply-To: <199906190619.QAA28681@cheops.anu.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 19 Jun 1999, Darren Reed wrote: > In some mail from Brian W. Buchanan, sie said: > > > > On Sat, 19 Jun 1999, Frank Tobin wrote: > > > > > Okay, a good friend of mine Kris Wehner has written a patch to implement > > > the proposed securelevel of 4, which would disallow the opening of > > > secure ports (<1024) while in the securelevel of 4. The patch is against > > > 3.2-STABLE kernel, as of within 12 hours. I'd like to hear more comments > > > before I send it as a send-pr. The patch is attached. > > > > Kris's patch blocks binding ports <= 1024, but 1024 is not a secure port. > > The last one is 1023. > > Sigh, this appears to be a mis-use of "securelevel". As securelevel > increases, the system is supposed to be more secure - i.e. more functions > are unavailable, even to root. > > Using a securelevel of -2 for this is `better', but it means your kernel > must boot up with a securelevel of -1 (or less), init scripts change it > to be >= 0 so that init raises it to (at least) 1 once they're all finished. Huh? I think you've responded to the wrong post. The silly suggestion about using securelevel -2 to let anyone bind ports was a few messages back. What the original poster was suggesting was to prevent even root from binding privileged ports once securelevel 4 was set. I'd totally agree with you on the -2 issue, but adding securelevel 4 which the system can be raised to after root-owned processes have bound all the privileged ports they need could be a useful thing to have. 
-- Brian Buchanan brian@CSUA.Berkeley.EDU -------------------------------------------------------------------------- FreeBSD - The Power to Serve! http://www.freebsd.org daemon(n): 1. an attendant power or spirit : GENIUS 2. the cute little mascot of the FreeBSD operating system To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 19 0:15:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell2.ba.best.com (shell2.ba.best.com [206.184.139.133]) by hub.freebsd.org (Postfix) with ESMTP id 444B514CF6 for ; Sat, 19 Jun 1999 00:15:17 -0700 (PDT) (envelope-from asaddi@philosophysw.com) Received: from localhost (asaddi@localhost) by shell2.ba.best.com (8.9.3/8.9.2/best.sh) with ESMTP id AAA22287; Sat, 19 Jun 1999 00:15:15 -0700 (PDT) X-Authentication-Warning: shell2.ba.best.com: asaddi owned process doing -bs Date: Sat, 19 Jun 1999 00:15:15 -0700 (PDT) 
From: Allan Saddi X-Sender: asaddi@shell2.ba.best.com To: Frank Tobin Cc: FreeBSD-security Mailing List Subject: Re: proposed secure-level 4 patch In-Reply-To: Message-ID: Organization: Philosophy SoftWorks MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="0-1915819991-929776515=:20141" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. --0-1915819991-929776515=:20141 Content-Type: TEXT/PLAIN; charset=US-ASCII On Sat, 19 Jun 1999, Frank Tobin wrote: > Okay, a good friend of mine Kris Wehner has written a patch to implement > the proposed securelevel of 4, which would disallow the opening of > secure ports (<1024) while in the securelevel of 4. About the implementation of this feature... shouldn't the function in_pcbbind() in netinet/in_pcb.c be modified instead? This will eliminate having to check whether the protocol in question is IP. Also, it seems like an ideal place for this patch since this is where the privilege check is made for binding ports <1024. I've included a similar patch which should accomplish the same thing. A caveat though: I did not test this, nor did I even try to compile it. I just created it to serve as a guide. It should be easy to whip it into shape, if needs be... -- Allan Saddi "The Earth is the cradle of mankind, asaddi@philosophysw.com but we cannot live in the cradle http://www.philosophysw.com/asaddi/ forever." - K.E. 
Tsiolkovsky
--0-1915819991-929776515=:20141 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="in_pcb.c.diff" Content-Transfer-Encoding: BASE64 (decoded below) Content-Disposition: attachment; filename="in_pcb.c.diff"
--- /usr/src/sys/netinet/in_pcb.c	Mon Dec  7 13:58:37 1998
+++ in_pcb.c	Sat Jun 19 00:03:54 1999
@@ -194,9 +194,12 @@
 			struct inpcb *t;
 
 			/* GROSS */
-			if (ntohs(lport) < IPPORT_RESERVED && p &&
-			    suser(p->p_ucred, &p->p_acflag))
-				return (EACCES);
+			if (ntohs(lport) < IPPORT_RESERVED) {
+				if (securelevel >= 4)
+					return (EACCES);
+				if (p && suser(p->p_ucred, &p->p_acflag))
+					return (EACCES);
+			}
 			if (so->so_uid &&
 			    !IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) {
 				t = in_pcblookup_local(inp->inp_pcbinfo,
--0-1915819991-929776515=:20141-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 19 0:50:34 1999 Delivered-To: freebsd-security@freebsd.org Received: from beach.silcom.com (beach.silcom.com [199.201.128.19]) by hub.freebsd.org (Postfix) with ESMTP id 2ED8114DD5 for ; Sat, 19 Jun 1999 00:50:32 -0700 (PDT) (envelope-from brian@CSUA.Berkeley.EDU) Received: from smarter.than.nu (pm0-8.vpop1.avtel.net [207.71.237.8]) by beach.silcom.com (Postfix) with ESMTP id 0131F861 for ; Sat, 19 Jun 1999 00:50:28 -0700 (PDT) Date: Sat, 19 Jun 1999 00:50:28 -0700 (PDT) 
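Review bot: in the in_pcb.c hunk of the attached patch above, the original code only refused a reserved port when `p &&` suser() failed, so a caller with no process pointer (p == NULL) was always let through; the new `if (securelevel >= 4) return (EACCES);` runs before that guard, so at securelevel 4 such callers are now refused too. If that is intended, say so in a comment next to the new test (the existing `/* GROSS */` does not explain it); if not, fold the securelevel test under the same `p &&` condition. Since the author states the patch was neither compiled nor tested, the first check worth running once it builds is that a root bind to port 1023 returns EACCES at securelevel 4 while port 1024 still succeeds, the boundary Brian Buchanan raised against the first patch and the one `ntohs(lport) < IPPORT_RESERVED` gets right.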
From: "Brian W. Buchanan" X-Sender: brian@smarter.than.nu To: freebsd-security@freebsd.org Subject: securelevel and mount_union Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Even on a system well locked-down with schg flags and use of a positive securelevel, it is possible for an attacker who has gained root to replace system binaries and cover his tracks through the use of mount_union. mount_union continues to function normally even on mountpoints with the schg flag set and while the system is running at securelevel 2. (Tested only on -stable, however.) To exploit this, the attacker can simply create his own version of /bin or another directory elsewhere in the filesystem and "mount_union /some/obscure/place /bin". If mount itself is shadowed by a modified version which conceals the union mounts from the usual status report, it is quite likely that this could remain unnoticed for some time. Meanwhile, modified versions of /usr/bin/login, telnet, ssh, etc. are quietly recording local and remote passwords... Tripwire and/or its associated data files could also be shadowed, further reducing the chance of detection. The union mounts will of course disappear upon system shutdown, but even if the attacker cannot modify fstab or place an entry in the real version of any of the system startup scripts, this ruse can be reinstated post-reboot by an entry in root's crontab or login script, or anything else not set immutable that might execute with root permissions sometime shortly after reboot. My suggestion: Either cause a positive securelevel setting to disable the functionality of mount_union and mount -o union, or disable this functionality for mountpoints with the schg flag set. 
(In the latter case, the sysadmin must be careful to set the schg flag on all parent directories of any directory containing files with schg set, as well as the file's directory) -- Brian Buchanan brian@CSUA.Berkeley.EDU -------------------------------------------------------------------------- FreeBSD - The Power to Serve! http://www.freebsd.org daemon(n): 1. an attendant power or spirit : GENIUS 2. the cute little mascot of the FreeBSD operating system To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 19 2:32:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id D4F68151D9 for ; Sat, 19 Jun 1999 02:31:24 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id LAA81865; Sat, 19 Jun 1999 11:31:15 +0200 (CEST) (envelope-from des) To: Greg Black Cc: Dag-Erling Smorgrav , Frank Tobin , Kirill Nosov , freebsd-security@FreeBSD.ORG Subject: Re: securelevel descr References: <19990619042453.7244.qmail@alice.gba.oz.au> 
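A check for the scenario in Brian Buchanan's mount_union message above, added here as an example; it is not from the original post and not part of FreeBSD. It compares two sources that an attacker would have to subvert separately: what mount(8) prints and what stat(2) says about a list of directories that should never be mount points. Any mount over /bin, union or otherwise, gives /bin a different device number from its parent, which is exactly what os.path.ismount tests, and that test does not go through a possibly shadowed mount binary, so a union mount that a doctored mount(8) conceals still shows up as a disagreement between the two. The directory list, the mount(8) line format ("source on mountpoint (options)") and the sample listings are assumptions constructed for the demo.

```python
import os
import re
import subprocess

# Directories that are plain directories on a stock install, never mount points.
# Assumption for this example; adjust to the layout of the host being checked.
PROTECTED_DIRS = ["/bin", "/sbin", "/etc", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec"]

# BSD mount(8) output line: "<source> on <mountpoint> (<opt>, <opt>, ...)"  (assumed format)
MOUNT_LINE_RE = re.compile(r"^(?P<src>\S+) on (?P<on>\S+) \((?P<opts>[^)]*)\)\s*$")

def parse_mount_output(text):
    """Map mountpoint -> (source, set of options) from mount(8) output."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_LINE_RE.match(line.strip())
        if m:
            opts = {o.strip() for o in m.group("opts").split(",") if o.strip()}
            mounts[m.group("on")] = (m.group("src"), opts)
    return mounts

def audit(mount_text, dirs=PROTECTED_DIRS, ismount=os.path.ismount):
    """Return a list of (directory, finding) tuples.

    Two independent sources are compared: what mount(8) printed (mount_text)
    and what stat(2) says (ismount, injectable so the logic can be exercised
    without a real union mount)."""
    listed = parse_mount_output(mount_text)
    findings = []
    for d in dirs:
        entry = listed.get(d)
        seen_by_stat = ismount(d)
        if entry is not None:
            src, opts = entry
            kind = "union mount" if "union" in opts else "unexpected mount"
            findings.append((d, "%s listed by mount(8): %s on %s" % (kind, src, d)))
        if seen_by_stat and entry is None:
            # The kernel says it is a mount point but mount(8) does not list it:
            # the mount binary (or the path it reports through) is lying or shadowed.
            findings.append((d, "stat(2) reports a mount point that mount(8) hides"))
    return findings

def audit_live(dirs=PROTECTED_DIRS):
    """Run against the local host. This trusts the python and mount binaries it
    executes; run it from read-only media or a known-good copy on a suspect box."""
    out = subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout
    return audit(out, dirs)

# Constructed mount(8) listings for the demo.
CLEAN_LISTING = """\
/dev/wd0s1a on / (local)
/dev/wd0s1f on /usr (local)
procfs on /proc (local)
"""
HONEST_LISTING = CLEAN_LISTING + "/var/tmp/.x/bin on /bin (union, local)\n"

def fake_ismount(mountpoints):
    """A stand-in for os.path.ismount: the kernel's view of which paths are mount points."""
    return lambda d: d in mountpoints

if __name__ == "__main__":
    for f in audit_live():
        print("FINDING: %s: %s" % f)
```

The same caveat Brian raises for Tripwire applies here: the interpreter and the mount binary this script runs are themselves candidates for shadowing, so run it from a known-good copy or read-only media, and keep the expected directory list off the host. The union-over-/bin case is the one the thread is about, but the stat(2) side of the check catches any mount placed over a protected directory, including nullfs or a plain filesystem mount.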
From: Dag-Erling Smorgrav Date: 19 Jun 1999 11:31:15 +0200 In-Reply-To: Greg Black's message of "Sat, 19 Jun 1999 14:24:52 +1000" Message-ID: Lines: 16 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Greg Black writes: > > > Hrm, that is a excellent idea could be added as an extra securelevel, such > > > as -2. > > -2? Why -2? Securelevels are numbered upwards from 0, in increasing > > order of paranoia. > Ah, no, they're not. The init(8) man page is quite clear that > that are numbered upwards from -1. For the proposed purpose, > the -2 value makes some kind of sense. -1 is just a magic value that tells init not to raise the securelevel beyond 0. It's not a real securelevel, and is functionally indistinguishable from securelevel 0. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 19 2:41:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46]) by hub.freebsd.org (Postfix) with ESMTP id 3886E14A0B for ; Sat, 19 Jun 1999 02:41:11 -0700 (PDT) (envelope-from ark@eltex.ru) Received: from yaksha (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id NAA06212; Sat, 19 Jun 1999 13:40:38 +0400 (MSD) Received: by yaksha (ssmtp TIS-0.5alpha, 19 Oct 1998); Sat, 19 Jun 1999 13:36:42 +0400 Received: from undisclosed-intranet-sender id xma015870; Sat, 19 Jun 99 13:36:29 +0400 
From: -=ArkanoiD=- Message-Id: <199906190936.NAA02092@paranoid.eltex.spb.ru> Subject: Re: proposed secure-level 4 patch In-Reply-To: from "Brian W. Buchanan" at "Jun 18, 1999 11:35:52 pm" To: brian@CSUA.Berkeley.EDU (Brian W. Buchanan) Date: Sat, 19 Jun 1999 13:36:51 +0400 (MSD) Cc: avalon@coombs.anu.edu.au, freebsd-security@FreeBSD.ORG Reply-To: ark@eltex.ru X-Mailer: ELM [version 2.4ME+ PL53 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org nuqneH, btw do you know your "securelevel 4" will break legacy protocols incl. outbound rsh,rlogin,lp,partially even ssh? An obvious workaround is possible, though. -- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 19 4:52:55 1999 Delivered-To: freebsd-security@freebsd.org Received: from megaweapon.zigg.com (megaweapon.zigg.com [206.114.60.8]) by hub.freebsd.org (Postfix) with ESMTP id 63C0714C84 for ; Sat, 19 Jun 1999 04:52:49 -0700 (PDT) (envelope-from matt@zigg.com) Received: from localhost (matt@localhost) by megaweapon.zigg.com (8.9.3/8.9.3) with ESMTP id HAA21392; Sat, 19 Jun 1999 07:52:35 -0400 (EDT) (envelope-from matt@zigg.com) Date: Sat, 19 Jun 1999 07:52:33 -0400 (EDT) 
From: Matt Behrens To: Frank Tobin Cc: FreeBSD-security Mailing List Subject: Re: proposed secure-level 4 patch In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 19 Jun 1999, Frank Tobin wrote: : Okay, a good friend of mine Kris Wehner has written a patch to implement : the proposed securelevel of 4, which would disallow the opening of : secure ports (<1024) while in the securelevel of 4. The patch is against : 3.2-STABLE kernel, as of within 12 hours. I'd like to hear more comments : before I send it as a send-pr. The patch is attached. As much as I love seeing contributions, and think this could be a good thing, I believe the proper place to try new functionality like this is against the -current branch. Of course, you are always free to maintain your own patches against -stable, but I and many others wouldn't want this (or any other change similar to it) to officially poke its head into the -stable tree until it had been well-tested in -current and then could be MFC'd. Matt Behrens Owner/Administrator, zigg.com Chief Engineer, Nameless IRC Network To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 19 5:25: 4 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id D6D7714F00 for ; Sat, 19 Jun 1999 05:25:00 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id OAA85729; Sat, 19 Jun 1999 14:24:57 +0200 (CEST) (envelope-from des) To: ark@eltex.ru Cc: brian@CSUA.Berkeley.EDU (Brian W. Buchanan), avalon@coombs.anu.edu.au, freebsd-security@FreeBSD.ORG Subject: Re: proposed secure-level 4 patch References: <199906190936.NAA02092@paranoid.eltex.spb.ru> 
From: Dag-Erling Smorgrav Date: 19 Jun 1999 14:24:56 +0200 In-Reply-To: -=ArkanoiD=-'s message of "Sat, 19 Jun 1999 13:36:51 +0400 (MSD)" Message-ID: Lines: 12 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -=ArkanoiD=- writes: > btw do you know your "securelevel 4" will break legacy protocols > incl. outbound rsh,rlogin,lp,partially even ssh? So? If you're security-conscious enough to use securelevels, you sure don't allow rsh, rlogin or lp, and ssh doesn't need privileged ports to run. Remove the SUID bit on the ssh binary, or run it with the -P option. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 19 5:35:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 6741014E7A for ; Sat, 19 Jun 1999 05:35:40 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id OAA85929; Sat, 19 Jun 1999 14:34:21 +0200 (CEST) (envelope-from des) To: Joe Greco Cc: synk@swcp.com (Brendan Conoboy), security@FreeBSD.ORG Subject: Re: make world clobbers (was Re: some nice advice...) References: <199906181955.OAA78685@aurora.sol.net> 
From: Dag-Erling Smorgrav
Date: 19 Jun 1999 14:34:20 +0200
In-Reply-To: Joe Greco's message of "Fri, 18 Jun 1999 14:55:22 -0500 (CDT)"

Joe Greco writes:
> Any server application, be it sendmail, named, ntpd, apache, squid, etc etc
> etc., needs to be compiled fresh from the vendor.

That is complete bullshit. By doing this, you are *introducing* problems rather than solving them. The FreeBSD developers spend a lot of effort fixing bugs, plugging security holes, and adapting software to run optimally on FreeBSD. You shouldn't hand-roll things like sendmail or BIND unless you're prepared to spend a *lot* of time duplicating their work, and making sure you got it right and didn't introduce any bugs of your own in the process.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sat Jun 19 05:48:49 1999
To: des@flood.ping.uio.no
Cc: jgreco@ns.sol.net, synk@swcp.com, security@FreeBSD.ORG
Subject: Re: make world clobbers (was Re: some nice advice...)
From: sthaug@nethelp.no
In-Reply-To: Your message of "19 Jun 1999 14:34:20 +0200"
Date: Sat, 19 Jun 1999 14:48:44 +0200
Message-ID: <61416.929796524@verdi.nethelp.no>

> > Any server application, be it sendmail, named, ntpd, apache, squid, etc etc
> > etc., needs to be compiled fresh from the vendor.
>
> That is complete bullshit. By doing this, you are *introducing*
> problems rather than solving them. The FreeBSD developers spend a lot
> of effort fixing bugs, plugging security holes, and adapting software
> to run optimally on FreeBSD. You shouldn't hand-roll things like
> sendmail or BIND unless you're prepared to spend a *lot* of time
> duplicating their work, and making sure you got it right and didn't
> introduce any bugs of your own in the process.

In general I agree about this. However:

BIND 8 works just fine out of the box on FreeBSD. Please check the bind8 port - it changes a few paths, changes the man format and not much else.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Sat Jun 19 05:58:07 1999
From: Joe Greco
Message-Id: <199906191257.HAA50422@aurora.sol.net>
Subject: Re: make world clobbers (was Re: some nice advice...)
In-Reply-To: from Dag-Erling Smorgrav at "Jun 19, 1999 2:34:20 pm"
To: des@flood.ping.uio.no (Dag-Erling Smorgrav)
Date: Sat, 19 Jun 1999 07:57:56 -0500 (CDT)
Cc: security@freebsd.org

> Joe Greco writes:
> > Any server application, be it sendmail, named, ntpd, apache, squid, etc etc
> > etc., needs to be compiled fresh from the vendor.
>
> That is complete bullshit. By doing this, you are *introducing*
> problems rather than solving them. The FreeBSD developers spend a lot
> of effort fixing bugs, plugging security holes, and adapting software
> to run optimally on FreeBSD. You shouldn't hand-roll things like
> sendmail or BIND unless you're prepared to spend a *lot* of time
> duplicating their work, and making sure you got it right and didn't
> introduce any bugs of your own in the process.

Any FreeBSD developer who spends a lot of effort fixing bugs and plugging security holes without rolling the changes back to the vendor is an idiot and a fool. That would be the "complete bullshit" that you refer to.

FreeBSD has a long history of staying a rev or two out-of-date with respect to integrated packages such as Sendmail or BIND. That's fine for the average user, but doesn't cut it in heavy production environments where you often need different compile-time option definitions _anyways_.

By keeping the idea of OS and application separate, you make it all that much easier to keep your software up to date and your system secure. This isn't just a FreeBSD thing; it is good policy on _any_ platform (think about something like Solaris for example).

When you are doing this professionally for a client and are faced with a client who wants you to make DNS/mail servers out of (1) a Solaris box, (2) an old SGI, and (3) a FreeBSD or Linux box, you can either accept the current lame software that is installed on each and the headaches/dysfunctionality associated, or you can level the playing field and do the professional thing, and tune each of the installs for the client's needs at the same time.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                            jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                        414/342-4847

From owner-freebsd-security Sat Jun 19 06:17:02 1999
From: Joe Greco
Message-Id: <199906191316.IAA51771@aurora.sol.net>
Subject: Re: make world clobbers (was Re: some nice advice...)
In-Reply-To: <61416.929796524@verdi.nethelp.no> from "sthaug@nethelp.no" at "Jun 19, 1999 2:48:44 pm"
To: sthaug@nethelp.no
Date: Sat, 19 Jun 1999 08:16:56 -0500 (CDT)
Cc: security@freebsd.org

> > > Any server application, be it sendmail, named, ntpd, apache, squid, etc etc
> > > etc., needs to be compiled fresh from the vendor.
> >
> > That is complete bullshit. By doing this, you are *introducing*
> > problems rather than solving them. The FreeBSD developers spend a lot
> > of effort fixing bugs, plugging security holes, and adapting software
> > to run optimally on FreeBSD. You shouldn't hand-roll things like
> > sendmail or BIND unless you're prepared to spend a *lot* of time
> > duplicating their work, and making sure you got it right and didn't
> > introduce any bugs of your own in the process.
>
> In general I agree about this. However:
>
> BIND 8 works just fine out of the box on FreeBSD. Please check the bind8
> port - it changes a few paths, changes the man format and not much else.

It has been some time since I've seen an application that _didn't_ work fine out of the box on FreeBSD - things like Sendmail come with option files that are set up for FreeBSD, and other things just don't care too much anyways because they aren't tied into the system as deeply as something like Sendmail.

Additionally, if you want to go head-to-head about things like security holes, I'll note that _any_ configuration (such as the FreeBSD-supplied one) which runs sendmail as root is inherently more risky than a config which runs sendmail as mail:mail. You'd better make sure that you're introducing fewer bugs than I am and that yours are less exploitable. Me, I'm not too worried since I've been hacking on Sendmail since the '80's and there's not too much risk in a daemon that runs as an unprivileged user.

But, then again, that all gets back to what I've been saying all along: there are good reasons for treating these things as applications instead of as part of the OS.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                            jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                        414/342-4847

From owner-freebsd-security Sat Jun 19 06:28:07 1999
Date: Sat, 19 Jun 1999 15:20:03 +0200 (CEST)
From: Nick Hibma
Reply-To: Nick Hibma
To: Joe Greco
Cc: security@FreeBSD.ORG
Subject: Re: make world clobbers (was Re: some nice advice...)
In-Reply-To: <199906182045.PAA82206@aurora.sol.net>

Please send me a list of the offending ports and I will fix them. I've fixed

    /usr/ports/[ab]*

up to now.

And yes, a lot of ports are broken. But without FreeBSD users saying so, with a send-pr, no FreeBSD user will be fixing it.

I am perfectly willing to fix all the ports you require fixing tomorrow if you pay me a 500 Euro and agree that all the work goes into open source with the BSD license on it. Or try freebsd-jobs for someone cheaper.

Nick

> I've never seen that to be true; I have a whole _set_ of patches to make
> the Apache and Squid ports relocate into a defined prefix, because setting
> PREFIX=/squid make install doesn't cut it by a long shot. Now, I could
> give you a step-by-step through the various ports that disprove what you
> are trying to say, or you and I could just agree that in principle $PREFIX
> is a reasonable idea but it isn't well-implemented.
>
> Oh, what the heck.
>
> strings /usr/local/sbin/gated | grep '^/'
> /var/db/%s.pid
> /var/run/%s.version
> /etc/%s.conf
>
> I guess one could argue qpage either way; qpage puts its spool over in
> /var/spool/qpage and there isn't much you can configure about that. I
> probably wouldn't want that on a dedicated paging server. Fortunately
> I don't run one.
>
> The last time I looked at the INN port it was a nightmare. But I have
> not looked recently so I guess I won't point to it as a glaring counter-
> example.
>
> Neither Squid nor Apache build a usable configuration if you PREFIX
> elsewhere.
>
> None of this should reflect poorly on the ports people... the ports do
> what they are meant to and are certainly worthwhile. However, for some
> purposes you just can't use them.
>
> ... Joe
>
> -------------------------------------------------------------------------------
> Joe Greco - Systems Administrator                            jgreco@ns.sol.net
> Solaria Public Access UNIX - Milwaukee, WI                        414/342-4847

--
e-Mail: hibma@skylink.it

From owner-freebsd-security Sat Jun 19 07:43:26 1999
From: Joe Greco
Message-Id: <199906191443.JAA57799@aurora.sol.net>
Subject: Re: make world clobbers (was Re: some nice advice...)
In-Reply-To: from Nick Hibma at "Jun 19, 1999 3:20:03 pm"
To: hibma@skylink.it
Date: Sat, 19 Jun 1999 09:43:11 -0500 (CDT)
Cc: security@freebsd.org

> Please send me a list of the offending ports and I will fix them. I've
> fixed
>
> /usr/ports/[ab]*
>
> up to now.
>
> And yes, a lot of ports are broken. But without FreeBSD users saying so,
> with a send-pr, no FreeBSD user will be fixing it.
>
> I am perfectly willing to fix all the ports you require fixing tomorrow
> if you pay me a 500 Euro and agree that all the work goes into open
> source with the BSD license on it. Or try freebsd-jobs for someone
> cheaper.

Nick, read again what I said:

"None of this should reflect poorly on the ports people... the ports do what they are meant to and are certainly worthwhile. However, for some purposes you just can't use them."

Since I do have commit privs, I could certainly fix them myself if I felt that it was a serious issue that affected lots of people. Since I am probably one of a dozen people on the planet who is even aware of the issue, however, and since I generally compile important stuff direct from the source instead of from a port, I don't see such a need.

What I _do_ think would be cool - and will certainly contribute myself, if I happen to get to it before somebody else - would be an addition to the port system that allows you to throw an entire application into phk's jail system. This would be very worthwhile as almost everybody could and should run potentially vulnerable services such as httpd in this manner.

A lot of people aren't aware of the security features available in FreeBSD, and it is a shame that nobody is publicizing them. I've shown what I do to secure the OS (in a general sort of way). With some other additions like good firewall rules and jail-ized httpd, it'd be cool to advertise the fact that FreeBSD can do things like hardened, intrusion-resistant web service with a minimum of fuss.

I am not trying to say anything bad about the ports system or the work that people have done. I am simply looking at it from the point of view of an engineer who is trying to meet various server design requirements, and noting that the current state of affairs for ports doesn't work well for "secure" environments such as I've been describing.

If anyone has any interest in working on jail-ing ports, I'd be happy to: a) discuss ideas, b) possibly offer a (small) bounty for particular ports I'd like to see jail-ized, c) see if I can find anyone else interested in sponsoring the work. Otherwise I'll end up doing it myself at some point, although it isn't really high on my priority list.

> > I've never seen that to be true; I have a whole _set_ of patches to make
> > the Apache and Squid ports relocate into a defined prefix, because setting
> > PREFIX=/squid make install doesn't cut it by a long shot. Now, I could
> > give you a step-by-step through the various ports that disprove what you
> > are trying to say, or you and I could just agree that in principle $PREFIX
> > is a reasonable idea but it isn't well-implemented.
> >
> > Oh, what the heck.
> >
> > strings /usr/local/sbin/gated | grep '^/'
> > /var/db/%s.pid
> > /var/run/%s.version
> > /etc/%s.conf
> >
> > I guess one could argue qpage either way; qpage puts its spool over in
> > /var/spool/qpage and there isn't much you can configure about that. I
> > probably wouldn't want that on a dedicated paging server. Fortunately
> > I don't run one.
> >
> > The last time I looked at the INN port it was a nightmare. But I have
> > not looked recently so I guess I won't point to it as a glaring counter-
> > example.
> >
> > Neither Squid nor Apache build a usable configuration if you PREFIX
> > elsewhere.
> >
> > None of this should reflect poorly on the ports people... the ports do
> > what they are meant to and are certainly worthwhile. However, for some
> > purposes you just can't use them.
> >
> > ... Joe
> >
> > -------------------------------------------------------------------------------
> > Joe Greco - Systems Administrator                            jgreco@ns.sol.net
> > Solaria Public Access UNIX - Milwaukee, WI                        414/342-4847
>
> --
> e-Mail: hibma@skylink.it

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                            jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                        414/342-4847

From owner-freebsd-security Sat Jun 19 16:12:44 1999
From: -=ArkanoiD=-
Message-Id: <199906192259.CAA05415@paranoid.eltex.spb.ru>
Subject: Re: proposed secure-level 4 patch
In-Reply-To: from Dag-Erling Smorgrav at "Jun 19, 1999 02:24:56 pm"
To: des@flood.ping.uio.no (Dag-Erling Smorgrav)
Date: Sun, 20 Jun 1999 02:59:37 +0400 (MSD)
Cc: ark@eltex.ru, brian@CSUA.Berkeley.EDU, avalon@coombs.anu.edu.au, freebsd-security@FreeBSD.ORG
Reply-To: ark@eltex.ru

nuqneH,

Why are you so sure about _outbound_ services? What's wrong with lp? There are many devices that can't talk ssh yet. So rsh/rlogin has some use too. You can kerberize those services btw.

Somebody (maybe you, Dag-Erling Smorgrav) WROTE:
> -=ArkanoiD=- writes:
> > btw do you know your "securelevel 4" will break legacy protocols
> > incl. outbound rsh,rlogin,lp,partially even ssh?
>
> So? If you're security-conscious enough to use securelevels, you sure
> don't allow rsh, rlogin or lp, and ssh doesn't need privileged ports
> to run. Remove the SUID bit on the ssh binary, or run it with the -P
> option.

--
CU in Hell                                          /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Sat Jun 19 18:30:00 1999
Date: Sat, 19 Jun 1999 18:29:55 -0700 (PDT)
From: Richard Steenbergen
To: freebsd-security@freebsd.org
Subject: SYN Floods, some food for thought

As much as I would like to work out tested and well reasoned arguments, develop patches, and save the world, I do not have time. So, in the interest of perhaps getting some widely distributed protection, or at least provoking some ideas and discussion (after reviewing some of the fbsd-security archives I realized a lot of the thinking was way off), I present the following.

Syn floods. We all know what they are, but in many ways we don't understand how they kill. The first thing that pops into mind is Panix, and low bandwidth syn floods that filled queues and prevented new connections. However, if you've ever tried doing something stupid like run an EFNet IRC Server, the first thing that pops into mind is BladeX (and the like, script kiddies playing with toys they barely understand because it gives them wood to take down people who understand things even less), and SYN floods that disable machines and networks for hours on end. The old classic technique of filling queues has long since been fixed, but syn floods in sufficient quantity remain a killer. Why?

First, some analysis from my own experience. One day I got sick and tired of hearing about systems going down and of course under freebsd rebooting when under syn flood, so I whipped out two machines and decided to do some tests. The first machine was a Cyrix 133 P166+, the second was a Pentium II 450 (yes a little uneven, but all I had available at the time), both running FreeBSD 3.2-STABLE with identical Netgear 310TX PNIC-based 100Mbit PCI ethernet cards, crossover'd and running in full duplex. Bandwidth and packets per second (pps) analysis done with "netstat -n 1" on both ends.

First I found some packet kiddie programs, synk4, slice, and the like (some truly bad code in all of it, all derived from the original synk.c flooders, but a starting point). I then sat down and wrote the best possible syn flooder I could write. From my P166, I was able to generate around 3kpps (3,000 packets per second) with the synk-based programs; using my flooder and the most optimal techniques I could come up with (including asm checksum :P), I was able to generate approx 15kpps (a 4.6x improvement). The pII 450 was able to do ~ 150kpps.

/* The stuff that I'm going to gloss over here for public security interests, if you're interested and can prove that you're not a packet kiddie, you can contact me privately for details */

The limitation in a synflood is calls to sendto(), significant overhead exists for copying the packet to kernelland every time, doing all the checks (routing etc etc), building the ethernet frame, and actually shipping it out to the NIC queue. I'm certain the more observant will realize the simple solution to improving syn floods dramatically, but I'm not going to go into detail.

/* Ok done with all that nastiness */

Some interesting things to note. Firstly, when attacking the P166, I was able to hit it so hard the cursor stopped blinking (hardware interrupts getting 150kpps from the nic?). When attacking the 450:

- Hitting closed ports which generated RSTs used approx 25% cpu, all interrupt, as reported by top.

- Hitting open ports generated a hell of a lot of SYN|ACKs, which normally (in an internet situation) would go outward unto the net towards all those little random hosts (more on this later), but because of the simulation they were going back to the attacking machine (the P166) and beating the ever loving crap out of it (the same as a syn flood would :P)

- ipfw'ing syns inbound cuts cpu to approx 20%

- ipfw'ing syn|ack's and rst's outbound allowed the test machine to generate a full 15kpps, and completely blew the 450 away, 100% interrupt cpu usage.

- I was able to make memory usage in the Wired state rise to almost 64MB with those unanswered SYN|ACKs being held in state, and of course retransmitted on a regular basis.

Some thoughts... CPU load caused by having to run through that huge queue and retransmit syn|acks? Possible solutions, stop retransmitting so often and discard from the queue quicker when under attack (if that's the source of the cpu load)? SYN Cookies would be a quick way to get rid of that problem (with a better hash algorithm and some more thought given to design, like not picking common MSS numbers out of your ass? :P MD5 on every syn and every ack is wasteful in the extreme, and considering they only use the first 32 bits of the 128 bit result and throw away the rest... hello, anyone home? :P). However, we know that the linux syn flood defense is not effective, so I would really like to take a look and see where it fails.

Some practical defense... Firstly, filter reserved ip blocks to cut the damage caused by random source attacks. And I'm not talking RFC1918 here, I'm talking 64.0.0.0/2 and 224.0.0.0/3, etc (those two alone cut 35% of the ip space). Those are certainly good filters to apply on your network borders (for the acl challenged that's 64.0.0.0 192.0.0.0 and 224.0.0.0 224.0.0.0), but remember that 64.0.0.0/2 covers the 127/8 reserved for loopback, so if you filter by that on your system make sure you include a recv interface param or you'll hose your loopback :P.

If your ethernet can take it (100Mbit, 10 is not terribly hard to fill and turn the syn flood into a bandwidth attack, also remember that these 40 byte packets will be padded to 64 byte frames, so the bandwidth attack is 1.6x more effective than it would seem by looking at iphdr/tcphdr), it may be a better solution for you to let the syns hit the actual target machine, and discard them there (assuming a decent-sized cpu too), for the following reason. If you can't find distinguishing characteristics to filter the fake syns by, any rate limiting you do will also do a pretty effective job of preventing new connections. Look around, you'll find LOTS of distinguishing characteristics that allow you to pick off the packet kiddie syns with a 2 line kernel modification.

Now down to the actual rate limiting that prevents you from keeling over completely. If you have Cisco Express Forwarding (only for the highend 7000+ series on 11.3 IOS, available for 2600+ in 12.0 IOS), you have Committed Access Rates. If you just want to rate-limit at the machine, the simplest way is to use dummynet (man dummynet, options DUMMYNET, yada yada), and:

    ipfw pipe 1 config bw 256Kbit/s queue 100Packets
    ipfw add pipe 1 tcp from any to in recv .

Solaris is particularly easy to toast with a syn flood. Perhaps someone would like to hack in some rate limiting to IP Filter?

Oh, and as for that annoying little kernel panic issue. Some thoughts. When you're flooded with all those random source packets, and actually reply with rst or syn|ack or whatever, you're going to be hitting a lot of dud ips and getting a lot of ICMP Redirects from some dumb networks out there. FreeBSD will happily add temporary routing table entries for them (do we really want this behavior? I can certainly think of ways that being able to create arbitrary routing table entries on the unfiltered with some spoofed redirects could be a "bad thing" *hint*. OpenBSD has net.inet.icmp.rediraccept :P).

Enough of my rambling for one day. Thoughts, ideas, flames?

--
Richard Steenbergen     humble@EFNet     PGP ID: 0x741D0374
PGP Key Fingerprint: C6EF EFA0 83B2 071F 1AB6 B879 1F70 4303 741D 0374
http://users.quadrunner.com/humble
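The reserved-prefix filter Richard Steenbergen recommends above, worked through as an added example (this is not code from his post, nor a FreeBSD tool): it converts the two prefixes he names into the "address netmask" pair he gives for the ACL-challenged, computes the share of the IPv4 space they cover, and applies the filter to a handful of constructed SYN records to show the loopback caveat, since 127.0.0.0/8 lies inside 64.0.0.0/2 and a host-level rule has to exempt the loopback interface. The prefixes are used exactly as the 1999 post gives them and are not a current bogon list; the interface names `fxp0` and `lo0`, the record layout and every function name are my own assumptions.

```python
"""Reserved-prefix SYN filter simulation (added example, not the post's code)."""
import ipaddress

# The two prefixes named in the post, taken as given (1999 reserved space;
# 64.0.0.0/2 has long since been allocated, so do not reuse these today).
RESERVED_PREFIXES = [ipaddress.ip_network("64.0.0.0/2"),
                     ipaddress.ip_network("224.0.0.0/3")]


def cidr_to_acl(cidr):
    """Turn a CIDR prefix into the 'address netmask' pair used by old ACL
    syntax, e.g. 64.0.0.0/2 -> ('64.0.0.0', '192.0.0.0')."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.netmask)


def address_space_fraction(prefixes):
    """Fraction of the IPv4 space covered by non-overlapping prefixes."""
    return sum(p.num_addresses for p in prefixes) / 2 ** 32


def is_reserved_source(src):
    """True when the source address falls inside one of the filtered blocks."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in RESERVED_PREFIXES)


def filter_syns(records, loopback_iface="lo0"):
    """Return (src, verdict) per record, where a record is
    (src, dst, receiving interface, TCP flags).  Only SYNs from a reserved
    source are dropped, and anything received on the loopback interface is
    exempt: that is the 'recv interface' qualifier the post says you need,
    because 127/8 sits inside 64.0.0.0/2 and would otherwise be killed."""
    verdicts = []
    for src, dst, iface, flags in records:
        if flags == "S" and iface != loopback_iface and is_reserved_source(src):
            verdicts.append((src, "drop"))
        else:
            verdicts.append((src, "pass"))
    return verdicts


# Constructed sample records: (src, dst, recv interface, TCP flags).
SAMPLE_RECORDS = [
    ("10.1.2.3",   "192.0.2.10", "fxp0", "S"),  # ordinary client SYN
    ("100.64.7.7", "192.0.2.10", "fxp0", "S"),  # source inside 64.0.0.0/2
    ("230.1.1.1",  "192.0.2.10", "fxp0", "S"),  # source inside 224.0.0.0/3
    ("127.0.0.1",  "127.0.0.1",  "lo0",  "S"),  # real loopback traffic, must pass
    ("127.0.0.1",  "192.0.2.10", "fxp0", "S"),  # loopback address off the wire, drop
    ("100.64.7.7", "192.0.2.10", "fxp0", "A"),  # not a SYN, left alone
]

if __name__ == "__main__":
    for cidr in ("64.0.0.0/2", "224.0.0.0/3"):
        print(cidr, "->", " ".join(cidr_to_acl(cidr)))
    print("covered: %.1f%% of IPv4" % (100 * address_space_fraction(RESERVED_PREFIXES)))
    for src, verdict in filter_syns(SAMPLE_RECORDS):
        print("%-12s %s" % (src, verdict))
```

Running it prints the netmask form of each prefix, the exact fraction of the address space the two blocks cover, and a verdict per sample record; the only 127.0.0.1 packet that is dropped is the one that arrived on the Ethernet interface, which is the spoofed case a border filter is meant to catch.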
From owner-freebsd-security Sat Jun 19 18:33:52 1999
Date: Sun, 20 Jun 1999 11:34:28 +1000 (EST)
From: Nicholas Brawn
To: Frank Tobin
Cc: Chris Shenton, freebsd-security@FreeBSD.ORG
Subject: Re: securelevel descr

On Fri, 18 Jun 1999, Frank Tobin wrote:

> Chris Shenton, at 11:18 on 18 Jun 1999, wrote:
>
> > But if inetd can start daemons on priv ports, then a cracker can just
> > modify inetd.conf to start (say) "nc" on the telnet port. Or am I
> > missing something?
>
> chflags simmutable inetd.conf; Need I say more? :)
>
> chflags is a real wonder drug, IMO.

The intruder could still set up a cron job to periodically start up the backdoor.

Nick

From owner-freebsd-security Sat Jun 19 21:12:57 1999
Date: Sat, 19 Jun 1999 23:12:53 -0500 (CDT)
From: Frank Tobin
Cc: FreeBSD-security Mailing List
Subject: Re: securelevel descr

Nicholas Brawn, at 11:34 on Sun, 20 Jun 1999, wrote:

> The intruder could still set up a cron job to periodically start up
> the backdoor.

I mean, jeez, how many times do I have to say 'chflags'?

--
Frank Tobin                      "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin   valued, those truths which cannot be shaken
                                 or changed."  Myst: The Book of Atrus

FreeBSD: The Power To Serve
PGPenvelope = GPG and PGP5 + Pine   http://www.bigfoot.com/~ftobin/resources.html
PGP: 4F86 3BBB A816 6F0A 340F  6003 56FF D10A 260C 4FA3

From owner-freebsd-security Sat Jun 19 21:22:18 1999
Date: Sat, 19 Jun 1999 23:22:14 -0500 (CDT)
From: Frank Tobin
X-Sender: ftobin@srh0710.urh.uiuc.edu
To: FreeBSD-security Mailing List
Subject: Re: proposed secure-level 4 patch (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/Mixed; BOUNDARY=vtzGhvizbBRQ85DL
Content-ID:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info.

--vtzGhvizbBRQ85DL
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID:

Kris is awesome.

---------- Forwarded message ----------
here is the no-union-mount-in-secure-mode diff and the tcp diff, which should both be against -current.

k
--
kris wehner (kris@further.com)
"VMS is about as secure as a poodle encased in a block of lucite...
...about as useful, too." -wendigo@pobox.com

--vtzGhvizbBRQ85DL
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Content-ID:
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME="union_current.diff"

*** vfs_syscalls.c.orig Sat Jun 19 21:28:28 1999 --- vfs_syscalls.c Sat Jun 19 21:28:50 1999 *************** *** 215,220 **** --- 215,228 ---- vput(vp); return (error); } + /* + * Disable union mounts in super-secure mode + */ + if (securelevel >= 2) + if (SCARG(uap, flags) & MNT_UNION || !strcmp(fstypename,"union")) { + vput(vp); + return EPERM; + } for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next) if (!strcmp(vfsp->vfc_name, fstypename)) break;

--vtzGhvizbBRQ85DL
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Content-ID:
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME="tcp_patch.diff"

*** tcp_usrreq.c.orig Fri Jun 18 19:12:18 1999 --- tcp_usrreq.c Fri Jun 18 19:15:49 1999 *************** *** 185,190 **** --- 185,198 ---- error = EAFNOSUPPORT; goto out; } + /* + * Disallow bind if we are in super secure mode and port <= 1024 + */ + if (sinp->sin_family == AF_INET && sinp->sin_port <= 1024 && + securelevel
>= 4) { + error = EACCES; + goto out; + } error = in_pcbbind(inp, nam, p); if (error) goto out;

--vtzGhvizbBRQ85DL--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Jun 19 21:50:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id BE82315180 for ; Sat, 19 Jun 1999 21:50:19 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id OAA05782; Sun, 20 Jun 1999 14:50:27 +1000 (EST)
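Review bot: In the union_current.diff hunk (vfs_syscalls.c) the securelevel threshold does not match the stated intent: the comment says "Disable union mounts in super-secure mode" and the thread is about a proposed securelevel 4, yet the test is `if (securelevel >= 2)`, so union mounts would already be refused at the existing level 2; either the comment or the constant should say which level is meant. Two smaller points on the same lines: the brace-less nested `if (securelevel >= 2) if (...)` is easy to misread and should be folded into one condition, `if (securelevel >= 2 && (SCARG(uap, flags) & MNT_UNION || !strcmp(fstypename, "union")))`, and `return EPERM;` should be `return (EPERM);` to match the surrounding `return (error);` style.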
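Review bot: The port test in the tcp_patch.diff hunk (tcp_usrreq.c) compares `sinp->sin_port`, which is in network byte order, against the host-order constant 1024, so on a little-endian host the check accepts and rejects the wrong ports; it needs `ntohs(sinp->sin_port)`. The bound is also off by one: the reserved range is ports below 1024 (0 to 1023), so `<= 1024` wrongly includes 1024 and the comment "port <= 1024" repeats the mistake; `ntohs(sinp->sin_port) < IPPORT_RESERVED` states what is meant. Note too that `sin_port == 0` (let the kernel pick an ephemeral port) satisfies `<= 1024`, so at securelevel 4 any explicit bind(2) with port 0 would get EACCES as well; exclude port 0 unless that is intended.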
From: Darren Reed
Message-Id: <199906200450.OAA05782@cheops.anu.edu.au>
Subject: Re: proposed secure-level 4 patch
To: brian@CSUA.Berkeley.EDU (Brian W. Buchanan)
Date: Sun, 20 Jun 1999 14:50:26 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Brian W. Buchanan" at Jun 18, 99 11:35:52 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Brian W. Buchanan, sie said:
[...]
> I'd totally agree with you on the -2 issue, but adding securelevel 4 which
> the system can be raised to after root-owned processes have bound all the
> privileged ports they need could be a useful thing to have.

Man, that's nasty. Reboot to restart something.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Jun 19 22:15:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from srh0710.urh.uiuc.edu (srh0710.urh.uiuc.edu [130.126.76.32]) by hub.freebsd.org (Postfix) with SMTP id DBB5814C59 for ; Sat, 19 Jun 1999 22:15:35 -0700 (PDT) (envelope-from ftobin@bigfoot.com)
Received: (qmail 67035 invoked by uid 1000); 20 Jun 1999 05:15:34 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 20 Jun 1999 05:15:34 -0000
Date: Sun, 20 Jun 1999 00:15:34 -0500 (CDT)
From: Frank Tobin
X-Sender: ftobin@srh0710.urh.uiuc.edu
To: FreeBSD-security Mailing List
Subject: Re: securelevel descr
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Frank Tobin, at 23:12 on Sat, 19 Jun 1999, wrote:

> Nicholas Brawn, at 11:34 on Sun, 20 Jun 1999, wrote:
>
> > The intruder could still setup a cron job to periodically start up
> > the backdoor.
>
> I mean, jeez, how many times do I have to say 'chflags'?

Erm, I wasn't thinking straight when I sent that. A better thing that I should have said is that you start up cron in the startup scripts late, so that the intruder can't influence the startup sequence through a 'memorization' process.

--
Frank Tobin                      "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin   valued, those truths which cannot be
                                 shaken or changed."  Myst: The Book of Atrus

FreeBSD: The Power To Serve
PGPenvelope = GPG and PGP5 + Pine   http://www.bigfoot.com/~ftobin/resources.html
PGP: 4F86 3BBB A816 6F0A 340F  6003 56FF D10A 260C 4FA3

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Jun 19 23:11: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from beach.silcom.com (beach.silcom.com [199.201.128.19]) by hub.freebsd.org (Postfix) with ESMTP id A091114D6D for ; Sat, 19 Jun 1999 23:11:07 -0700 (PDT) (envelope-from brian@CSUA.Berkeley.EDU)
Received: from smarter.than.nu (pm0-31.vpop1.avtel.net [207.71.237.31]) by beach.silcom.com (Postfix) with ESMTP id DE3FA3B6; Sat, 19 Jun 1999 23:11:03 -0700 (PDT)
Date: Sat, 19 Jun 1999 23:11:03 -0700 (PDT)
From: "Brian W. Buchanan"
X-Sender: brian@smarter.than.nu
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: proposed secure-level 4 patch
In-Reply-To: <199906200450.OAA05782@cheops.anu.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 20 Jun 1999, Darren Reed wrote:

> Man, that's nasty. Reboot to restart something.

Security and convenience are almost always a tradeoff. Running at securelevel 1 (and using it properly) means you can't upgrade a lot of stuff live, can't purge logs, can't load modules, etc. Running at securelevel 2 means you can't newfs while running multi-user. Level 3 means you can't change your IPFW rules. Each time you tighten security, you give up a little convenience to gain a little peace of mind.

In the proposed case, people who are paranoid about having a root compromise lead to someone binding a modified version of sshd or other login daemon to steal passwords can bring the system to securelevel 4 after daemon startup and ensure that the attacker cannot simply kill sshd and replace it. Well-written daemons should *not* die unless killed, and if you're running with a positive securelevel, you've already given up the luxury of live upgrades. To minimize downtime due to dead daemons, just spawn everything from inetd and make darn sure that inetd won't die unless root decides it should.

Anyway, this all boils down to a matter of choice. If you value being able to restart daemons without rebooting, then don't use this level of protection.

--
Brian Buchanan                                    brian@CSUA.Berkeley.EDU
--------------------------------------------------------------------------
FreeBSD - The Power to Serve!                     http://www.freebsd.org
daemon(n): 1. an attendant power or spirit : GENIUS
           2. the cute little mascot of the FreeBSD operating system

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message