From owner-freebsd-security Sun Nov 26 6:16: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 05E4437B4CF for ; Sun, 26 Nov 2000 06:15:52 -0800 (PST)
Received: (qmail 12050 invoked by uid 0); 26 Nov 2000 14:15:51 -0000
Received: from p3ee21636.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.54) by mail.gmx.net (mail02) with SMTP; 26 Nov 2000 14:15:51 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id IAA24861 for freebsd-security@FreeBSD.ORG; Sun, 26 Nov 2000 08:55:14 +0100
Date: Sun, 26 Nov 2000 08:55:14 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: static ARP tables
Message-ID: <20001126085514.H27042@speedy.gsinet>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <200011252212.PAA26585@faith.cs.utah.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200011252212.PAA26585@faith.cs.utah.edu>; from dga@pobox.com on Sat, Nov 25, 2000 at 03:12:56PM -0700
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Nov 25, 2000 at 15:12 -0700, David G. Andersen wrote:
>
> You have a point, of course; this shouldn't be plugged as "the
> perfect solution for ip-based authentication," because it does
> have many holes of which a user must be aware, but it's a very
> nice thing to have around, and I'd love to see it controllable
> via rc.conf.

OK, I take this point, which I wasn't quite aware of before.  Of course
no security measure stands alone, but every single one contributes to
raising the bar for the bad guys and keeps legitimate users from doing
harm to themselves as well as others.

> One thing that would be nice from my perspective would be the
> ability to specify an external file that contains the static
> ARP entries, e.g.
>
> static_arp_table="/etc/arpfile"
>
> (The same kind of functionality currently provided by
> rc.firewall).

You might want to follow up to the PR (to have it in the audit
trail) with a patch that makes the table fill-in loop read
something like

case ${static_arp_table} in
/*)
    # file name specified
    while read ADDR; do
        ...
    done < ${static_arp_table}
    ;;
[1-9]*)
    # starts with an IP address
    for ADDR in ${static_arp_table}; do
        ...
    done
    ;;
esac

Alternatively you could try to use the same body for every branch
by doing some magic like

(
case ${static_arp_table} in
/*)
    # file name specified
    cat ${static_arp_table}
    ;;
[1-9]*)
    # starts with an IP address
    echo ${static_arp_table} | tr ' ' '\n'
    ;;
esac
) | while read ADDR; do
    ...
done

depending on what kind of notation you consider least painful. :)
Beware that this is a skeleton and still needs some cleanup (remove
comment lines, drop empty lines, squeeze redundant whitespace, etc).
Plus the static ARP table could be done the way ifconfig (with
network_interfaces and ifconfig_$IF) and static routes are done: to
have an index list and wade through the "indexed" variables of
elements.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
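An added example (not Gerhard's code and not FreeBSD's rc scripts): the skeleton above made runnable in POSIX sh, accepting both rc.conf notations (a file name or an inline "IP MAC IP MAC ..." list), doing the cleanup the post says is still missing (comment lines, empty lines, redundant whitespace) and refusing a half-written entry so nothing malformed reaches arp(8). The install hook with a substitutable command and the sample addresses are assumptions for the demonstration; arp -s itself is the real FreeBSD flag for a permanent entry.

```shell
#!/bin/sh
# Added example, not from the original post: a runnable version of the
# static_arp_table skeleton.  The table is either a file name ("/etc/arpfile")
# or an inline "IP MAC IP MAC ..." list; both are normalised to one
# "IP MAC" pair per line before anything touches the ARP cache.

# Emit the raw table text, whichever rc.conf notation was used.
static_arp_source() {
    case $1 in
    /*)      cat -- "$1" ;;                 # file name specified
    [1-9]*)  printf '%s\n' "$1" ;;          # starts with an IP address
    *)       echo "static_arp_source: unrecognised table '$1'" >&2
             return 1 ;;
    esac
}

# The cleanup the skeleton still needed: drop comments and empty lines,
# squeeze whitespace, then pair the remaining tokens as "IP MAC".  Fails on
# a dangling token so a half-written entry never reaches arp(8).
static_arp_entries() {
    raw=$(static_arp_source "$1") || return 1
    printf '%s\n' "$raw" | awk '
        { sub(/#.*/, "") }                      # comment to end of line
        { for (i = 1; i <= NF; i++) tok[n++] = $i }
        END {
            if (n % 2) {
                print "static_arp_entries: odd number of tokens" > "/dev/stderr"
                exit 1
            }
            for (i = 0; i < n; i += 2) print tok[i], tok[i + 1]
        }'
}

# Install the entries.  The second argument (an assumed hook, not an rc.conf
# knob) defaults to "arp -s", which creates a permanent entry; pass
# "echo arp -s" to preview what would be run.
static_arp_install() {
    cmd=${2:-arp -s}
    entries=$(static_arp_entries "$1") || return 1
    printf '%s\n' "$entries" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        ${cmd} "$ip" "$mac"        # unquoted on purpose: cmd may be several words
    done
}

# Demo on a constructed table file; the addresses are made up.
demo_static_arp() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample arpfile
192.168.20.1    00:11:22:33:44:55   # default router
192.168.20.50   00:11:22:33:44:66

EOF
    static_arp_install "$tmp" "echo arp -s"
    rm -f "$tmp"
}

demo_static_arp
```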
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 26 6:53: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rowdy.panther.net (rowdy.panther.net [209.197.223.18]) by hub.freebsd.org (Postfix) with ESMTP id 8C11437B479 for ; Sun, 26 Nov 2000 06:53:00 -0800 (PST)
Received: from localhost (2169 bytes) by rowdy.panther.net via sendmail with P:stdio/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) (ident using unix) id for ; Sun, 26 Nov 2000 08:53:13 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #2 built 2000-Feb-26)
Message-Id:
From: kward@panther.net (Keith Ward)
Subject: Re: Re[2]: wuftp
In-Reply-To: <3A1FD6C030C.864DMELON@postman.orangenetwork.net> from Melon at "Nov 26, 2000 00:12:00 am"
To: Melon
Date: Sun, 26 Nov 2000 08:53:13 -0600 (CST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL69 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Melon,

I ran into this same thing last week while attempting to utilize PAM
with the installation of ProFTPD.  After compiling the pam libraries
with debugging enabled, I was able to determine that the error message
"No modules loaded for `ftp' service" was actually being generated
after the "auth" and "account" pam sections had been successfully
processed.  The ProFTPD source also attempts to utilize
pam_open_session, which is not documented or included in the sample
entries for the pam.conf.  You can utilize the "pam_permit" module for
the session entry, which will always return PAM_SUCCESS for the
session.

So, add a third line (under the ftp auth/account entries) to your
pam.conf with:

ftp     session     required    pam_permit.so

And the error message will stop, and pam will work.

Of course if you don't need/want pam, you can also just disable the
use of pam in the proftpd.conf file with "AuthPAM Off".

Keith

According to the writings of Melon
> Hello,
>
> I'm trying to use ProFTPD 1.2.0 rc2 instead of wu-ftpd 2.6.1
>
> After installing ProFTPD, I found
> No modules loaded for `ftp' service
> error messages each time a user successfully logged in.
>
> How come this message appears?
>
> Any suggestions will be appreciated.
>
> Melon

--
Keith Ward  N5OOD  kward@Panther.net  ...!rwsys!rowdy!kward
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   I don't suffer from insanity, I enjoy every minute of it.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From owner-freebsd-security Sun Nov 26 7:10:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail8.sc.rr.com (fe8.southeast.rr.com [24.93.67.55]) by hub.freebsd.org (Postfix) with ESMTP id 7F2A137B4D7 for ; Sun, 26 Nov 2000 07:09:59 -0800 (PST)
Received: from cae88-102-101.sc.rr.com ([24.88.102.101]) by mail8.sc.rr.com with Microsoft SMTPSVC(5.5.1877.537.53); Sun, 26 Nov 2000 10:08:58 -0500
Date: Mon, 13 Sep 1999 17:35:32 -0400
From: "Donald J . Maddox"
To: The Mad Scientist
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How to prevent motd including os info
Message-ID: <19990913173532.A842@dmaddox.conterra.com>
Reply-To: dmaddox@conterra.com
References: <4.1.19990913003757.0096b660@mail.thegrid.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre1i
In-Reply-To: <4.1.19990913003757.0096b660@mail.thegrid.net>
Content-Length: 3200
Lines: 101
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bzzzt!  The correct answer is in /etc/login.conf, of course.
You assume a lot.  How do you know I don't have the user in a jail
that doesn't even remotely resemble a *BSD system (even though it
actually is within one)?

On Mon, Sep 13, 1999 at 12:38:35AM -0700, The Mad Scientist wrote:
> If someone can get a shell on your machine, it should be trivial to
> determine (at the very least) that the machine is running a bsd OS.
> (existence of /usr/ucb, flags to ps, etc)  You'd need to take care of
> uname, dmesg, and so on.  It's better to spend your time fixing real
> security holes.
> -Dean
> At 01:13 PM 9/12/99 -0400, you wrote:
> >Is there a way to suppress the copyright info?  This is pretty much
> >a dead giveaway (At least that it's *BSD), huh?  See lines 14-15 below:
> >
> >$ telnet dmaddox.conterra.com
> >Trying 127.0.0.1...
> >Connected to localhost.
> >Escape character is '^]'.
> >
> >dmaddox.conterra.com
> >Access Restricted
> >
> >Today is Sun Sep 12 13:09:57 EDT 1999
> >
> >login: myself
> >Password:
> >Last login: Sun Sep 12 13:07:17 from localhost
> >Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
> >        The Regents of the University of California.  All rights reserved.
> >
> >Welcome to BogoDOS!
> >You have mail.
> >$
> >
> >On Sun, Sep 12, 1999 at 12:56:39PM -0400, Hector Colmenares wrote:
> >>
> >>
> >> If you don't want people to know what OS you are running
> >> when they telnet into your box, just change the info in
> >> /etc/gettytab to this
> >>
> >> default:\
> >>         :cb:ce:ck:lc:fd#1000:im=\r\n\%h\r\nAccess Restricted\
> >>         r\n\r\nFor info, email admin@%h\r\nToday is %d\r\n\r\n
> >>
> >>
> >> ;-)
> >>
> >> cheers !!
> >>
> >> On Sun, 12 Sep 1999, Will Andrews wrote:
> >>
> >> >
> >> > On 12-Sep-99 Ben Smithurst wrote:
> >> > > Jeremy L. Ramirez wrote:
> >> > >
> >> > >> telnet stream tcp nowait root /usr/libexec/telnetd telnetd -h
> >> > >>
> >> > >> what you are doing is adding the -h at the end of the line which
> >> > >> prevents a user from seeing the OS before even logging in.
> >> > >
> >> > > An even better way is to disable telnet completely, and use ssh like
> >> > > you should.  Note that people can still use nmap or something to
> >> > > guess at your OS.
> >> > >
> >> > > --
> >> > > Ben Smithurst            | PGP: 0x99392F7D
> >> > > ben@scientia.demon.co.uk | key available from keyservers and
> >> > >                          | ben+pgp@scientia.demon.co.uk

From owner-freebsd-security Sun Nov 26 7:10:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail8.sc.rr.com (fe8.southeast.rr.com [24.93.67.55]) by hub.freebsd.org (Postfix) with ESMTP id 3BFCA37B663 for ; Sun, 26 Nov 2000 07:10:03 -0800 (PST)
Received: from cae88-102-101.sc.rr.com ([24.88.102.101]) by mail8.sc.rr.com with Microsoft SMTPSVC(5.5.1877.537.53); Sun, 26 Nov 2000 10:08:59 -0500
Date: Mon, 13 Sep 1999 21:05:13 -0400
From: "Donald J . Maddox"
To: "Jeffrey J. Mountin"
Cc: dmaddox@conterra.com, freebsd-security@FreeBSD.ORG
Subject: Re: How to prevent motd including os info
Message-ID: <19990913210513.A3167@dmaddox.conterra.com>
Reply-To: dmaddox@conterra.com
References: <4.1.19990913003757.0096b660@mail.thegrid.net> <4.1.19990913003757.0096b660@mail.thegrid.net> <19990913173532.A842@dmaddox.conterra.com> <3.0.3.32.19990913191825.00ad66f0@207.227.119.2>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre1i
In-Reply-To: <3.0.3.32.19990913191825.00ad66f0@207.227.119.2>
Content-Length: 1304
Lines: 39
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Sep 13, 1999 at 07:18:25PM -0500, Jeffrey J. Mountin wrote:
> At 05:35 PM 9/13/99 -0400, Donald J . Maddox wrote:
> >Bzzzt!  The correct answer is in /etc/login.conf, of course.
> >
> >You assume a lot.  How do you know I don't have the user in a jail
> >that doesn't even remotely resemble a *BSD system (even though it
> >actually is within one)?
>
> Ding! Ding! Ding!  Give the man a prize...
>
> For a colossal waste of time.  Don't care to get into what would be
> required to remove all traces of FreeBSD in all files and good luck
> doing so.
>
> > Scramble away and lock me up...
>
> Won't help much if 'strings' is around and if it isn't...
>
> Still no problem.  8-)

Sigh.  This point is not worth all this discussion, but _again_...

There may not be ANYTHING *BSD in the jail environment, let alone
'strings'.  Again, assumptions.

The point of my original question was just to find out how NOT to make
the OS flavor readily apparent.  That there are good reasons for doing
so is not a point I am going to debate.  We've all seen the 'security
through obscurity' debates rehashed on these lists MANY times.  Let's
not do it again.
>
>
> Jeff Mountin - jeff@mountin.net
> Systems/Network Administrator
> FreeBSD - the power to serve
> '86 Yamaha MaxiumX (not FBSD powered)

From owner-freebsd-security Sun Nov 26 7:10:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail8.sc.rr.com (fe8.southeast.rr.com [24.93.67.55]) by hub.freebsd.org (Postfix) with ESMTP id 7B11C37B682; Sun, 26 Nov 2000 07:10:04 -0800 (PST)
Received: from cae88-102-101.sc.rr.com ([24.88.102.101]) by mail8.sc.rr.com with Microsoft SMTPSVC(5.5.1877.537.53); Sun, 26 Nov 2000 10:08:57 -0500
Date: Sun, 12 Sep 1999 13:13:44 -0400
From: "Donald J . Maddox"
To: Hector Colmenares
Cc: Will Andrews , Ben Smithurst , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, dev-null@ns1.digicomsystems.net, "Jeremy L. Ramirez"
Subject: Re: How to prevent motd including os info
Message-ID: <19990912131344.B31706@dmaddox.conterra.com>
Reply-To: dmaddox@conterra.com
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre1i
In-Reply-To:
Content-Length: 2093
Lines: 74
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is there a way to suppress the copyright info?  This is pretty much
a dead giveaway (At least that it's *BSD), huh?  See lines 14-15 below:

$ telnet dmaddox.conterra.com
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

dmaddox.conterra.com
Access Restricted

Today is Sun Sep 12 13:09:57 EDT 1999

login: myself
Password:
Last login: Sun Sep 12 13:07:17 from localhost
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

Welcome to BogoDOS!
You have mail.
$

On Sun, Sep 12, 1999 at 12:56:39PM -0400, Hector Colmenares wrote:
>
>
> If you don't want people to know what OS you are running
> when they telnet into your box, just change the info in
> /etc/gettytab to this
>
> default:\
>         :cb:ce:ck:lc:fd#1000:im=\r\n\%h\r\nAccess Restricted\
>         r\n\r\nFor info, email admin@%h\r\nToday is %d\r\n\r\n
>
>
> ;-)
>
> cheers !!
>
> On Sun, 12 Sep 1999, Will Andrews wrote:
>
> >
> > On 12-Sep-99 Ben Smithurst wrote:
> > > Jeremy L. Ramirez wrote:
> > >
> > >> telnet stream tcp nowait root /usr/libexec/telnetd telnetd -h
> > >>
> > >> what you are doing is adding the -h at the end of the line which
> > >> prevents a user from seeing the OS before even logging in.
> > >
> > > An even better way is to disable telnet completely, and use ssh like
> > > you should.  Note that people can still use nmap or something to
> > > guess at your OS.
> > >
> > > --
> > > Ben Smithurst            | PGP: 0x99392F7D
> > > ben@scientia.demon.co.uk | key available from keyservers and
> > >                          | ben+pgp@scientia.demon.co.uk

From owner-freebsd-security Sun Nov 26 7:10:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail8.sc.rr.com (fe8.southeast.rr.com [24.93.67.55]) by hub.freebsd.org (Postfix) with ESMTP id 6A4DB37B685 for ; Sun, 26 Nov 2000 07:10:06 -0800 (PST)
Received: from cae88-102-101.sc.rr.com ([24.88.102.101]) by mail8.sc.rr.com with Microsoft SMTPSVC(5.5.1877.537.53); Sun, 26 Nov 2000 10:09:05 -0500
Date: Fri, 17 Sep 1999 17:56:03 -0400
From: "Donald J . Maddox"
To: John-Mark Gurney
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How to prevent motd including os info
Message-ID: <19990917175603.A1571@dmaddox.conterra.com>
Reply-To: dmaddox@conterra.com
References: <4.1.19990913003757.0096b660@mail.thegrid.net> <4.1.19990913003757.0096b660@mail.thegrid.net> <19990913173532.A842@dmaddox.conterra.com> <3.0.3.32.19990913191825.00ad66f0@207.227.119.2> <19990913210513.A3167@dmaddox.conterra.com> <19990917120236.39316@hydrogen.fircrest.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre1i
In-Reply-To: <19990917120236.39316@hydrogen.fircrest.net>
Content-Length: 879
Lines: 18
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Sep 17, 1999 at 12:02:36PM -0700, John-Mark Gurney wrote:
> Donald J . Maddox scribbled this message on Sep 13:
> > There may not be ANYTHING *BSD in the jail environment, let alone
> > 'strings'.  Again, assumptions.
>                     ^^^^^^^^^^^^^^^^^^
> ummm.. yes there is... can we say ENOSYS??  I knew you could... assuming
> people have write permissions and execute permissions...
                                                           ^^^^^^^^

When discussing an environment one has no knowledge of whatsoever, it's
not a good idea to assume a lot.

For the record, it may very well be impossible to create an environment
that is 100% anonymous, and yet not so crippled as to be useless;
however, it may not be.  I find it interesting that all the responses
I've seen to this thread so far seem to assume that the environment
will allow compiling and executing arbitrary code.  Why would anybody
assume that?
From owner-freebsd-security Sun Nov 26 8:12:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pt-quorum.com (pt-quorum.com [209.10.167.210]) by hub.freebsd.org (Postfix) with ESMTP id 2A6D637B479 for ; Sun, 26 Nov 2000 08:12:26 -0800 (PST)
Received: from n2 ([213.30.47.163]) by pt-quorum.com (8.9.3/8.9.3) with SMTP id QAA27430 for ; Sun, 26 Nov 2000 16:07:46 GMT
Message-ID: <001701c057c4$1e1ac010$0200a8c0@n2>
From: "Nuno Teixeira"
To:
Subject: NATD: failed to write packet back (Permission denied)
Date: Sun, 26 Nov 2000 16:15:36 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello to all,

I have a dialup firewall working ok (I followed the FreeBSD Dialup
Firewall example).

In my fwrule I have a "$fwcmd add 65435 allow icmp from any to any" so
I can have traceroute working.

The problem is: I can do a traceroute from my internal network to the
outside with no problems, but I can't do it from the gateway computer
to the outside.  The system gives the error:

"Nov 26 16:11:11 gateway natd[122]: failed to write packet back (Permission denied)"

Do you know how to resolve this?

Thanks very much,

Nuno Teixeira

From owner-freebsd-security Sun Nov 26 8:33:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [216.6.69.11]) by hub.freebsd.org (Postfix) with ESMTP id 91A0137B479 for ; Sun, 26 Nov 2000 08:33:20 -0800 (PST)
Received: from localhost (buliwyf@localhost) by libertad.univalle.edu.co (8.10.0/8.10.0) with ESMTP id eAQGg7f76925 for ; Sun, 26 Nov 2000 11:42:07 -0500 (COT)
Date: Sun, 26 Nov 2000 11:42:07 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: fics
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Anybody know about a trojan or something bad called "fics"???

I found this in one pc on my intranet:

Interesting ports on  (192.168.20.50):
Port    State       Protocol  Service
5000    open        tcp       fics

Thanks for any comments...
=======================================================================
Buliwyf McGraw
Administrator of the Libertad Server
Information Services Center
Universidad del Valle
=======================================================================

From owner-freebsd-security Sun Nov 26 8:59:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id 22DF737B479 for ; Sun, 26 Nov 2000 08:59:35 -0800 (PST)
Received: (qmail 371 invoked by uid 1000); 26 Nov 2000 16:59:02 -0000
Date: Sun, 26 Nov 2000 18:59:02 +0200
From: Peter Pentchev
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: fics
Message-ID: <20001126185902.A356@ringworld.oblivion.bg>
Mail-Followup-To: Buliwyf McGraw , freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from buliwyf@libertad.univalle.edu.co on Sun, Nov 26, 2000 at 11:42:07AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Nov 26, 2000 at 11:42:07AM -0500, Buliwyf McGraw wrote:
>
> Anybody know about a trojan or something bad called "fics"???
>
> I found this in one pc on my intranet:
>
> Interesting ports on  (192.168.20.50):
> Port    State       Protocol  Service
> 5000    open        tcp       fics
>
> Thanks for any comments...

FICS is the Free Internet Chess Server, a server for providing
human-to-human play across the 'net to gnuchess, xboard and similar
chess programs.

I guess your question is better rephrased as 'Anybody know about a
trojan or something bad listening on port 5000', though I guess
somebody might be running a gnuchess/xboard/WinBoard or something on
that PC; I do not remember if FICS clients also needed a listening
port on the client side, though I think not.

G'luck,
Peter

--
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

From owner-freebsd-security Sun Nov 26 9:29:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id A612C37B4C5 for ; Sun, 26 Nov 2000 09:29:41 -0800 (PST)
Received: from algroup.co.uk (socks-fw.aldigital.co.uk [192.168.254.10]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id RAA05718; Sun, 26 Nov 2000 17:29:25 GMT
Message-ID: <3A2139E0.EA965351@algroup.co.uk>
Date: Sun, 26 Nov 2000 16:27:12 +0000
From: Adam Laurie
Organization: A.L. Group plc
X-Mailer: Mozilla 4.74 [en] (X11; U; FreeBSD 3.4-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Pär Thoren
Cc: freebsd-security@freebsd.org
Subject: Re: secure tunnel
References:
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Pär Thoren wrote:
>
> Can I forward port 80 on a natd server so that every connection that is
> made by local machines (nat clients) to port 80 on the natdserver (on
> the internal interface) will go to another server?  Can this be done
> with ssh tunneling so that the connection between the natdserver and
> the other www server will be secure?

you could, but stunnel would probably be more appropriate.

  http://www.stunnel.org/

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Sun Nov 26 11: 2:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 590E237B4CF for ; Sun, 26 Nov 2000 11:00:45 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 26 Nov 2000 10:59:13 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAQJ0hj47126; Sun, 26 Nov 2000 11:00:43 -0800 (PST) (envelope-from cjc)
Date: Sun, 26 Nov 2000 11:00:43 -0800
From: "Crist J . Clark"
To: Gerhard Sittig
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: static ARP tables
Message-ID: <20001126110042.B34151@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <200011252212.PAA26585@faith.cs.utah.edu> <20001126085514.H27042@speedy.gsinet>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20001126085514.H27042@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Sun, Nov 26, 2000 at 08:55:14AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Nov 26, 2000 at 08:55:14AM +0100, Gerhard Sittig wrote:
> On Sat, Nov 25, 2000 at 15:12 -0700, David G. Andersen wrote:
> >
> > You have a point, of course; this shouldn't be plugged as "the
> > perfect solution for ip-based authentication," because it does
> > have many holes of which a user must be aware, but it's a very
> > nice thing to have around, and I'd love to see it controllable
> > via rc.conf.
>
> OK, I take this point, which I wasn't quite aware of before.  Of course
> no security measure stands alone, but every single one contributes to
> raising the bar for the bad guys and keeps legitimate users from doing
> harm to themselves as well as others.
>
> > One thing that would be nice from my perspective would be the
> > ability to specify an external file that contains the static
> > ARP entries, e.g.
> >
> > static_arp_table="/etc/arpfile"
> >
> > (The same kind of functionality currently provided by
> > rc.firewall).
>
> You might want to follow up to the PR (to have it in the audit
> trail) with a patch that makes the table fill-in loop read
> something like
>
> case ${static_arp_table} in
> /*)
>     # file name specified
>     while read ADDR; do
>         ...
>     done < ${static_arp_table}
>     ;;
> [1-9]*)
>     # starts with an IP address
>     for ADDR in ${static_arp_table}; do
>         ...
>     done
>     ;;
> esac

The arp(8) command does have an option to read a file already.  See
the '-f' option.
--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Sun Nov 26 11: 8:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 09C4937B479 for ; Sun, 26 Nov 2000 11:08:05 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 26 Nov 2000 11:06:27 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAQJ7vV51546; Sun, 26 Nov 2000 11:07:57 -0800 (PST) (envelope-from cjc)
Date: Sun, 26 Nov 2000 11:07:56 -0800
From: "Crist J . Clark"
To: Nuno Teixeira
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001126110756.C34151@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <001701c057c4$1e1ac010$0200a8c0@n2>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <001701c057c4$1e1ac010$0200a8c0@n2>; from nuno.teixeira@pt-quorum.com on Sun, Nov 26, 2000 at 04:15:36PM -0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Nov 26, 2000 at 04:15:36PM -0000, Nuno Teixeira wrote:
> Hello to all,
>
> I have a dialup firewall working ok (I followed the FreeBSD Dialup
> Firewall example).
>
> In my fwrule I have a "$fwcmd add 65435 allow icmp from any to any" so
> I can have traceroute working.

Do you also pass high port (>33434) UDP going out?
--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Sun Nov 26 11:17:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pt-quorum.com (pt-quorum.com [209.10.167.210]) by hub.freebsd.org (Postfix) with ESMTP id C190537B4C5 for ; Sun, 26 Nov 2000 11:17:24 -0800 (PST)
Received: from n2 ([213.30.47.45]) by pt-quorum.com (8.9.3/8.9.3) with SMTP id TAA28675; Sun, 26 Nov 2000 19:12:47 GMT
Message-ID: <000b01c057dd$f9423ab0$0200a8c0@n2>
From: "Nuno Teixeira"
To:
Cc:
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com>
Subject: Re: NATD: failed to write packet back (Permission denied)
Date: Sun, 26 Nov 2000 19:20:41 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I think not.  Can you tell me how to add this rule to my ruleset?

Thanks very much,

Nuno Teixeira

----- Original Message -----
From: "Crist J . Clark"
To: "Nuno Teixeira"
Cc:
Sent: Sunday, November 26, 2000 7:07 PM
Subject: Re: NATD: failed to write packet back (Permission denied)

> On Sun, Nov 26, 2000 at 04:15:36PM -0000, Nuno Teixeira wrote:
> > Hello to all,
> >
> > I have a dialup firewall working ok (I followed the FreeBSD Dialup
> > Firewall example).
> >
> > In my fwrule I have a "$fwcmd add 65435 allow icmp from any to any" so
> > I can have traceroute working.
>
> Do you also pass high port (>33434) UDP going out?
> --
> Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Sun Nov 26 11:37:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 8F52337B4C5 for ; Sun, 26 Nov 2000 11:37:22 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 26 Nov 2000 11:35:51 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAQJbLq70271; Sun, 26 Nov 2000 11:37:21 -0800 (PST) (envelope-from cjc)
Date: Sun, 26 Nov 2000 11:37:21 -0800
From: "Crist J . Clark"
To: Nuno Teixeira
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001126113720.A70192@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <000b01c057dd$f9423ab0$0200a8c0@n2>; from nuno.teixeira@pt-quorum.com on Sun, Nov 26, 2000 at 07:20:41PM -0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote:
> Hi,
>
> I think not.  Can you tell me how to add this rule to my ruleset?

The two rules needed to get UNIX-style traceroutes to work are,

  $fwcmd add allow udp from any to any 33434-33474 out via ${oif}
  $fwcmd add allow icmp from any to any icmptype 3,11 in via ${oif}

But you already have a more promiscuous rule for ICMP so that is not
needed.  'oif' is your external interface on a gateway machine.
--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Sun Nov 26 11:48:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cypherpunks.ai (cypherpunks.ai [209.88.68.47]) by hub.freebsd.org (Postfix) with ESMTP id 9F00C37B479; Sun, 26 Nov 2000 11:48:54 -0800 (PST)
Received: from vangelderen.org (grolsch.ai [209.88.68.214]) by cypherpunks.ai (Postfix) with ESMTP id B94DF51; Sun, 26 Nov 2000 15:48:49 -0400 (AST)
Message-ID: <3A216921.D2E9F772@vangelderen.org>
Date: Sun, 26 Nov 2000 15:48:49 -0400
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.73 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Kris Kennaway
Cc: "Brian F. Feldman" , security@FreeBSD.ORG
Subject: Re: OpenSSH 2.3.0 pre-upgrade
References: <200011242328.eAONSJ560421@green.dyndns.org> <20001124153307.A71713@citusc17.usc.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:
>
> On Fri, Nov 24, 2000 at 06:28:19PM -0500, Brian F. Feldman wrote:
>
> > What's new in this release?  Mostly the adding of the AES (Rijndael) to
> > the SSH2 algorithms.  Is anything now broken?  Well, nothing new broken
> > that I
>
> Doesn't that rely on AES support in OpenSSL?
>
> > There's some weird issue where for the Diffie-Hellman exchange, OpenSSH
> > wants primes but doesn't seem to want to generate them... it expects an
> > /etc/ssh/primes (which should become /var/run/ssh_primes, if anything)
> > and I have no clue where the program is that supposedly generates them.
> > So, for SSH2, the authentication stage generates a large warning and
> > uses a hardcoded prime.  This should not actually have an effect on
> > security, though, according to my understanding of the Diffie-Hellman
> > protocol.
>
> They're static - OpenBSD just committed the file with some good primes
> generated from OpenSSL, presumably.

You happen to know who came up with the non-standard extension to the
SSH2 protocol that allows these primes to be used??  I have not been
paying much attention to the SSH list lately but this mode of key
exchange seems undocumented in the latest set of drafts at:

  http://www.ietf.org/ids.by.wg/secsh.html

It seems prudent to not introduce OpenSSH proprietary features in
FreeBSD.  Given the lack of documentation for this protocol 'feature'
I'd suggest we disable it until documented in the appropriate I-Ds or
RFCs.

Cheers,
Jeroen
--
Jeroen C. van Gelderen          -  jeroen@vangelderen.org

"It is not utopian to work for a society without taxation; it is utopian
 to think that the power to tax won't be abused once it is granted."
       -- Murray N. Rothbard (1926-1995)

From owner-freebsd-security Sun Nov 26 12:10:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from phalse.2600.com (phalse.2600.COM [216.66.24.2]) by hub.freebsd.org (Postfix) with ESMTP id 3501437B4C5 for ; Sun, 26 Nov 2000 12:10:17 -0800 (PST)
Received: from localhost (localhost [[UNIX: localhost]]) by phalse.2600.com (8.8.8/8.8.8) with ESMTP id PAA15407 for ; Sun, 26 Nov 2000 15:10:16 -0500 (EST)
Date: Sun, 26 Nov 2000 15:10:16 -0500 (EST)
From: Dominick LaTrappe
To: freebsd-security@freebsd.org
Subject: Re: static ARP tables
In-Reply-To: <200011252212.PAA26585@faith.cs.utah.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 25 Nov 2000 "David G. Andersen" wrote:
> When used in conjunction with switch-enforced MAC security, it's actually
> quite useful.  You yourself state this; I have a need for exactly this
> kind of functionality for Utah's network testbed, actually.

What I'd really like to see is a 'static' flag that can be added to
individual ARP table entries.  I have several networks with servers and
routers whose MAC/IP/switchport associations should never change, but
also workstations that change all the time.

I'm going to try to work on a patch for this, though maybe someone
already knows a hack?
||| Dominick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Nov 26 12:32: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id EA8CF37B479 for ; Sun, 26 Nov 2000 12:32:01 -0800 (PST) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 26 Nov 2000 12:30:25 -0800 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAQKVsg70697; Sun, 26 Nov 2000 12:31:54 -0800 (PST) (envelope-from cjc) Date: Sun, 26 Nov 2000 12:31:53 -0800 From: "Crist J . Clark" To: Dominick LaTrappe Cc: freebsd-security@FreeBSD.ORG Subject: Re: static ARP tables Message-ID: <20001126123153.D70192@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <200011252212.PAA26585@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from seraf@2600.COM on Sun, Nov 26, 2000 at 03:10:16PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Nov 26, 2000 at 03:10:16PM -0500, Dominick LaTrappe wrote: > On Sat, 25 Nov 2000 "David G. Andersen" wrote: > > When used in conjunction with switch-enfored MAC security, it's actually > > quite useful. You yourself state this; I have a need for exactly this > > kind of functionality for Utah's network testbed, actually. > > What I'd really like to see is a 'static' flag that can be added to > individual ARP table entries. I have several networks with servers and > routers whose MAC/IP/switchport associtions should never change, but also > workstations that change all the time. > > I'm going to try to work on a patch for this, though maybe someone already > knows a hack? $ man arp . . . 
-s hostname ether_addr Create an ARP entry for the host called hostname with the Ether- net address ether_addr. The Ethernet address is given as six hex bytes separated by colons. The entry will be permanent unless the word temp is given in the command. ^^^^^^^^^ Writing a script to 'permanentize' an existing entry is straightforward, #!/bin/sh # # arpperm # # Usage: arpperm hostname | ip ARP=/usr/sbin/arp if [ -z $1 ] || [ $# -gt 1 ]; then echo "Usage: $0 hostname | ip" >&2 exit 1 fi MAC=`$ARP -n $1 | cut -f4 -d" "` if expr $MAC : '[0-9a-f]*:[0-9a-f]*:[0-9a-f]*:[0-9a-f]*:[0-9a-f]*:[0-9a-f]*' > /dev/null 2>&1; then $ARP -S $1 $MAC else echo "$0: trouble getting MAC address" >&2 exit 1 fi exit 0 -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Nov 26 13:17:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from albatross.prod.itd.earthlink.net (albatross.prod.itd.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id CB8A537B479 for ; Sun, 26 Nov 2000 13:17:18 -0800 (PST) Received: from 1Cust126.tnt14.krk1.da.uu.net (1Cust126.tnt14.krk1.da.uu.net [63.26.25.126]) by albatross.prod.itd.earthlink.net (8.9.3-EL_1_3/8.9.3) with ESMTP id NAA04076 for ; Sun, 26 Nov 2000 13:17:09 -0800 (PST) Date: Sun, 26 Nov 2000 15:17:06 -0600 (CST) From: David Talkington X-Sender: dtalk@sherman.spotnet.org To: freebsd-security@FreeBSD.ORG Subject: Re: How to prevent motd including os info In-Reply-To: <19990913173532.A842@dmaddox.conterra.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- >> If someone can get a shell on your machine, it should be trivial to >> determine (at the very least) that the machine is running a bsd OS. 
>> (existance of /usr/ucb, flags to ps, etc) You'd need to take care of >> uname, dmesg, and so on. It's better to spend your time fixing real >> security holes. Not disagreeing with you in principle, but your examples don't really hold up ... /usr/ucb is present even Solaris; flags to ps might change if the system uses /usr/ucb/ps by default, etc. Pardon my ignorance, but would any of the suggestions in this thread fool nmap -O? I'm with those who don't see the point of obscurity; it only fools the novices that I'm not worried about anyway. - -d - -- David Talkington Community Networking Initiative dtalk@prairienet.org 217-244-1962 PGP key: http://www.prairienet.org/~dtalk/dt000823.asc >> -Dean >> At 01:13 PM 9/12/99 -0400, you wrote: >> >Is there a way to suppress the copyright info? This is pretty much >> >a dead giveaway (At least that it's *BSD), huh? See lines 14-15 below: >> > >> >$ telnet dmaddox.conterra.com >> >Trying 127.0.0.1... >> >Connected to localhost. >> >Escape character is '^]'. >> > >> >dmaddox.conterra.com >> >Access Restricted >> > >> >Today is Sun Sep 12 13:09:57 EDT 1999 >> > >> >login: myself >> >Password: >> >Last login: Sun Sep 12 13:07:17 from localhost >> >Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 >> > The Regents of the University of California. All rights reserved. >> > >> >Welcome to BogoDOS! >> >You have mail. >> >$ >> > >> > >> >On Sun, Sep 12, 1999 at 12:56:39PM -0400, Hector Colmenares wrote: >> >> >> >> >> >> If you dont want people to know what OS are you running >> >> when they telnet into your box just change to this the info in >> >> /etc/gettytab >> >> >> >> default:\ >> >> :cb:ce:ck:lc:fd#1000:im=\r\n\%h\r\nAccess Restricted\ >> >> r\n\r\nFor info, email admin@%h\r\nToday is %d\r\n\r\n >> >> >> >> >> >> ;-) >> >> >> >> cheers !! >> >> >> >> On Sun, 12 Sep 1999, Will Andrews wrote: >> >> >> >> > >> >> > On 12-Sep-99 Ben Smithurst wrote: >> >> > > Jeremy L. 
Ramirez wrote: >> >> > > >> >> > >> telnet stream tcp nowait root /usr/libexec/telnetd >> >telnetd -h >> >> > >> >> >> > >> what you are doing is adding the -h at the end of the line which >> >prevents >> >> > >> a user from seeing the OS before even logging in. >> >> > > >> >> > > An even better way is to disable telnet completely, and use ssh like >> you >> >> > > should. Note that people can still use nmap or something to guess at >> >> > > your OS. >> >> > > >> >> > > -- >> >> > > Ben Smithurst | PGP: 0x99392F7D >> >> > > ben@scientia.demon.co.uk | key available from keyservers and >> >> > > | ben+pgp@scientia.demon.co.uk >> >> > > >> >> > > >> >> > > To Unsubscribe: send mail to majordomo@FreeBSD.org >> >> > > with "unsubscribe freebsd-security" in the body of the message >> >> > >> >> > >> >> > To Unsubscribe: send mail to majordomo@FreeBSD.org >> >> > with "unsubscribe freebsd-questions" in the body of the message >> >> > >> >> >> >> >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> >> with "unsubscribe freebsd-questions" in the body of the message >> >> >> > >> > >> >To Unsubscribe: send mail to majordomo@FreeBSD.org >> >with "unsubscribe freebsd-security" in the body of the message >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 Comment: Made with pgp4pine 1.75-6 iQEVAwUBOiF91r1ZYOtSwT+tAQGrIgf/a6xRkw6X1OLulqbKnNWM8HhscveDcexL XKiIcLM8epI134gao90mC8pi91GT6gx2/GXzqv5DU8j3692PFK5MYtjTUWEVW0xq UbdPznd9wPgNErxig1zV3nBrgGlyPhg8HZzQ60lbvVUPkwXHKh0XIsdbqT7Y010v r5FAXpJOJ7v7khb7Ax7kJWsqm6x7wUWpOIQTm/CJgo2SIyX+OwT7ecgOFx0LBEGp ERD0vnrOU9oF/w2giTGScMhFGljaoaw/Lvb8juS52Sfb6UYcJVCiyb+6WaCZ2cT6 IIM1MXgF/KQ57Vkk6sjMnmRiHAWuzzIokZPRPYx7rifAEGa/RsT9WA== =g7tA -----END PGP SIGNATURE----- To Unsubscribe: 
send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Nov 26 13:42:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from smtprelay3.adelphia.net (smtprelay3.adelphia.net [64.8.25.8]) by hub.freebsd.org (Postfix) with ESMTP id 16F7537B479 for ; Sun, 26 Nov 2000 13:42:55 -0800 (PST) Received: from pa-westmifflin1a-530.pit.adelphia.net ([24.48.239.18]) by smtprelay3.adelphia.net (Netscape Messaging Server 4.15) with ESMTP id G4NIWL00.A7Y for ; Sun, 26 Nov 2000 16:41:09 -0500 Date: Sun, 26 Nov 2000 16:36:46 -0500 (EST) From: pW X-Sender: packetwhore@beastie To: freebsd-security@freebsd.org Subject: iplog Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I am running FreeBSD 4.1 RELEASE and I am running iplog. The problem that I run into is iplog just seems to randomly die with no log messages explaining why. I will notice that it hasn't logged anything in a while then I will run a ps -aux to see if it is running and it won't be... so I restart it: iplog --udp=false --tcp=true --icmp=true -l /var/log/iplog.log and it starts, but I can never tell when or why it dies as there aren't any log messages anywhere explaining why it died... any ideas? 
pW To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Nov 26 13:43:33 2000 Delivered-To: freebsd-security@freebsd.org Received: from dt051n37.san.rr.com (dt051n37.san.rr.com [204.210.32.55]) by hub.freebsd.org (Postfix) with ESMTP id B189D37B479 for ; Sun, 26 Nov 2000 13:43:28 -0800 (PST) Received: from FreeBSD.org (Studded@master [10.0.0.2]) by dt051n37.san.rr.com (8.9.3/8.9.3) with ESMTP id NAA06885; Sun, 26 Nov 2000 13:43:04 -0800 (PST) (envelope-from DougB@FreeBSD.org) Message-ID: <3A2183E7.6039C582@FreeBSD.org> Date: Sun, 26 Nov 2000 13:43:03 -0800 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: cjclark@alum.mit.edu Cc: Nuno Teixeira , freebsd-security@FreeBSD.org Subject: Re: NATD: failed to write packet back (Permission denied) References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Crist J . Clark" wrote: > > On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote: > > Hi, > > > > I think not. Can you tell me how to add this rule to my ruleset? > > The two rules needed to get UNIX-style traceroutes to work are, > > Sfwcmd add allow udp from any to any 33434-33474 out via ${oif} When I do a traceroute from a freebsd machine outside my firewall to the firewall machine, I see this: ipfw: 1200 Deny UDP :38575 :33468 in via ep0 ipfw: 1200 Deny UDP :38597 :33477 in via ep0 ipfw: 1200 Deny UDP :38597 :33478 in via ep0 ipfw: 1200 Deny UDP :38597 :33479 in via ep0 Which supports what I've been told that unix traceroute uses udp packets. 
It sounds like in order to allow traceroutes through the firewall you have to open up a pretty big hole for udp... Doug -- So what I want to know is, where does the RED brick road go? Do YOU Yahoo!? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Nov 26 13:56:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from citi.umich.edu (citi.umich.edu [141.211.92.141]) by hub.freebsd.org (Postfix) with ESMTP id E883037B479; Sun, 26 Nov 2000 13:56:25 -0800 (PST) Received: from citi.umich.edu (ssh-mapper.citi.umich.edu [141.211.92.147]) by citi.umich.edu (Postfix) with ESMTP id 21D89207C1; Sun, 26 Nov 2000 16:56:25 -0500 (EST) From: Niels Provos Subject: Re: OpenSSH 2.3.0 pre-upgrade To: "Jeroen C. van Gelderen" Cc: Kris Kennaway , "Brian F. Feldman" , security@FreeBSD.ORG Date: Sun, 26 Nov 2000 16:56:25 -0500 Message-Id: <20001126215625.21D89207C1@citi.umich.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, Jeroen C. van Gelderen wrote: >You happen to know who came up with the non-standard >extension to the SSH2 protocol that allows these primes >to be used?? The key exchange is documented in Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol draft-provos-secsh-dh-group-exchange-00.txt All rationale is contained within. Regards, Niels Provos. 
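The group exchange Niels references above, as an added example (my Python, not OpenSSH's code and not from the draft): the checks a client can apply to a server-supplied group (p, g) before using it, a small safe-prime generator standing in for the precomputed moduli file, and a simulated exchange. The check policy and the bit sizes are assumptions for illustration; note that a safe-prime test rules out smooth-order groups but cannot show that a prime was generated without hidden structure.

```python
"""Added example (not OpenSSH's or the draft's code): what an SSH client can
check about a Diffie-Hellman group handed to it by the server during group
exchange, plus a tiny simulation of the exchange itself."""
import random

_RNG = random.Random(2000)          # fixed seed so the demo is reproducible
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with `rounds` bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group(p, g, min_bits, max_bits):
    """Reasons to reject a server-supplied (p, g); an empty list means it passed.
    The substantive test is that p is a safe prime (p = 2q + 1, q prime), which
    rules out groups whose order is smooth enough for small-subgroup attacks.
    It does not prove that p was generated honestly (assumed policy, see lead-in)."""
    problems = []
    bits = p.bit_length()
    if not min_bits <= bits <= max_bits:
        problems.append("modulus is %d bits, outside [%d, %d]" % (bits, min_bits, max_bits))
    if p % 2 == 0 or not is_probable_prime(p):
        problems.append("modulus is not prime")
        return problems
    if not is_probable_prime((p - 1) // 2):
        problems.append("modulus is not a safe prime: (p-1)/2 is composite")
    if not 2 <= g <= p - 2:
        # In a safe-prime group every g in [2, p-2] has order q or 2q, so the
        # range check is what excludes the trivial orders 1 and 2.
        problems.append("generator outside [2, p-2]")
    return problems


def check_public_value(y, p):
    """A peer's public value outside (1, p-1) forces a known shared secret."""
    return 1 < y < p - 1


def generate_safe_prime(bits):
    """Random safe prime of exactly `bits` bits (demo sizes only; this is slow at
    real 1024+ bit sizes, which is why the thread's primes are precomputed)."""
    while True:
        q = _RNG.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, 8) and is_probable_prime(p, 8):
            return p


def group_exchange(min_bits, max_bits, server_group):
    """Simulate the exchange: client states a size range, server answers with a
    group, client validates it, then both sides run plain DH in that group.
    Returns the shared secret, or None when the client rejects the group."""
    p, g = server_group
    if check_group(p, g, min_bits, max_bits):
        return None
    x = _RNG.randrange(2, p - 2)            # client's secret exponent
    y = _RNG.randrange(2, p - 2)            # server's secret exponent
    e, f = pow(g, x, p), pow(g, y, p)       # exchanged public values
    if not (check_public_value(f, p) and check_public_value(e, p)):
        return None
    k_client, k_server = pow(f, x, p), pow(e, y, p)
    assert k_client == k_server
    return k_client


if __name__ == "__main__":
    p = generate_safe_prime(48)
    print("server group p=%d g=2 ->" % p, check_group(p, 2, 40, 64) or "accepted")
    print("shared secret:", group_exchange(40, 64, (p, 2)))
    print("31 (q=15 composite) ->", check_group(31, 3, 4, 8))
```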
From owner-freebsd-security Sun Nov 26 13:59:24 2000
Date: Sun, 26 Nov 2000 14:00:03 -0800
From: Kris Kennaway
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: fics
Message-ID: <20001126140003.A38904@citusc17.usc.edu>
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from buliwyf@libertad.univalle.edu.co on Sun, Nov 26, 2000 at 11:42:07AM -0500

On Sun, Nov 26, 2000 at 11:42:07AM -0500, Buliwyf McGraw wrote:
>
> Anybody knows about a trojan or something bad called "fics"???
>
> I found this in one pc on my intranet:
>
> Interesting ports on (192.168.20.50):
> Port     State     Protocol  Service
> 5000     open      tcp       fics

That service name is meaningless; it can be anything listening on that
port, fics is just the name of the protocol which is officially allowed
to use it. The only reliable way to tell what protocol it is is to jump
on the machine itself and look at the processes with an lsof-like tool.
I don't know of any of these for Windows.

Kris

From owner-freebsd-security Sun Nov 26 14:00:40 2000
Date: Sun, 26 Nov 2000 14:00:33 -0800
From: "Crist J . Clark"
To: Doug Barton
Cc: Nuno Teixeira, freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001126140033.E70192@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org>
X-Mailer: Mutt 1.0i
In-Reply-To: <3A2183E7.6039C582@FreeBSD.org>; from DougB@FreeBSD.ORG on Sun, Nov 26, 2000 at 01:43:03PM -0800

On Sun, Nov 26, 2000 at 01:43:03PM -0800, Doug Barton wrote:
> "Crist J . Clark" wrote:
> >
> > On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote:
> > > Hi,
> > >
> > > I think not. Can you tell me how to add this rule to my ruleset?
> >
> > The two rules needed to get UNIX-style traceroutes to work are,
> >
> >     $fwcmd add allow udp from any to any 33434-33474 out via ${oif}
>
> When I do a traceroute from a freebsd machine outside my firewall to the
> firewall machine, I see this:
>
> ipfw: 1200 Deny UDP :38575 :33468 in via ep0
> ipfw: 1200 Deny UDP :38597 :33477 in via ep0
> ipfw: 1200 Deny UDP :38597 :33478 in via ep0
> ipfw: 1200 Deny UDP :38597 :33479 in via ep0
>
> Which supports what I've been told that unix traceroute uses udp
> packets. It sounds like in order to allow traceroutes through the
> firewall you have to open up a pretty big hole for udp...

But if you want to traceroute other people, you only need to let the
UDP _out_ and the ICMP types 11 and 3 in (11:0 and 3:3 to be precise).
As for how it works, read the manpage,

     This program attempts to trace the route an IP packet would follow to
     some internet host by launching UDP probe packets with a small ttl
     (time to live) then listening for an ICMP "time exceeded" reply from
     a gateway.  We start our probes with a ttl of one and increase by one
     until we get an ICMP "port unreachable" (which means we got to "host")
     or hit a max (which defaults to 30 hops & can be changed with the -m
     flag).

As for people tracerouting you, blocking the usual UNIX-style (the one
we've been discussing) or M$-style (using pings rather than UDP) is not
too tough. However, if you let any traffic into your network (and
what's the point of connecting to the 'Net if you don't), it is
extremely difficult to stop people from tracerouting you by other
means. If you want to let people traceroute your net, yeah, you need to
make a pretty big hole... but if you want to let people traceroute
you, you apparently are interested in giving out a lot of information
anyway.
--
Crist J. Clark                           cjclark@alum.mit.edu
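The traceroute traffic discussed above, as an added example (my Python, not code from the thread): it picks UNIX-style probes out of ipfw deny lines in the format Doug posted, then evaluates Crist's two rules against sample packets to show that your own traceroutes pass while inbound probes stay denied. The log line format, the sample addresses and the 30-hops-by-3-probes port ceiling (traceroute's defaults) are assumptions here.

```python
"""Added example, not code from the thread: (1) parse ipfw deny-log lines like
Doug's and flag UNIX-style traceroute probes per source; (2) evaluate Crist's two
rules against sample packets.  Assumed FreeBSD 4.x ipfw syslog format:
'ipfw: <rule> <action> UDP <src>:<sport> <dst>:<dport> <in|out> via <if>'."""
import re
from collections import defaultdict

BASE_PORT = 33434                # traceroute(8) default base UDP port (-p)
MAX_PORT = BASE_PORT + 30 * 3    # assumed: 30 hops x 3 probes per hop

UDP_LOG = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) UDP (?P<src>[^:\s]*):(?P<sport>\d+) "
    r"(?P<dst>[^:\s]*):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)")


def traceroute_probes(log_lines):
    """Group UDP log entries whose destination port is in traceroute's range by
    source address.  Returns {src: sorted list of destination ports}."""
    probes = defaultdict(list)
    for line in log_lines:
        m = UDP_LOG.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        if BASE_PORT <= dport <= MAX_PORT:
            probes[m.group("src")].append(dport)
    return {src: sorted(ports) for src, ports in probes.items()}


def looks_like_traceroute(ports, min_probes=3):
    """Heuristic: several probes walking consecutive ports upward is
    traceroute's signature, unlike a single stray datagram."""
    if len(ports) < min_probes:
        return False
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))


# --- Crist's two rules, as a minimal matcher for the fields they use ---
# A packet is a dict: proto, dir, iface, plus dport (udp) or icmptype (icmp).

def traceroute_rules(oif):
    """The rule pair from the thread, in the form used by allowed() below."""
    return [
        {"proto": "udp", "dports": range(33434, 33475), "dir": "out", "iface": oif},
        {"proto": "icmp", "icmptypes": {3, 11}, "dir": "in", "iface": oif},
    ]


def allowed(packet, rules):
    """True when some rule matches; everything else falls through to the
    default deny that the dialup-firewall ruleset ends with."""
    for r in rules:
        if packet["proto"] != r["proto"] or packet["dir"] != r["dir"]:
            continue
        if packet["iface"] != r["iface"]:
            continue
        if r["proto"] == "udp" and packet["dport"] in r["dports"]:
            return True
        if r["proto"] == "icmp" and packet["icmptype"] in r["icmptypes"]:
            return True
    return False


# Constructed sample log lines in the shape of Doug's, with documentation-range
# addresses filled in where his post had them stripped.
SAMPLE_LOG = [
    "ipfw: 1200 Deny UDP 198.51.100.7:38597 203.0.113.1:33477 in via ep0",
    "ipfw: 1200 Deny UDP 198.51.100.7:38597 203.0.113.1:33478 in via ep0",
    "ipfw: 1200 Deny UDP 198.51.100.7:38597 203.0.113.1:33479 in via ep0",
    "ipfw: 1200 Deny UDP 192.0.2.9:1234 203.0.113.1:53 in via ep0",
    "ipfw: 1200 Deny UDP 192.0.2.9:5555 203.0.113.1:33440 in via ep0",
]

if __name__ == "__main__":
    for src, ports in traceroute_probes(SAMPLE_LOG).items():
        verdict = "traceroute" if looks_like_traceroute(ports) else "isolated probe"
        print(src, ports, verdict)
    rules = traceroute_rules("ep0")
    print("own probe out:", allowed({"proto": "udp", "dport": 33440, "dir": "out", "iface": "ep0"}, rules))
    print("inbound probe:", allowed({"proto": "udp", "dport": 33478, "dir": "in", "iface": "ep0"}, rules))
```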
From owner-freebsd-security Sun Nov 26 14:00:46 2000
Date: Sun, 26 Nov 2000 14:01:37 -0800
From: Kris Kennaway
To: "Jeroen C. van Gelderen"
Cc: Kris Kennaway, "Brian F. Feldman", security@FreeBSD.ORG
Subject: Re: OpenSSH 2.3.0 pre-upgrade
Message-ID: <20001126140137.B38904@citusc17.usc.edu>
References: <200011242328.eAONSJ560421@green.dyndns.org> <20001124153307.A71713@citusc17.usc.edu> <3A216921.D2E9F772@vangelderen.org>
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A216921.D2E9F772@vangelderen.org>; from jeroen@vangelderen.org on Sun, Nov 26, 2000 at 03:48:49PM -0400

On Sun, Nov 26, 2000 at 03:48:49PM -0400, Jeroen C. van Gelderen wrote:
> You happen to know who came up with the non-standard
> extension to the SSH2 protocol that allows these primes
> to be used??

Niels Provos, I think.

> It seems prudent to not introduce OpenSSH proprietary
> features in FreeBSD. Given the lack of documentation
> for this protocol 'feature' I'd suggest we disable it
> until documented in the appropriate I-Ds or RFCs.

I don't have a problem with that. It doesn't seem any more useful than
the existing modes, and there's nothing third-party to interop with.

Kris

From owner-freebsd-security Sun Nov 26 14:19:18 2000
Message-ID: <3A218C5B.9F677E51@FreeBSD.org>
Date: Sun, 26 Nov 2000 14:19:07 -0800
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
To: cjclark@alum.mit.edu
Cc: Nuno Teixeira, freebsd-security@FreeBSD.org
Subject: Re: NATD: failed to write packet back (Permission denied)
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org> <20001126140033.E70192@149.211.6.64.reflexcom.com>

"Crist J . Clark" wrote:
> But if you want to traceroute other people, you only need to let the
> UDP _out_

Ah, sorry, I misread part of it. For that I just use:

    allow udp from any to any out

But that's for my private home network. I trust myself to only send out
useful, productive packets. :)

Doug
--
So what I want to know is, where does the RED brick road go?

Do YOU Yahoo!?

From owner-freebsd-security Sun Nov 26 14:19:48 2000
Date: Sun, 26 Nov 2000 14:19:44 -0800 (PST)
Message-Id: <200011262219.OAA78370@freefall.freebsd.org>
From: Jean-Marc Zucconi
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: fics
X-Mailer: Emacs 20.7.1

>>>>> Buliwyf McGraw writes:

> Anybody knows about a trojan or something bad called "fics"???
> I found this in one pc on my intranet:
> Interesting ports on (192.168.20.50):
> Port     State     Protocol  Service
> 5000     open      tcp       fics

fics = Free Internet Chess Server (see http://www.freechess.org). It
uses port 5000. Nothing bad here :-)

Jean-Marc
--
Jean-Marc Zucconi
PGP Key: finger jmz@FreeBSD.org

From owner-freebsd-security Sun Nov 26 14:57:21 2000
Message-ID: <3A21954C.F9E9D25F@vangelderen.org>
Date: Sun, 26 Nov 2000 18:57:16 -0400
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.73 [en] (X11; I; Linux 2.2.12 i386)
To: Niels Provos
Cc: Kris Kennaway, "Brian F. Feldman", security@FreeBSD.ORG
Subject: Re: OpenSSH 2.3.0 pre-upgrade
References: <20001126215625.21D89207C1@citi.umich.edu>

Hi Niels,

Niels Provos wrote:
>
> Hi,
>
> Jeroen C. van Gelderen wrote:
> >You happen to know who came up with the non-standard
> >extension to the SSH2 protocol that allows these primes
> >to be used??
> The key exchange is documented in
>
>     Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol
>     draft-provos-secsh-dh-group-exchange-00.txt
>
> All rationale is contained within.

Ah! Thanks for the reference. You might want to publish
a reference to it (and the other I-Ds/RFCs) on openssh.com.

I do like the idea behind this new SSH2 key exchange but
I have a question: how does the client detect cooked primes?
Or at a more basic level: Are cooked primes a problem in
this setting?[1] If not, you want to mention this as a
non-issue in the "Security Considerations" section. If
cooked primes are indeed a problem the protocol needs to
be enhanced to counter them. Either way, the draft needs
a couple of extra words IMHO.

Anyway, my assumption that dh-group-exchange is non-standard
still holds as far as I can see so I'd still recommend not
enabling this feature by default for now. What steps have
to be taken to have this standardized? Is this proposal being
considered by the IETF secsh working group?

Cheers,
Jeroen

[1] My gut feeling says that cooked primes could cause privacy
    and repudiation problems; I may very well be wrong.
--
Jeroen C. van Gelderen - jeroen@vangelderen.org
"It is not utopian to work for a society without taxation; it is utopian
to think that the power to tax won't be abused once it is granted."
-- Murray N. Rothbard (1926-1995)

From owner-freebsd-security Sun Nov 26 16:41:41 2000
Date: Sun, 26 Nov 2000 16:40:55 -0800
From: "Crist J . Clark"
To: "Jeroen C. van Gelderen"
Cc: Niels Provos, Kris Kennaway, "Brian F. Feldman", security@FreeBSD.ORG
Subject: Re: OpenSSH 2.3.0 pre-upgrade
Message-ID: <20001126164055.K70192@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001126215625.21D89207C1@citi.umich.edu> <3A21954C.F9E9D25F@vangelderen.org>
X-Mailer: Mutt 1.0i
In-Reply-To: <3A21954C.F9E9D25F@vangelderen.org>; from jeroen@vangelderen.org on Sun, Nov 26, 2000 at 06:57:16PM -0400

On Sun, Nov 26, 2000 at 06:57:16PM -0400, Jeroen C. van Gelderen wrote:
> Hi Niels,
>
> Niels Provos wrote:
> >
> > Hi,
> >
> > Jeroen C. van Gelderen wrote:
> > >You happen to know who came up with the non-standard
> > >extension to the SSH2 protocol that allows these primes
> > >to be used??
> > The key exchange is documented in
> >
> >     Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol
> >     draft-provos-secsh-dh-group-exchange-00.txt
> >
> > All rationale is contained within.
>
> Ah! Thanks for the reference. You might want to publish
> a reference to it (and the other I-Ds/RFCs) on openssh.com.
>
> I do like the idea behind this new SSH2 key exchange but
> I have a question: how does the client detect cooked primes?

Why would a client need to? You already place trust in the server; it
can obviously decrypt what you send to it. If someone wants to
eavesdrop and has compromised the server, there are much, much easier
ways for them to do so than slip in "cooked primes."
--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Sun Nov 26 16:48:41 2000
Date: Sun, 26 Nov 2000 18:48:37 -0600 (CST)
From: Mike Silbersack
To: Kris Kennaway
Cc: Buliwyf McGraw, freebsd-security@FreeBSD.ORG
Subject: Re: fics
In-Reply-To: <20001126140003.A38904@citusc17.usc.edu>

On Sun, 26 Nov 2000, Kris Kennaway wrote:

> is to jump on the machine itself and look at the processes with a
> lsof-like tool. I don't know of any of these for Windows.
>
> Kris

I found an lsof-like program called "inzider" a few weeks ago, it should
be findable on winfiles or through a search engine. It works ok, but not
great; it seems to miss some sockets. However, it's better than nothing.
Granted, that could be due to oddities of win9x - there are other lsof
programs which only run under NT/2000 and are presumably more accurate.

Mike "Silby" Silbersack

From owner-freebsd-security Sun Nov 26 17:30:24 2000
Date: Sun, 26 Nov 2000 20:30:17 -0500 (EST)
From: Garrett Wollman
Message-Id: <200011270130.UAA88239@khavrinen.lcs.mit.edu>
To: Doug Barton
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
In-Reply-To: <3A218C5B.9F677E51@FreeBSD.org>
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org> <20001126140033.E70192@149.211.6.64.reflexcom.com> <3A218C5B.9F677E51@FreeBSD.org>

< said:

> allow udp from any to any out

> But that's for my private home network. I trust myself to only send out
> useful, productive packets. :)

I must admit to being puzzled by home firewalls, at least among this
group of people. If you've got some promiscuous operating system from
Washington State running, I can somewhat understand doing that. If you
just have a single machine, which is under your direct control, then
doing packet filtering is just silly. If your machine is properly
configured and secured, filtering out packets which would otherwise be
thrown away anyway serves no useful purpose. (If the bandwidth
potentially wasted matters to you, that's a problem you have to deal
with at the upstream side anyway.)
-GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Nov 26 17:30:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from pt-quorum.com (pt-quorum.com [209.10.167.210]) by hub.freebsd.org (Postfix) with ESMTP id 96C7037B4E5 for ; Sun, 26 Nov 2000 17:30:19 -0800 (PST) Received: from n2 ([213.30.47.209]) by pt-quorum.com (8.9.3/8.9.3) with SMTP id BAA32711; Mon, 27 Nov 2000 01:25:45 GMT Message-ID: <003301c05812$0f7deb60$0200a8c0@n2> From: "Nuno Teixeira" To: Cc: References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org> <20001126140033.E70192@149.211.6.64.reflexcom.com> Subject: Re: NATD: failed to write packet back (Permission denied) Date: Mon, 27 Nov 2000 01:33:32 -0000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, 1. Ok. It works. Now I can traceroute others but the outside can't traceroute me. The result is: "65435 Deny UDP other_server:65302 my_server:33509 in via tun0" 2. I found one problem: when I login other computer via FTP and I make a "ls" I get the log: "65435 Deny TCP ftp_server:20 my_server:49152 in via tun0" Does I forgot something? My fwrules are: # Firewall rules # Written by Marc Silver (marcs@draenor.org) # http://draenor.org/ipfw # Freely distributable # Define the firewall command (as in /etc/rc.firewall) for easy # reference. Helps to make it easier to read. fwcmd="/sbin/ipfw" # Force a flushing of the current rules before we reload. 
$fwcmd -f flush # Allow all data from my network card and localhost. Make sure you # change your network card (mine was fxp0) before you reboot. :) $fwcmd add allow ip from any to any via lo0 $fwcmd add allow ip from any to any via ed0 # Allow all connections that I initiate. $fwcmd add allow tcp from any to any out xmit tun0 setup # Once connections are made, allow them to stay open. $fwcmd add allow tcp from any to any via tun0 established # Everyone on the internet is allowed to connect to the following # services on the machine. This example shows that people may connect # to ssh and apache. # $fwcmd add allow tcp from any to any 80 setup # $fwcmd add allow tcp from any to any 22 setup # This sends a RESET to all ident packets. $fwcmd add reset log tcp from any to any 113 in recv tun0 # -- ISP NAME SERVERS: # NETC 212.18.160.133 212.18.160.134 # IOL 193.126.4.33 193.126.4.33 # Allow outgoing DNS queries ONLY to the specified servers. $fwcmd add allow udp from any to 212.18.160.133 53 out xmit tun0 $fwcmd add allow udp from any to 212.18.160.134 53 out xmit tun0 # Allow them back in with the answers... :) $fwcmd add allow udp from 212.18.160.133 53 to any in recv tun0 $fwcmd add allow udp from 212.18.160.134 53 to any in recv tun0 # Allow ICMP (for ping and traceroute to work). You may wish to # disallow this, but I feel it suits my needs to keep them in. $fwcmd add 65435 allow icmp from any to any $fwcmd add allow udp from any to any 33434-33474 out via tun0 # Deny all the rest. $fwcmd add 65435 deny log ip from any to any Thanks, Nuno Teixeira ----- Original Message ----- From: "Crist J . Clark" To: "Doug Barton" Cc: "Nuno Teixeira" ; Sent: Sunday, November 26, 2000 10:00 PM Subject: Re: NATD: failed to write packet back (Permission denied) > On Sun, Nov 26, 2000 at 01:43:03PM -0800, Doug Barton wrote: > > "Crist J . Clark" wrote: > > > > > > On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote: > > > > Hi, > > > > > > > > I think not. 
Can you tell me how to add this rule to my ruleset? > > > > > > The two rules needed to get UNIX-style traceroutes to work are, > > > > > > Sfwcmd add allow udp from any to any 33434-33474 out via ${oif} > > > > When I do a traceroute from a freebsd machine outside my firewall to the > > firewall machine, I see this: > > > > ipfw: 1200 Deny UDP :38575 :33468 in via ep0 > > > > ipfw: 1200 Deny UDP :38597 :33477 in via ep0 > > ipfw: 1200 Deny UDP :38597 :33478 in via ep0 > > ipfw: 1200 Deny UDP :38597 :33479 in via ep0 > > > > Which supports what I've been told that unix traceroute uses udp > > packets. It sounds like in order to allow traceroutes through the > > firewall you have to open up a pretty big hole for udp... > > But if you want to traceroute other people, you only need to let the > UDP _out_ and the ICMP types 11 and 3 in (11:0 and 3:3 to be precise). > > As for how it works, read the manpage, > > This program attempts to trace the route an IP packet > would follow to some internet host by launching UDP probe > packets with a small ttl (time to live) then listening for > an ICMP "time exceeded" reply from a gateway. We start > our probes with a ttl of one and increase by one until we > get an ICMP "port unreachable" (which means we got to > "host") or hit a max (which defaults to 30 hops & can be > changed with the -m flag). > > As for people tracerouting you, blocking the ususal UNIX-style (the > one we've been discussing) or M$-style (using pings rather than UDP) > is not too tough. However, if you let any traffic into your network > (and what's the point of connecting to the 'Net if you don't), it is > extremely difficult to stop people from tracerouting you by other > means. > > If you want to let people traceroute your net, yeah, you need to make > a pretty big hole... but if you want to let people to traceroute you, > you apparently are interested in giving out a lot of information > anyway. > -- > Crist J. 
Clark cjclark@alum.mit.edu > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Nov 26 18:32:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from postman.orangenetwork.net (ns.orangenetwork.net [211.123.49.50]) by hub.freebsd.org (Postfix) with SMTP id 6775537B479 for ; Sun, 26 Nov 2000 18:32:25 -0800 (PST) Received: (qmail 10032 invoked from network); 27 Nov 2000 11:32:11 +0900 Received: from unknown (HELO stanley) (202.214.96.71) by ns.orangenetwork.net with SMTP; 27 Nov 2000 11:32:11 +0900 Date: Mon, 27 Nov 2000 11:32:22 +0900 From: Melon To: freebsd-security@freebsd.org Subject: ProFTPD PAM error message (was wuftpd) Message-Id: <3A21C7B6B4.310CMELON@postman.orangenetwork.net> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver 1.26.05 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello all, I appreciated for your advices. I have decided to disable PAM at this time. I'm still using 3.4-RELEASE which have a bug on PAM... I will try use PAM again when I upgrade to 4.2-RELEASE. 
- Melon

From owner-freebsd-security Sun Nov 26 18:42: 6 2000
From: "James Lim"
To: "Melon", freebsd-security@freebsd.org
Date: Mon, 27 Nov 2000 10:39:26 +0800
Subject: Re: ProFTPD PAM error message (was wuftpd)
Message-ID: <00db01c0581b$48959de0$fa5e78cb@gchang>

Hi there,

Try AuthPAM off in the proftpd conf file, which will solve the problem. It worked for me.

Regards,
James Lim

----- Original Message -----
From: "Melon"
Sent: Monday, November 27, 2000 10:32 AM
Subject: ProFTPD PAM error message (was wuftpd)

> Hello all,
>
> I appreciate your advice.
>
> I have decided to disable PAM at this time. I'm still using 3.4-RELEASE,
> which has a bug in PAM...
>
> I will try to use PAM again when I upgrade to 4.2-RELEASE.
>
> - Melon

From owner-freebsd-security Sun Nov 26 19:15:41 2000
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Date: Sun, 26 Nov 2000 21:31:34 +0100
Subject: Re: static ARP tables
Message-ID: <20001126213134.K27042@speedy.gsinet>

On Sun, Nov 26, 2000 at 15:10 -0500, Dominick LaTrappe wrote:
>
> What I'd really like to see is a 'static' flag that can be
> added to individual ARP table entries. I have several networks
> with servers and routers whose MAC/IP/switchport associations
> should never change, but also workstations that change all the
> time.

If I get your "static" right this already is the default behaviour of "arp -s"ed entries:

----- man 8 arp --------------------------------------------
...
     -s hostname ether_addr
             Create an ARP entry for the host called hostname with the
             Ethernet address ether_addr.  [ ... ]  The entry will be
             permanent unless the word temp is given in the command.
             [ ... ]
...
----- man 8 arp --------------------------------------------

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

From owner-freebsd-security Sun Nov 26 20:11:41 2000
From: Doug Barton
To: Garrett Wollman
Cc: freebsd-security@FreeBSD.org
Date: Sun, 26 Nov 2000 20:11:20 -0800
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <3A21DEE8.13CEA4EA@FreeBSD.org>

Garrett Wollman wrote:
>
> < said:
> > allow udp from any to any out
>
> > But that's for my private home network. I trust myself to only send out
> > useful, productive packets. :)
>
> I must admit to being puzzled by home firewalls, at least among this
> group of people. If you've got some promiscuous operating system from
> Washington State running, I can somewhat understand doing that. If
> you just have a single machine

"Network," in the sentence above implies that this is not the case. :)

Doug
-- 
So what I want to know is, where does the RED brick road go?

Do YOU Yahoo!?

From owner-freebsd-security Sun Nov 26 20:28: 8 2000
From: James Wyatt
To: Garrett Wollman
Cc: Doug Barton, freebsd-security@FreeBSD.ORG
Date: Sun, 26 Nov 2000 22:27:12 -0600 (CST)
Subject: Re: NATD: failed to write packet back (Permission denied)
In-Reply-To: <200011270130.UAA88239@khavrinen.lcs.mit.edu>

On Sun, 26 Nov 2000, Garrett Wollman wrote:
> < said:
> > But that's for my private home network. I trust myself to only send out
> > useful, productive packets. :)
>
> I must admit to being puzzled by home firewalls, at least among this
> group of people. If you've got some promiscuous operating system from
> Washington State running, I can somewhat understand doing that. If
> you just have a single machine, which is under your direct control,
> then doing packet filtering is just silly. If your machine is
> properly configured and secured, filtering out packets which would
> otherwise be thrown away anyway serves no useful purpose. (If the
[ ... ]

Some of us set our home networks (really small office) up to use this stuff so that when we build a "real" one (for money and protecting another company) we know how everything operates and have something to compare to should something not work the way we expect. - Jy@

From owner-freebsd-security Sun Nov 26 20:29:35 2000
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Date: Sun, 26 Nov 2000 23:29:26 -0500
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001126232925.E29815@pir.net>

James Wyatt probably said:
> Some of us set our home networks (really small office) up to use this stuff
> so that when we build a "real" one (for money and protecting another company)
> we know how everything operates and have something to compare to should
> something not work the way we expect. - Jy@

and some of us just like to know when our machines are being scanned and such, and to prevent access to some services.

P.

-- 
pir                  pir@pir.net                    pir@net.tufts.edu

From owner-freebsd-security Sun Nov 26 21: 7: 5 2000
From: "Crist J . Clark"
To: Nuno Teixeira
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Date: Sun, 26 Nov 2000 21:06:34 -0800
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001126210634.O70192@149.211.6.64.reflexcom.com>
In-Reply-To: <003301c05812$0f7deb60$0200a8c0@n2>

On Mon, Nov 27, 2000 at 01:33:32AM -0000, Nuno Teixeira wrote:
> Hello,
>
> 1. Ok. It works. Now I can traceroute others but the outside can't
> traceroute me. The result is:
>
> "65435 Deny UDP other_server:65302 my_server:33509 in via tun0"

Oh, you wanted to allow traceroutes in? Someone else posted the rules to allow it in and also mentioned that it is a really big hole to put in the firewall. But to review, you basically just need to allow the same stuff in the other direction.

> 2. I found one problem: when I log in to another computer via FTP and I do an
> "ls" I get the log:
>
> "65435 Deny TCP ftp_server:20 my_server:49152 in via tun0"
>
> Did I forget something?

Your ftp-data connection is being denied. FTP is an ugly, ugly protocol for firewalls since it uses two channels, i.e. two completely independent TCP connections. That looks like a failure of a data connection initiated with a PORT command. Use passive (PASV) FTP. It should work fine.

-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Mon Nov 27 1:25:51 2000
From: "Alex N. Markelov"
To: "Will Mitayai Keeso Rowe"
Cc: "Steve Reid", "Vladimir I. Kulakov", freebsd-security@FreeBSD.ORG
Date: Mon, 27 Nov 2000 12:24:43 +0300
Subject: Re[2]: DOS attack of hardware problem?
Message-ID: <1771564079.20001127122443@futures.msk.ru>

Hello Will,

Friday, November 24, 2000, 11:30:54 AM, you wrote:

WMKR> has this been known to happen with xl0/3Com 3C509TX?

Yes, I saw the effect with a 3Com network card and a 3Com switch :(. Without manual configuration it hasn't worked properly.

WMKR> On Fri, Nov 24, 2000 at 09:21:32AM +0300, Vladimir I. Kulakov wrote:
>> It seems the network card in our server unpredictably switches from 100
>> to 10 Mbits and from half-duplex to full duplex.

Best regards,
Alex N. Markelov
----------------------------
System administrator.
Folium Ltd., Moscow, Russia.
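Going back to the ipfw log lines Nuno and Doug posted and Crist's explanation of them: the script below is an added example, not part of the thread, that parses such "Deny" lines and labels the two causes discussed above, inbound UNIX-style traceroute probes and refused active-mode (PORT) ftp-data connections, so a denied-packet log can be triaged instead of read by hand. The regex, the probe port window and the advice strings are assumptions of this example; the two constructed lines are marked as such.

```python
import re
from collections import Counter

# Matches the ipfw log format quoted in the thread, e.g.
#   "65435 Deny TCP ftp_server:20 my_server:49152 in via tun0"
# Only TCP and UDP lines carry src:port dst:port pairs; anything else
# (ICMP lines, unrelated syslog noise) makes parse_line() return None.
LOG_RE = re.compile(
    r"^(?:ipfw:\s*)?(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\S*):(?P<sport>\d+)\s+(?P<dst>\S*):(?P<dport>\d+)\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)$"
)

# UNIX traceroute sends UDP probes to port 33434 + n, one port per probe; with
# the defaults of 30 hops and 3 probes that is 33434..33523.  This window is an
# assumption of the example: Nuno's denied inbound probe landed on 33509, past
# the 33434-33474 range of the outbound rule quoted in the thread.
TRACEROUTE_BASE = 33434
TRACEROUTE_WINDOW = 30 * 3
FTP_DATA_PORT = 20  # server side of an active-mode (PORT) ftp-data connection

ADVICE = {
    "inbound-traceroute-probe": "Expected if you do not want to be traced; "
    "letting it through means opening the inverse of the outbound rules.",
    "active-ftp-data": "Data connection opened by the FTP server (PORT); "
    "use passive (PASV) FTP rather than opening port 20 inbound.",
    "other": "Denied by the catch-all rule; review against the ruleset.",
    "not-denied": "Nothing to do.",
}


def parse_line(line):
    """Return a dict of fields for a TCP/UDP ipfw log line, else None."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def classify(entry):
    """Label a parsed line with the cause discussed in the thread."""
    if entry["action"] != "Deny":
        return "not-denied"
    if (entry["proto"] == "UDP" and entry["direction"] == "in"
            and TRACEROUTE_BASE <= entry["dport"] < TRACEROUTE_BASE + TRACEROUTE_WINDOW):
        return "inbound-traceroute-probe"
    if (entry["proto"] == "TCP" and entry["direction"] == "in"
            and entry["sport"] == FTP_DATA_PORT):
        return "active-ftp-data"
    return "other"


def explain(line):
    """Classify one log line and return (label, advice); None if unparsable."""
    entry = parse_line(line)
    if entry is None:
        return None
    label = classify(entry)
    return label, ADVICE[label]


def summarize(lines):
    """Count labels over a batch of log lines, skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return counts


# Sample input: the lines Nuno and Doug posted (Doug's host fields were blank
# in the post) plus two constructed lines covering the remaining cases.
SAMPLE_LOG = [
    "65435 Deny UDP other_server:65302 my_server:33509 in via tun0",
    "65435 Deny TCP ftp_server:20 my_server:49152 in via tun0",
    "ipfw: 1200 Deny UDP :38575 :33468 in via ep0",
    "ipfw: 1200 Deny UDP :38597 :33477 in via ep0",
    "ipfw: 1200 Deny UDP :38597 :33478 in via ep0",
    "ipfw: 1200 Deny UDP :38597 :33479 in via ep0",
    "65435 Deny TCP 192.0.2.7:4444 203.0.113.5:22 in via tun0",  # constructed
    "65435 Deny ICMP:8.0 192.0.2.7 203.0.113.5 in via tun0",      # constructed, skipped
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line, "->", explain(line))
    print(summarize(SAMPLE_LOG))
```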
From owner-freebsd-security Mon Nov 27 3: 0:12 2000
From: "Nuno Teixeira"
Date: Mon, 27 Nov 2000 10:59:00 -0000
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <005901c05861$1528eed0$0100a8c0@gateway>

Hi,

1. Traceroute: No. I don't want anyone to traceroute me. It is working ok: I can traceroute others but they can't traceroute me.

2. FTP: Yes, you're right. I have an internal machine that has LeapFTP installed and it can do an "ls" with no problems because it works in passive mode.

I found this problem too when I tried to install FreeBSD ports. I think there is a way of turning on passive mode when installing new ports, since they are downloaded by ftp most of the time.

Thanks very much,

Nuno Teixeira

----- Original Message -----
From: "Crist J . Clark"
To: "Nuno Teixeira"
Sent: Monday, November 27, 2000 5:06 AM
Subject: Re: NATD: failed to write packet back (Permission denied)

> On Mon, Nov 27, 2000 at 01:33:32AM -0000, Nuno Teixeira wrote:
> > Hello,
> >
> > 1. Ok. It works. Now I can traceroute others but the outside can't
> > traceroute me. The result is:
> >
> > "65435 Deny UDP other_server:65302 my_server:33509 in via tun0"
>
> Oh, you wanted to allow traceroutes in? Someone else posted the rules
> to allow it in and also mentioned that it is a really big hole to put
> in the firewall. But to review, you basically just need to allow the
> same stuff in the other direction.
>
> > 2. I found one problem: when I log in to another computer via FTP and I do an
> > "ls" I get the log:
> >
> > "65435 Deny TCP ftp_server:20 my_server:49152 in via tun0"
> >
> > Did I forget something?
>
> Your ftp-data connection is being denied. FTP is an ugly, ugly
> protocol for firewalls since it uses two channels, i.e. two completely
> independent TCP connections. That looks like a failure of a
> data connection initiated with a PORT command. Use passive (PASV)
> FTP. It should work fine.
> --
> Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Mon Nov 27 3:19: 2 2000
From: "Oleg A. Paraschenko"
To: "Dominick LaTrappe", freebsd-security@FreeBSD.ORG
Date: Mon, 27 Nov 2000 14:19:25 +0300
Subject: Re: static ARP tables
Message-ID: <007201c05863$e65f8480$0701a8c0@dkn>

Hello!

> > What I'd really like to see is a 'static' flag that can be added to
> > individual ARP table entries. I have several networks with servers and
> > routers whose MAC/IP/switchport associations should never change, but also
> > workstations that change all the time.

>      -s hostname ether_addr
>              Create an ARP entry for the host called hostname with the
>              Ethernet address ether_addr.  The Ethernet address is given
>              as six hex bytes separated by colons.  The entry will be
>              permanent unless the word temp is given in the command.
>              ^^^^^^^^^

In FreeBSD 2.2.7 the term 'permanent' means that the kernel will not delete the ARP entry after a period of inactivity of the workstation. Any host on the network can change its IP, and the kernel will say 'arp: %s moved from %6D to %6D', even if the IP/MAC entry is set to 'permanent'.

> > I'm going to try to work on a patch for this, though maybe someone already
> > knows a hack?

I changed '/sys/netinet/if_ether.c' in order to disable IP/MAC changes.

---- Old file
...
	la = arplookup(isaddr.s_addr, itaddr.s_addr == myaddr.s_addr, 0);
	if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) {
		if (sdl->sdl_alen &&
		    bcmp((caddr_t)ea->arp_sha, LLADDR(sdl), sdl->sdl_alen))
			log(LOG_INFO, "arp: %s moved from %6D to %6D\n",
			    inet_ntoa(isaddr), (u_char *)LLADDR(sdl), ":",
			    ea->arp_sha, ":");
		(void)memcpy(LLADDR(sdl), ea->arp_sha, sizeof(ea->arp_sha));
		sdl->sdl_alen = sizeof(ea->arp_sha);
...
----- New file
...
	if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) {
#ifndef DONT_MOVE_ARP
		if (sdl->sdl_alen &&
		    bcmp((caddr_t)ea->arp_sha, LLADDR(sdl), sdl->sdl_alen))
			log(LOG_INFO, "arp: %s moved from %6D to %6D\n",
			    inet_ntoa(isaddr), (u_char *)LLADDR(sdl), ":",
			    ea->arp_sha, ":");
		(void)memcpy(LLADDR(sdl), ea->arp_sha, sizeof(ea->arp_sha));
#else /* DONT_MOVE_ARP */
		/* An existing binding is never overwritten; only log the attempt.
		 * A fresh entry (sdl_alen == 0) is still learned as before. */
		if (sdl->sdl_alen &&
		    bcmp((caddr_t)ea->arp_sha, LLADDR(sdl), sdl->sdl_alen)) {
			log(LOG_INFO, "arp: %s will not be moved from %6D to %6D\n",
			    inet_ntoa(isaddr), (u_char *)LLADDR(sdl), ":",
			    ea->arp_sha, ":");
		} else {
			(void)memcpy(LLADDR(sdl), ea->arp_sha, sizeof(ea->arp_sha));
		}
#endif /* DONT_MOVE_ARP */
		sdl->sdl_alen = sizeof(ea->arp_sha);
...
--------

Probably it is not what you want, but you can start with it.

Bye!
----
Oleg

From owner-freebsd-security Mon Nov 27 3:21:40 2000
From: Steve Reid
To: Nuno Teixeira
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Date: Mon, 27 Nov 2000 03:21:36 -0800
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001127032136.A47483@grok>
In-Reply-To: <005901c05861$1528eed0$0100a8c0@gateway>

On Mon, Nov 27, 2000 at 10:59:00AM -0000, Nuno Teixeira wrote:
> I think there is a way of turning on passive mode when installing new
> ports, since they are downloaded by ftp most of the time.

For ports:

export FETCH_BEFORE_ARGS="-p"

For general /usr/bin/ftp usage:

export FTP_PASSIVE_MODE="yes"

Stick those in your rc file.

From owner-freebsd-security Mon Nov 27 4:31:45 2000
From: "Richard Ward"
To: freebsd-security@FreeBSD.ORG
Date: Mon, 27 Nov 2000 07:31:31 -0500
Subject: *login
Message-ID: <028e01c0586d$fb1c7680$0101a8c0@pavilion>

Hello,

I'm wondering what program would use root to execute 'login -h -p'. I've noticed every now and then that it would be running as root, and as a regular user, you cannot use the -h option. What exactly could be going on? I only run telnet and ssh1 as remote login daemons. Does telnet or ssh1 require this login command to be executed at certain times or randomly? I have both telnet and ssh clients chmod 700, so a regular user won't be able to remotely login from my computer... Any ideas?

-- 
Richard Ward
"sleep deprived and caffeine-empowered"
Hello,
I'm wondering what program would use = root to=20 execute 'login -h <some weird host> -p". I've noticed every now = and then=20 that it would be running as root, and as a regular user, you cannot use = the -h=20 option. What exactly could be going on? I only run telnet and ssh1 as = remote=20 login daemons. Does telnet or ssh1 require this login command to be = executed=20 certain times or randomly? I have both telnet and ssh clients chmod 700, = so a=20 regular user won't be able to remotely login from my = computer...
 
Any ideas?
--
Richard Ward
"sleep deprived and=20 caffeine-empowered"
------=_NextPart_000_028B_01C05844.0FB95B00-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 4:46: 2 2000 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (sentinel.office1.bg [195.24.48.182]) by hub.freebsd.org (Postfix) with SMTP id B3D6B37B479 for ; Mon, 27 Nov 2000 04:45:53 -0800 (PST) Received: (qmail 3219 invoked by uid 1000); 27 Nov 2000 11:45:02 -0000 Date: Mon, 27 Nov 2000 13:45:02 +0200 From: Peter Pentchev To: Steve Reid Cc: Nuno Teixeira , cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG Subject: Re: NATD: failed to write packet back (Permission denied) Message-ID: <20001127134502.A420@ringworld.oblivion.bg> Mail-Followup-To: Steve Reid , Nuno Teixeira , cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org> <20001126140033.E70192@149.211.6.64.reflexcom.com> <003301c05812$0f7deb60$0200a8c0@n2> <20001126210634.O70192@149.211.6.64.reflexcom.com> <005901c05861$1528eed0$0100a8c0@gateway> <20001127032136.A47483@grok> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001127032136.A47483@grok>; from sreid@sea-to-sky.net on Mon, Nov 27, 2000 at 03:21:36AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Nov 27, 2000 at 03:21:36AM -0800, Steve Reid wrote: > On Mon, Nov 27, 2000 at 10:59:00AM -0000, Nuno Teixeira wrote: > > I think that is a way of turning on passive mode on installing new > > ports since they are downloaded by ftp almost the times. > > For ports: > export FETCH_BEFORE_ARGS="-p" > > For general /usr/bin/ftp usage: > export FTP_PASSIVE_MODE="yes" > > Stick those in your rc file. 
Actually FTP_PASSIVE_MODE="yes" works for fetch too. G'luck, Peter -- You have, of course, just begun reading the sentence that you have just finished reading. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 4:50:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (sentinel.office1.bg [195.24.48.182]) by hub.freebsd.org (Postfix) with SMTP id AAF5837B479 for ; Mon, 27 Nov 2000 04:50:25 -0800 (PST) Received: (qmail 3977 invoked by uid 1000); 27 Nov 2000 12:49:54 -0000 Date: Mon, 27 Nov 2000 14:49:54 +0200 From: Peter Pentchev To: Richard Ward Cc: freebsd-security@FreeBSD.ORG Subject: Re: *login Message-ID: <20001127144953.C420@ringworld.oblivion.bg> Mail-Followup-To: Richard Ward , freebsd-security@FreeBSD.ORG References: <028e01c0586d$fb1c7680$0101a8c0@pavilion> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <028e01c0586d$fb1c7680$0101a8c0@pavilion>; from mh@neonsky.net on Mon, Nov 27, 2000 at 07:31:31AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Nov 27, 2000 at 07:31:31AM -0500, Richard Ward wrote: > Hello, > I'm wondering what program would use root to execute 'login -h -p". I've noticed every now and then that it would be running as root, and as a regular user, you cannot use the -h option. What exactly could be going on? I only run telnet and ssh1 as remote login daemons. Does telnet or ssh1 require this login command to be executed certain times or randomly? I have both telnet and ssh clients chmod 700, so a regular user won't be able to remotely login from my computer... Both /usr/libexec/telnetd and the OpenSSH sshd start login with a -h option. 
However, it is next to impossible (or at least very, very improbable) to feed fake hostnames to either of them - SSH as a whole is notoriously picky as to DNS-resolving hostnames and such, and I've just checked the telnetd source in 4.2-STABLE - it accepts no data from the client, but tries to resolve the hostname both ways using realhostname_sa(3). So, both telnetd and sshd only record (and pass to login) the real client hostname. Have you been seeing actual login processes on your system, running with a weird -h command-line option, or do you base your judgement on utmp/wtmp records? If it is utmp/wtmp records, there might be other candidates for writing bad info there - X terminals come to mind immediately, PAM might also be involved in some way, and there certainly are other possibilities. G'luck, Peter -- This sentence contradicts itself - or rather - well, no, actually it doesn't! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 6:56:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from citi.umich.edu (citi.umich.edu [141.211.92.141]) by hub.freebsd.org (Postfix) with ESMTP id B492637B479; Mon, 27 Nov 2000 06:56:55 -0800 (PST) Received: from citi.umich.edu (ssh-mapper.citi.umich.edu [141.211.92.147]) by citi.umich.edu (Postfix) with ESMTP id 07C53207C1; Mon, 27 Nov 2000 09:56:55 -0500 (EST) Subject: Re: OpenSSH 2.3.0 pre-upgrade From: Niels Provos In-Reply-To: "Jeroen C. van Gelderen", Sun, 26 Nov 2000 18:57:16 -0400 To: "Jeroen C. van Gelderen" Cc: Kris Kennaway , "Brian F. Feldman" , security@FreeBSD.ORG Date: Mon, 27 Nov 2000 09:56:55 -0500 Message-Id: <20001127145655.07C53207C1@citi.umich.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <3A21954C.F9E9D25F@vangelderen.org>, "Jeroen C. 
van Gelderen" writes : >Or at a more basic level: Are cooked primes a problem in >this setting?[1] If not, you want to mention this as a >non-issue in the "Security Considerations" section. If >cooked primes are indeed a problem the protocol needs to >be enhanced to counter them. Either way, the draft needs >a couple of extra words IMHO. That is not an issue. You need to trust the server anyway. If you have any helpful wording that could be added to the draft, I will be more than happy to include it. >Anyway, my assumption that dh-group-exchange is non-standard >still holds as far as I can see so I'd still recommend not >enabling this feature by default for now. There are a couple of implementations besides OpenSSH that support it. Of course, you could still disable it, but you should think about it carefully. >What steps have to taken to have this standardized? Is this >proposal being considered by the IETF secsh working group? We are working on it, it takes time though. Niels. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 8:14: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: from rly-ip01.mx.aol.com (rly-ip01.mx.aol.com [205.188.156.49]) by hub.freebsd.org (Postfix) with ESMTP id 913E537B479 for ; Mon, 27 Nov 2000 08:14:01 -0800 (PST) Received: from tot-wi.proxy.aol.com (tot-wi.proxy.aol.com [205.188.197.1]) by rly-ip01.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id LAA06250; Mon, 27 Nov 2000 11:13:42 -0500 (EST) Received: from pavilion (AC86C1F9.ipt.aol.com [172.134.193.249]) by tot-wi.proxy.aol.com (8.10.0/8.10.0) with SMTP id eARGDeR15071; Mon, 27 Nov 2000 11:13:40 -0500 (EST) Message-ID: <000b01c0588d$0138b320$0101a8c0@pavilion> From: "Richard Ward" To: Cc: "Peter Pentchev" References: <028e01c0586d$fb1c7680$0101a8c0@pavilion> <20001127144953.C420@ringworld.oblivion.bg> Subject: Re: *login Date: Mon, 27 Nov 2000 11:13:38 -0500 MIME-Version: 
1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 X-Apparently-From: Nis8840@aol.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I saw the login running with the -h option for long periods of times on numerous ip addresses, but not with "high risk" host names (dialup, aol, etc) None of which I can recognize as a regular user's host name, maybe someone who is trying to login with telnet/ssh unsuccessfully? Recently a FreeBSD 4.1.1-STABLE box that I administrate was exploited via the default ports package's named 8.2.3-T5B which according to many I have talked with is not exploitable with the 4.1.1-STABLE release. Since I run bind with userid/groupid "bind", a non-privileged user, the "hacker" was only able to add absurd messages to my named.conf, causing named to fail when reading the conf file and not start back up. I checked www.isc.org's website and found an upgrade from T5B to T6B saying quote "infamous "munnari" bug suite fixed". Could this be the bug that was exploited in my case? Are there any patches or port upgrades to fix an exploitable named 8.2.3-T5B that might be included in T6B? Thanks. -- Richard Ward "sleep deprived and caffeine-empowered" ----- Original Message ----- From: Peter Pentchev To: Richard Ward Cc: Sent: Monday, November 27, 2000 7:49 AM Subject: Re: *login > On Mon, Nov 27, 2000 at 07:31:31AM -0500, Richard Ward wrote: > > Hello, > > I'm wondering what program would use root to execute 'login -h -p". I've noticed every now and then that it would be running as root, and as a regular user, you cannot use the -h option. What exactly could be going on? I only run telnet and ssh1 as remote login daemons. Does telnet or ssh1 require this login command to be executed certain times or randomly? 
I have both telnet and ssh clients chmod 700, so a regular user won't be able to remotely login from my computer... > > Both /usr/libexec/telnetd and the OpenSSH sshd start login with a -h option. > However, it is next to impossible (or at least very, very improbable) to feed > fake hostnames to either of them - SSH as a whole is notoriously picky as to > DNS-resolving hostnames and such, and I've just checked the telnetd source > in 4.2-STABLE - it accepts no data from the client, but tries to resolve > the hostname both ways using realhostname_sa(3). So, both telnetd and sshd > only record (and pass to login) the real client hostname. > > Have you been seeing actual login processes on your system, running with > a weird -h command-line option, or do you base your judgement on utmp/wtmp > records? If it is utmp/wtmp records, there might be other candidates for > writing bad info there - X terminals come to mind immediately, PAM might > also be involved in some way, and there certainly are other possibilities. > > G'luck, > Peter > > -- > This sentence contradicts itself - or rather - well, no, actually it doesn't! > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 8:22:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id E5F5137B479 for ; Mon, 27 Nov 2000 08:22:15 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) 
by homer.softweyr.com with esmtp (Exim 3.16 #1) id 13zuVa-0000CI-00; Sat, 25 Nov 2000 22:37:50 -0700 Message-ID: <3A20A1AD.2CB9861C@softweyr.com> Date: Sat, 25 Nov 2000 22:37:49 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: =?iso-8859-1?Q?P=E4r?= Thoren Cc: freebsd-security@freebsd.org Subject: Re: secure tunnel References: Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Pär Thoren wrote: > > Can I forward port 80 on a natd server so that every connection that is > made by local machines (nat clients) to port 80 on the natdserver(on the > internal interface) will go to another server? Can this be done with ssh > tunneling so that the connection between the natdserver and the other www > server will be secure? ipfilter and ipnat can do this. See the transproxy port for an example of a transparent www proxy using ipnat. I'm not sure how close this might be to your problem, but it's a start. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 8:22:26 2000 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id C18F237B4C5 for ; Mon, 27 Nov 2000 08:22:19 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) 
by homer.softweyr.com with esmtp (Exim 3.16 #1) id 1408aC-0000AC-00; Sun, 26 Nov 2000 13:39:32 -0700 Message-ID: <3A217504.7FBE2F62@softweyr.com> Date: Sun, 26 Nov 2000 13:39:32 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: dmaddox@conterra.com Cc: John-Mark Gurney , freebsd-security@FreeBSD.ORG Subject: Re: How to prevent motd including os info References: <4.1.19990913003757.0096b660@mail.thegrid.net> <4.1.19990913003757.0096b660@mail.thegrid.net> <19990913173532.A842@dmaddox.conterra.com> <3.0.3.32.19990913191825.00ad66f0@207.227.119.2> <19990913210513.A3167@dmaddox.conterra.com> <19990917120236.39316@hydrogen.fircrest.net> <19990917175603.A1571@dmaddox.conterra.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Donald J . Maddox" wrote: > > On Fri, Sep 17, 1999 at 12:02:36PM -0700, John-Mark Gurney wrote: > > Donald J . Maddox scribbled this message on Sep 13: > > > There may not be ANYTHING *BSD in the jail environment, let alone > > > 'strings'. Again, assumptions. > > ^^^^^^^^^^^^^^^^^^ > > ummm.. yes there is... can we say ENOSYS?? I knew you could... assuming > > people have write permissions and execute permissions... ^^^^^^^^ > > When discussing an environment one has no knowledge of whatsoever, it's > not a good idea to assume a lot. You know, this is all sounding rather preachy and pedantic, especially coming from somebody who's sending mail dated over a year ago. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 8:22:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 5EFDA37B4CF; Mon, 27 Nov 2000 08:22:20 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 140Ig5-00009j-00; Mon, 27 Nov 2000 00:26:18 -0700 Message-ID: <3A220C99.1DCAB7EC@softweyr.com> Date: Mon, 27 Nov 2000 00:26:17 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Jean-Marc Zucconi Cc: Buliwyf McGraw , freebsd-security@FreeBSD.ORG Subject: Re: fics References: <200011262219.OAA78370@freefall.freebsd.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jean-Marc Zucconi wrote: > > >>>>> Buliwyf McGraw writes: > > > Anybody knows about a trojan or something bad called "fics"??? > > > I found this in one pc on my intranet: > > > Interesting ports on (192.168.20.50): > > Port State Protocol Service > > 5000 open tcp fics > > fics = Free Internet Chess Server (see http://www.freechess.org). It > uses port 5000. Nothing bad here :-) Has it been audited? -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 8:22:37 2000 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 0164237B4D7; Mon, 27 Nov 2000 08:22:22 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 140JAh-0000G6-00; Mon, 27 Nov 2000 00:57:55 -0700 Message-ID: <3A221402.D88321D8@softweyr.com> Date: Mon, 27 Nov 2000 00:57:54 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Garrett Wollman Cc: Doug Barton , freebsd-security@FreeBSD.ORG Subject: Re: NATD: failed to write packet back (Permission denied) References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org> <20001126140033.E70192@149.211.6.64.reflexcom.com> <3A218C5B.9F677E51@FreeBSD.org> <200011270130.UAA88239@khavrinen.lcs.mit.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Garrett Wollman wrote: > > < said: > > allow udp from any to any out > > > But that's for my private home network. I trust myself to only send out > > useful, productive packets. :) > > I must admit to being puzzled by home firewalls, at least among this > group of people. If you've got some promiscuous operating system from > Washington State running, I can somewhat understand doing that. If > you just have a single machine, which is under your direct control, > then doing packet filtering is just silly. 
If your machine is My "machine"? You certainly don't understand my basement/network operating center, which includes a mixture of Free/Net/OpenBSD, Solaris, various Windows, and a lone Atari 520ST. OK, so the Atari isn't really on the network. > properly configured and secured, filtering out packets which would > otherwise be thrown away anyway serves no useful purpose. (If the > bandwidth potentially wasted matters to you, that's a problem you have > to deal with at the upstream side anyway.) Since I have T-1 speeds coming into said basement, it is entirely likely that somebody may notice and attempt to hijack one or more of my machines to use in a DDOS attack. In fact, somebody already has tried. And failed. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 8:37:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (sentinel.office1.bg [195.24.48.182]) by hub.freebsd.org (Postfix) with SMTP id 0FB0537B4CF for ; Mon, 27 Nov 2000 08:37:12 -0800 (PST) Received: (qmail 6681 invoked by uid 1000); 27 Nov 2000 16:36:38 -0000 Date: Mon, 27 Nov 2000 18:36:38 +0200 From: Peter Pentchev To: Wes Peters Cc: Jean-Marc Zucconi , Buliwyf McGraw , freebsd-security@FreeBSD.ORG Subject: Re: fics Message-ID: <20001127183638.I420@ringworld.oblivion.bg> Mail-Followup-To: Wes Peters , Jean-Marc Zucconi , Buliwyf McGraw , freebsd-security@FreeBSD.ORG References: <200011262219.OAA78370@freefall.freebsd.org> <3A220C99.1DCAB7EC@softweyr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A220C99.1DCAB7EC@softweyr.com>; from wes@softweyr.com on Mon, Nov 27, 2000 at 12:26:17AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: 
FreeBSD.org On Mon, Nov 27, 2000 at 12:26:17AM -0700, Wes Peters wrote: > Jean-Marc Zucconi wrote: > > > > >>>>> Buliwyf McGraw writes: > > > > > Anybody knows about a trojan or something bad called "fics"??? > > > > > I found this in one pc on my intranet: > > > > > Interesting ports on (192.168.20.50): > > > Port State Protocol Service > > > 5000 open tcp fics > > > > fics = Free Internet Chess Server (see http://www.freechess.org). It > > uses port 5000. Nothing bad here :-) > > Has it been audited? I do not want to sling mud where no mud is due, but when I tried a version of about six months ago, it only took me three minutes and an attempt to restore a saved game to make the server crash (inadvertently). I *hope* they've fixed a couple of things in there, 'cause I just might have to use FICS in a couple of interesting ways in several months' time :( G'luck, Peter -- This sentence is false. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 8:38:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from cae88-102-101.sc.rr.com (cae88-102-101.sc.rr.com [24.88.102.101]) by hub.freebsd.org (Postfix) with ESMTP id 634E037B4C5 for ; Mon, 27 Nov 2000 08:38:22 -0800 (PST) Received: (from myself@localhost) by cae88-102-101.sc.rr.com (8.11.1/8.9.3) id eARGbiG20006; Mon, 27 Nov 2000 11:37:44 -0500 (EST) (envelope-from myself) Date: Mon, 27 Nov 2000 11:37:44 -0500 From: "Donald J . Maddox" To: Wes Peters Cc: dmaddox@conterra.com, John-Mark Gurney , freebsd-security@FreeBSD.ORG Subject: Re: How to prevent motd including os info Message-ID: <20001127113744.A19971@cae88-102-101.sc.rr.com> Reply-To: dmaddox@sc.rr.com Mail-Followup-To: "Donald J . 
Maddox" , Wes Peters , dmaddox@conterra.com, John-Mark Gurney , freebsd-security@FreeBSD.ORG References: <4.1.19990913003757.0096b660@mail.thegrid.net> <4.1.19990913003757.0096b660@mail.thegrid.net> <19990913173532.A842@dmaddox.conterra.com> <3.0.3.32.19990913191825.00ad66f0@207.227.119.2> <19990913210513.A3167@dmaddox.conterra.com> <19990917120236.39316@hydrogen.fircrest.net> <19990917175603.A1571@dmaddox.conterra.com> <3A217504.7FBE2F62@softweyr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A217504.7FBE2F62@softweyr.com>; from wes@softweyr.com on Sun, Nov 26, 2000 at 01:39:32PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I apologize profusely :-( I normally use mutt for email. Mutt saves all messages I send in a file called '~/Mail/outbox'. Yesterday, I decided to install KDE2 just to try it out. In the process, I decided to try KMail. Unfortunately, KMail looks at ~/Mail/outbox for messages waiting to be sent. So... All the email I've sent for about a year or 2 got RESENT :( I am NOT intentionally spamming the lists with year-old mail... Again, I apologize for all this. On Sun, Nov 26, 2000 at 01:39:32PM -0700, Wes Peters wrote: > "Donald J . Maddox" wrote: > > > > On Fri, Sep 17, 1999 at 12:02:36PM -0700, John-Mark Gurney wrote: > > > Donald J . Maddox scribbled this message on Sep 13: > > > > There may not be ANYTHING *BSD in the jail environment, let alone > > > > 'strings'. Again, assumptions. > > > ^^^^^^^^^^^^^^^^^^ > > > ummm.. yes there is... can we say ENOSYS?? I knew you could... assuming > > > people have write permissions and execute permissions... ^^^^^^^^ > > > > When discussing an environment one has no knowledge of whatsoever, it's > > not a good idea to assume a lot. > > You know, this is all sounding rather preachy and pedantic, especially > coming from somebody who's sending mail dated over a year ago. 
> > -- > "Where am I, and what am I doing in this handbasket?" > > Wes Peters Softweyr LLC > wes@softweyr.com http://softweyr.com/ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 8:38:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from bsdone.bsdwins.com (www.bsdwins.com [192.58.184.33]) by hub.freebsd.org (Postfix) with ESMTP id 466BB37B479 for ; Mon, 27 Nov 2000 08:38:54 -0800 (PST) Received: (from jwd@localhost) by bsdone.bsdwins.com (8.11.0/8.11.0) id eARGbVL00252; Mon, 27 Nov 2000 11:37:31 -0500 (EST) (envelope-from jwd) Date: Mon, 27 Nov 2000 11:37:31 -0500 From: "John W. De Boskey" To: cjclark@alum.mit.edu Cc: Nuno Teixeira , freebsd-security@FreeBSD.ORG Subject: Re: NATD: failed to write packet back (Permission denied) Message-ID: <20001127113731.A99705@bsdwins.com> References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001126113720.A70192@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Sun, Nov 26, 2000 at 11:37:21AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ----- Crist J . Clark's Original Message ----- > On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote: > > Hi, > > > > I think not. Can you tell me how to add this rule to my ruleset? > > The two rules needed to get UNIX-style traceroutes to work are, > > Sfwcmd add allow udp from any to any 33434-33474 out via ${oif} I've had to up the tail value of the udp port range to allow traceroute to work correctly in some instances. 
For instance, if I ping my home machine from freefall and I have full logging turned on, I get the following: ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33486 in via fxp0 ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0 ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33487 in via fxp0 ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0 ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33488 in via fxp0 ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0 Note the udp port number in the last request is 88. The range in the example is only 40 port numbers, but traceroute defaults to 30 hops, 3 probes max per hop. At least, that's how I read the source. -john > $fwcmd add allow icmp from any to any icmptype 3,11 in via ${oif} > > But you already have a more promiscuous rule for ICMP so that is not > needed. 'oif' is your external interface on a gateway machine. > -- > Crist J. Clark cjclark@alum.mit.edu > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 9:28:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id B24C837B479 for ; Mon, 27 Nov 2000 09:28:54 -0800 (PST) Received: (qmail 71607 invoked by uid 1001); 27 Nov 2000 17:28:48 +0000 (GMT) To: mh@neonsky.net Cc: freebsd-security@FreeBSD.ORG, roam@orbitel.bg Subject: Re: *login From: sthaug@nethelp.no In-Reply-To: Your message of "Mon, 27 Nov 2000 11:13:38 -0500" References: <000b01c0588d$0138b320$0101a8c0@pavilion> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Mon, 27 Nov 2000 18:28:48 +0100 Message-ID: <71605.975346128@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I checked www.isc.org's > website and found an upgrade from T5B to T6B saying 
quote "infamous > "munnari" bug suite fixed". Could this be the bug that was exploited in my > case? Probably not. The infamous "munnari" bug suite refers to a problem which was discussed on bind-workers@isc.org in a thread "8.2.3 - maybe a problem" started by Robert Elz on July 4, 2000. The problem was basically that named on some extremely busy systems managed to effectively block SIGCHLD, and therefore didn't clean up all of its children - and thus sooner or later ran out of virtual memory/swap space. Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 27 9:48:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from ajax1.sovam.com (ajax1.sovam.com [194.67.1.172]) by hub.freebsd.org (Postfix) with ESMTP id D2C3C37B479; Mon, 27 Nov 2000 09:48:14 -0800 (PST) Received: from ts8-a150.dial.sovam.com ([195.239.2.150]:1086 "EHLO ts8-a150.dial.sovam.com" ident: "NO-IDENT-SERVICE[2]" whoson: "-unregistered-" smtp-auth: TLS-CIPHER: TLS-PEER: ) by ajax1.sovam.com with ESMTP id ; Mon, 27 Nov 2000 20:48:03 +0300 Date: Mon, 27 Nov 2000 20:47:48 +0300 From: "Vladimir I. Kulakov" X-Mailer: The Bat! (v1.47 Halloween Edition) Reply-To: "Vladimir I. Kulakov" Organization: Kudesniki JSC X-Priority: 3 (Normal) Message-ID: <15940795775.20001127204748@kudesniki.ru> To: "Alex N. Markelov" Cc: freebsd-isp@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re[3]: DOS atack or hardware problem? In-reply-To: <1771564079.20001127122443@futures.msk.ru> References: <1771564079.20001127122443@futures.msk.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello Alex, ANM> Friday, November 24, 2000, 11:30:54 AM, you wrote: WMKR>> has this been known to happen with xl0/3Com 3C509TX? 
ANM> Yes, I saw the effect with 3Com network card and 3Com switch :(.
ANM> Without manual configuration it hasn't worked properly.

How to lock fxp0 to 100BASE/TX half-duplex?
There is only an option to set the full-duplex ('mediaopt full-duplex').
Is it implied half-duplex by default, or by default it's set to
"autodetect"?

Thanks

--
Best regards,
 Vladimir                            mailto:kulakov@kudesniki.ru

From owner-freebsd-security Mon Nov 27 10:26:03 2000
Date: Mon, 27 Nov 2000 12:19:48 -0600
From: "Justin W. Pauler"
To: "Vladimir I. Kulakov", "Alex N. Markelov"
Subject: Re: Re[3]: DOS attack or hardware problem?
Message-ID: <003b01c0589e$a6683c60$0a50400a@drnet.fais.net>
References: <1771564079.20001127122443@futures.msk.ru> <15940795775.20001127204748@kudesniki.ru>

I believe by default they usually go to 'autodetect'.
But to lock it in at 100BASE/TX half-duplex, I would try:

    ifconfig fxp0 media 100baseTX mediaopt half-duplex

I have come to find that if you are going to be running a FreeBSD server
in ANY type of production environment, you should not be using
'autodetect'.

Justin W. Pauler (drnet)
E-Mail: jwpauler@jwpages.com
ICQ: 95989631
IRC: Undernet IRC Network

----- Original Message -----
From: "Vladimir I. Kulakov"
To: "Alex N. Markelov"
Sent: Monday, November 27, 2000 11:47 AM
Subject: Re[3]: DOS attack or hardware problem?

> Hello Alex,
>
> ANM> Friday, November 24, 2000, 11:30:54 AM, you wrote:
> WMKR>> has this been known to happen with xl0/3Com 3C509TX?
> ANM> Yes, I saw the effect with 3Com network card and 3Com switch :(.
> ANM> Without manual configuration it hasn't worked properly.
>
> How to lock fxp0 to 100BASE/TX half-duplex?
> There is only an option to set the full-duplex ('mediaopt full-duplex').
> Is it implied half-duplex by default, or by default it's set to
> "autodetect"?
>
> Thanks
>
> --
> Best regards,
>  Vladimir                            mailto:kulakov@kudesniki.ru

From owner-freebsd-security Mon Nov 27 10:27:23 2000
Date: Mon, 27 Nov 2000 21:27:15 +0300
From: Alexey Yambarshev
To: "Vladimir I. Kulakov"
Cc: security@freebsd.org
Subject: Re: DOS attack or hardware problem?
Message-ID: <20001127212715.B825@yav.spb.ru>
References: <1771564079.20001127122443@futures.msk.ru> <15940795775.20001127204748@kudesniki.ru>
In-Reply-To: <15940795775.20001127204748@kudesniki.ru>; from kulakov@kudesniki.ru on Mon, Nov 27, 2000 at 08:47:48PM +0300

> Hello Alex,
>
> ANM> Friday, November 24, 2000, 11:30:54 AM, you wrote:
> WMKR>> has this been known to happen with xl0/3Com 3C509TX?
> ANM> Yes, I saw the effect with 3Com network card and 3Com switch :(.
> ANM> Without manual configuration it hasn't worked properly.
>
> How to lock fxp0 to 100BASE/TX half-duplex?
> There is only an option to set the full-duplex ('mediaopt full-duplex').
> Is it implied half-duplex by default, or by default it's set to
> "autodetect"?

In rc.conf there must be

    ifconfig_fxp0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx media 100BaseTX"

BR,
Alexey Yambarshev

From owner-freebsd-security Mon Nov 27 10:49:57 2000
Date: Mon, 27 Nov 2000 10:50:29 -0800
From: Kris Kennaway
To: Wes Peters
Cc: Jean-Marc Zucconi, Buliwyf McGraw, freebsd-security@FreeBSD.ORG
Subject: Re: fics
Message-ID: <20001127105029.A63148@citusc17.usc.edu>
References: <200011262219.OAA78370@freefall.freebsd.org> <3A220C99.1DCAB7EC@softweyr.com>
In-Reply-To: <3A220C99.1DCAB7EC@softweyr.com>; from wes@softweyr.com on Mon, Nov 27, 2000 at 12:26:17AM -0700

On Mon, Nov 27, 2000 at 12:26:17AM -0700, Wes Peters wrote:
> > > I found this in one pc on my intranet:
> >
> > > Interesting ports on (192.168.20.50):
> > > Port    State       Protocol  Service
> > > 5000    open        tcp       fics
> >
> > fics = Free Internet Chess Server (see http://www.freechess.org). It
> > uses port 5000. Nothing bad here :-)
>
> Has it been audited?

It's probably not even fics. People should learn not to believe
/etc/services because it's just a wild guess about what would be using
that port if this were a perfect internet and everyone only used their
assigned port numbers. Obviously, this internet is not perfect, and
port 5000 is an obvious enough port number for a human to pick that it
could be literally anything running there.

The only way to tell with some kind of assurance what service is
running on a given port is to get on that machine with superuser
privileges and interrogate things, and even then you can't be sure.
Kris

From owner-freebsd-security Mon Nov 27 10:56:21 2000
Date: Mon, 27 Nov 2000 13:56:16 -0500 (EST)
From: Mikhail Kruk
To: freebsd-security@FreeBSD.ORG
Subject: Re: fics
In-Reply-To: <20001127105029.A63148@citusc17.usc.edu>

btw, why doesn't the daily security script include diffs for

    netstat -an | grep LIST

output? that would be kind of useful, no?

> It's probably not even fics. People should learn not to believe
> /etc/services because it's just a wild guess about what would be using
> that port if this were a perfect internet and everyone only used their
> assigned port numbers. Obviously, this internet is not perfect, and
> port 5000 is an obvious enough port number for a human to pick that it
> could be literally anything running there.
>
> The only way to tell with some kind of assurance what service is
> running on a given port is to get on that machine with superuser
> privileges and interrogate things, and even then you can't be sure.
>
> Kris

From owner-freebsd-security Mon Nov 27 11:10:32 2000
Date: Mon, 27 Nov 2000 11:11:13 -0800
From: Kris Kennaway
To: Mikhail Kruk
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: fics
Message-ID: <20001127111113.A63657@citusc17.usc.edu>
References: <20001127105029.A63148@citusc17.usc.edu>
In-Reply-To: ; from meshko@cs.brandeis.edu on Mon, Nov 27, 2000 at 01:56:16PM -0500

On Mon, Nov 27, 2000 at 01:56:16PM -0500, Mikhail Kruk wrote:
> btw, why doesn't the daily security script include diffs for
> netstat -an | grep LIST
>
> output? that would be kind of useful, no?

Better to use sockstat.
Send patches :-)

Kris

From owner-freebsd-security Mon Nov 27 11:38:40 2000
Date: Mon, 27 Nov 2000 22:37:49 +0300
From: "Vladimir I. Kulakov"
To: freebsd-isp@FreeBSD.ORG, security@FreeBSD.ORG, sean@stat.Duke.EDU
Subject: Re[2]: DOS attack or hardware problem?
Message-ID: <13447397719.20001127223749@kudesniki.ru>
In-Reply-To: <20001127125635.M45407@stat.Duke.EDU>
References: <1771564079.20001127122443@futures.msk.ru> <15940795775.20001127204748@kudesniki.ru> <20001127125635.M45407@stat.Duke.EDU>

Hello Sean,

Monday, November 27, 2000, 8:56:35 PM, you wrote:

SOC> Vladimir I. Kulakov stated:
SOC> : Hello Alex,
SOC> :
: ANM>> Friday, November 24, 2000, 11:30:54 AM, you wrote:
: WMKR>>> has this been known to happen with xl0/3Com 3C509TX?
: ANM>> Yes, I saw the effect with 3Com network card and 3Com switch :(.
: ANM>> Without manual configuration it hasn't worked properly.
SOC> :
SOC> : How to lock fxp0 to 100BASE/TX half-duplex?
SOC> : There is only an option to set the full-duplex ('mediaopt full-duplex').
SOC> : Is it implied half-duplex by default, or by default it's set to
SOC> : "autodetect"?
SOC> :
SOC> : Thanks
SOC> :
SOC> : --
SOC> : Best regards,
SOC> Vladimir-
SOC> I believe that if you just use:
SOC>     media 100baseTX
SOC> it will be in half-duplex mode by default. The mediaopt flag
SOC> is only helpful for full-duplex if you are hardcoding the media.
SOC> The alternative is to try and let the driver autonegotiate--ie,
SOC> do not pass any media/mediaopt flags to ifconfig_fxp0.

Ok. Then how to set the mediaopt to autodetect half/full-duplex, in case
it'll be needed? Is there an option "half-duplex"? Or can't this card
autodetect half/full duplex?

--
Best regards,
 Vladimir                            mailto:kulakov@kudesniki.ru

From owner-freebsd-security Mon Nov 27 11:45:57 2000
Date: Mon, 27 Nov 2000 14:45:52 -0500 (EST)
From: Garrett Wollman
Message-Id: <200011271945.OAA96357@khavrinen.lcs.mit.edu>
To: Kris Kennaway
Cc: Mikhail Kruk, freebsd-security@FreeBSD.ORG
Subject: Re: fics
In-Reply-To: <20001127111113.A63657@citusc17.usc.edu>
References: <20001127105029.A63148@citusc17.usc.edu> <20001127111113.A63657@citusc17.usc.edu>

< said:
> Better to use sockstat.
> Send patches :-)

Only if it's optional. I don't need a constantly-changing list of a
hundred random people who were looking at my Web page early in the
morning.

-GAWollman

From owner-freebsd-security Mon Nov 27 12:11:37 2000
Date: Mon, 27 Nov 2000 13:10:52 -0700 (MST)
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: Wes Peters
Cc: Garrett Wollman, freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <14882.49100.131730.989201@nomad.yogotech.com>
In-Reply-To: <3A221402.D88321D8@softweyr.com>

> > > allow udp from any to any out
> >
> > > But that's for my private home network.
> > > I trust myself to only send out
> > > useful, productive packets. :)
> >
> > I must admit to being puzzled by home firewalls, at least among this
> > group of people.

Because many of these 'homes' have full-time connections, which are
constantly scanned for weaknesses.

> > If you've got some promiscuous operating system from
> > Washington State running, I can somewhat understand doing that.

Even FreeBSD (*gasp*) has security problems, especially older releases
and/or misconfigured releases. Unless you want to upgrade every system in
your network every time a new security issue is found (and known), it's
better to have a policy that minimizes risks, which includes a firewall.

> > If
> > you just have a single machine, which is under your direct control,
> > then doing packet filtering is just silly. If your machine is

I disagree completely.

> > properly configured and secured, filtering out packets which would
> > otherwise be thrown away anyway serves no useful purpose.

Sure, but who determines if the packets are going to be thrown out, if
not a firewall? Your upstream provider? Most decent ISPs are not into
content-filtering your packets, so if you are silly enough to run
something (accidentally or on purpose) then the packets will get out.

> Since I have T-1 speeds coming into said basement, it is entirely likely
> that somebody may notice and attempt to hijack one or more of my machines
> to use in a DDOS attack. In fact, somebody already has tried. And failed.

Only once? I'm scanned 3-4 times/day, and weekly get script kiddies
attempting to do remote exploits. Having been responsible for monitoring
a box on the internet full-time since '94, I can't imagine *NOT* using a
firewall if you have a full-time connection, static IP or not.
Nate

From owner-freebsd-security Mon Nov 27 12:26:43 2000
Date: Mon, 27 Nov 2000 15:26:23 -0500 (EST)
From: Garrett Wollman
Message-Id: <200011272026.PAA96641@khavrinen.lcs.mit.edu>
To: nate@yogotech.com (Nate Williams)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
In-Reply-To: <14882.49100.131730.989201@nomad.yogotech.com>

< said:
> Sure, but who determines if the packets are going to be thrown out, if
> not a firewall?

The kernel's table of protocol control blocks.
-GAWollman

From owner-freebsd-security Mon Nov 27 12:28:32 2000
Date: Mon, 27 Nov 2000 13:28:17 -0700 (MST)
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: Garrett Wollman
Cc: nate@yogotech.com (Nate Williams), freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <14882.50145.87646.623077@nomad.yogotech.com>
In-Reply-To: <200011272026.PAA96641@khavrinen.lcs.mit.edu>

> > Sure, but who determines if the packets are going to be thrown out, if
> > not a firewall?
>
> The kernel's table of protocol control blocks.
For UDP packets, which was the rule you commented on?

Nate

From owner-freebsd-security Mon Nov 27 12:30:11 2000
Date: Mon, 27 Nov 2000 14:30:07 -0600 (CST)
From: Tim Zingelman
Subject: Re: fics
In-Reply-To: <200011271945.OAA96357@khavrinen.lcs.mit.edu>

> < said:
> > Better to use sockstat. Send patches :-)
> Only if it's optional. I don't need a constantly-changing list of a
> hundred random people who were looking at my Web page early in the
> morning. -GAWollman

How about:

    sockstat|grep "\*\.[0-9 ]*\*\.\*"|cut -c10-18,39-45|sort -n -u +1

The results of this should be more static and somewhat more useful than

    netstat -an | grep LIST

?
- Tim

From owner-freebsd-security Mon Nov 27 12:33:34 2000
Date: Mon, 27 Nov 2000 15:33:16 -0500 (EST)
From: Garrett Wollman
Message-Id: <200011272033.PAA96696@khavrinen.lcs.mit.edu>
To: nate@yogotech.com (Nate Williams)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
In-Reply-To: <14882.50145.87646.623077@nomad.yogotech.com>

< said:
>> The kernel's table of protocol control blocks.

> For UDP packets, which was the rule you commented on?

The same place.
-GAWollman

From owner-freebsd-security Mon Nov 27 12:39:05 2000
Date: Mon, 27 Nov 2000 15:38:50 -0500 (EST)
From: Mikhail Kruk
To: Garrett Wollman
Cc: Kris Kennaway
Subject: Re: fics
In-Reply-To: <200011271945.OAA96357@khavrinen.lcs.mit.edu>

it's not going to show random people, only the listening sockets which
should be constant unless you're changing something...

> Only if it's optional. I don't need a constantly-changing list of a
> hundred random people who were looking at my Web page early in the
> morning.
>
> -GAWollman
>

From owner-freebsd-security Mon Nov 27 13:27:49 2000
Date: Mon, 27 Nov 2000 15:27:42 -0600 (CST)
From: Tim Zingelman
Subject: Re: fics

On Mon, 27 Nov 2000, Tim Zingelman wrote:

> sockstat|grep "\*\.[0-9 ]*\*\.\*"|cut -c10-18,39-45|sort -n -u +1

Oops, you caught me... I built this on a 3.x system... it doesn't work
on a 4.2 system. Sockstat output now uses : not . to separate ip & port.
Also, it looks like sort -u weeds out duplicate keys, not duplicate rows
as I'd assumed :(

I'm starting to think this is too complex a solution... but:

    sockstat|grep "\*.[0-9 ]*\*.\*"|cut -c1-9,10-18,39-45|sort -u|sort -n +2

seems to do what I want both on 3.x and 4.x systems.

If people think this is ok, I'd be glad to submit patches...
- Tim

From owner-freebsd-security Mon Nov 27 14:04:11 2000
Date: Mon, 27 Nov 2000 17:04:02 -0500 (EST)
From: Mikhail Kruk
To: Tim Zingelman
Subject: Re: fics

I added it to my /etc/security and it seems to work. The diff file is
attached (with the new 4.2-compatible version by Tim).

Could someone enlighten me on what actually has to be done to the diff
so it can become a real patch and eventually make it into the system?
I'm rather green but would really like to start contributing to FreeBSD.

On Mon, 27 Nov 2000, Tim Zingelman wrote:

> On Mon, 27 Nov 2000, Tim Zingelman wrote:
>
> > sockstat|grep "\*\.[0-9 ]*\*\.\*"|cut -c10-18,39-45|sort -n -u +1
>
> Oops, you caught me... I built this on a 3.x system... it doesn't work
> on a 4.2 system. Sockstat output now uses : not . to separate ip & port.
> Also, it looks like sort -u weeds out duplicate keys, not duplicate rows
> as I'd assumed :(
>
> I'm starting to think this is too complex a solution...
> but:
>
> sockstat|grep "\*.[0-9 ]*\*.\*"|cut -c1-9,10-18,39-45|sort -u|sort -n +2
>
> seems to do what I want both on 3.x and 4.x systems.
>
> If people think this is ok, I'd be glad to submit patches...
>
> - Tim

[Attachment: security.diff (text/plain, base64-encoded)]

From owner-freebsd-security Mon Nov 27 15:31:35 2000
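The listening-socket check that Tim's pipeline and Mikhail's /etc/security addition sketch above, written out as an added example (it is not code from the thread or from FreeBSD's /etc/security). It keys on the FOREIGN ADDRESS field instead of fixed cut(1) columns, so it accepts both the 3.x "*.22" and the 4.x "*:22" forms; the sockstat sample lines are constructed, and the column layout (user, command, pid, fd, proto, local, foreign) is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's /etc/security.
# A daily "did the set of listening sockets change?" check in the spirit of
# Tim's sockstat pipeline. It keys on the FOREIGN ADDRESS field rather than
# on fixed character columns, so it accepts both the 3.x "*.22" and the
# 4.x "*:22" address forms without cut(1) offsets that shift between releases.
# Assumed sockstat column layout: USER COMMAND PID FD PROTO LOCAL FOREIGN.

# Constructed sample of sockstat output (not real output), mixing both forms.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312    3 tcp4   *:22                  *:*
root     sendmail   401    4 tcp4   127.0.0.1:25          *:*
www      httpd      512    4 tcp4   *:80                  *:*
www      httpd      513    9 tcp4   10.0.0.5:80           192.168.20.50:4121
root     syslogd    120    4 udp4   *:514                 *:*
nobody   unknown    9999   3 tcp4   *.5000                *.*'

# listening_sockets: filter sockstat output (stdin) down to listeners, i.e.
# rows whose foreign address is the wildcard. Emits "user command proto local"
# with the 3.x "." port separator normalized to ":", duplicates removed (one
# line per listener, however many processes share it) and sorted by port so
# the diff against yesterday stays readable. Established connections, which
# churn all day, never appear, so the list only moves when a listener does.
listening_sockets() {
    awk 'NR > 1 && ($NF == "*:*" || $NF == "*.*") {
            local = $(NF - 1)
            # 3.x form: the port follows the last "." of the local address
            if (match(local, /\.[0-9]+$/))
                local = substr(local, 1, RSTART - 1) ":" substr(local, RSTART + 1)
            print $1, $2, $(NF - 2), local
        }' | sort -u | sort -t: -k2,2n
}

# check_listeners SNAPSHOT: compare today's listener list (sockstat output on
# stdin) with the snapshot kept from the previous run, the way /etc/security
# keeps yesterday's copies for its other checks. Silent when nothing changed.
# Returns 0 if unchanged (or on the first run), 1 if the list changed.
check_listeners() {
    snapshot=$1
    tmp=$(mktemp) || return 2
    listening_sockets > "$tmp"
    if [ ! -f "$snapshot" ]; then
        echo "no $snapshot, recording the current listener list"
        mv "$tmp" "$snapshot"
        return 0
    fi
    if cmp -s "$snapshot" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    echo "changes in listening sockets:"
    diff "$snapshot" "$tmp"          # "<" lines vanished, ">" lines are new
    mv "$snapshot" "$snapshot.yesterday"
    mv "$tmp" "$snapshot"
    return 1
}

# Demonstration on the constructed sample: the first run records a baseline,
# a second identical run is silent, and a run with sshd gone reports it.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' "$SAMPLE_SOCKSTAT" | check_listeners "$dir/sockstat.today"
    printf '%s\n' "$SAMPLE_SOCKSTAT" | check_listeners "$dir/sockstat.today"
    printf '%s\n' "$SAMPLE_SOCKSTAT" | grep -v sshd |
        check_listeners "$dir/sockstat.today"
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh listeners.sh demo` to see the three runs; in a real /etc/security hook the stdin would be `sockstat` itself and the snapshot would live under the security log directory.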
Date: Mon, 27 Nov 2000 23:34:59 -0000
From: "Nuno Teixeira"
To: "Peter Pentchev"
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <006901c058ca$aa683cd0$0200a8c0@n2>

Hi,

For ftp, the ' export FTP_PASSIVE_MODE="yes" ' works ok but I can't
download ports with the ' export FETCH_BEFORE_ARGS="-p" '. The only way
that I can fetch a file is doing this in the port directory:
' make FETCH_BEFORE_ARGS=-p install '.

Does anyone know why export doesn't work for the fetch command?

Thanks very much,

Nuno Teixeira

----- Original Message -----
From: "Peter Pentchev"
To: "Steve Reid"
Cc: "Nuno Teixeira"
Sent: Monday, November 27, 2000 11:45 AM
Subject: Re: NATD: failed to write packet back (Permission denied)

> On Mon, Nov 27, 2000 at 03:21:36AM -0800, Steve Reid wrote:
> > On Mon, Nov 27, 2000 at 10:59:00AM -0000, Nuno Teixeira wrote:
> > > I think that is a way of turning on passive mode on installing new
> > > ports since they are downloaded by ftp almost all the time.
> >
> > For ports:
> > export FETCH_BEFORE_ARGS="-p"
> >
> > For general /usr/bin/ftp usage:
> > export FTP_PASSIVE_MODE="yes"
> >
> > Stick those in your rc file.
>
> Actually FTP_PASSIVE_MODE="yes" works for fetch too.
>
> G'luck,
> Peter
>
> --
> You have, of course, just begun reading the sentence that you have just finished reading.

From owner-freebsd-security Mon Nov 27 15:38: 4 2000
Date: Mon, 27 Nov 2000 18:37:33 -0500 (EST)
From: Dominick LaTrappe
To: "Oleg A. Paraschenko"
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: static ARP tables
In-Reply-To: <007201c05863$e65f8480$0701a8c0@dkn>

On Mon, 27 Nov 2000, Oleg A. Paraschenko wrote:
> In FreeBSD 2.2.7 term 'permanent' means that kernel will not delete ARP
> entry after time of inactivity of workstation. Any host on network can
> change IP, and kernel will say 'arp: %s moved from %6D to %6D', even if
> IP/MAC is set to 'permanent'.

Would someone from the FreeBSD project like to verify that this is the
expected behavior, and whether it applies to {3|4|5}.x too?

||| Dominick

From owner-freebsd-security Mon Nov 27 16:16:43 2000
Date: Tue, 28 Nov 2000 01:16:34 +0100 (MET)
From: Pär Thoren
To: Wes Peters
Cc: Pär Thoren, freebsd-security@freebsd.org
Subject: Re: secure tunnel
In-Reply-To: <3A20A1AD.2CB9861C@softweyr.com>

I solved it like this:

bounce -p 601 localhost 800
ssh -L800:localhost:80 www.otherserver.com

natclient does:

http://192.168.1.1:601

and gets a secure connection to www.otherserver.com

any comments?

/Pär

On Sat, 25 Nov 2000, Wes Peters wrote:
> Pär Thoren wrote:
> >
> > Can I forward port 80 on a natd server so that every connection that is
> > made by local machines (nat clients) to port 80 on the natdserver (on the
> > internal interface) will go to another server? Can this be done with ssh
> > tunneling so that the connection between the natdserver and the other www
> > server will be secure?
>
> ipfilter and ipnat can do this. See the transproxy port for an example
> of a transparent www proxy using ipnat. I'm not sure how close this might
> be to your problem, but it's a start.
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                                  Softweyr LLC
> wes@softweyr.com                      http://softweyr.com/

From owner-freebsd-security Tue Nov 28 2: 3:34 2000
X-URL: http://www.ofug.org/~des/
To: Tim Zingelman
Subject: Re: fics
From: Dag-Erling Smorgrav
Date: 28 Nov 2000 11:03:28 +0100
In-Reply-To: Tim Zingelman's message of "Mon, 27 Nov 2000 15:27:42 -0600 (CST)"

Tim Zingelman writes:
> Also, it looks like sort -u weeds out duplicate keys, not duplicate rows
> as I'd assumed :(

That's what uniq(1) is for.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Nov 28 2: 5:44 2000
X-URL: http://www.ofug.org/~des/
To: "Nuno Teixeira"
Subject: Re: NATD: failed to write packet back (Permission denied)
From: Dag-Erling Smorgrav
Date: 28 Nov 2000 11:05:36 +0100
In-Reply-To: "Nuno Teixeira"'s message of "Mon, 27 Nov 2000 10:59:00 -0000"

"Nuno Teixeira" writes:
> I found this problem too when I tried to install freebsd ports. I think that
> is a way of turning on passive mode on installing new ports since they are
> downloaded by ftp almost the times.

Passive mode is the default unless the FTP_PASSIVE_MODE environment
variable is set to NO.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Nov 28 2:53:57 2000
Date: Tue, 28 Nov 2000 12:53:14 +0200
From: Peter Pentchev
To: Richard Ward
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: *login
Message-ID: <20001128125314.A9810@ringworld.oblivion.bg>
In-Reply-To: <000b01c0588d$0138b320$0101a8c0@pavilion>; from mh@neonsky.net on Mon, Nov 27, 2000 at 11:13:38AM -0500

On Mon, Nov 27, 2000 at 11:13:38AM -0500, Richard Ward wrote:
> I saw the login running with the -h option for long periods of time on
> numerous ip addresses, but not with "high risk" host names (dialup, aol,
> etc). None of which I can recognize as a regular user's host name, maybe
> someone who is trying to login with telnet/ssh unsuccessfully?

If you are seeing something like (from a ps axwww | fgrep login)

root 10261 0.0 1.0 1044 612 p0 Ss+ 12:50PM 0:00.01 login -h pool52-tch-1.Sofia.0rbitel.net -p

then yes, this is a still unauthenticated incoming connection, spawned by
either telnetd or sshd (if compiled with the --with-login option to finish
incoming connections with login(1)). This is truly normal, and may only
be worked around by

1. using tcp-wrappers, or
2. using a firewall :)

G'luck,
Peter

--
I had to translate this sentence into English because I could not read the original Sanskrit.

From owner-freebsd-security Tue Nov 28 4: 4:58 2000
Date: Tue, 28 Nov 2000 14:04:36 +0200 (IST)
From: Roman Shterenzon
To: Pär Thoren
Subject: Re: secure tunnel

On Tue, 28 Nov 2000, Pär Thoren wrote:
>
> I solved it like this:
>
> bounce -p 601 localhost 800
> ssh -L800:localhost:80 www.otherserver.com
>
> natclient does:
>
> http://192.168.1.1:601
>
> and gets a secure connection to www.otherserver.com
>
> any comments?

Server compromise as a consequence of gateway compromise, perhaps?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Tue Nov 28 4:31:35 2000
Message-Id: <4.3.0.20001128132927.00d8fa80@pop.free.fr>
Date: Tue, 28 Nov 2000 13:32:48 +0100
To: Dominick LaTrappe, "Oleg A. Paraschenko"
From: mouss
Subject: Re: static ARP tables
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
References: <007201c05863$e65f8480$0701a8c0@dkn>

not sure, but netinet/if_ether.c says:

...
if (rt->rt_expire)
    ....
    ... moved from ...
else
    ....
    "arp: %6D attempts to modify permanent entry for %s on %s%d\n"

so I guess that one cannot modify a permanent entry

regards,
mouss

At 18:37 27/11/00 -0500, Dominick LaTrappe wrote:
>On Mon, 27 Nov 2000, Oleg A. Paraschenko wrote:
> > In FreeBSD 2.2.7 term 'permanent' means that kernel will not delete ARP
> > entry after time of inactivity of workstation. Any host on network can
> > change IP, and kernel will say 'arp: %s moved from %6D to %6D', even if
> > IP/MAC is set to 'permanent'.
>
>Would someone from the FreeBSD project like to verify that this is the
>expected behavior, and whether it applies to {3|4|5}.x too?
From owner-freebsd-security Tue Nov 28 8: 6:24 2000
Date: Tue, 28 Nov 2000 11:15:14 -0500 (COT)
From: Buliwyf McGraw
To: security@FreeBSD.ORG
Subject: NMBCLUSTERS

This morning my server rebooted on its own... I checked /var/log/messages
and I found this:

Nov 28 10:53:42 server /kernel: Out of mbuf clusters - adjust NMBCLUSTERS or increase maxusers!

Can anyone explain to me what is going on?
Especially about "NMBCLUSTERS"???

Thanks a lot.

=======================================================================
Buliwyf McGraw
Administrator of the Libertad server
Centro de Servicios de Informacion
Universidad del Valle
=======================================================================

From owner-freebsd-security Tue Nov 28 8:16: 5 2000
Date: Tue, 28 Nov 2000 08:14:47 -0800
From: faSty
To: Buliwyf McGraw
Cc: freebsd-security@freebsd.org
Subject: Re: NMBCLUSTERS
Message-ID: <20001128081447.D6393@i-sphere.com>

you need to recompile the kernel, the conf is located in /usr/src/sys/i386/conf
-- I'm not sure if you have ever compiled a kernel before or not.. copy GENERIC
and add

options NMBCLUSTERS=4098

or more, depending on how big you are. then recompile the kernel and install.
It will stop the errors in your messages. :)

if you have never compiled the kernel, I recommend you read the instructions
on www.freebsd.org under the handbook section. you will find "Configuring the
FreeBSD kernel"

URL: http://www.freebsd.org/handbook/kernelconfig.html

hope this helps you. I had that same kind of problem in the past :)

-trev

On Tue, Nov 28, 2000 at 11:15:14AM -0500, Buliwyf McGraw wrote:
>
> This morning my server reboot alone... i check in the /var/log/messages
> and i found this:
>
> Nov 28 10:53:42 server /kernel: Out of mbuf clusters - adjust
> NMBCLUSTERS or increase maxusers!
>
> Anyone can explain me what is going on?
> especially about "NMBCLUSTERS" ???
>
> Thanks a lot.
>
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================

From owner-freebsd-security Tue Nov 28 8:24: 4 2000
X-URL: http://www.ofug.org/~des/
To: faSty
Cc: Buliwyf McGraw, freebsd-security@FreeBSD.ORG
Subject: Re: NMBCLUSTERS
From: Dag-Erling Smorgrav
Date: 28 Nov 2000 17:23:49 +0100
In-Reply-To: faSty's message of "Tue, 28 Nov 2000 08:14:47 -0800"

faSty writes:
> you need recompile the kernel, the conf is located /usr/src/sys/i386/conf,

No, nmbclusters is settable at boot time. See /boot/defaults/loader.conf.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Nov 28 10:54:50 2000
Message-ID: <3A23FEF2.9701D5FA@algroup.co.uk>
Date: Tue, 28 Nov 2000 18:52:34 +0000
From: Adam Laurie
Organization: A.L. Group plc
To: Dag-Erling Smorgrav
Cc: faSty, Buliwyf McGraw, freebsd-security@FreeBSD.ORG
Subject: Re: NMBCLUSTERS
References: <20001128081447.D6393@i-sphere.com>

Dag-Erling Smorgrav wrote:
>
> faSty writes:
> > you need recompile the kernel, the conf is located /usr/src/sys/i386/conf,
>
> No, nmbclusters is settable at boot time. See /boot/defaults/loader.conf.

since the default setting is too low to survive a reasonably heavy network
load, is it time the default was upped? presumably this is a hangover from
the days when RAM was a scarce commodity?

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Tue Nov 28 11: 9:58 2000
Date: Tue, 28 Nov 2000 14:18:38 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel Emergency... Please!!!

Hello... I need help... I need to recompile the kernel of my server;
I did it several times before without problems,
but now when I try it... I get this:

I'm using the GENERIC configuration file.

When I do 'make depend', I see this warning:

make -f ../../dev/aic7xxx/Makefile MAKESRCPATH=../../dev/aic7xxx
Warning: Object directory not changed from original /usr/src/sys/compile/GENERIC
yacc -d ../../dev/aic7xxx/aicasm_gram.y
mv y.tab.c aicasm_gram.c

And when I do 'make', I get this error message:

../../dev/aic7xxx.c : In function 'ahc_download_instr':

machine/bus.h: 575 Invalid 'asm' statement:
machine/bus.h: fixed or forbidden register 2(cx) was spilled for class CREG

Do you know anything about it???

My real problem is this: I need to load the drivers for 3com in the server;
is recompiling necessary???
Can I load the drivers for 3com without recompiling the kernel???

Thanks for any help, today was a hard day... believe me!!!

=======================================================================
Buliwyf McGraw
Administrator of the Libertad server
Centro de Servicios de Informacion
Universidad del Valle
=======================================================================

From owner-freebsd-security Tue Nov 28 12:16:14 2000
Date: Tue, 28 Nov 2000 18:16:42 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: sockstat in /etc/security (was: fics)
Message-ID: <20001128181642.M27042@speedy.gsinet>
In-Reply-To: from meshko@cs.brandeis.edu on Mon, Nov 27, 2000 at 05:04:02PM -0500
Organization: System Defenestrators Inc.

On Mon, Nov 27, 2000 at 17:04 -0500, Mikhail Kruk wrote:
>
> [ ... sockstat(1) survey ... ]
>
> I added it to my /etc/security and it seems to work.
> diff file is attached (with the new 4.2 compatible version by Tim)
>
> [ ... ]
>
> 78a79,95
> > # Show changes in the open tcp sockets
> > #
> > if sockstat|grep "\*.[0-9 ]*\*.\*"|cut -c1-9,10-18,39-45|sort -u|sort -n +2 > $TMP; then

What do you expect to be the exit status of this command (look at
"man sh" and search for "Pipelines")?
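Review bot: the `if sockstat|grep ...|sort -u|sort -n +2 > $TMP; then` line makes the whole block conditional on the exit status of the last command in the pipeline, `sort -n +2`, so whether `grep` matched any listening socket at all (or whether `sockstat` itself failed) never reaches the test; write `$TMP` unconditionally and always compare it with the previous snapshot, since a list that becomes empty is exactly the change this check should report. The `cut -c1-9,10-18,39-45` column positions are tied to one sockstat(1) output layout (the quoted message calls this the "4.2 compatible version"), so a comment stating which release's layout they expect would spare the next reader a silent mis-parse.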
Reading "man sort" and searching for "exit" and "resu" I don't see
any(!) defined return value for the "sort -n" invocation.

I would even dare to say this /etc/security block shouldn't have *any*
condition for execution. Changing from or to zero listening sockets
(installing a new machine or disabling all services) is something you
definitely want to know. Maybe the suid files' list is the best
template to derive from.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your
parents or an adult to help you.

From owner-freebsd-security Tue Nov 28 13:28:40 2000
From: "Henk Wevers"
Subject: FreeBSD hacked?
Date: Tue, 28 Nov 2000 22:28:33 +0100
In-Reply-To: <20001128181642.M27042@speedy.gsinet>

FreeBSD got a new Security Officer

Nohican and {} would like to wish the new Security Officer (Kris) good luck
on his new job. We are sure you will do a great job!

Look at the bottom of http://freebsd.org.index.html

Henk

From owner-freebsd-security Tue Nov 28 14:32: 2 2000
Date: Tue, 28 Nov 2000 15:33:01 -0700 (MST)
From: Al Kwan
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel Emergency... Please!!!

If you run "config GENERIC" in that directory first, then cd ../../compile/GENERIC
and "make depend", "make" and "make install" you should be fine.

Al

On Tue, 28 Nov 2000, Buliwyf McGraw wrote:
>
> Hello... i need help... i need recompile the kernel of my server,
> i did it several times before without problems,
> but now when i try it... i get this:
>
> Im using the GENERIC configure file.
>
> When i do 'make depend', I see this warning:
>
> make -f ../../dev/aic7xxx/Makefile MAKESRCPATH=../../dev/aic7xxx
> Warning: Object directory not changed from original /usr/src/sys/compile/GENERIC
> yacc -d ../../dev/aic7xxx/aicasm_gram.y
> mv y.tab.c aicasm_gram.c
>
> And when i do 'make', I get this error message:
>
> ../../dev/aic7xxx.c : In function 'ahc_download_instr':
>
> machine/bus.h: 575 Invalid 'asm' statement:
> machine/bus.h: fixed or forbidden register 2(cx) was spilled for
> class CREG
>
> Did you know something about it???
>
> My real problem is this: i need load de drivers for 3com in the server,
> is necesary recompiling???
> Can i load the drivers for 3com without recompile the kernel???
>
> Thanks for any help, today was a hard day... believe me!!!
>
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================

From owner-freebsd-security Tue Nov 28 14:38:29 2000
From: "Peter Brezny"
Subject: ipfw stateful rules not allowing ftp
Date: Tue, 28 Nov 2000 17:38:11 -0800
Message-ID: <000401c059a5$096a2100$46010a0a@sysadmininc.com>

I'm using a 4.2-release box as a firewall. I can connect to the
machine via ftp and can pwd to get what directory I am in; however ls and get
don't work. When I disable the firewall, ftp can connect and function
normally. I have sorted through the rules but can't figure out why ftp seems
to get hobbled by the firewall. Especially since there is this rule

$fwcmd add allow ip from $oip to any keep-state out via $oif

which ought to let anything originating on this machine back out....?

my firewall config is below, any help will be greatly appreciated.

TIA

fwcmd="/sbin/ipfw"      #leave as is if using ipfw
oif="oifx"              #set to outside interface name
onwr="a.b.c.0/24"       #set to outside network range
oip="a.b.c.d"           #set to outside ip address
iif="ifx"               #set to internal interface name
inwr="x.y.z.0/24"       #set to internal network range
iip="x.y.z.x"           #set to internal ip address
ns1="e.f.g.h"           #set to primary name server
#ntp="i.j.k.l"          #set to ip of NTP server or leave as is
#
# End of required user input
#
# Rules
#
$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add deny log all from any to 127.0.0.0/8
$fwcmd add deny log ip from $inwr to any in via $oif
$fwcmd add deny log ip from not $inwr to any in via $iif
$fwcmd add divert natd all from any to any via $oif
$fwcmd add check-state
$fwcmd add allow ip from $oip to any keep-state out via $oif
$fwcmd add allow ip from $inwr to any keep-state via $iif
$fwcmd add allow tcp from $ns1 to $oip 53 keep-state
$fwcmd add allow tcp from any to $oip 21,22,25,80,443 keep-state
# $fwcmd add allow icmp from any to any
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
$fwcmd add allow udp from any 53 to $oip 53 keep-state
# $fwcmd add allow udp from $ntp 123 to $oip 123
$fwcmd add 65435 deny log ip from any to any

Peter Brezny
SysAdmin Services Inc.
From owner-freebsd-security Tue Nov 28 14:53:53 2000
Date: Tue, 28 Nov 2000 17:54:21 -0500 (EST)
From: Bosko Milekic
Subject: Re: NMBCLUSTERS
To: Buliwyf McGraw
Cc: security@FreeBSD.ORG

This is not normal if you are using a recent enough version of FreeBSD.
What version of FreeBSD are you using? If you are running 4.x and above and
are seeing this, please enable debugging and provide some debugging
information... this would be very much appreciated.

On Tue, 28 Nov 2000, Buliwyf McGraw wrote:
>
> This morning my server reboot alone... i check in the /var/log/messages
> and i found this:
>
> Nov 28 10:53:42 server /kernel: Out of mbuf clusters - adjust
> NMBCLUSTERS or increase maxusers!
>
> Anyone can explain me what is going on?
> especially about "NMBCLUSTERS" ???
>
> Thanks a lot.
>
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================

Thanks,
Bosko Milekic
bmilekic@technokratis.com

From owner-freebsd-security Tue Nov 28 14:54:44 2000
Date: Tue, 28 Nov 2000 23:53:07 +0100
From: Thomas Moestl
To: freebsd-security@freebsd.org
Subject: Re: ipfw stateful rules not allowing ftp
Message-ID: <20001128235307.A3638@crow.dom2ip.de>
In-Reply-To: <000401c059a5$096a2100$46010a0a@sysadmininc.com>; from peter@sysadmin-inc.com on Tue, Nov 28, 2000 at 05:38:11PM -0800

> I'm using a 4.2-release box used as a firewall. I can connect to the
> machine via ftp and can pwd to get what directory i am in however ls and get
> don't work. when I disable the firewall, ftp can connect and function
> normally. I have sorted throug the rules but can't figure out why ftp seems
> to get hobled by the firewall.
Especially since there is this rule > > $fwcmd add allow ip from $oip to any keep-state out via $oif > > which ought to let anything originating on this machine back out....? No, not quite. It will open a dynamic rule when a packet arrives that matches this rule. The newly created dynamic rule will admit packets going to and from the ip/port pairs set in the packet that triggered the creation (read ipfw(8) for more details). This does not help you with a ftp data connection. This is opened by the server when it has data for you (eg a directory listing or a downloaded file), but of course on another port than your control connection. Either use ftp passive mode or a proxy, or do some magic using natd, which knows about ftp, and can also insert ipfw rules to let data connections pass. - Thomas To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 28 16:12:37 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 7167137B401 for ; Tue, 28 Nov 2000 16:12:34 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id QAA15478; Tue, 28 Nov 2000 16:09:18 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda15475; Tue Nov 28 16:09:02 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eAT08rN10134; Tue, 28 Nov 2000 16:08:53 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdl10131; Tue Nov 28 16:08:03 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eAT083M16683; Tue, 28 Nov 2000 16:08:03 -0800 (PST) Message-Id: <200011290008.eAT083M16683@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id 
smtpdq16677; Tue Nov 28 16:07:10 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.2-RELEASE X-Sender: cy To: peter@sysadmin-inc.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw stateful rules not allowing ftp In-reply-to: Your message of "Tue, 28 Nov 2000 17:38:11 PST." <000401c059a5$096a2100$46010a0a@sysadmininc.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 28 Nov 2000 16:07:10 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <000401c059a5$096a2100$46010a0a@sysadmininc.com>, "Peter Brezny" wri tes: > I'm using a 4.2-release box used as a firewall. I can connect to the > machine via ftp and can pwd to get what directory i am in however ls and get > don't work. when I disable the firewall, ftp can connect and function > normally. I have sorted throug the rules but can't figure out why ftp seems > to get hobled by the firewall. Especially since there is this rule Without getting into the gory details, IPFW does not support an FTP proxy. You will need to perform passive mode FTP transfers. 
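The behaviour Thomas and Cy describe in the two replies above (a keep-state rule only admits the reverse of the flow that created it, so an active-mode FTP data connection opened by the server from port 20 is never covered, while a passive-mode data connection opened by the client is) can be shown with a small model of ipfw's dynamic rule table. This is an added example written for this archive, not ipfw code and not code from either post; the addresses and ports are constructed, and the matching behaviour of the toy table (protocol plus the two address/port endpoints, matched in either direction, default deny otherwise) is a simplification of what ipfw(8) actually does.

```python
"""Toy model of ipfw keep-state matching, illustrating why the rule

    $fwcmd add allow ip from $oip to any keep-state out via $oif

lets an FTP control connection through but not an active-mode data
connection.  Added example; not ipfw code.  Assumption: a dynamic rule
is keyed on the protocol and the two (address, port) endpoints of the
packet that created it, matches traffic between those endpoints in
either direction, and everything else falls through to a default deny.
"""
from dataclasses import dataclass

OIP = "192.0.2.10"        # the firewall host's own address ($oip); constructed
SERVER = "198.51.100.5"   # a remote FTP server; constructed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "out" (leaving via $oif) or "in"
    proto: str = "tcp"


class StatefulFirewall:
    """Two rules: check-state first, then 'allow ip from oip to any keep-state out'."""

    def __init__(self, oip: str):
        self.oip = oip
        self.dynamic = set()   # dynamic rules created by keep-state

    @staticmethod
    def _key(pkt: Packet):
        # The endpoint pair is unordered so the reply direction matches too.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def check(self, pkt: Packet) -> str:
        if self._key(pkt) in self.dynamic:
            return "allow (dynamic)"
        if pkt.direction == "out" and pkt.src == self.oip:
            self.dynamic.add(self._key(pkt))      # keep-state: remember this flow
            return "allow (keep-state)"
        return "deny"                             # default deny


def ftp_session(mode: str) -> dict:
    """Run the packets of one FTP session through the model and return the
    verdict per step.  "active": after PORT the server connects from port 20
    to a client-chosen port (50002, constructed).  "passive": after PASV the
    client connects to a server-chosen port (49152, constructed)."""
    fw = StatefulFirewall(OIP)
    verdicts = {}
    # Control connection: client -> server:21 creates state, the reply matches it.
    verdicts["control_out"] = fw.check(Packet(OIP, 50001, SERVER, 21, "out"))
    verdicts["control_reply"] = fw.check(Packet(SERVER, 21, OIP, 50001, "in"))
    if mode == "active":
        # The server opens the data connection towards the client; no state
        # exists for this endpoint pair, so the default deny wins.
        verdicts["data_open"] = fw.check(Packet(SERVER, 20, OIP, 50002, "in"))
    elif mode == "passive":
        # The client opens the data connection, so keep-state covers it.
        verdicts["data_open"] = fw.check(Packet(OIP, 50003, SERVER, 49152, "out"))
        verdicts["data_reply"] = fw.check(Packet(SERVER, 49152, OIP, 50003, "in"))
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return verdicts


if __name__ == "__main__":
    for m in ("active", "passive"):
        print(m, ftp_session(m))
```

The "data_open" verdict is the whole story: in active mode it is "deny" even though the control connection's reply was admitted by the dynamic rule, which is exactly the symptom of pwd working while ls and get hang.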
Regards,

Cy Schubert
Team Leader, Sun/DEC Team
Open Systems Group, ITSD, ISTA
Province of BC
Phone: (250)387-8437
Fax: (250)387-5766
Internet: Cy.Schubert@osg.gov.bc.ca

From owner-freebsd-security Tue Nov 28 16:12:53 2000
From: Kris Kennaway
Date: Tue, 28 Nov 2000 16:13:24 -0800
To: Henk Wevers
Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: FreeBSD hacked?
Message-ID: <20001128161324.A89746@citusc17.usc.edu>

On Tue, Nov 28, 2000 at 10:28:33PM +0100, Henk Wevers wrote:
>
> FreeBSD got a new Security Officer
>
> Nohican and {} would like to wish the new Security Officer (Kris) good luck
> on his new job. We are sure you will do a great job!
>
> Look at the bottom of http://freebsd.org.index.html

Yes, I can confirm this happened last night. We were immediately informed by those who did it including how it was achieved. The penetration mechanism was not a vulnerability in FreeBSD and was corrected immediately. While we don't believe that any malicious activity took place while the machine was compromised, we've taken steps to sanitize things anyway.

Kris

P.S. This kind of thing would have been better sent to security-officer.. for example, it's off-topic for -stable.

From owner-freebsd-security Tue Nov 28 16:45:50 2000
From: Stefano Riva
Date: Wed, 29 Nov 2000 01:47:16 +0100
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: FreeBSD hacked?
Message-Id: <3.0.5.32.20001129014716.009d3820@civetta.gufi.org>

At 16.13 28/11/00 -0800, you wrote:
>Yes, I can confirm this happened last night. We were immediately
>informed by those who did it including how it was achieved. The
>penetration mechanism was not a vulnerability in FreeBSD and was
>corrected immediately.

Could you give us some detail about the mechanism used?

---
Stefano Riva  sriva@gufi.org
Gruppo Utenti FreeBSD Italia  http://www.gufi.org/

From owner-freebsd-security Tue Nov 28 16:49:45 2000
From: "Thomas Beauchamp"
Date: Wed, 29 Nov 2000 00:49:34 -0000
Subject: RE: FreeBSD hacked?

PLEASE!

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Stefano Riva
Sent: Wednesday, November 29, 2000 12:47 AM
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: FreeBSD hacked?

At 16.13 28/11/00 -0800, you wrote:
>Yes, I can confirm this happened last night. We were immediately
>informed by those who did it including how it was achieved. The
>penetration mechanism was not a vulnerability in FreeBSD and was
>corrected immediately.

Could you give us some detail about the mechanism used?

---
Stefano Riva  sriva@gufi.org
Gruppo Utenti FreeBSD Italia  http://www.gufi.org/

From owner-freebsd-security Tue Nov 28 17:46:38 2000
From: "Jonathan M. Slivko"
Date: Tue, 28 Nov 2000 17:46:29 -0800 (PST)
To: Kris Kennaway
Cc: Henk Wevers
Subject: Re: FreeBSD hacked?

Apparently, it happened again.

-- Jonathan M. Slivko

On Tue, 28 Nov 2000, Kris Kennaway wrote:

> On Tue, Nov 28, 2000 at 10:28:33PM +0100, Henk Wevers wrote:
> >
> > FreeBSD got a new Security Officer
> >
> > Nohican and {} would like to wish the new Security Officer (Kris) good luck
> > on his new job. We are sure you will do a great job!
> >
> > Look at the bottom of http://freebsd.org.index.html
>
> Yes, I can confirm this happened last night. We were immediately
> informed by those who did it including how it was achieved. The
> penetration mechanism was not a vulnerability in FreeBSD and was
> corrected immediately. While we don't believe that any malicious
> activity took place while the machine was compromised, we've taken
> steps to sanitize things anyway.
>
> Kris
>
> P.S. This kind of thing would have been better sent to
> security-officer.. for example, it's off-topic for -stable.

From owner-freebsd-security Tue Nov 28 18:17:25 2000
From: "Jeroen C. van Gelderen"
Date: Tue, 28 Nov 2000 22:17:19 -0400
To: Niels Provos
Cc: Kris Kennaway, "Brian F. Feldman", security@FreeBSD.ORG
Subject: Re: OpenSSH 2.3.0 pre-upgrade
Message-ID: <3A24672F.5758FBF4@vangelderen.org>

Niels Provos wrote:
>
> In message <3A21954C.F9E9D25F@vangelderen.org>, "Jeroen C. van Gelderen" writes:
> >Or at a more basic level: Are cooked primes a problem in
> >this setting?[1] If not, you want to mention this as a
> >non-issue in the "Security Considerations" section. If
> >cooked primes are indeed a problem the protocol needs to
> >be enhanced to counter them. Either way, the draft needs
> >a couple of extra words IMHO.
>
> That is not an issue. You need to trust the server anyway. If you
> have any helpful wording that could be added to the draft, I will be
> more than happy to include it.

I'm still thinking about it, bear with me...

I was worried about cooked primes because it makes it easier to compromise an sshd without it ever being noticed. Disabling encryption or leaking information from the server are both easy to detect with -say- tcpdump. Installing a cooked prime OTOH is likely to go unnoticed forever as:

a. the protocol will seem to work correctly;
b. it's impossible (for all but the most trivial cases) to look at just the prime and detect whether it is cooked or not. (You need some assurance, see below.)

I thought that installing a cooked prime(s) is the kind of thing that a mole in one's organisation (or a disgruntled employee) would do without running the risk of ever getting caught :-)

Depending on your attack model and protocol design goals it is a vulnerability or a non-issue. If it's a non-issue I would mention just that in the "security considerations" section: "Cooked primes are deemed to be a non-issue, thanks."

If it is considered to be a vulnerability it would need to be dealt with in the protocol. One way of doing so is to mandate that primes are generated from a seed which is run through a hash. Servers would send the seed in addition to the prime. Clients could (if they chose to do so) verify that the received seed indeed expands to the prime the server sent:

    byte      SSH_MSG_KEX_DH_GEX_GROUP
    string    seed
    mpint     p, safe prime
    mpint     g, generator for subgroup in GF(p)

The seed could (should?) be optional. A paranoid client could refuse those primes that are not accompanied by a seed.

Am I being dense, overcomplicated or overly paranoid? (Yes, I am smoking crack, thanks...)

> >Anyway, my assumption that dh-group-exchange is non-standard
> >still holds as far as I can see so I'd still recommend not
> >enabling this feature by default for now.
>
> There are a couple of implementations besides OpenSSH that support it.
> Of course, you could still disable it, but you should think about it
> carefully.

Mea culpa, I really couldn't find any references to it but I only searched for a couple of minutes. I still think it's premature for our sshd to send out such packets given that it doesn't really add to security at this point in time.

> >What steps have to be taken to have this standardized? Is this
> >proposal being considered by the IETF secsh working group?
>
> We are working on it, it takes time though.

Red tape... I understand. Put it on openssh.com in the meantime?

Cheers,
Jeroen

--
Jeroen C. van Gelderen - jeroen@vangelderen.org
"It is not utopian to work for a society without taxation; it is utopian to think that the power to tax won't be abused once it is granted." -- Murray N. Rothbard (1926-1995)

From owner-freebsd-security Tue Nov 28 18:41:16 2000
From: Cy Schubert - ITSD Open Systems Group
To: thomas@noproblem.net
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?
Message-Id: <200011290240.eAT2e6d17225@cwsys.cwsent.com>
In-reply-to: Your message of "Wed, 29 Nov 2000 00:49:34 GMT."
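Jeroen's proposal in the OpenSSH thread above (send a seed alongside the group so a client can check that the seed really expands to the safe prime it received, and refuse a prime that arrives without one) as a worked example. This is an added illustration, not code from the thread and not OpenSSH's own implementation. The derivation (SHA-256 over seed and counter supplying the candidate bits, searching until a safe prime is found), the choice of g = 4 as the generator of the order-q subgroup, the dict standing in for the SSH_MSG_KEX_DH_GEX_GROUP packet, and the toy 64-bit group size (chosen so the example runs in well under a second; not a usable Diffie-Hellman size) are all assumptions made here.

```python
"""Seeded safe-prime derivation and client-side verification, as a worked
version of the check proposed in the thread: the server sends a seed with
the group, the client re-derives the prime from the seed and refuses a
group whose prime does not match (or that has no seed at all).

Added example; not code from the thread or from OpenSSH.  Assumptions:
candidate bits come from SHA-256(seed || counter), the search continues
until both q and p = 2q + 1 are prime, g = 4 (a square, so it generates
the subgroup of order q), and the group is a toy 64-bit one.
"""
import hashlib

# Miller-Rabin with these fixed bases is deterministic for n < 3.3e24,
# far above the toy sizes used here.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n below 3.3e24 (trial division first)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def derive_group(seed: bytes, bits: int = 64):
    """Expand seed deterministically into (p, g) with p a safe prime of
    exactly `bits` bits.  Anyone holding the seed reproduces the same group,
    which is what lets a client check that p was not hand-picked."""
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        q = int.from_bytes(digest, "big") >> (256 - (bits - 1))  # bits-1 bits
        q |= (1 << (bits - 2)) | 1          # force the top bit and oddness
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            g = pow(2, 2, p)                 # 4 = 2^2 lies in the order-q subgroup
            return p, g
        counter += 1


def server_group_message(seed: bytes) -> dict:
    """What the server would send: the seed travels with p and g."""
    p, g = derive_group(seed)
    return {"type": "SSH_MSG_KEX_DH_GEX_GROUP", "seed": seed, "p": p, "g": g}


def client_verify(msg: dict, require_seed: bool = True) -> bool:
    """Paranoid client: re-derive the group from the seed and compare, then
    check the structural properties independently of the derivation."""
    seed = msg.get("seed")
    if seed is None:
        return not require_seed              # no seed: refuse unless relaxed
    p, g = msg["p"], msg["g"]
    if derive_group(seed, p.bit_length()) != (p, g):
        return False                         # seed does not expand to this group
    q = (p - 1) // 2
    return is_prime(p) and is_prime(q) and 1 < g < p - 1 and pow(g, q, p) == 1


if __name__ == "__main__":
    message = server_group_message(b"constructed-seed")
    print("honest group accepted:", client_verify(message))
    cooked = dict(message, p=message["p"] + 2)   # a prime the seed does not produce
    print("substituted prime accepted:", client_verify(cooked))
```

The verification does two independent things: it re-runs the public derivation (so a substituted prime fails even if it is a perfectly good safe prime), and it checks p, q and g on their own (so a buggy or malicious derivation cannot be waved through by the seed alone). A client that sets require_seed to True implements the "refuse primes not accompanied by a seed" policy the message suggests.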
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 28 Nov 2000 18:39:20 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , "Thomas Beaucha mp" writes: > > PLEASE! > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Stefano Riva > Sent: Wednesday, November 29, 2000 12:47 AM > To: Kris Kennaway > Cc: security@freebsd.org > Subject: Re: FreeBSD hacked? > > > At 16.13 28/11/00 -0800, you wrote: > >Yes, I can confirm this happened last night. We were immediately > >informed by those who did it including how it was achieved. The > >penetration mechanism was not a vulnerability in FreeBSD and was > >corrected immediately. > > Could you give us some detail about the mechanism used? 5 will get you 10 that it's probably a CGI exploit. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 28 20:49:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from phalse.2600.com (phalse.2600.COM [216.66.24.2]) by hub.freebsd.org (Postfix) with ESMTP id 6C58C37B401 for ; Tue, 28 Nov 2000 20:49:13 -0800 (PST) Received: from localhost (localhost [[UNIX: localhost]]) by phalse.2600.com (8.8.8/8.8.8) with ESMTP id XAA17095 for ; Tue, 28 Nov 2000 23:49:09 -0500 (EST) Date: Tue, 28 Nov 2000 23:49:09 -0500 (EST) From: Dominick LaTrappe To: freebsd-security@freebsd.org Subject: filtering ipsec traffic Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It seems that, on the way in, ipfilter on FreeBSD gets packets before KAME does, and on the way out, after. 
This limits ipfilter to inspecting traffic from IPsec peers on on layer 3 only. Since I see no packet-filtering mechanism in KAME itself, this presents a severe limitation, namely that I must trust my IPsec peers enough for their traffic to bypass any layer-4 filters. Is there some way to give ipfilter two passes, pre-KAME and post-KAME? The even better fix, I suppose, would be to have 4 ipfilter rulesets instead of 2 -- pre-KAME in, pre-KAME out, post-KAME in, post-KAME out. In the mean time, I'm using tcpwrappers as a last-line-of-defense where I can, but it's not enough. ||| Dominick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 28 21:54:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 1F0F837B400 for ; Tue, 28 Nov 2000 21:54:29 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAT5t8694909; Tue, 28 Nov 2000 21:55:08 -0800 (PST) (envelope-from kris) Date: Tue, 28 Nov 2000 21:55:08 -0800 From: Kris Kennaway To: Stefano Riva Cc: security@FreeBSD.ORG Subject: Re: FreeBSD hacked? 
Message-ID: <20001128215508.A94876@citusc17.usc.edu> References: <20001128181642.M27042@speedy.gsinet> <20001128161324.A89746@citusc17.usc.edu> <3.0.5.32.20001129014716.009d3820@civetta.gufi.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="bp/iNruPH9dso1Pn" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3.0.5.32.20001129014716.009d3820@civetta.gufi.org>; from sriva@gufi.org on Wed, Nov 29, 2000 at 01:47:16AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --bp/iNruPH9dso1Pn Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Nov 29, 2000 at 01:47:16AM +0100, Stefano Riva wrote: > At 16.13 28/11/00 -0800, you wrote: > >Yes, I can confirm this happened last night. We were immediately > >informed by those who did it including how it was achieved. The > >penetration mechanism was not a vulnerability in FreeBSD and was > >corrected immediately. >=20 > Could you give us some detail about the mechanism used? Not at this time. I'll release more details in a few days once we've had time to look things over better. 
Kris --bp/iNruPH9dso1Pn Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjokmjsACgkQWry0BWjoQKW7OACg08rRQakS/Hm0J8kgwlAdw6Lj LccAoIbSIP6slRSmbABUG+38p94KZluP =AXGq -----END PGP SIGNATURE----- --bp/iNruPH9dso1Pn-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 28 22:44:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from smtp.agama.com (mx1.agama.com [195.239.248.3]) by hub.freebsd.org (Postfix) with ESMTP id 06E8337B404 for ; Tue, 28 Nov 2000 22:44:10 -0800 (PST) Received: from esp.agama.com (esp.agama.com [195.239.248.33]) by smtp.agama.com (8.11.0/8.11.0) with ESMTP id eAT6hoe90941; Wed, 29 Nov 2000 09:43:51 +0300 (MSK) Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: Date: Wed, 29 Nov 2000 09:43:50 +0300 (MSK) Organization: Agama AO From: Eugene Panenko To: Bosko Milekic Subject: Re: NMBCLUSTERS Cc: security@FreeBSD.ORG, Buliwyf McGraw Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 28-Nov-00 Bosko Milekic wrote: > > This is not normal if you are using a recent enough version of > FreeBSD. This is a usual thing for FreeBSD, even for 4.x ... > What version of FreeBSD are you using? > > If you are running 4.x and above and are seeing this, please enable > debugging and provide some debugging information... this would be very > much appreciated. > > On Tue, 28 Nov 2000, Buliwyf McGraw wrote: > >> >> This morning my server reboot alone... i check in the /var/log/messages >> and i found this: >> >> Nov 28 10:53:42 server /kernel: Out of mbuf clusters - adjust >> NMBCLUSTERS or increase maxusers! >> >> Anyone can explain me what is going on? 
>> especially about "NMBCLUSTERS" ??? >> >> Thanks a lot. >> >> ======================================================================= >> Buliwyf McGraw >> Administrador del Servidor Libertad >> Centro de Servicios de Informacion >> Universidad del Valle >> ======================================================================= > > Thanks, > Bosko Milekic > bmilekic@technokratis.com > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Regards, Eugene Panenko To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 28 23:10:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 1C8C737B400 for ; Tue, 28 Nov 2000 23:10:35 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 1411QF-0000OP-00; Wed, 29 Nov 2000 00:12:55 -0700 Message-ID: <3A24AC77.51EF28C@softweyr.com> Date: Wed, 29 Nov 2000 00:12:55 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Nate Williams Cc: Garrett Wollman , freebsd-security@FreeBSD.ORG Subject: Re: NATD: failed to write packet back (Permission denied) References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org> <20001126140033.E70192@149.211.6.64.reflexcom.com> <3A218C5B.9F677E51@FreeBSD.org> <200011270130.UAA88239@khavrinen.lcs.mit.edu> <3A221402.D88321D8@softweyr.com> <14882.49100.131730.989201@nomad.yogotech.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG 
Precedence: bulk X-Loop: FreeBSD.org Nate Williams wrote: > > > Since I have T-1 speeds coming into said basement, it is entirely likely > > that somebody may notice and attempt to hijack one or more of my machines > > to use in a DDOS attack. In fact, somebody already has tried. And failed. > > Only once? I'm scanned 3-4 times/day, and weekly get script kiddies > attempting to do remote exploits. I get scanned several times a day. I've only captured one dedicated attack attempt, using several known attacks on DNS, POP, and telnet. They didn't get far, but they did try. > Having been responsible for monitoring a box on the internet full-time > since '94, I can't imagine *NOT* using a firewall if you have a > full-time connection, static IP or not. Ditto. In fact, I work full-time building a firewall/router/server for "ordinary people". ;^) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 29 0:29: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from dns.comrax.com (dns.comrax.com [194.90.246.124]) by hub.freebsd.org (Postfix) with ESMTP id 3735637B401; Wed, 29 Nov 2000 00:29:00 -0800 (PST) Received: from NOOR (unknown [156.27.243.27]) by dns.comrax.com (Postfix) with SMTP id B6C4212C566; Wed, 29 Nov 2000 10:26:06 +0200 (IST) From: "Noor Dawod" To: "Kris Kennaway" , "Henk Wevers" Cc: , Subject: RE: FreeBSD hacked? 
Date: Wed, 29 Nov 2000 10:22:49 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal In-Reply-To: <20001128161324.A89746@citusc17.usc.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Kris and all, Since I'm amongst others that use FreeBSD as their chosen and trusted OS, I would like to know, if possible, how the system was compromised? Thanks in advance. Noor -----Original Message----- From: owner-freebsd-stable@FreeBSD.ORG [mailto:owner-freebsd-stable@FreeBSD.ORG]On Behalf Of Kris Kennaway Sent: Wednesday, November 29, 2000 2:13 AM To: Henk Wevers Cc: freebsd-security@FreeBSD.ORG; freebsd-stable@FreeBSD.ORG Subject: Re: FreeBSD hacked? On Tue, Nov 28, 2000 at 10:28:33PM +0100, Henk Wevers wrote: > > > > FreeBSD got a new Security Officer > > Nohican and {} would like to wish the new Security Officer (Kris) good luck > on his new job. We are sure you will do a great job! > > Look at the bottom of http://freebsd.org.index.html Yes, I can confirm this happened last night. We were immediately informed by those who did it including how it was achieved. The penetration mechanism was not a vulnerability in FreeBSD and was corrected immediately. While we don't believe that any malicious activity took place while the machine was compromised, we've taken steps to sanitize things anyway. Kris P.S. This kind of thing would have been better sent to security-officer..for example, it's off-topic for -stable. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 29 0:42:38 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 7072437B402; Wed, 29 Nov 2000 00:42:36 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAT8hHh97946; Wed, 29 Nov 2000 00:43:17 -0800 (PST) (envelope-from kris) Date: Wed, 29 Nov 2000 00:43:17 -0800 From: Kris Kennaway To: Noor Dawod Cc: Kris Kennaway , Henk Wevers , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD hacked? Message-ID: <20001129004317.A97873@citusc17.usc.edu> References: <20001128161324.A89746@citusc17.usc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="FL5UXtIhxfXey3p5" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from noor@comrax.com on Wed, Nov 29, 2000 at 10:22:49AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --FL5UXtIhxfXey3p5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Nov 29, 2000 at 10:22:49AM +0200, Noor Dawod wrote: > Hi Kris and all, >=20 > Since I'm amongst others that use FreeBSD as their chosen and trusted > OS, I would like to know, if possible, how the system was compromised? As I said in my earlier email, the means by which they gained access was not a vulnerability in FreeBSD and therefore does not affect other FreeBSD systems. I will release more information in a couple of days once we've had the chance to look things over more thoroughly. I know people are curious, but please just leave it for now.. 
Kris --FL5UXtIhxfXey3p5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjokwaUACgkQWry0BWjoQKX2pACfSq+5zwmlSBUQosVFV6Oqe0Nl qkUAn1GNiEu+Q3T92RcdWAPXroyneh5y =tcxm -----END PGP SIGNATURE----- --FL5UXtIhxfXey3p5-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 29 2:34:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailgw3.netvision.net.il (mailgw3.netvision.net.il [194.90.1.11]) by hub.freebsd.org (Postfix) with ESMTP id A48D237B401 for ; Wed, 29 Nov 2000 02:34:52 -0800 (PST) Received: from alchemy.oven.org (ras9-p162.hfa.netvision.net.il [62.0.104.162]) by mailgw3.netvision.net.il (8.9.3/8.9.3) with ESMTP id MAA20222 for ; Wed, 29 Nov 2000 12:33:49 +0200 (IST) Received: (from mapc@localhost) by alchemy.oven.org (8.11.1/8.11.1) id eATAYm574604; Wed, 29 Nov 2000 12:34:48 +0200 (IST) (envelope-from mapc) Date: Wed, 29 Nov 2000 12:34:48 +0200 From: Roman Shterenzon To: freebsd-security@freebsd.org Cc: "bash1 port maintainer "@alchemy.oven.org, "bash2 port maintainer "@alchemy.oven.org Subject: bash vulnerability Message-ID: <20001129123448.A74595@alchemy.oven.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, The bash seems vulnerable to the symlink attack as well: http://www.securityfocus.com/bid/2006 --Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. 
  Tel: +972-9-9522361 ]

From owner-freebsd-security Wed Nov 29 02:35:54 2000
From: Roman Shterenzon
Date: Wed, 29 Nov 2000 12:35:48 +0200
To: freebsd-security@freebsd.org
Cc: "bash1 port maintainer"@alchemy.oven.org
Subject: bash vulnerability
Message-ID: <20001129123448.A74595@alchemy.oven.org>

Hi,
bash seems vulnerable to the symlink attack as well:
http://www.securityfocus.com/bid/2006

Who is the maintainer of bash2 now? ache@freebsd.org seems unreachable..

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
  Tel: +972-9-9522361 ]

From owner-freebsd-security Wed Nov 29 02:36:25 2000
From: Roman Shterenzon
Date: Wed, 29 Nov 2000 12:36:19 +0200
To: freebsd-security@freebsd.org
Cc: obrien@freebsd.org, ache@freebsd.org
Subject: bash vulnerability
Message-ID: <20001129123448.A74595@alchemy.oven.org>

Hi,
bash seems vulnerable to the symlink attack as well:
http://www.securityfocus.com/bid/2006

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
  Tel: +972-9-9522361 ]

From owner-freebsd-security Wed Nov 29 02:49:43 2000
From: Roman Shterenzon
Date: Wed, 29 Nov 2000 12:49:25 +0200 (IST)
To: Nevermind
Subject: Re: bash vulnerability
In-Reply-To: <20001129124057.M17181@nevermind.kiev.ua>

On Wed, 29 Nov 2000, Nevermind wrote:

> Hello, Roman Shterenzon!
>
> On Wed, Nov 29, 2000 at 12:36:19PM +0200, you wrote:
>
> > Hi,
> > bash seems vulnerable to the symlink attack as well:
> > http://www.securityfocus.com/bid/2006
> Where have you seen bash or FreeBSD?

Installed from /usr/ports/shells/bash2 (or bash1).
I don't know if the shipping /bin/sh is vulnerable.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
  Tel: +972-9-9522361 ]

From owner-freebsd-security Wed Nov 29 06:05:09 2000
From: netch@carrier.kiev.ua (Valentin Nechayev)
Date: Wed, 29 Nov 2000 16:05:01 +0200 (EET)
To: freebsd-security@freebsd.org
Subject: Re: bash vulnerability
Message-Id: <200011291405.QBY10919@burka.carrier.kiev.ua>
User-Agent: tin/1.4.1-19991201 ("Polish") (UNIX) (FreeBSD/3.5-STABLE (i386))

>> > bash seems vulnerable to the symlink attack as well:
>> > http://www.securityfocus.com/bid/2006

Part of ktrace of bash-2.03 from port:

  9820 bash     CALL  open(0xbfbfd548,0xe01,0x180)
  9820 bash     NAMI  "/tmp/t9820-0-sh"
  9820 bash     RET   open 3

Here, O_EXCL|O_CREAT|O_TRUNC is seen => not vulnerable to symlink attack.
But later, it closes the file and reopens it:

  9820 bash     CALL  dup(0x3)
  9820 bash     RET   dup 4
  [...]
  9820 bash     CALL  write(0x4,0x811b00c,0x44)
  9820 bash     GIO   fd 4 wrote 68 bytes
       "Only root can create /etc/nologin. Do any boot-time scripts use sh? "
  9820 bash     RET   write 68/0x44
  9820 bash     CALL  close(0x4)
  9820 bash     RET   close 0
  9820 bash     CALL  close(0x3)
  9820 bash     RET   close 0
  9820 bash     CALL  open(0xbfbfd548,0,0x180)
  9820 bash     NAMI  "/tmp/t9820-0-sh"
  9820 bash     RET   open 3
  9820 bash     CALL  unlink(0xbfbfd548)
  9820 bash     NAMI  "/tmp/t9820-0-sh"
  9820 bash     RET   unlink 0

hence, the race condition exists when the file can be changed in these few
microseconds between close & open ;|

>> Where have you seen bash or FreeBSD?
RS> Installed from /usr/ports/shells/bash2 (or bash1).
RS> I don't know if the shipping /bin/sh is vulnerable.

No, it is not: it forks, and the child pipes the here-document to the parent.

/netch

From owner-freebsd-security Wed Nov 29 07:07:33 2000
From: Garrett Wollman
Date: Wed, 29 Nov 2000 10:07:27 -0500 (EST)
Message-Id: <200011291507.KAA16392@khavrinen.lcs.mit.edu>
To: Wes Peters
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
In-Reply-To: <3A24AC77.51EF28C@softweyr.com>

< said:
> I get scanned several times a day.

My networks (12 x /16) get scanned continuously for one thing or
another.[1]  Everyone who puts a machine on the network is required to
take responsibility for configuring it securely, and they know that
I'll cut them off at the first hint of trouble.  On my home machine, I
am perfectly capable of only configuring those services which I
actually need.

-GAWollman

[1] According to my ARP table, there are scans going on right now on
all but two of my networks.
The other two are probably also being scanned, but those networks are
subnetted and thus don't leave telltale traces in the ARP table.

From owner-freebsd-security Wed Nov 29 07:21:25 2000
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.2-RELEASE
Message-Id: <200011291519.eATFJSN20826@cwsys.cwsent.com>
To: Dominick LaTrappe
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: filtering ipsec traffic
In-reply-to: Your message of "Tue, 28 Nov 2000 23:49:09 EST."
Date: Wed, 29 Nov 2000 07:19:25 -0800

In message , Dominick LaTrappe writes:
> It seems that, on the way in, ipfilter on FreeBSD gets packets before KAME
> does, and on the way out, after.  This limits ipfilter to inspecting
> traffic from IPsec peers on layer 3 only.  Since I see no
> packet-filtering mechanism in KAME itself, this presents a severe
> limitation, namely that I must trust my IPsec peers enough for their
> traffic to bypass any layer-4 filters.
>
> Is there some way to give ipfilter two passes, pre-KAME and post-KAME?
> The even better fix, I suppose, would be to have 4 ipfilter rulesets
> instead of 2 -- pre-KAME in, pre-KAME out, post-KAME in, post-KAME out.
>
> In the mean time, I'm using tcpwrappers as a last-line-of-defense where I
> can, but it's not enough.

Looking at the source, I don't see any references to IPFW either, meaning
this is not a simple copy-the-code change.  One option would be to set up
a point-to-point IPSec tunnel between the two gateways, then use an IP
tunnel within it.  Alternatively you could use pipsecd, which sets up an
IPSec tunnel and defines a tun interface, which can be filtered using
IP Filter or IPFW.
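The ktrace that Valentin Nechayev posted earlier in this thread shows bash-2.03 creating its here-document file with O_CREAT|O_EXCL, closing it, and then opening the same name a second time. The C below is an added example written for this archive; it is not code from the thread, from bash or from FreeBSD. heredoc_fd() keeps the descriptor it created and never goes back through the name, and reopen_verified() is the check a program that must reopen by name can make (O_NOFOLLOW plus an fstat comparison against the descriptor it created). It assumes a POSIX system with mkstemp(3), fstat(2) and O_NOFOLLOW; the function names and the /tmp/heredoc-XXXXXX template are my own, and reopen_check_demo() constructs its own test files.

```c
/* Added example for this archive, not code from the thread, from bash or
 * from FreeBSD.  Assumes a POSIX system with mkstemp(3), fstat(2) and
 * O_NOFOLLOW; function names and the /tmp template are my own. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Safe pattern: mkstemp creates with O_CREAT|O_EXCL and mode 0600; unlink
 * the name at once, write the text, rewind the SAME descriptor.  The path
 * is never opened a second time, so the close-then-open window in the
 * trace does not exist.  Returns an fd positioned at the text, or -1. */
int heredoc_fd(const char *text)
{
    char path[] = "/tmp/heredoc-XXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                           /* name gone; data stays on fd */
    for (size_t left = strlen(text); left > 0; ) {
        ssize_t n = write(fd, text, left);  /* write(2) may be short */
        if (n <= 0) { close(fd); return -1; }
        text += n;
        left -= (size_t)n;
    }
    if (lseek(fd, 0, SEEK_SET) != 0) { close(fd); return -1; }
    return fd;
}

/* Round trip: push text through heredoc_fd and read it back from the fd it
 * returns.  Returns the byte count when the text matches, otherwise -1. */
int heredoc_roundtrip(const char *text)
{
    char buf[256];
    size_t used = 0;
    ssize_t n = 0;
    int fd = heredoc_fd(text);
    if (fd < 0)
        return -1;
    while (used + 1 < sizeof buf
           && (n = read(fd, buf + used, sizeof buf - used - 1)) > 0)
        used += (size_t)n;
    close(fd);
    buf[used] = '\0';
    return (n >= 0 && strcmp(buf, text) == 0) ? (int)used : -1;
}

/* Check for code that, like bash-2.03 in the trace, does go back through
 * the name: O_NOFOLLOW refuses a symlink at the path, and fstat must show
 * the very inode created earlier, a regular file with one link owned by
 * the caller.  Returns the new fd, or -1 if the path no longer names it. */
int reopen_verified(const char *path, int created_fd)
{
    struct stat orig, now;
    if (fstat(created_fd, &orig) < 0)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &now) < 0
        || now.st_dev != orig.st_dev || now.st_ino != orig.st_ino
        || !S_ISREG(now.st_mode) || now.st_nlink != 1
        || now.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Exercise reopen_verified.  replace_name == 0: the path is left alone and
 * the reopen must succeed.  replace_name != 0: a different regular file is
 * put at the path first (unlink + O_EXCL create, constructed here to stand
 * for any change to the name inside the window) and the reopen must be
 * refused.  Returns 1 when the check behaved as expected, 0 if it did not,
 * -1 on setup failure. */
int reopen_check_demo(int replace_name)
{
    char path[] = "/tmp/heredoc-XXXXXX";
    int other = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (replace_name) {
        unlink(path);
        other = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (other < 0) { close(fd); return -1; }
    }
    int again = reopen_verified(path, fd);
    int as_expected = replace_name ? (again < 0) : (again >= 0);
    if (again >= 0)
        close(again);
    if (other >= 0)
        close(other);
    close(fd);
    unlink(path);
    return as_expected;
}
```

Both reopen_check_demo(0) and reopen_check_demo(1) return 1 when the check works as intended. The inode comparison is the part that matters: while the original descriptor is still open its inode cannot be reused, so anything else that appears under the same name during the close-then-open window fails the st_dev/st_ino test, and O_NOFOLLOW covers the case where the name has become a symlink.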
Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Nov 29 07:38:08 2000
From: Peter
Date: Wed, 29 Nov 2000 08:37:05 -0700 (MST)
To: Stefano Riva
Cc: Kris Kennaway,
Subject: Re: FreeBSD hacked?
In-Reply-To: <3.0.5.32.20001129014716.009d3820@civetta.gufi.org>

For the interested, and the ones that have never seen that hacked page, can
you give us details of what exactly was at the bottom?  Or can I go check
it out @ attrition.org ?

**Random Fortune for this instance of pine**
Buzz off, Banana Nose; Relieve mine eyes
Of hateful soreness, purge mine ears of corn;
Less dear than army ants in apple pies
Art thou, old prune-face, with thy chestnuts worn,
Dropt from thy peeling lips like lousy fruit;
Like honeybees upon the perfum'd rose
They suck, and like the double-breasted suit
Are out of date; therefore, Banana Nose,
Go fly a kite, thy welcome's overstayed;
And stem the produce of thy waspish wits:
Thy logick, like thy locks, is disarrayed;
Thy cheer, like thy complexion, is the pits.
Be off, I say; go bug somebody new,
Scram, beat it, get thee hence, and nuts to you.

--- www.nul.cjb.net --- The Power to Crash!
--- www.FreeBSD.org --- The Power to Serve!
On Wed, 29 Nov 2000, Stefano Riva wrote:

> At 16.13 28/11/00 -0800, you wrote:
> >Yes, I can confirm this happened last night.  We were immediately
> >informed by those who did it including how it was achieved.  The
> >penetration mechanism was not a vulnerability in FreeBSD and was
> >corrected immediately.
>
> Could you give us some detail about the mechanism used?
>
> ---
>
> Stefano Riva
> sriva@gufi.org
> Gruppo Utenti FreeBSD Italia
> http://www.gufi.org/

From owner-freebsd-security Wed Nov 29 08:11:43 2000
From: Kris Kennaway
Date: Wed, 29 Nov 2000 08:12:18 -0800
To: Peter
Cc: Stefano Riva, Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?
Message-ID: <20001129081218.A5361@citusc17.usc.edu>
References: <3.0.5.32.20001129014716.009d3820@civetta.gufi.org>
In-Reply-To: ; from peterk@americanisp.net on Wed, Nov 29, 2000 at 08:37:05AM -0700

On Wed, Nov 29, 2000 at 08:37:05AM -0700, Peter wrote:
>
> For the interested, and the ones that have never seen that hacked page,
> can you give us details of what exactly was at the bottom?  Or can I go
> check it out @ attrition.org ?

It was already posted.  Like I said, it was not a major penetration; we've
been working with the guys involved for another problem, and every
indication is that all they did was to add a friendly message to the main
webpage (which they told us about).
Kris

From owner-freebsd-security Wed Nov 29 08:14:08 2000
From: Kris Kennaway
Date: Wed, 29 Nov 2000 08:14:27 -0800
To: Roman Shterenzon
Cc: Nevermind, freebsd-security@FreeBSD.ORG
Subject: Re: bash vulnerability
Message-ID: <20001129081426.A5498@citusc17.usc.edu>
References: <20001129124057.M17181@nevermind.kiev.ua>
In-Reply-To: ; from roman@xpert.com on Wed, Nov 29, 2000 at 12:49:25PM +0200

On Wed, Nov 29, 2000 at 12:49:25PM +0200, Roman Shterenzon wrote:
> On Wed, 29 Nov 2000, Nevermind wrote:
>
> > Hello, Roman Shterenzon!
> >
> > On Wed, Nov 29, 2000 at 12:36:19PM +0200, you wrote:
> >
> > > Hi,
> > > bash seems vulnerable to the symlink attack as well:
> > > http://www.securityfocus.com/bid/2006
> > Where have you seen bash or FreeBSD?
>
> Installed from /usr/ports/shells/bash2 (or bash1).

Is it bash2 as well?  I've only seen bash1 reported on bugtraq.

> I don't know if the shipping /bin/sh is vulnerable.

It's not.

Kris

From owner-freebsd-security Wed Nov 29 09:19:35 2000
From: Wes Peters
Organization: Softweyr LLC
Date: Wed, 29 Nov 2000 10:17:56 -0700
Message-ID: <3A253A44.D7EA9113@softweyr.com>
To: Garrett Wollman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
In-Reply-To: <200011291507.KAA16392@khavrinen.lcs.mit.edu>
Garrett Wollman wrote:
>
> < said:
>
> > I get scanned several times a day.
>
> My networks (12 x /16) get scanned continuously for one thing or
> another.[1]  Everyone who puts a machine on the network is required to
> take responsibility for configuring it securely, and they know that
> I'll cut them off at the first hint of trouble.  On my home machine, I
> am perfectly capable of only configuring those services which I
> actually need.

But you keep saying "on my home machine" and seem to insist that having
a single machine on the internet at home is somehow normal.  It's not,
and it's becoming less normal at a rapid pace.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Wed Nov 29 10:02:29 2000
From: Garrett Wollman
Date: Wed, 29 Nov 2000 13:02:12 -0500 (EST)
Message-Id: <200011291802.NAA17650@khavrinen.lcs.mit.edu>
To: Wes Peters
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
In-Reply-To: <3A253A44.D7EA9113@softweyr.com>
< said:
> But you keep saying "on my home machine" and seem to insist that having
> a single machine on the internet at home is somehow normal.

To a large fraction of the world's population, having a ``home
machine'' of any kind is out of the ordinary.  Most of the people who
have net access today have only one computer.

In any case, the actual number doesn't make much difference -- the
same argument (that you are perfectly capable of setting up your
machines securely) still holds.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                 - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Nov 29 10:39:11 2000
From: Reverend K Kanno
Date: Wed, 29 Nov 2000 12:39:05 -0600 (CST)
To: freebsd-security@freebsd.org

subscribe sysadmin@freebsd.org
From owner-freebsd-security Wed Nov 29 11:22:08 2000
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Wed, 29 Nov 2000 12:21:48 -0700 (MST)
Message-ID: <14885.22348.875384.616155@nomad.yogotech.com>
To: Garrett Wollman
Cc: Wes Peters, freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
In-Reply-To: <200011291802.NAA17650@khavrinen.lcs.mit.edu>

> > But you keep saying "on my home machine" and seem to insist that having
> > a single
> > machine on the internet at home is somehow normal.
>
> To a large fraction of the world's population, having a ``home
> machine'' of any kind is out of the ordinary.  Most of the people who
> have net access today have only one computer.
>
> In any case, the actual number doesn't make much difference -- the
> same argument (that you are perfectly capable of setting up your
> machines securely) still holds.

And it involves installing a firewall on it, in case your configuration
isn't as secure as you'd like it to be.  (Because of forgetfulness, lack
of information, etc...)

Many, many, many home users now have 'full-time' connections to the
internet, which means that accidental misconfigurations can easily be
prevented by using a simple firewall ruleset, such as the one that comes
'out of the box' with FreeBSD today.

Nate

From owner-freebsd-security Wed Nov 29 12:16:16 2000
From: Gerhard Sittig
Organization: System Defenestrators Inc.
Date: Wed, 29 Nov 2000 18:57:52 +0100
To: freebsd-security@freebsd.org
Subject: Re: filtering ipsec traffic
Message-ID: <20001129185752.O27042@speedy.gsinet>
Mail-Followup-To: freebsd-security@freebsd.org
In-Reply-To: ; from seraf@2600.COM on Tue, Nov 28, 2000 at 11:49:09PM -0500
On Tue, Nov 28, 2000 at 23:49 -0500, Dominick LaTrappe wrote:
>
> It seems that, on the way in, ipfilter on FreeBSD gets packets
> before KAME does, and on the way out, after.  This limits
> ipfilter to inspecting traffic from IPsec peers on layer 3
> only. [ ... ] Is there some way to give ipfilter two passes,
> pre-KAME and post-KAME?  The even better fix, I suppose, would
> be to have 4 ipfilter rulesets instead of 2 -- pre-KAME in,
> pre-KAME out, post-KAME in, post-KAME out.

Am I wrong thinking that one already has these four hooks available?
(Sorry, I haven't toyed with IPsec yet.)  AFAIK it's as follows:

- Your IPsec traffic comes in on tun0 or whatever your external
  interface is called
- it then runs through the IPsec code (which you refer to as "KAME"
  in the above, I guess) and turns into "regular" IPv4 packets
- which leave the machine (or go into localhost applications) via
  the enc0 interface

And the way out is similar with a chain of
  app -> enc0 -> IPsec -> tun0 -> wire

Please tell me if I'm wrong.  I'm looking forward to learning new
things which are helpful for future projects. :)


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
From owner-freebsd-security Wed Nov 29 12:22:58 2000
From: ALAOUI EL HASSANI ALI <961BE653994@stud.alakhawayn.ma>
Date: Wed, 29 Nov 2000 20:16:27 +0000 (GMT)
To: Gerhard Sittig
Cc: freebsd-security@FreeBSD.ORG
Subject: Question Concerning IPSEC
In-Reply-To: <20001129185752.O27042@speedy.gsinet>

Dear all,

I worked with IPsec in one of my security projects.  My question is: is
IPsec the only way of securing traffic over IP, or are there other
standards?
Best Regards,
Ali

From owner-freebsd-security Wed Nov 29 14:15:53 2000
From: Dominick LaTrappe
Date: Wed, 29 Nov 2000 17:11:57 -0500 (EST)
To: Gerhard Sittig
Cc: freebsd-security@freebsd.org
Subject: Re: filtering ipsec traffic
In-Reply-To: <20001129185752.O27042@speedy.gsinet>

On Wed, 29 Nov 2000 18:57:52 +0100, Gerhard Sittig wrote:
> AFAIK it's as follows:
> - Your IPsec traffic comes in on tun0 or whatever your external
>   interface is called
> - it then runs through the IPsec code (which you refer to as
>   "KAME" in the above, I guess) and turns into "regular" IPv4
>   packets
> - which leave the machine (or go into localhost applications) via
>   the enc0 interface

From what I've gathered so far, it seems like giving ipfilter/ipfw a pass
over an 'unwrapped' (de-esp'd and/or de-ah'd and/or de-ipcomp'd) packet is
only possible by having that unwrapped packet enter another interface.  I
think that's what's going on in your scenario (though I'm not familiar with
the 'enc' interface), and in Cy Schubert's solutions (earlier in this
thread).

These are all solutions, but it's unfortunate that one of the most basic
KAME setups -- using transport mode on individual hosts -- still has the
problem.  I wonder if it would be wise to reverse the order of things in
the IP stack, so that ipfilter/ipfw always sees packets in their unwrapped
form.
To use the ipfilter example, this removes the ability to filter "proto ah"
and "proto esp", but those filters (mainly used to decide "with whom do I
speak IPsec?") can be easily incorporated into KAME.  It would certainly
be easier than the OpenBSD/FreeSWAN solution, which is to work lots of
packet-filtering functionality into the IPsec code itself.

Can anyone think of a reason why this would be really undesirable?

||| Dominick

From owner-freebsd-security Wed Nov 29 15:00:49 2000
From: Wayne F Davis
Date: Wed, 29 Nov 2000 18:00:45 -0500 (EST)
To: freebsd-security@freebsd.org
Subject: IPsec interoperability with Windows 2000

Hi,

I need to get IPsec set up between some Windows boxes and a FreeBSD
server.  I have IPsec going between the Windows boxes and I configured
IPsec on the server, however it's not working properly.  Win2k's IP
Security Monitor shows a lot of Bad SPI Packets and the Windows box
cannot talk to the FreeBSD box.
Here's my setup on FreeBSD:

add 192.168.0.1 192.168.0.2 esp 9876 -E 3des-cbc "blahblahblahblahblahblah";
add 192.168.0.2 192.168.0.1 esp 10000 -E 3des-cbc "blahblahblahblahblahblah";
add 192.168.0.1 192.168.0.2 ah 9877 -A hmac-md5 "blahblahblahblah";
add 192.168.0.2 192.168.0.1 ah 10001 -A hmac-md5 "blahblahblahblah";
spdadd 192.168.0.1 192.168.0.2 any -P out ipsec esp/transport//use ah/transport//use;

My setup on Win2k:

All IP Traffic
Request Security
Auth Method Preshared Key: blahblahblahblah

So, I'm wondering if anyone has set up IPsec between FreeBSD and Win2k.
I'd appreciate any comments.

Thanks.

Wayne Davis - wfdavis@seas.upenn.edu

From owner-freebsd-security Wed Nov 29 16:21:56 2000
From: Bosko Milekic
To: Eugene Panenko
Cc: security@FreeBSD.ORG, Buliwyf McGraw
Date: Wed, 29 Nov 2000 19:21:13 -0500 (EST)
Subject: Re: NMBCLUSTERS

On Wed, 29 Nov 2000, Eugene Panenko wrote:

>
> On 28-Nov-00 Bosko Milekic wrote:
> >
> > This is not normal if you are using a recent enough version of
> > FreeBSD.
> This is a usual thing for FreeBSD, even for 4.x ...

No, it isn't. In RELENG_4, m_mballoc_wait() appeared, at least
definitely since version 1.51 of uipc_mbuf.c which is dated Dec 28, 1999.
If you're seeing _related_ panics in RELENG_4, then you should let us
know, with proper debugging information, so that we can fix it.

> --
> Regards,
> Eugene Panenko

Regards,
Bosko Milekic
bmilekic@technokratis.com

From owner-freebsd-security Wed Nov 29 17:23:52 2000
From: "Jonathan M. Slivko"
To: freebsd-security@freebsd.org
Cc: freebsd-isp@freebsd.org
Date: Wed, 29 Nov 2000 18:23:54 -0700 (MST)
Subject: Danger Ports

Can someone tell me what are the "danger" ports on FreeBSD, ports that
perhaps need to be blocked because they are insecure? I would like to know
so in the future, I can prevent outside attacks and concentrate more on
internal attacks, or "insider jobs" as they're called.

----
Jonathan M. Slivko
Technical Support, CoreSync Corporation (http://www.coresync.net)
Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
Pager/Voicemail: (917) 388-5304
----

From owner-freebsd-security Wed Nov 29 18:04:40 2000
From: "John Howie"
To: "Jonathan M. Slivko"
Date: Wed, 29 Nov 2000 18:11:15 -0800
Subject: Re: Danger Ports
Message-ID: <013b01c05a72$d1f96d10$fd01a8c0@pacbell.net>

Jonathan,

Rather than denying access to certain ports on your system, and allowing
access to the rest, you might find it easier to think in the reverse - What
ports do I need to leave open to outside (presumably Internet) users?

The answer to that question depends on the needs of your outside users. You
will probably need to allow SSH access, and I would suggest that you get
users to use SCP instead of FTP (unless you have a public FTP site that
allows anonymous connections). You might also need to open up access to SMTP
and POP3 services for mail (while ensuring that your site can't be used as a
mail relay). DNS is another service that you might need to provide access
to.

If users need access to so-called dangerous services such as X, printer,
NFS, NIS, SNMP, etc. then I would look for a VPN solution that brings them
into your network through the firewall and allows them to access these
services as an internal user.

O'Reilly does a good book on Firewall Security, I suggest that you get it
and have a read. CERT also has a good document on packet filtering
(http://www.cert.org). Also, check the FreeBSD handbook or The Complete
FreeBSD for more information about setting up firewalls on FreeBSD systems.

Hope this helps,

john...

----- Original Message -----
From: "Jonathan M. Slivko" <jon_slivko@simphost.com>
To: <freebsd-security@freebsd.org>
Cc: <freebsd-isp@freebsd.org>
Sent: Wednesday, November 29, 2000 5:23 PM
Subject: Danger Ports


> Can someone tell me what are the "danger" ports on FreeBSD, ports that
> perhaps need to be blocked because they are insecure? I would like to know
> so in the future, I can prevent outside attacks and concentrate more on
> internal attacks, or "insider jobs" as they're called.
>
> ----
> Jonathan M. Slivko
> Technical Support, CoreSync Corporation (http://www.coresync.net)
> Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> Pager/Voicemail: (917) 388-5304
> ----

From owner-freebsd-security Wed Nov 29 18:08:05 2000
From: "Jonathan M. Slivko"
To: John Howie
Cc: freebsd-security@freebsd.org, freebsd-isp@freebsd.org
Date: Wed, 29 Nov 2000 19:08:09 -0700 (MST)
Subject: Re: Danger Ports
In-Reply-To: <013b01c05a72$d1f96d10$fd01a8c0@pacbell.net>

I am referring to the Back Orifice, Trinoo server ports, etc. Where can I
get my hands on a list of those port #'s? or are there any utilities that
act as those servers and log all attempts in hopes of catching those users
who will no doubt try and take advantage of an open system?

----
Jonathan M. Slivko
Technical Support, CoreSync Corporation (http://www.coresync.net)
Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
Pager/Voicemail: (917) 388-5304
----

On Wed, 29 Nov 2000, John Howie wrote:

> Jonathan,
>
> Rather than denying access to certain ports on your system, and allowing
> access to the rest, you might find it easier to think in the reverse - What
> ports do I need to leave open to outside (presumably Internet) users?
>
> The answer to that question depends on the needs of your outside users. You
> will probably need to allow SSH access, and I would suggest that you get
> users to use SCP instead of FTP (unless you have a public FTP site that
> allows anonymous connections). You might also need to open up access to SMTP
> and POP3 services for mail (while ensuring that your site can't be used as a
> mail relay). DNS is another service that you might need to provide access
> to.
>
> If users need access to so-called dangerous services such as X, printer,
> NFS, NIS, SNMP, etc. then I would look for a VPN solution that brings them
> into your network through the firewall and allows them to access these
> services as an internal user.
>
> O'Reilly does a good book on Firewall Security, I suggest that you get it
> and have a read. CERT also has a good document on packet filtering
> (http://www.cert.org).
> Also, check the FreeBSD handbook or The Complete
> FreeBSD for more information about setting up firewalls on FreeBSD systems.
>
> Hope this helps,
>
> john...
>
> ----- Original Message -----
> From: "Jonathan M. Slivko" <jon_slivko@simphost.com>
> To: <freebsd-security@freebsd.org>
> Cc: <freebsd-isp@freebsd.org>
> Sent: Wednesday, November 29, 2000 5:23 PM
> Subject: Danger Ports
>
>
> > Can someone tell me what are the "danger" ports on FreeBSD, ports that
> > perhaps need to be blocked because they are insecure? I would like to know
> > so in the future, I can prevent outside attacks and concentrate more on
> > internal attacks, or "insider jobs" as they're called.
> >
> > ----
> > Jonathan M. Slivko
> > Technical Support, CoreSync Corporation (http://www.coresync.net)
> > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> > Pager/Voicemail: (917) 388-5304
> > ----

From owner-freebsd-security Wed Nov 29 19:01:18 2000
From: "John Howie"
To: "Jonathan M. Slivko"
Date: Wed, 29 Nov 2000 19:07:20 -0800
Subject: Re: Danger Ports
Message-ID: <016801c05a7a$a7bac8c0$fd01a8c0@pacbell.net>

Jonathan,

My apologies - I see what you are after now. Yes, there is a list
floating around, but I usually head over to SANS and get theirs:

http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

You will see that it is extensive!

Regarding your followup on dummy applications acting as these rogue
services/daemons I think you are after a Honeypot. There are a couple but
I'll need to check out the details as I don't have them off the top of my
head. Depending on the level of sophistication you are after it might just
be easier to have your firewall log any attempt to access one of the ports
that you are interested in and deny access.

Hope this helps,

john...

----- Original Message -----
From: "Jonathan M. Slivko" <jon_slivko@simphost.com>
To: "John Howie" <JHowie@msn.com>
Cc: <freebsd-security@freebsd.org>; <freebsd-isp@freebsd.org>
Sent: Wednesday, November 29, 2000 6:08 PM
Subject: Re: Danger Ports


> I am referring to the Back Orifice, Trinoo server ports, etc. Where can I
> get my hands on a list of those port #'s? or are there any utilities that
> act as those servers and log all attempts in hopes of catching those users
> who will no doubt try and take advantage of an open system?
>
> ----
> Jonathan M. Slivko
> Technical Support, CoreSync Corporation (http://www.coresync.net)
> Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> Pager/Voicemail: (917) 388-5304
> ----
>
> On Wed, 29 Nov 2000, John Howie wrote:
>
> > Jonathan,
> >
> > Rather than denying access to certain ports on your system, and allowing
> > access to the rest, you might find it easier to think in the reverse - What
> > ports do I need to leave open to outside (presumably Internet) users?
> >
> > The answer to that question depends on the needs of your outside users. You
> > will probably need to allow SSH access, and I would suggest that you get
> > users to use SCP instead of FTP (unless you have a public FTP site that
> > allows anonymous connections). You might also need to open up access to SMTP
> > and POP3 services for mail (while ensuring that your site can't be used as a
> > mail relay). DNS is another service that you might need to provide access
> > to.
> >
> > If users need access to so-called dangerous services such as X, printer,
> > NFS, NIS, SNMP, etc. then I would look for a VPN solution that brings them
> > into your network through the firewall and allows them to access these
> > services as an internal user.
> >
> > O'Reilly does a good book on Firewall Security, I suggest that you get it
> > and have a read. CERT also has a good document on packet filtering
> > (http://www.cert.org). Also, check the FreeBSD handbook or The Complete
> > FreeBSD for more information about setting up firewalls on FreeBSD systems.
> >
> > Hope this helps,
> >
> > john...
> >
> > ----- Original Message -----
> > From: "Jonathan M. Slivko" <jon_slivko@simphost.com>
> > To: <freebsd-security@freebsd.org>
> > Cc: <freebsd-isp@freebsd.org>
> > Sent: Wednesday, November 29, 2000 5:23 PM
> > Subject: Danger Ports
> >
> >
> > > Can someone tell me what are the "danger" ports on FreeBSD, ports that
> > > perhaps need to be blocked because they are insecure? I would like to know
> > > so in the future, I can prevent outside attacks and concentrate more on
> > > internal attacks, or "insider jobs" as they're called.
> > >
> > > ----
> > > Jonathan M. Slivko
> > > Technical Support, CoreSync Corporation (http://www.coresync.net)
> > > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> > > Pager/Voicemail: (917) 388-5304
> > > ----
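John Howie's suggestion above is to have the firewall log and deny attempts on the ports you care about. The script below shows what you would then do with those log lines. It is an added example, not code from this thread or from any of its authors: it parses ipfw(8) log entries, counts inbound packets to a small watched-port table per source, and flags sources that touch several watched ports in one go, which reads as a sweep rather than a stray packet. The log lines are constructed (RFC 5737 documentation addresses), the port table is illustrative and takes its labels from the ports named in this thread, and the line layout assumed is the FreeBSD 4.x form "ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <if>".

```python
"""Summarize denied attempts on watched ports from ipfw(8) log lines.

Added example; not code from the mailing-list thread. Sample log lines and
the watched-port table are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Ports named in the thread (Back Orifice 31337, NetBus 12345/12346) plus the
# NetBIOS session port. Labels are illustrative, not an authoritative list.
WATCHED_PORTS = {
    31337: "Back Orifice",
    12345: "NetBus",
    12346: "NetBus",
    139: "NetBIOS session",
}

# One ipfw log line as the kernel hands it to syslog (FreeBSD 4.x wording):
#   ... ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <if>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return the fields of a TCP/UDP ipfw log line as a dict, or None."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines, watched=WATCHED_PORTS, threshold=3):
    """Count inbound packets to watched ports per (source, port).

    Returns (hits, noisy): hits maps (src, dport) -> packet count; noisy is
    the set of sources that touched at least `threshold` distinct watched
    ports, which looks like a sweep rather than a single stray packet.
    Outbound lines and unwatched ports are ignored.
    """
    hits = Counter()
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["dir"] != "in" or rec["dport"] not in watched:
            continue
        hits[(rec["src"], rec["dport"])] += 1
        ports_by_src[rec["src"]].add(rec["dport"])
    noisy = {src for src, ports in ports_by_src.items() if len(ports) >= threshold}
    return hits, noisy


# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
Nov 29 19:21:13 gw /kernel: ipfw: 300 Deny TCP 198.51.100.7:4321 192.0.2.10:31337 in via fxp0
Nov 29 19:21:14 gw /kernel: ipfw: 300 Deny UDP 198.51.100.7:4321 192.0.2.10:31337 in via fxp0
Nov 29 19:21:15 gw /kernel: ipfw: 310 Deny TCP 198.51.100.7:4322 192.0.2.10:12345 in via fxp0
Nov 29 19:21:16 gw /kernel: ipfw: 320 Deny TCP 198.51.100.7:4323 192.0.2.10:139 in via fxp0
Nov 29 19:22:01 gw /kernel: ipfw: 310 Deny TCP 203.0.113.9:1025 192.0.2.10:12345 in via fxp0
Nov 29 19:22:05 gw /kernel: ipfw: 400 Accept TCP 203.0.113.9:1026 192.0.2.10:22 in via fxp0
Nov 29 19:22:06 gw /kernel: ipfw: 500 Deny TCP 192.0.2.10:1234 203.0.113.9:31337 out via fxp0
""".splitlines()


def report(lines=SAMPLE_LOG):
    """Print a per-source summary and return what summarize() computed."""
    hits, noisy = summarize(lines)
    for (src, port), n in sorted(hits.items()):
        print(f"{src:>15} -> {port:<5} {WATCHED_PORTS[port]:<16} {n} packet(s)")
    for src in sorted(noisy):
        touched = len({p for (s, p) in hits if s == src})
        print(f"{src}: hit {touched} watched ports, likely a sweep")
    return hits, noisy


if __name__ == "__main__":
    report()
```

Point it at the real file (on FreeBSD 4.x the ipfw log lines usually land in /var/log/security through syslog) by passing the file's lines to summarize(). The outbound line in the sample is there deliberately: a packet leaving your own host towards port 31337 is a different kind of event and should not be counted as an inbound probe.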
From owner-freebsd-security Wed Nov 29 19:01:58 2000
From: Dru
To: "Jonathan M. Slivko"
Cc: John Howie, freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Date: Wed, 29 Nov 2000 22:08:14 -0500 (EST)
Subject: Re: Danger Ports

On Wed, 29 Nov 2000, Jonathan M. Slivko wrote:

> I am referring to the Back Orifice, Trinoo server ports, etc. Where can I
> get my hands on a list of those port #'s? or are there any utilities that
> act as those servers and log all attempts in hopes of catching those users
> who will no doubt try and take advantage of an open system?

Hi Jonathan,

These aren't FreeBSD specific, but here are my favourite links for port #s
and things to look out for:

http://www.robertgraham.com/pubs/firewall-seen.html
http://nethog.net/feeds/niteryder/trojans.htm
http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html
http://www.portsdb.org/bin/portsdb.cgi

These might get you started.
Cheers,
Dru

From owner-freebsd-security Wed Nov 29 19:51:52 2000
From: garya@bea.com (Gary Aitken)
Organization: BEA WebXpress
To: freebsd-security@freebsd.org
Date: Wed, 29 Nov 2000 20:47:38 -0700
Subject: /etc/passwd upgrade
Message-ID: <3A25CDDA.EBF3BC48@beasys.com>

I'm installing a clean version of 4.1 and would like to maintain the
passwords from a 2.1 version. The 4.1 version has 128 bit encryption,
and I suspect this is the reason the encrypted password field is larger.

So... Is there any way to take the entries from an old 2.1 low-strength
passwd file and munge them into the high-strength one?

Tell me to go away if this is a stupid question...

Thanks.
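Gary's question turns on the format of the encrypted-password field: a 2.1-era entry holds a 13-character DES crypt hash, while a 4.x entry by default holds a "$1$"-prefixed MD5 crypt hash, and because crypt output is one-way neither can be rewritten as the other without the password itself. The script below is an added example rather than code from this thread: it tells the two formats apart in master.passwd(5) text and rewrites the "change" field of every DES-hashed account to a time in the past, so that those users are asked for a new password at their next login. Two things are assumed here: that login(1) forces a password change when the "change" field holds a past time (the behaviour this relies on), and that you rebuild the password databases with pwd_mkdb(8) after editing the real file. The entries are constructed and the hashes are not real ones.

```python
"""Audit master.passwd text for legacy DES crypt hashes and mark those
accounts for a forced password change.

Added example; not code from the mailing-list thread. The sample entries
are constructed and the hash strings are not real crypt output.
"""
import re

# master.passwd(5) fields: name:passwd:uid:gid:class:change:expire:gecos:home:shell
NFIELDS = 10
CHANGE = 5  # index of the "change" field (seconds since the epoch, 0 = never)

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")                         # 2-char salt + 11 chars
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")  # $1$salt$hash


def classify_hash(field):
    """Name the format of one encrypted-password field."""
    if field == "":
        return "empty"      # no password at all
    if field[0] in "*!":
        return "locked"     # can never equal crypt() output
    if MD5_RE.match(field):
        return "md5"        # MD5-based crypt, the 4.x default
    if DES_RE.match(field):
        return "des"        # traditional DES crypt, as on a 2.1 system
    return "unknown"


def audit(lines):
    """Map user name -> hash kind for every entry in master.passwd text."""
    kinds = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != NFIELDS:
            raise ValueError(f"malformed entry: {line!r}")
        kinds[parts[0]] = classify_hash(parts[1])
    return kinds


def force_change(lines, kinds=("des",), change_time=1):
    """Return the lines with the "change" field of every account whose hash
    kind is in `kinds` set to a past time (default 1, i.e. early 1970).

    Assumption: login(1) then demands a new password at the next login. The
    hashes themselves are left alone, since a DES hash cannot be converted
    into an MD5 hash of the same password (crypt output is one-way).
    """
    out = []
    for line in lines:
        parts = line.split(":")
        if len(parts) == NFIELDS and classify_hash(parts[1]) in kinds:
            parts[CHANGE] = str(change_time)
            line = ":".join(parts)
        out.append(line)
    return out


# Constructed sample in master.passwd layout; the hash strings are placeholders.
SAMPLE_MASTER_PASSWD = [
    "# constructed sample, not a real password file",
    "root:$1$saltsalt$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin",
    "alice:ab1234567890A:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$1$saltsalt$abcdefghijklmnopqrstuv:1002:1002::0:0:Bob:/home/bob:/bin/sh",
]


if __name__ == "__main__":
    for user, kind in audit(SAMPLE_MASTER_PASSWD).items():
        print(f"{user:<8} {kind}")
    print("--- after force_change ---")
    for line in force_change(SAMPLE_MASTER_PASSWD):
        print(line)
```

Only the "alice" entry changes in the sample: its 13-character field is the DES form, so its "change" field becomes 1, while the MD5 and locked accounts are left untouched. On a real system the edited text would go back into /etc/master.passwd followed by a pwd_mkdb(8) run; the classification alone is also a useful audit of which accounts still carry the older hash format.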
From owner-freebsd-security Wed Nov 29 20:45:15 2000
From: Dan Babb
To: "Jonathan M. Slivko"
Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Date: Wed, 29 Nov 2000 20:45:03 -0800 (PST)
Subject: Re: Danger Ports

This is right out of the ACL for my core router..

! reserved networks
access-list 110 deny ip 127.0.0.0 0.0.0.255 any log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny ip 172.31.0.0 0.0.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
! various exploits, netbios, back orifice, netbus protection
access-list 110 deny tcp any any range 137 139
access-list 110 deny tcp any any eq 31337
access-list 110 deny udp any any eq 31337
access-list 110 deny tcp any any range 12345 12350
access-list 110 deny udp any any range 12345 12350

- Dan

On Wed, 29 Nov 2000, Jonathan M. Slivko wrote:

> I am referring to the Back Orifice, Trinoo server ports, etc. Where can I
> get my hands on a list of those port #'s? or are there any utilities that
> act as those servers and log all attempts in hopes of catching those users
> who will no doubt try and take advantage of an open system?
>
> ----
> Jonathan M. Slivko
> Technical Support, CoreSync Corporation (http://www.coresync.net)
> Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> Pager/Voicemail: (917) 388-5304
> ----

From owner-freebsd-security Wed Nov 29 22:02:00 2000
From: Kris Kennaway
To: Gary Aitken
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 29 Nov 2000 22:02:38 -0800
Subject: Re: /etc/passwd upgrade
Message-ID: <20001129220238.A17777@citusc17.usc.edu>
In-Reply-To: <3A25CDDA.EBF3BC48@beasys.com>

On Wed, Nov 29, 2000 at 08:47:38PM -0700, Gary Aitken wrote:
> I'm installing a clean version of 4.1 and would like to maintain the passwords
> from a 2.1 version. The 4.1 version has 128 bit encryption, and I suspect
> this is the reason the encrypted password field is larger.
>
> So... Is there any way to take the entries from an old 2.1 low-strength
> passwd file and munge them into the high-strength one?

Short answer: no.
Slightly more helpful answer: expire all of your old user passwords so
they will be recreated the next time the user logs in.

Kris

From owner-freebsd-security Wed Nov 29 22:59:31 2000
From: Pavol Adamec
Organization: Tempest
Cc: freebsd-security@freebsd.org
Date: Thu, 30 Nov 2000 07:59:22 +0100
Subject: Re: FreeBSD hacked?
Message-ID: <3A25FACA.B139237B@tempest.sk>

Kris Kennaway wrote:
>
> I know people are curious, but please just leave it for now..
>

Will it be explained later? I wouldn't like to change my relationship
to the security of FreeBSD from conviction to faith.
Paul

From owner-freebsd-security Wed Nov 29 23:03:33 2000
From: Kris Kennaway
To: Pavol Adamec
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 29 Nov 2000 23:03:53 -0800
Subject: Re: FreeBSD hacked?
Message-ID: <20001129230353.A19045@citusc17.usc.edu>
In-Reply-To: <3A25FACA.B139237B@tempest.sk>

On Thu, Nov 30, 2000 at 07:59:22AM +0100, Pavol Adamec wrote:
> Kris Kennaway wrote:
> >
> > I know people are curious, but please just leave it for now..
> >
>
> Will it be explained later? I wouldn't like to change my
> relationship to the security of FreeBSD from conviction
> to faith.

For the last time, yes!
Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjol+9kACgkQWry0BWjoQKVHjwCfRfvQU2SAimvUUD/mvW7OpDhz
7boAnjLV2D4ZUGMZSGTj3EeCy9ga2ANJ
=Ow3f
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 30 3:35:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 9145637B400; Thu, 30 Nov 2000 03:35:05 -0800 (PST)
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id GAA42040; Thu, 30 Nov 2000 06:39:51 -0500 (EST) (envelope-from rjh@mohawk.net)
Date: Thu, 30 Nov 2000 06:39:51 -0500 (EST)
From: Ralph Huntington
To: "Jonathan M. Slivko"
Cc: John Howie , freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Danger Ports
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Check out "fakebo" and "portsentry" in /usr/ports/security/

On Wed, 29 Nov 2000, Jonathan M. Slivko wrote:

> I am referring to the Back Orifice, Trinoo server ports, etc. Where can I
> get my hands on a list of those port #'s? or are there any utilities that
> act as those servers and log all attempts in hopes of catching those users
> who will no doubt try and take advantage of an open system?
>
> ----
> Jonathan M. Slivko
> Technical Support, CoreSync Corporation (http://www.coresync.net)
> Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> Pager/Voicemail: (917) 388-5304
> ----
>
> On Wed, 29 Nov 2000, John Howie wrote:
>
> > Jonathan,
> >
> > Rather than denying access to certain ports on your system, and allowing
> > access to the rest, you might find it easier to think in the reverse - What
> > ports do I need to leave open to outside (presumably Internet) users?
> >
> > The answer to that question depends on the needs of your outside users. You
> > will probably need to allow SSH access, and I would suggest that you get
> > users to use SCP instead of FTP (unless you have a public FTP site that
> > allows anonymous connections). You might also need to open up access to SMTP
> > and POP3 services for mail (while ensuring that your site can't be used as a
> > mail relay). DNS is another service that you might need to provide access
> > to.
> >
> > If users need access to so-called dangerous services such as X, printer,
> > NFS, NIS, SNMP, etc. then I would look for a VPN solution that brings them
> > into your network through the firewall and allows them to access these
> > services as an internal user.
> >
> > O'Reilly does a good book on Firewall Security, I suggest that you get it
> > and have a read. CERT also has a good document on packet filtering
> > (http://www.cert.org). Also, check the FreeBSD handbook or The Complete
> > FreeBSD for more information about setting up firewalls on FreeBSD systems.
> >
> > Hope this helps,
> >
> > john...
> >
> > ----- Original Message -----
> > From: "Jonathan M. Slivko"
> > To:
> > Cc:
> > Sent: Wednesday, November 29, 2000 5:23 PM
> > Subject: Danger Ports
> >
> >
> > > Can someone tell me what are the "danger" ports on FreeBSD, ports that
> > > perhaps need to be blocked because they are insecure? I would like to know
> > > so in the future, I can prevent outside attacks and concentrate more on
> > > internal attacks, or "insider jobs" as they're called.
> > >
> > > ----
> > > Jonathan M. Slivko
> > > Technical Support, CoreSync Corporation (http://www.coresync.net)
> > > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> > > Pager/Voicemail: (917) 388-5304
> > > ----

From owner-freebsd-security Thu Nov 30 3:35:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from probity.mcc.ac.uk (probity.mcc.ac.uk [130.88.200.94]) by hub.freebsd.org (Postfix) with ESMTP id 2901337B400 for ; Thu, 30 Nov 2000 03:35:21 -0800 (PST)
Received: from dogma.freebsd-uk.eu.org ([130.88.200.97]) by probity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 141Rzk-000KEp-00 for freebsd-security@freebsd.org; Thu, 30 Nov 2000 11:35:20 +0000
Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.9.3/8.9.3) id LAA72117 for freebsd-security@freebsd.org; Thu, 30 Nov 2000 11:35:15 GMT (envelope-from rasputin)
Date: Thu, 30 Nov 2000 11:35:15 +0000
From: Rasputin
To: freebsd-security@freebsd.org
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001130113515.A72030@dogma.freebsd-uk.eu.org>
References: <20001126140033.E70192@149.211.6.64.reflexcom.com> <3A218C5B.9F677E51@FreeBSD.org> <200011270130.UAA88239@khavrinen.lcs.mit.edu> <3A221402.D88321D8@softweyr.com> <14882.49100.131730.989201@nomad.yogotech.com> <3A24AC77.51EF28C@softweyr.com> <200011291507.KAA16392@khavrinen.lcs.mit.edu> <3A253A44.D7EA9113@softweyr.com>
 <200011291802.NAA17650@khavrinen.lcs.mit.edu> <14885.22348.875384.616155@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <14885.22348.875384.616155@nomad.yogotech.com>; from nate@yogotech.com on Wed, Nov 29, 2000 at 12:21:48PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Nov 29, 2000 at 12:21:48PM -0700, Nate Williams wrote:
> > > But you keep saying "on my home machine" and seem to insist that having
> > > a single machine on the internet at home is somehow normal.
> >
> > To a large fraction of the world's population, having a ``home
> > machine'' of any kind is out of the ordinary. Most of the people who
> > have net access today have only one computer.
> >
> > In any case, the actual number doesn't make much difference -- the
> > same argument (that you are perfectly capable of setting up your
> > machines securely) still holds.
>
> And it involves installing a firewall on it, in case your
> configuration isn't as secure as you'd like it to be. (Because of
> forgetfulness, lack of information, etc...)
>
> Many, many, many home users now have 'full-time' connections to the
> internet, which means that accidental misconfigurations can easily be
> prevented by using a simple firewall ruleset, such as the one that comes
> 'out of the box' with FreeBSD today.

Hear hear.

There are many network services that don't run from inetd/tcp-wrappers/etc,
having their own (dubious?) security mechanisms.
It's safer to block inbound access to that port if unneeded, especially if
you don't have time to wade through cryptic access restriction docs.

I trust BSD's TCP stack more than $APPLICATION.

And to be blunt, it's *my* 'home PC', so I'll run what the hell I like on it,
thanks all the same. If it upsets you, tough. It's not *your* data at risk, is it?

Can we pack this thread in now please?
-- 
Rasputin
Jack of All Trades :: Master of Nuns

From owner-freebsd-security Thu Nov 30 4:05:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from post.webmailer.de (natmail2.webmailer.de [192.67.198.65]) by hub.freebsd.org (Postfix) with ESMTP id B689A37B400 for ; Thu, 30 Nov 2000 04:05:33 -0800 (PST)
Received: from localhost.localdom (p3E9E1559.dip.t-dialin.net [62.158.21.89]) by post.webmailer.de (8.9.3/8.8.7) with ESMTP id NAA09057 for ; Thu, 30 Nov 2000 13:05:35 +0100 (MET)
Received: from masterpc (master [192.168.0.1]) by localhost.localdom (8.11.1/8.11.1) with ESMTP id eAUBdwu00895; Thu, 30 Nov 2000 12:39:58 +0100 (CET)
Date: Thu, 30 Nov 2000 12:39:57 -0800
From: Boris
X-Mailer: The Bat! (v1.46d) Personal
Reply-To: Boris
X-Priority: 3 (Normal)
Message-ID: <873931232.20001130123957@x-itec.de>
To: Wayne F Davis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPsec interoperability with Windows 2000
In-reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Wayne,

Wednesday, November 29, 2000, 3:00:45 PM, you wrote:

WFD> Hi,

WFD> I need to get IPsec set up between some Windows boxes and a FreeBSD
WFD> server. I have IPsec going between the Windows boxes and I configured
WFD> IPsec on the server, however it's not working properly.

WFD> Win2k's IP Security Monitor shows a lot of Bad SPI Packets and the
WFD> Windows box cannot talk to the FreeBSD box.

WFD> Here's my setup on FreeBSD:

WFD> add 192.168.0.1 192.168.0.2 esp 9876 -E 3des-cbc
WFD> "blahblahblahblahblahblah";
WFD> add 192.168.0.2 192.168.0.1 esp 10000 -E 3des-cbc
WFD> "blahblahblahblahblahblah";
WFD> add 192.168.0.1 192.168.0.2 ah 9877 -A hmac-md5 "blahblahblahblah";
WFD> add 192.168.0.2 192.168.0.1 ah 10001 -A hmac-md5 "blahblahblahblah";
WFD> spdadd 192.168.0.1 192.168.0.2 any -P out ipsec esp/transport//use
WFD> ah/transport//use;

WFD> My setup on Win2k:

WFD> All IP Traffic
WFD> Request Security
WFD> Auth Method Preshared Key: blahblahblahblah

WFD> --

WFD> So, I'm wondering if anyone has set up IPsec between FreeBSD and
WFD> Win2k. I'd appreciate any comments.

Take a look at the IPSEC-HOWTO

http://asherah.dyndns.org/~josh/ipsec-howto.txt

-- 
Best regards,
Boris mailto:koester@x-itec.de

From owner-freebsd-security Thu Nov 30 4:05:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from expert.com.br (soure.expert.com.br [200.242.253.1]) by hub.freebsd.org (Postfix) with SMTP id 0A7F837B401 for ; Thu, 30 Nov 2000 04:05:38 -0800 (PST)
Received: (qmail 4255 invoked from network); 30 Nov 2000 12:03:56 -0000
Received: from unknown (HELO nirvana) (200.242.253.60) by soure.expert.com.br with SMTP; 30 Nov 2000 12:03:56 -0000
Message-ID: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana>
From: "Roberto Samarone Araujo (RSA)"
To:
Subject: FreeBSD Firewall - Help please
Date: Thu, 30 Nov 2000 09:05:12 -0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I've set up a FreeBSD 4.1.1 firewall that denies everything by default.
I opened some ports that I need but I'm having some problems with these
services: DNS, FTP, POP3 and SMTP. I put these rules in order to open these
services, but it doesn't work.
Please help me

## Allow TCP through if setup succeeded
$fw add pass tcp from any to any stablished

## Allow DNS queries out in the world
$fw add pass udp from any 53 to $ip
$fw add pass udp from $ip to any

## Allow DNS access to my DNS
$fw add pass tcp from any to $ip 53 setup

## Allow setup of incoming email
$fw add pass tcp from any to $ip 25 setup

## Allow POP3
$fw add pass tcp from any to $ip 106 via $if setup

## Allow FTP from local network
$fw add pass tcp from $net:$mask to $ip 20 setup
$fw add pass tcp from $net:$mask to $ip 21 setup
$fw add pass udp from $net:$mask to $ip 20
$fw add pass udp from $net:$mask to $ip 21

# Deny everything
$fw add 65534 deny log all from any to any

Thanks for help

Roberto Samarone Araujo

From owner-freebsd-security Thu Nov 30 5:26:03 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (pool73-tch-1.Sofia.0rbitel.net [212.95.170.73]) by hub.freebsd.org (Postfix) with SMTP id EB67D37B400 for ; Thu, 30 Nov 2000 05:25:57 -0800 (PST)
Received: (qmail 15292 invoked by uid 1000); 30 Nov 2000 13:25:22 -0000
Date: Thu, 30 Nov 2000 15:25:22 +0200
From: Peter Pentchev
To: "Roberto Samarone Araujo (RSA)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Firewall - Help please
Message-ID: <20001130152521.B9269@ringworld.oblivion.bg>
Mail-Followup-To: "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG
References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana>; from sama@supridad.com.br on Thu, Nov 30, 2000 at 09:05:12AM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Nov 30, 2000 at 09:05:12AM -0300, Roberto Samarone Araujo (RSA) wrote:
> Hi,
>
> I've set up a FreeBSD 4.1.1 firewall that denies everything by default. I
> opened some ports that I need but I'm having some problems with these
> services: DNS, FTP, POP3 and SMTP. I put these rules in order to open these
> services, but it doesn't work.
> Please help me

It looks pretty much ok, just a few remarks..

>
> ## Allow TCP through if setup succeeded
> $fw add pass tcp from any to any stablished

I *hope* this reads 'established', not 'stablished' ;)

> ## Allow DNS queries out in the world
> $fw add pass udp from any 53 to $ip
> $fw add pass udp from $ip to any
> ## Allow DNS access to my DNS
> $fw add pass tcp from any to $ip 53 setup

If you are running a nameserver and you want to allow the world to query
your server, then you should allow UDP queries to port 53, not just TCP.

> ## Allow setup of incoming email
> $fw add pass tcp from any to $ip 25 setup
> ## Allow POP3
> $fw add pass tcp from any to $ip 106 via $if setup

POP3 is usually on port 110, not 106.

> ## Allow FTP from local network
> $fw add pass tcp from $net:$mask to $ip 20 setup
> $fw add pass tcp from $net:$mask to $ip 21 setup
> $fw add pass udp from $net:$mask to $ip 20
> $fw add pass udp from $net:$mask to $ip 21

OK, this will be OK for incoming passive-mode FTP. Most clients still use
active-mode FTP, though, so you should also allow outgoing connections.
In any case, it would be best if you allowed outgoing connections from
your address to pretty much anywhere:

$fw add pass tcp from $ip to any setup

> # Deny everything
> $fw add 65534 deny log all from any to any

G'luck,
Peter

-- 
This sentence contains exactly threee erors.

From owner-freebsd-security Thu Nov 30 6:31:04 2000
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id EF25B37B401 for ; Thu, 30 Nov 2000 06:31:01 -0800 (PST)
Received: from algroup.co.uk ([192.168.192.1]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id OAA14546; Thu, 30 Nov 2000 14:30:21 GMT
Message-ID: <3A26643D.E0CCD8FD@algroup.co.uk>
Date: Thu, 30 Nov 2000 14:29:17 +0000
From: Adam Laurie
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Peter Pentchev
Cc: "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Firewall - Help please
References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Peter Pentchev wrote:
>
> On Thu, Nov 30, 2000 at 09:05:12AM -0300, Roberto Samarone Araujo (RSA) wrote:
> > Hi,
> >
> > I've set up a FreeBSD 4.1.1 firewall that denies everything by default. I
> > opened some ports that I need but I'm having some problems with these
> > services: DNS, FTP, POP3 and SMTP. I put these rules in order to open these
> > services, but it doesn't work.
> > Please help me
>
> It looks pretty much ok, just a few remarks..
>
> >
> > ## Allow TCP through if setup succeeded
> > $fw add pass tcp from any to any stablished
>
> I *hope* this reads 'established', not 'stablished' ;)
>
> > ## Allow DNS queries out in the world
> > $fw add pass udp from any 53 to $ip
> > $fw add pass udp from $ip to any
> > ## Allow DNS access to my DNS
> > $fw add pass tcp from any to $ip 53 setup
>
> If you are running a nameserver and you want to allow the world to query
> your server, then you should allow UDP queries to port 53, not just TCP.

even if you're not, you don't want to allow any traffic based on source
port (see "## Allow DNS queries out in the world" rule).

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Thu Nov 30 6:40:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (pool73-tch-1.Sofia.0rbitel.net [212.95.170.73]) by hub.freebsd.org (Postfix) with SMTP id DCD4437B400 for ; Thu, 30 Nov 2000 06:40:14 -0800 (PST)
Received: (qmail 15986 invoked by uid 1000); 30 Nov 2000 14:39:37 -0000
Date: Thu, 30 Nov 2000 16:39:37 +0200
From: Peter Pentchev
To: Adam Laurie
Cc: "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Firewall - Help please
Message-ID: <20001130163937.D9269@ringworld.oblivion.bg>
Mail-Followup-To: Adam Laurie , "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG
References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A26643D.E0CCD8FD@algroup.co.uk>; from adam@algroup.co.uk on Thu, Nov 30, 2000 at 02:29:17PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Nov 30, 2000 at 02:29:17PM +0000, Adam Laurie wrote:
[snip]
> >
> > > ## Allow DNS queries out in the world
> > > $fw add pass udp from any 53 to $ip
> > > $fw add pass udp from $ip to any
> > > ## Allow DNS access to my DNS
> > > $fw add pass tcp from any to $ip 53 setup
> >
> > If you are running a nameserver and you want to allow the world to query
> > your server, then you should allow UDP queries to port 53, not just TCP.
>
>
> even if you're not, you don't want to allow any traffic based on source
> port (see "## Allow DNS queries out in the world" rule).
>

Much too true.. indeed, for those who haven't seen it the first few thousand
times, there are numerous telnet- and netcat-like utilities that are able to
connect to previously installed backdoors, sending TCP or UDP packets with a
specified source port. The above-pasted firewall config will happily let those
in, assuming they are DNS replies.

The only way to get around this is with a stateful firewall - allowing
UDP-source-port-53 traffic only after an outgoing UDP packet to that host's
port 53.

G'luck,
Peter

-- 
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

From owner-freebsd-security Thu Nov 30 6:49:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from expert.com.br (soure.expert.com.br [200.242.253.1]) by hub.freebsd.org (Postfix) with SMTP id 12CB837B400 for ; Thu, 30 Nov 2000 06:49:56 -0800 (PST)
Received: (qmail 10586 invoked from network); 30 Nov 2000 14:48:17 -0000
Received: from unknown (HELO nirvana) (200.242.253.60) by soure.expert.com.br with SMTP; 30 Nov 2000 14:48:17 -0000
Message-ID: <01b901c05adc$bfc29800$3cfdf2c8@nirvana>
From: "Roberto Samarone Araujo (RSA)"
To:
References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk>
Subject: Re: FreeBSD Firewall - Help please
Date: Thu, 30 Nov 2000 11:49:31 -0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > ## Allow DNS queries out in the world
> > > $fw add pass udp from any 53 to $ip
> > > $fw add pass udp from $ip to any
> > > ## Allow DNS access to my DNS
> > > $fw add pass tcp from any to $ip 53 setup

When I try to ask for a hostname from another machine, the server where the
firewall is running doesn't respond :/

C:\>nslookup
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 200.244.255.3: Timed out
DNS request timed out.
    timeout was 2 seconds.
Default Server: UnKnown Address: 200.244.255.3 Roberto Samarone dos Santos Araujo To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 7:28:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id EDF9737B400; Thu, 30 Nov 2000 07:28:38 -0800 (PST) Received: from localhost (traviso@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id IAA09380; Thu, 30 Nov 2000 08:28:37 -0700 (MST) Date: Thu, 30 Nov 2000 08:28:32 -0700 (MST) From: Travis {RapidSupport} To: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Danger Ports In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 29 Nov 2000, Dan Babb wrote: > I am referring to the Back Orifice, Trinoo server ports, etc. Where can I > get my hands on a list of those port #'s? or are there any utilities that > act as those servers and log all attempts in hopes of catching those users > who will no doubt try and take advantage of an open system? Probably the best thing for exactly what you are describing is called SNORT it's a light weight intrusion detection software called SNORT which you can get at: http://www.snort.org I can identify exactly what you are referring to in my logs. I also use an ipf firewall to block that which I ID with the IDS software. 
Here is a snippet of actual logs from snort on my machine:

[begin log snippet]

[**] Netbus/GabanBus [**]
09/20-21:11:08.683624 *.*.*.*:1891 -> *.*.*.*:12345
TCP TTL:64 TOS:0x0 ID:60113 DF
S***** Seq: 0x750B7F5F Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460

[**] Traceroute ICMP [**]
09/20-22:26:12.133438 204.178.16.36 -> *.*.*.*
ICMP TTL:1 TOS:0x0 ID:47254
ID:3699 Seq:13803 ECHO

[**] SYN FIN Scan [**]
10/01-22:18:16.531398 203.41.93.253:21 -> *.*.*.*:21
TCP TTL:28 TOS:0x0 ID:39426
SF**** Seq: 0x205F74F Ack: 0x55003324 Win: 0x404

[**] PCAnywhere [**]
10/02-17:45:14.656264 *.*.*.*:1030 -> *.*.*.*:22
UDP TTL:125 TOS:0x0 ID:16896
Len: 10

[**] Backdoor-31337-shell [**]
11/20-16:43:17.064386 *.*.*.*:2286 -> *.*.*.*:31337
TCP TTL:64 TOS:0x0 ID:57979 DF
S***** Seq: 0xDDD33B02 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460

---
[end log snippet]

As you can see I have *'d out the destination IPs (my servers) and some of
the attackers' IPs. While it creates these quick fingerprints of the attack
it also holds more information on a per-IP basis.

Personally, I don't always have time to dig through the logs, so I use
"snort snarf", which takes the logs and creates a very nice web interface
for tracking attacks and trends. Snort Snarf can be downloaded from the
Snort website... Oh, did I mention this is free? =)

Travis

/* -=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   RapidNet Admin Team            "Courage is not defined by those who
   Phone#: 605.341.3283            fought and did not fall, but by those
   ICQ#: 30220771                  who fought, fell, and rose again."
   Mail: traviso@RapidNet.com
   Fax#: 605.348.1031
   Web: www.RapidNet.com/~traviso
   800#: 800.763.2525
   ATTENTION! "RapidNet has moved to 330 Knollwood Drive, Rapid City, SD 57701."
-=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-=-= */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 7:30:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 5B5B837B401; Thu, 30 Nov 2000 07:30:39 -0800 (PST) Received: from localhost (traviso@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id IAA10607; Thu, 30 Nov 2000 08:30:38 -0700 (MST) Date: Thu, 30 Nov 2000 08:30:38 -0700 (MST) From: Travis {RapidSupport} To: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Danger Ports In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 30 Nov 2000, Travis {RapidSupport} wrote: > called SNORT it's a light weight intrusion detection software called SNORT ...proof that coffee is needed at all hours. Travis /* -=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= RapidNet Admin Team "Courage is not defined by those who Phone#: 605.341.3283 fought and did not fall, but by those ICQ#: 30220771 who fought, fell, and rose again." Mail: traviso@RapidNet.com Fax#: 605.348.1031 Web: www.RapidNet.com/~traviso 800#: 800.763.2525 ATTENTION! "RapidNet has moved to 330 Knollwood Drive, Rapid City, SD 57701." 
-=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-=-= */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 7:31:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 8EF8737B404 for ; Thu, 30 Nov 2000 07:31:10 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA29203; Thu, 30 Nov 2000 10:29:42 -0500 (EST) (envelope-from wollman) Date: Thu, 30 Nov 2000 10:29:42 -0500 (EST) From: Garrett Wollman Message-Id: <200011301529.KAA29203@khavrinen.lcs.mit.edu> To: Rasputin Cc: freebsd-security@FreeBSD.ORG Subject: Re: NATD: failed to write packet back (Permission denied) In-Reply-To: <20001130113515.A72030@dogma.freebsd-uk.eu.org> References: <20001126140033.E70192@149.211.6.64.reflexcom.com> <3A218C5B.9F677E51@FreeBSD.org> <200011270130.UAA88239@khavrinen.lcs.mit.edu> <3A221402.D88321D8@softweyr.com> <14882.49100.131730.989201@nomad.yogotech.com> <3A24AC77.51EF28C@softweyr.com> <200011291507.KAA16392@khavrinen.lcs.mit.edu> <3A253A44.D7EA9113@softweyr.com> <200011291802.NAA17650@khavrinen.lcs.mit.edu> <14885.22348.875384.616155@nomad.yogotech.com> <20001130113515.A72030@dogma.freebsd-uk.eu.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > There are many network services that don't run from inted/tcp-wrappers/etc, > having their own (dubious?) security mechanisms. > It's safer to block inbound access to that port if unneeded, especially if > you don't have time to wade through cryptic access restiction docs. Safer still not to run applications whose access-control model you don't fully understand. 
-GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 7:39:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id DFCF037B401 for ; Thu, 30 Nov 2000 07:39:14 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA29269; Thu, 30 Nov 2000 10:39:08 -0500 (EST) (envelope-from wollman) Date: Thu, 30 Nov 2000 10:39:08 -0500 (EST) From: Garrett Wollman Message-Id: <200011301539.KAA29269@khavrinen.lcs.mit.edu> To: Peter Pentchev Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Firewall - Help please In-Reply-To: <20001130163937.D9269@ringworld.oblivion.bg> References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk> <20001130163937.D9269@ringworld.oblivion.bg> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > The only way to get around this is with a stateful firewall - allowing > UDP-source-port-53 traffic only after an outgoing UDP packet to that > host's port 53. But for a lot of reasons, you're better off running a caching nameserver on (or around) your firewall anyway. Then you don't need to allow any DNS traffic through your filtering rules. 
-GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 7:44:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (pool73-tch-1.Sofia.0rbitel.net [212.95.170.73]) by hub.freebsd.org (Postfix) with SMTP id 26A3337B400 for ; Thu, 30 Nov 2000 07:44:21 -0800 (PST) Received: (qmail 16499 invoked by uid 1000); 30 Nov 2000 15:43:44 -0000 Date: Thu, 30 Nov 2000 17:43:44 +0200 From: Peter Pentchev To: freebsd-security@FreeBSD.org Subject: Re: FreeBSD Firewall - Help please Message-ID: <20001130174344.F9269@ringworld.oblivion.bg> Mail-Followup-To: freebsd-security@FreeBSD.org References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk> <20001130163937.D9269@ringworld.oblivion.bg> <200011301539.KAA29269@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200011301539.KAA29269@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, Nov 30, 2000 at 10:39:08AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Nov 30, 2000 at 10:39:08AM -0500, Garrett Wollman wrote: > < said: > > > The only way to get around this is with a stateful firewall - allowing > > UDP-source-port-53 traffic only after an outgoing UDP packet to that > > host's port 53. > > But for a lot of reasons, you're better off running a caching > nameserver on (or around) your firewall anyway. Then you don't need > to allow any DNS traffic through your filtering rules. I think the original poster was talking about configuring exactly a gateway/firewall machine. G'luck, Peter -- What would this sentence be like if it weren't self-referential? 
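The firewall thread above, from Roberto's posted ruleset through Peter's remarks (established, UDP on 53, POP3 on 110, outgoing connections), Adam's point about trusting a source port, and Peter's stateful fix, as an added example that is not part of any of the original messages: a toy first-match packet filter modelled on ipfw semantics evaluates the posted rules and a stateful rewrite against the same constructed packets. The engine, the Packet and Rule names, and the addresses (200.244.255.3 standing in for $ip, the dotted prefix 200.244.255. for $net:$mask, 198.41.0.4 as an upstream resolver) are assumptions of this example; it is not ipfw and loads nothing into a kernel.

```python
# Added example, not code from the thread: a toy first-match packet filter modelled
# on ipfw(8) semantics.  It is a simplification, not ipfw; every address is constructed.
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

IP = "200.244.255.3"     # stands in for $ip (assumption, taken from the nslookup output)
NET = "200.244.255."     # stands in for $net:$mask, written as a dotted prefix (assumption)
RESOLVER = "198.41.0.4"  # an upstream nameserver we send queries to (constructed)

# proto is "tcp" or "udp"; syn_only marks a bare TCP SYN, which ipfw's "setup" matches
Packet = namedtuple("Packet", "proto src sport dst dport syn_only", defaults=(False,))

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "deny"
    proto: str = "all"          # "tcp", "udp" or "all"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False         # match only TCP connection setup (bare SYN)
    established: bool = False   # match only TCP that is not a bare SYN
    keep_state: bool = False    # remember the flow so that its reply is let back in
    check_state: bool = False   # admit a remembered flow, otherwise fall through

def _addr(pattern: str, addr: str) -> bool:
    # "any", an exact address, or a dotted prefix such as "200.244.255."
    return pattern == "any" or addr == pattern or (pattern.endswith(".") and addr.startswith(pattern))

def _matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("all", p.proto)
            and _addr(r.src, p.src) and _addr(r.dst, p.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and (not r.setup or (p.proto == "tcp" and p.syn_only))
            and (not r.established or (p.proto == "tcp" and not p.syn_only)))

class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state = set()  # flows admitted by keep-state rules

    def _known_flow(self, p: Packet) -> bool:
        return ((p.proto, p.src, p.sport, p.dst, p.dport) in self.state
                or (p.proto, p.dst, p.dport, p.src, p.sport) in self.state)

    def filter(self, p: Packet) -> str:
        """First matching rule wins, as in ipfw; an unmatched packet is denied."""
        for r in self.rules:
            if r.check_state:
                if self._known_flow(p):
                    return "pass"
                continue
            if not _matches(r, p):
                continue
            if r.action == "pass" and r.keep_state:
                self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return r.action
        return "deny"

def posted_rules() -> List[Rule]:
    """The rules from the thread, reading 'stablished' as 'established'."""
    return [
        Rule("pass", "tcp", established=True),
        Rule("pass", "udp", sport=53, dst=IP),               # trusts the source port: the hole
        Rule("pass", "udp", src=IP),
        Rule("pass", "tcp", dst=IP, dport=53, setup=True),
        Rule("pass", "tcp", dst=IP, dport=25, setup=True),
        Rule("pass", "tcp", dst=IP, dport=106, setup=True),  # POP3 actually lives on 110
        Rule("pass", "tcp", src=NET, dst=IP, dport=20, setup=True),
        Rule("pass", "tcp", src=NET, dst=IP, dport=21, setup=True),
        Rule("pass", "udp", src=NET, dst=IP, dport=20),
        Rule("pass", "udp", src=NET, dst=IP, dport=21),
        Rule("deny"),
    ]

def stateful_rules() -> List[Rule]:
    """Same services, but replies are admitted by state, never by source port."""
    return [
        Rule("pass", check_state=True),
        Rule("pass", "tcp", established=True),
        Rule("pass", "tcp", src=IP, setup=True, keep_state=True),  # outgoing connections
        Rule("pass", "udp", src=IP, dport=53, keep_state=True),     # our DNS queries out
        Rule("pass", "udp", dst=IP, dport=53, keep_state=True),     # UDP queries to our nameserver
        Rule("pass", "tcp", dst=IP, dport=53, setup=True),
        Rule("pass", "tcp", dst=IP, dport=25, setup=True),
        Rule("pass", "tcp", dst=IP, dport=110, setup=True),
        Rule("pass", "tcp", src=NET, dst=IP, dport=21, setup=True),
        Rule("deny"),
    ]

def run_scenarios(rules: List[Rule]) -> dict:
    fw = Firewall(rules)
    return {  # a dict display is evaluated top to bottom, so the query precedes its reply
        "spoofed_from_port_53": fw.filter(Packet("udp", "10.9.8.7", 53, IP, 31337)),
        "our_dns_query_out": fw.filter(Packet("udp", IP, 1025, RESOLVER, 53)),
        "matching_dns_reply": fw.filter(Packet("udp", RESOLVER, 53, IP, 1025)),
        "world_dns_query_udp": fw.filter(Packet("udp", "1.2.3.4", 1234, IP, 53)),
        "pop3_connect": fw.filter(Packet("tcp", "1.2.3.4", 40000, IP, 110, syn_only=True)),
        "outgoing_http": fw.filter(Packet("tcp", IP, 50000, "1.2.3.4", 80, syn_only=True)),
    }
```

Running `run_scenarios(posted_rules())` shows the hole Adam and Peter describe: a UDP packet from port 53 aimed at port 31337 is passed because only its source port was checked, while a legitimate UDP query to the nameserver, a POP3 connection on 110 and an outgoing connection are all denied. With `stateful_rules()` the spoofed packet is denied, the reply to our own query is admitted only because the query was seen first, and the other three are passed. Real ipfw differs in detail (a keep-state rule also performs check-state, dynamic rules expire, and rule numbers order the set), so treat this as a model of the argument, not of the implementation.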
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 8: 6:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 83BAC37B400; Thu, 30 Nov 2000 08:06:39 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eAUG6YQ73135; Thu, 30 Nov 2000 09:06:35 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id JAA29021; Thu, 30 Nov 2000 09:06:33 -0700 (MST) Message-Id: <200011301606.JAA29021@harmony.village.org> To: "Henk Wevers" Subject: Re: FreeBSD hacked? Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG In-reply-to: Your message of "Tue, 28 Nov 2000 22:28:33 +0100." References: Date: Thu, 30 Nov 2000 09:06:33 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message "Henk Wevers" writes: : Look at the bottom of http://freebsd.org.index.html Looks normal to me. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 9: 2:10 2000 Delivered-To: freebsd-security@freebsd.org Received: from firefly.prairienet.org (firefly.prairienet.org [192.17.3.3]) by hub.freebsd.org (Postfix) with ESMTP id 290FD37B400 for ; Thu, 30 Nov 2000 09:02:06 -0800 (PST) Received: from sherman.spotnet.org (slip-71.prairienet.org [192.17.3.91]) by firefly.prairienet.org (8.9.3/8.9.3) with ESMTP id LAA12662 for ; Thu, 30 Nov 2000 11:02:01 -0600 (CST) Date: Thu, 30 Nov 2000 11:01:54 -0600 (CST) From: David Talkington X-Sender: dtalk@sherman.spotnet.org Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD hacked? 
In-Reply-To: <20001128161324.A89746@citusc17.usc.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- I seem to recall that these guys were the ones who hacked Slashdot some time back. Same M.O. -- nothing destructive, left a polite calling card, full disclosure of the penetration method. That one wasn't a software vulnerability either; just an embarrassing configuration problem (unmodified default password, I think!)... - -d - -- David Talkington Community Networking Initiative dtalk@prairienet.org 217-244-1962 PGP key: http://www.prairienet.org/~dtalk/dt000823.asc Kris Kennaway wrote: >On Tue, Nov 28, 2000 at 10:28:33PM +0100, Henk Wevers wrote: >> >> >> >> FreeBSD got a new Security Officer >> >> Nohican and {} would like to wish the new Security Officer (Kris) good luck >> on his new job. We are sure you will do a great job! >> >> Look at the bottom of http://freebsd.org.index.html > >Yes, I can confirm this happened last night. We were immediately >informed by those who did it including how it was achieved. The >penetration mechanism was not a vulnerability in FreeBSD and was >corrected immediately. While we don't believe that any malicious >activity took place while the machine was compromised, we've taken >steps to sanitize things anyway. > >Kris > >P.S. This kind of thing would have been better sent to >security-officer..for example, it's off-topic for -stable. 
>

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.75-6

iQEVAwUBOiaIB71ZYOtSwT+tAQEowwgAseWkXQs4HVacvrXLMvqNWMu62qrqLYLZ
aMWUStaD6jcniu4b9d2XAgiA7bQ11VHZ8gjp/LdHDHoWrzYpTpFVsqUZF647/tcz
tConkjeORGnHvgoLcUIryVMxBEn2eWlGlanhfZMak6+o1uWTUnJc+Mpst8r/y8FF
bjHKXnmzXACgGl18qkOSq1DpwSY9FO0ON8ECy+XierKCBO3CnkOs4a3j+EXFVZ+U
VFMkAVhnmfZe8dHRa8v7hUu3daDkU/KN4IKNpOxt8HtntF+cpU49peFBV5HZQRUy
eQJ19tgHMub+2AyFCcGaGvb8sPHPT8vbWP5MZx7vW1TFbUxz/TsjGA==
=Ia0L
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Nov 30 9:44:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id A520037B400; Thu, 30 Nov 2000 09:44:12 -0800 (PST)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id JAA44928; Thu, 30 Nov 2000 09:43:58 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200011301743.JAA44928@gndrsh.dnsmgr.net>
Subject: Re: Danger Ports
In-Reply-To: from Dan Babb at "Nov 29, 2000 08:45:03 pm"
To: bdan@c-zone.net (Dan Babb)
Date: Thu, 30 Nov 2000 09:43:57 -0800 (PST)
Cc: jon_slivko@simphost.com (Jonathan M. Slivko), freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Please do all the rest of us a favor and filter the packets to reserved
networks, not just from them.

> this is right out of the ACL for my core router..
>
> ! reserved networks
> access-list 110 deny ip 127.0.0.0 0.0.0.255 any log
> access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
> access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
> access-list 110 deny ip 172.31.0.0 0.0.255.255 any log
> access-list 110 deny ip 192.168.0.0 0.0.255.255 any log

access-list 110 deny ip any 127.0.0.0 0.0.0.255 log
access-list 110 deny ip any 10.0.0.0 0.255.255.255 log
access-list 110 deny ip any 172.16.0.0 0.15.255.255 log
access-list 110 deny ip any 172.31.0.0 0.0.255.255 log
access-list 110 deny ip any 192.168.0.0 0.0.255.255 log

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Nov 30 9:50:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from thelab.hub.org (CDR22-173.accesscable.net [24.138.22.173]) by hub.freebsd.org (Postfix) with ESMTP id A905C37B401; Thu, 30 Nov 2000 09:50:56 -0800 (PST)
Received: from localhost (scrappy@localhost) by thelab.hub.org (8.11.1/8.11.1) with ESMTP id eAUHoUu56428; Thu, 30 Nov 2000 13:50:30 -0400 (AST) (envelope-from scrappy@hub.org)
X-Authentication-Warning: thelab.hub.org: scrappy owned process doing -bs
Date: Thu, 30 Nov 2000 13:50:26 -0400 (AST)
From: The Hermit Hacker
To: Kris Kennaway
Cc: Stefano Riva , security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?
In-Reply-To: <20001128215508.A94876@citusc17.usc.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 28 Nov 2000, Kris Kennaway wrote:

> On Wed, Nov 29, 2000 at 01:47:16AM +0100, Stefano Riva wrote:
> > At 16.13 28/11/00 -0800, you wrote:
> > >Yes, I can confirm this happened last night. We were immediately
> > >informed by those who did it including how it was achieved.
> > >The penetration mechanism was not a vulnerability in FreeBSD and was
> > >corrected immediately.
> >
> > Could you give us some detail about the mechanism used?
>
> Not at this time. I'll release more details in a few days once we've
> had time to look things over better.

so, for the next few days, there is a possibility that the rest of us are
as vulnerable?  *raised eyebrow*

From owner-freebsd-security Thu Nov 30 09:54:40 2000
Message-Id: <200011301754.KAA23235@faith.cs.utah.edu>
Subject: Re: FreeBSD hacked?
To: scrappy@hub.org (The Hermit Hacker)
Date: Thu, 30 Nov 2000 10:54:33 -0700 (MST)
Cc: security@freebsd.org
In-Reply-To: from "The Hermit Hacker" at Nov 30, 2000 01:50:26 PM
From: "David G. Andersen"

For crying out loud, how many times does he have to say that it was NOT
a basic FreeBSD vulnerability, but something specific to www.freebsd.org?
(e.g. open mouth, insert brain, and figure that it was probably a
vulnerability in either a search, registration, or pr-related script).

  -Dave

Lo and behold, The Hermit Hacker once said:
>
> > Not at this time. I'll release more details in a few days once we've
> > had time to look things over better.
>
> so, for the next few days, there is a possibility that the rest of us are
> as vulnerable?
> *raised eyebrow*

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

From owner-freebsd-security Thu Nov 30 09:56:52 2000
Date: Thu, 30 Nov 2000 11:53:40 -0600 (CST)
From: Dan Debertin
To: The Hermit Hacker
Subject: Re: FreeBSD hacked?

On Thu, 30 Nov 2000, The Hermit Hacker wrote:

>
> so, for the next few days, there is a possibility that the rest of us are
> as vulnerable?  *raised eyebrow*

If you had been reading the posts for the past few days, you would know
that you aren't.  Now, drop it already.

~Dan D.
--
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290
++ GPG Fingerprint: 0BC5 F4D6 649F D0C8 D1A7 CAE4 BEF4 0A5C 300D 2387

From owner-freebsd-security Thu Nov 30 10:00:33 2000
Date: Thu, 30 Nov 2000 12:00:17 -0600 (CST)
From: David Talkington
To: The Hermit Hacker
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?

>> Not at this time. I'll release more details in a few days once we've
>> had time to look things over better.
>
>so, for the next few days, there is a possibility that the rest of us are
>as vulnerable? *raised eyebrow*

There will always be that possibility.  =)

The tone and substance of Kris' message suggests that it was a
configuration problem, not a software problem.  Maybe they haven't had
time to correct it yet, hence the silence ... I'm sure if the problem
was specific to FreeBSD, he'd have said so.

Patience, grasshopper.  =)

From owner-freebsd-security Thu Nov 30 10:02:24 2000
Message-ID: <3A2696D4.7ECEE367@softweyr.com>
Date: Thu, 30 Nov 2000 11:05:08 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Garrett Wollman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Garrett Wollman wrote:
>
> < said:
>
> > But you keep saying "on my home machine" and seem to insist that having
> > a single machine on the internet at home is somehow normal.
>
> To a large fraction of the world's population, having a ``home
> machine'' of any kind is out of the ordinary.  Most of the people who
> have net access today have only one computer.
>
> In any case, the actual number doesn't make much difference -- the
> same argument (that you are perfectly capable of setting up your
> machines securely) still holds.

No, it doesn't, I have Windows machines on the net.  They cannot be
secured without a firewall.

--
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Thu Nov 30 10:02:48 2000
Date: Thu, 30 Nov 2000 13:02:44 -0500 (EST)
From: Igor Roshchin
Message-Id: <200011301802.NAA27215@giganda.komkon.org>
To: freebsd-security@freebsd.org
Subject: Re: Danger Ports
In-Reply-To: <200011301743.JAA44928@gndrsh.dnsmgr.net>

> From: "Rodney W. Grimes"
> Subject: Re: Danger Ports
> Date: Thu, 30 Nov 2000 09:43:57 -0800 (PST)
>
> Please do all the rest of us a favor and filter the
> packets to reserved networks, not just from them.
>
> > this is right out of the ACL for my core router..
> >
> > ! reserved networks
> > access-list 110 deny ip 127.0.0.0 0.0.0.255 any log
> > access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
> > access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
> > access-list 110 deny ip 172.31.0.0 0.0.255.255 any log
> > access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
>
> access-list 110 deny ip any 127.0.0.0 0.0.0.255 log
> access-list 110 deny ip any 10.0.0.0 0.255.255.255 log
> access-list 110 deny ip any 172.16.0.0 0.15.255.255 log
> access-list 110 deny ip any 172.31.0.0 0.0.255.255 log
> access-list 110 deny ip any 192.168.0.0 0.0.255.255 log
>

I am not sure if filtering some reserved networks would not stop legible
traffic for some people.  E.g. Home.net (@Home, @Work)
is using 10.0.0.0 to number their aggregation routers.  Thus its
users will probably suffer if they block this network at the firewall.

Regards,

Igor

PS.
Here is how a traceroute output looks for a client of @Work:
 1  local router ...
 2  10.252.4.49 (10.252.4.49)  16.012 ms  12.834 ms  12.852 ms
 3  10.252.6.1 (10.252.6.1)  11.823 ms  7.354 ms  4.556 ms
 4  c1-pos6-0.hrfrct1.home.net (24.7.74.65)  3.496 ms  15.956 ms  2.303 ms
 5  c1-pos6-0.nycmny1.home.net (24.7.69.2)  5.043 ms  7.764 ms  15.248 ms
 6  c1-pos8-0.cmdnnj1.home.net (24.7.65.229)  15.514 ms  22.998 ms  9.477 ms
 7  24.7.69.33 (24.7.69.33)  66.412 ms  66.057 ms  79.060 ms
 8  24.7.76.81 (24.7.76.81)  77.324 ms  65.984 ms  77.516 ms
 9  bb1-pos1-0.rwc1.sfba.home.net (24.7.74.118)  66.701 ms  78.673 ms  66.758 ms
10  bfr-ge0-0.excite.com (24.7.70.34)  67.170 ms  66.809 ms  77.240 ms
11  192.168.249.139 (192.168.249.139)  81.213 ms  68.489 ms  81.637 ms
12  192.168.251.4 (192.168.251.4)  67.023 ms  164.883 ms  173.432 ms
13  nblb1.dmz.home.net (199.172.150.100)  179.639 ms  178.223 ms  197.902 ms

From owner-freebsd-security Thu Nov 30 10:04:08 2000
Date: Thu, 30 Nov 2000 12:03:59 -0600 (CST)
From: David Talkington
To: The Hermit Hacker
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?

>> Not at this time. I'll release more details in a few days once we've
>> had time to look things over better.

Oops, my apologies; I see that he also said it was already corrected.
In any case, I'm sure Kris is awfully busy double checking that his i's
are dotted and t's crossed, just as we all would be...

From owner-freebsd-security Thu Nov 30 10:11:55 2000
Message-Id: <200011301732.MAA08853@easeway.com>
Subject: Re: FreeBSD hacked?
In-Reply-To: from The Hermit Hacker at "Nov 30, 0 01:50:26 pm"
To: scrappy@hub.org (The Hermit Hacker)
Date: Thu, 30 Nov 100 12:32:41 -0500 (EST)
Cc: kris@FreeBSD.ORG, sriva@gufi.org, security@FreeBSD.ORG
From: mwlucas@exceptionet.com

[picking this message to respond to in general, not you in particular]

Kris has said that it wasn't a FreeBSD bug.  Freefall runs *how* many
services, CGIs, and so on?  If he says it's not a FreeBSD bug, and he'll
explain in a couple days when he's had time to complete a post-mortem
and confirm it, we'll have to deal.
If he's wrong, and it *is* a FreeBSD bug, we'll know it when he figures
it out.  (Or we'll have a new Security Officer PDQ, but that's not
likely.)

My journalistic voyeurism^H^H^H^H^H^H^H^H^Hcuriosity is aching like
anything, but we have to give him time to be correct.

Yep, some of us might be vulnerable.  I hope I'm not one of them.
(scurry off to check Apache version...)  No, I'm not one of them.  But
unless the hole is confirmed, notification is pretty much useless.  :(

Besides, the hackers *claim* it was a "harmless" intrusion.  Kris must
be going nuts finding out what else was changed, or confirming nothing
else was.  We've all been there.

IIRC, Freefall's been rooted before.  It'll probably be rooted again.  A
security admin's job sucks, but life goes on.

==ml

PS: For those who are new to intrusion response:

If Kris says "Oh, they hacked us via the honketyblatt CGI script," and he
turns out to be wrong, he gets bitched out.

If Kris says "Oh, they hacked us via the honketyblatt CGI script," and he
is correct but can't back it up, he gets bitched out.

If Kris says "Let me check things, and I'll tell you later," he gets
bitched out.

Kris has lots of other possible actions.  They all end with, "he gets
bitched out."  He's basically doomed.  Sorry, Kris.

Remind me to never volunteer for the security officer position.

==ml

--
Michael Lucas           | Exceptionet, Inc. | www.exceptionet.com
"Exceptional Networking" |

From owner-freebsd-security Thu Nov 30 10:21:09 2000
From: "Rodney W. Grimes"
Message-Id: <200011301820.KAA45049@gndrsh.dnsmgr.net>
Subject: Re: Danger Ports
In-Reply-To: <200011301802.NAA27215@giganda.komkon.org> from Igor Roshchin at "Nov 30, 2000 01:02:44 pm"
To: str@giganda.komkon.org (Igor Roshchin)
Date: Thu, 30 Nov 2000 10:20:57 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG

> > From: "Rodney W. Grimes"
> > Subject: Re: Danger Ports
> > Date: Thu, 30 Nov 2000 09:43:57 -0800 (PST)
> >
> > Please do all the rest of us a favor and filter the
> > packets to reserved networks, not just from them.
> >
> > > this is right out of the ACL for my core router..
> > >
> > > ! reserved networks
> > > access-list 110 deny ip 127.0.0.0 0.0.0.255 any log
> > > access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
> > > access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
> > > access-list 110 deny ip 172.31.0.0 0.0.255.255 any log
> > > access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
> >
> > access-list 110 deny ip any 127.0.0.0 0.0.0.255 log
> > access-list 110 deny ip any 10.0.0.0 0.255.255.255 log
> > access-list 110 deny ip any 172.16.0.0 0.15.255.255 log
> > access-list 110 deny ip any 172.31.0.0 0.0.255.255 log
> > access-list 110 deny ip any 192.168.0.0 0.0.255.255 log
> >
>
> I am not sure if filtering some reserved networks would not stop legible
> traffic for some people.  E.g. Home.net (@Home, @Work)
> is using 10.0.0.0 to number their aggregation routers.  Thus its
> users will probably suffer if they block this network at the firewall.

No they won't suffer, reserved networks are reserved, blocking them
at AS boundaries is a BCP, both source and destination address.
It does do some funny things to traceroute, but it doesn't affect normal
operations:

traceroute to 199.172.150.100 (199.172.150.100), 30 hops max, 40 byte packets
 1  12.127.217.157 (12.127.217.157)  9.037 ms  8.890 ms  8.914 ms
 2  gbr1-p20.wswdc.ip.att.net (12.123.194.130)  15.247 ms  15.217 ms  15.454 ms
 3  gbr3-p70.wswdc.ip.att.net (12.122.1.157)  16.046 ms  15.984 ms  16.376 ms
 4  gbr3-p80.sl9mo.ip.att.net (12.122.2.145)  31.230 ms  31.205 ms  31.215 ms
 5  gbr3-p20.sffca.ip.att.net (12.122.2.74)  71.592 ms  71.609 ms  83.002 ms
 6  gbr1-p50.sffca.ip.att.net (12.122.1.162)  73.615 ms  70.807 ms  70.809 ms
 7  ar4-a300s3.sffca.ip.att.net (12.123.12.89)  72.431 ms  72.168 ms  72.241 ms
 8  12.126.204.18 (12.126.204.18)  72.468 ms  78.563 ms  74.011 ms
 9  * * *
10  * * *
11  nblb1.dmz.home.net (199.172.150.100)  72.997 ms  72.785 ms  72.876 ms

Notice what happened to the 192.168.*.* addresses....

> Regards,
>
> Igor
>
> PS.
> Here is how a traceroute output looks for a client of @Work:
>  1  local router ...
>  2  10.252.4.49 (10.252.4.49)  16.012 ms  12.834 ms  12.852 ms
>  3  10.252.6.1 (10.252.6.1)  11.823 ms  7.354 ms  4.556 ms
>  4  c1-pos6-0.hrfrct1.home.net (24.7.74.65)  3.496 ms  15.956 ms  2.303 ms
>  5  c1-pos6-0.nycmny1.home.net (24.7.69.2)  5.043 ms  7.764 ms  15.248 ms
>  6  c1-pos8-0.cmdnnj1.home.net (24.7.65.229)  15.514 ms  22.998 ms  9.477 ms
>  7  24.7.69.33 (24.7.69.33)  66.412 ms  66.057 ms  79.060 ms
>  8  24.7.76.81 (24.7.76.81)  77.324 ms  65.984 ms  77.516 ms
>  9  bb1-pos1-0.rwc1.sfba.home.net (24.7.74.118)  66.701 ms  78.673 ms  66.758 ms
> 10  bfr-ge0-0.excite.com (24.7.70.34)  67.170 ms  66.809 ms  77.240 ms
> 11  192.168.249.139 (192.168.249.139)  81.213 ms  68.489 ms  81.637 ms
> 12  192.168.251.4 (192.168.251.4)  67.023 ms  164.883 ms  173.432 ms
> 13  nblb1.dmz.home.net (199.172.150.100)  179.639 ms  178.223 ms  197.902 ms

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                rgrimes@gndrsh.dnsmgr.net
From owner-freebsd-security Thu Nov 30 10:21:21 2000
Date: Thu, 30 Nov 2000 12:21:07 -0600 (CST)
From: David Talkington
To: mwlucas@exceptionet.com
Cc: The Hermit Hacker, kris@FreeBSD.ORG, sriva@gufi.org, security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?
In-Reply-To: <200011301732.MAA08853@easeway.com>

>PS: For those who are new to intrusion response:
>
>If Kris says "Oh, they hacked us via the honketyblatt CGI script," and he
>turns out to be wrong, he gets bitched out.
>
>If Kris says "Oh, they hacked us via the honketyblatt CGI script," and he
>is correct but can't back it up, he gets bitched out.
>
>If Kris says "Let me check things, and I'll tell you later," he gets
>bitched out.
>
>Kris has lots of other possible actions.  They all end with, "he gets
>bitched out."  He's basically doomed.  Sorry, Kris.

Brilliant synopsis.  I believe I'll change the names and post this on
the wall of my office!
From owner-freebsd-security Thu Nov 30 10:45:23 2000
Date: Fri, 01 Dec 2000 03:44:35 +0900
From: Melon
To: freebsd-security@freebsd.org
Subject: 137/udp
Message-Id: <3A26A013136.BF8AMELON@postman.orangenetwork.net>

Hello,

All network administrators may always see rejected 137/udp packets...

I want to know how these UDP packets occur.
I expect some stupid kids attacked me.  However, is there any exception?

Someone sent only 3 137/udp packets to a specific IP address.  In general,
these stupid kids do not send to a specific IP address, but to all IP
addresses I have.

Any suggestions appreciated.
- Melon

From owner-freebsd-security Thu Nov 30 10:47:57 2000
Date: Thu, 30 Nov 2000 13:47:30 -0500 (EST)
From: "Jason J. Horton"
To: Melon
Cc: freebsd-security@freebsd.org
Subject: Re: 137/udp
In-Reply-To: <3A26A013136.BF8AMELON@postman.orangenetwork.net>

# grep "137\/" /etc/services
netbios-ns      137/tcp    #NETBIOS Name Service
netbios-ns      137/udp    #NETBIOS Name Service

> All network administrators may always see rejected 137/udp packets...
>
> I want to know how these UDP packets occur.
> I expect some stupid kids attacked me.  However, is there any exception?
>
> Someone sent only 3 137/udp packets to a specific IP address.  In general,
> these stupid kids do not send to a specific IP address, but to all IP
> addresses I have.
>
> Any suggestions appreciated.
>
> - Melon

From owner-freebsd-security Thu Nov 30 10:53:15 2000
From: "Chuck Rock"
Subject: RE: /etc/passwd upgrade
Date: Thu, 30 Nov 2000 12:55:38 -0600
Message-ID: <003e01c05aff$21333be0$1805010a@epconline.net>
In-Reply-To: <20001129220238.A17777@citusc17.usc.edu>

We've upgraded from 2.2.8 to 3.2 and will be soon 4.2 by just copying the
passwd files over.  There is a mix of 3DES and MD5 passwords in the passwd
file as 2.2.8 was configured with 3DES and the 3.2 is configured with MD5.
All new users get MD5 by default, but the users with 3DES passwords still
work, and won't get MD5 unless they change their password.

We've had no problems whatsoever with this, but all the home directories and
so forth have to match the passwd file.

Is the 128bit encryption mentioned the MD5 passwords, or is this a security
feature we haven't used on our system that would make this copying of passwd
files not work?
Chuck
EPC

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Kris Kennaway
> Sent: Thursday, November 30, 2000 12:03 AM
> To: Gary Aitken
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: /etc/passwd upgrade
>
>
> On Wed, Nov 29, 2000 at 08:47:38PM -0700, Gary Aitken wrote:
> > I'm installing a clean version of 4.1 and would like to
> > maintain the passwords
> > from a 2.1 version.  The 4.1 version has 128 bit encryption,
> > and I suspect
> > this is the reason the encrypted password field is larger.
> >
> > So...  Is there any way to take the entries from an old 2.1 low-strength
> > passwd file and munge them into the high-strength one?
>
> Short answer: no.
>
> Slightly more helpful answer: expire all of your old user passwords so
> they will be recreated the next time the user logs in.
>
> Kris

From owner-freebsd-security Thu Nov 30 10:58:04 2000
From: "Chuck Rock"
Subject: RE: 137/udp
Date: Thu, 30 Nov 2000 13:00:27 -0600
Message-ID: <003f01c05aff$cd481ef0$1805010a@epconline.net>
In-Reply-To: <3A26A013136.BF8AMELON@postman.orangenetwork.net>

Port 137 is NetBIOS Name Service, and NetBIOS is used by Windows for
network communications.  You have some users with the Microsoft Client in
their network configuration trying to speak to your firewall, and these
packets are getting rejected.

The users with the Microsoft client may have a huge security hole if they
are coming in from the Internet.  That would mean their computer is either
listening on their Internet IP's for other network clients, or they are
specifically scanning for computers configured this way so they can try to
log into them for themselves.

My 2 cents,
Chuck

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Melon
> Sent: Thursday, November 30, 2000 12:45 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: 137/udp
>
>
> Hello,
>
> All network administrators may always see rejected 137/udp packets...
>
> I want to know how these UDP packets occur.
> I expect some stupid kids attacked me.  However, is there any exception?
>
> Someone sent only 3 137/udp packets to a specific IP address.  In general,
> these stupid kids do not send to a specific IP address, but to all IP
> addresses I have.
>
> Any suggestions appreciated.
>
> - Melon

From owner-freebsd-security Thu Nov 30 11:07:20 2000
Date: Thu, 30 Nov 2000 11:07:41 -0800
From: Kris Kennaway
To: The Hermit Hacker
Cc: Stefano Riva, security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?
Message-ID: <20001130110741.B29627@citusc17.usc.edu>
In-Reply-To: ; from scrappy@hub.org on Thu, Nov 30, 2000 at 01:50:26PM -0400

On Thu, Nov 30, 2000 at 01:50:26PM -0400, The Hermit Hacker wrote:
> > > >Yes, I can confirm this happened last night. We were immediately
> > > >informed by those who did it including how it was achieved. The
> > > >penetration mechanism was not a vulnerability in FreeBSD and was
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > >corrected immediately.
> > >
> > > Could you give us some detail about the mechanism used?
> >
> > Not at this time. I'll release more details in a few days once we've
> > had time to look things over better.
>=20 > so, for the next few days, there is a possibility that the rest of us are > as vulnerable? *raised eyebrow* Only if you think I'm a damned liar ;-) Kris --nVMJ2NtxeReIH9PS Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjompXwACgkQWry0BWjoQKXW5wCgnhLOobs3d0jUKPMRqIdLX7te Ey8An1WPUdFztzqJzROn3IyIjIwVAnqW =sYiN -----END PGP SIGNATURE----- --nVMJ2NtxeReIH9PS-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 11:12:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id E677737B698 for ; Thu, 30 Nov 2000 11:12:39 -0800 (PST) Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id OAA29596; Thu, 30 Nov 2000 14:12:39 -0500 (EST) (envelope-from str) Date: Thu, 30 Nov 2000 14:12:39 -0500 (EST) From: Igor Roshchin Message-Id: <200011301912.OAA29596@giganda.komkon.org> To: freebsd@gndrsh.dnsmgr.net, str@giganda.komkon.org Subject: Re: Danger Ports Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <200011301820.KAA45049@gndrsh.dnsmgr.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > From: "Rodney W. Grimes" > Date: Thu, 30 Nov 2000 10:20:57 -0800 (PST) > <..> > > > > I am not sure if filtering some reserved networks would not stop legible > > traffic for some people. E.g. Home.net (@Home, @Work) > > is using 10.0.0.0 to number their aggregation routers. Thus its > > users will probably suffer if they block this network at the firewall. > > No they won't suffer, reserved networks are reserved, blocking them > at AS boundaries is a BCP, both source and desitnation address. It > does do some funny things to traceroute, but it doesn't effect normal > operations: Yes, you are right. 
Thanks for correcting me. The will be no problem for general traffic. The only problem would be if one wants to find out which of the ISP's routers is causing the connectivity problem at the particular moment (as I had to do this many times to prove @Work's customer service that _they_ have problems). Thanks, Igor Igor To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 11:22:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from alpha.simphost.com (alpha.simphost.com [216.253.163.10]) by hub.freebsd.org (Postfix) with ESMTP id 6E1D237B400 for ; Thu, 30 Nov 2000 11:22:44 -0800 (PST) Received: by alpha.simphost.com (Postfix, from userid 1060) id 3BB1A66B0A; Thu, 30 Nov 2000 12:22:51 -0700 (MST) Received: from localhost (localhost [127.0.0.1]) by alpha.simphost.com (Postfix) with ESMTP id 3698562D03; Thu, 30 Nov 2000 12:22:51 -0700 (MST) Date: Thu, 30 Nov 2000 12:22:51 -0700 (MST) From: "Jonathan M. Slivko" To: Melon Cc: freebsd-security@freebsd.org Subject: Re: 137/udp In-Reply-To: <3A26A013136.BF8AMELON@postman.orangenetwork.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I know that my response to this e-mail isn't technical, but a comment on some of the language used on this mail that I am replying to. Apparently, someone out there seems to think that all the teen computer users out there are stupid kids. I fail to agree with you, even though I am a "stupid kid" to put it in your words, even though I am 18 years old. So, I personally take offense at that statement and would request that you refrain from using such derogative statements in further e-mails on this issue. This is a constructive e-mail list, and not a mail list where people express their opinions on what other people, children no less do. 
However, I do have to agree with you on one point, the evidence that you have shown us appears to be consistent with the workings of an inexperienced user, not neccessarily a child, mind you. But, that is besides the point. I would have expected better language from a network administrator, being that I am one myself, for a rather large company. If you would like to take this matter up further, please don't hesitate to E-Mail me personally. My E-Mail address is listed on the bottom of this E-Mail. Thank You for your time. -- Jonathan M. Slivko ---- Jonathan M. Slivko Technical Support, CoreSync Corporation (http://www.coresync.net) Team Leader, SecureIRC Project (http://secureirc.sourceforge.net) Pager/Voicemail: (917) 388-5304 ---- On Fri, 1 Dec 2000, Melon wrote: > Hello, > > All network administrator may always see rejected 137/udp packet... > > I want to know how these udp packets are occured? > I expect some stupid kids attacked me. However, is there any exception? > > Someone sent only 3 137/udp packets to specific IP address. In general, > these stupid does not sent to specific IP address, sent to all IP > addresses I have. > > Any suggestions appreciated. > > - Melon > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 11:30:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179]) by hub.freebsd.org (Postfix) with ESMTP id D503437B400 for ; Thu, 30 Nov 2000 11:30:11 -0800 (PST) Received: from localhost (meshko@localhost) by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id OAA15834; Thu, 30 Nov 2000 14:29:23 -0500 Date: Thu, 30 Nov 2000 14:29:23 -0500 (EST) From: Mikhail Kruk To: "Jonathan M. 
Slivko" Cc: Melon , Subject: Re: 137/udp In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > However, I do have to agree with you on one point, the evidence that you > have shown us appears to be consistent with the workings of an > inexperienced user, not neccessarily a child, mind you. But, that is I think he was referring to stupid kids from 31331 haxor scene (or whatever the right name is). I insist that you leave us (everybody on this list) the right to call these kids stupid because by my estimation 99% of them are and 1% is clever enough to know this and not be offended. You, in particular, are too old to fall into this category anyways. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 11:41:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.redshells.net (unknown [208.189.113.190]) by hub.freebsd.org (Postfix) with SMTP id E018237B400 for ; Thu, 30 Nov 2000 11:41:39 -0800 (PST) Received: (qmail 49528 invoked from network); 30 Nov 2000 19:42:35 -0000 Received: from unknown (HELO redshells.net) (208.189.113.201) by mail.redshells.net with SMTP; 30 Nov 2000 19:42:35 -0000 Message-ID: <3A26A029.7676CA2F@redshells.net> Date: Thu, 30 Nov 2000 12:44:57 -0600 From: Chris Lucas X-Mailer: Mozilla 4.74 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: "Jonathan M. Slivko" Cc: Melon , freebsd-security@freebsd.org Subject: Re: 137/udp References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hmm... I'm wondering where he said that 'all' teen computer users are stupid. The way I read it was that he thought he was hacked. I think we all can agree that the majority of hacking activity is coming from kids these days. 
Many older "hackers" know better and would rather not end up in jail, hence the reference to stupid kids. "Jonathan M. Slivko" wrote: > I know that my response to this e-mail isn't technical, but a comment on > some of the language used on this mail that I am replying to. Apparently, > someone out there seems to think that all the teen computer users out > there are stupid kids. I fail to agree with you, even though I am a > "stupid kid" to put it in your words, even though I am 18 years old. So, I > personally take offense at that statement and would request that you > refrain from using such derogative statements in further e-mails on this > issue. This is a constructive e-mail list, and not a mail list where > people express their opinions on what other people, children no less > do. > > However, I do have to agree with you on one point, the evidence that you > have shown us appears to be consistent with the workings of an > inexperienced user, not neccessarily a child, mind you. But, that is > besides the point. I would have expected better language from a network > administrator, being that I am one myself, for a rather large company. If > you would like to take this matter up further, please don't hesitate to > E-Mail me personally. My E-Mail address is listed on the bottom of this > E-Mail. Thank You for your time. > > -- Jonathan M. Slivko > > ---- > Jonathan M. Slivko > Technical Support, CoreSync Corporation (http://www.coresync.net) > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net) > Pager/Voicemail: (917) 388-5304 > ---- > > On Fri, 1 Dec 2000, Melon wrote: > > > Hello, > > > > All network administrator may always see rejected 137/udp packet... > > > > I want to know how these udp packets are occured? > > I expect some stupid kids attacked me. However, is there any exception? > > > > Someone sent only 3 137/udp packets to specific IP address. 
In general, > > these stupid does not sent to specific IP address, sent to all IP > > addresses I have. > > > > Any suggestions appreciated. > > > > - Melon > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 11:45:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from alpha.simphost.com (alpha.simphost.com [216.253.163.10]) by hub.freebsd.org (Postfix) with ESMTP id 5B65337B401 for ; Thu, 30 Nov 2000 11:45:09 -0800 (PST) Received: by alpha.simphost.com (Postfix, from userid 1060) id A30CB66B0A; Thu, 30 Nov 2000 12:45:07 -0700 (MST) Received: from localhost (localhost [127.0.0.1]) by alpha.simphost.com (Postfix) with ESMTP id 9BD3B62D03; Thu, 30 Nov 2000 12:45:07 -0700 (MST) Date: Thu, 30 Nov 2000 12:45:07 -0700 (MST) From: "Jonathan M. Slivko" To: Chris Lucas Cc: Melon , freebsd-security@freebsd.org Subject: Re: 137/udp In-Reply-To: <3A26A029.7676CA2F@redshells.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org However, if you read my later statement, I said I agree that in this case, the evidence warrents the assumption that it was a kid that launched the udp sequence. However, there are alot of extremely bright kids out there who are good on computers, hence the New York Times (http://www.nytimes.com) article on it awhile ago. And, with that, I would like to end this portion of the discussion. ---- Jonathan M. 
Slivko Technical Support, CoreSync Corporation (http://www.coresync.net) Team Leader, SecureIRC Project (http://secureirc.sourceforge.net) Pager/Voicemail: (917) 388-5304 ---- On Thu, 30 Nov 2000, Chris Lucas wrote: > Hmm... I'm wondering where he said that 'all' teen computer users are stupid. > The way I read it was that he thought he was hacked. I think we all can agree > that the majority of hacking activity is coming from kids these days. Many > older "hackers" know better and would rather not end up in jail, hence the > reference to stupid kids. > > "Jonathan M. Slivko" wrote: > > > I know that my response to this e-mail isn't technical, but a comment on > > some of the language used on this mail that I am replying to. Apparently, > > someone out there seems to think that all the teen computer users out > > there are stupid kids. I fail to agree with you, even though I am a > > "stupid kid" to put it in your words, even though I am 18 years old. So, I > > personally take offense at that statement and would request that you > > refrain from using such derogative statements in further e-mails on this > > issue. This is a constructive e-mail list, and not a mail list where > > people express their opinions on what other people, children no less > > do. > > > > However, I do have to agree with you on one point, the evidence that you > > have shown us appears to be consistent with the workings of an > > inexperienced user, not neccessarily a child, mind you. But, that is > > besides the point. I would have expected better language from a network > > administrator, being that I am one myself, for a rather large company. If > > you would like to take this matter up further, please don't hesitate to > > E-Mail me personally. My E-Mail address is listed on the bottom of this > > E-Mail. Thank You for your time. > > > > -- Jonathan M. Slivko > > > > ---- > > Jonathan M. 
Slivko > > Technical Support, CoreSync Corporation (http://www.coresync.net) > > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net) > > Pager/Voicemail: (917) 388-5304 > > ---- > > > > On Fri, 1 Dec 2000, Melon wrote: > > > > > Hello, > > > > > > All network administrator may always see rejected 137/udp packet... > > > > > > I want to know how these udp packets are occured? > > > I expect some stupid kids attacked me. However, is there any exception? > > > > > > Someone sent only 3 137/udp packets to specific IP address. In general, > > > these stupid does not sent to specific IP address, sent to all IP > > > addresses I have. > > > > > > Any suggestions appreciated. > > > > > > - Melon > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 11:48:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from winston.osd.bsdi.com (winston.osd.bsdi.com [204.216.27.229]) by hub.freebsd.org (Postfix) with ESMTP id 1E12037B401; Thu, 30 Nov 2000 11:48:38 -0800 (PST) Received: from winston.osd.bsdi.com (jkh@localhost [127.0.0.1]) by winston.osd.bsdi.com (8.11.1/8.11.1) with ESMTP id eAUJmSM18751; Thu, 30 Nov 2000 11:48:29 -0800 (PST) (envelope-from jkh@winston.osd.bsdi.com) To: The Hermit Hacker Cc: Kris Kennaway , Stefano Riva , security@FreeBSD.ORG Subject: Re: FreeBSD hacked? In-Reply-To: Message from The Hermit Hacker of "Thu, 30 Nov 2000 13:50:26 -0400." 
Date: Thu, 30 Nov 2000 11:48:28 -0800 Message-ID: <18748.975613708@winston.osd.bsdi.com> From: Jordan Hubbard Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > so, for the next few days, there is a possibility that the rest of us are > as vulnerable? *raised eyebrow* Only if you run all of FreeBSD.org's CGI scripts. Do you? :) - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 12:13:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from yez.hyperreal.org (gate.sp.collab.net [64.211.228.36]) by hub.freebsd.org (Postfix) with SMTP id 2627837B400 for ; Thu, 30 Nov 2000 12:13:30 -0800 (PST) Received: (qmail 3738 invoked by uid 1000); 30 Nov 2000 20:13:30 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 30 Nov 2000 20:13:30 -0000 Date: Thu, 30 Nov 2000 12:13:30 -0800 (PST) From: Brian Behlendorf X-Sender: brian@localhost To: David Talkington Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD hacked? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 30 Nov 2000, David Talkington wrote: > I seem to recall that these guys were the ones who hacked Slashdot > some time back. Same M.O. -- nothing destructive, left a polite > calling card, full disclosure of the penetration method. That one > wasn't a software vulnerability either; just an embarrassing > configuration problem (unmodified default password, I think!)... Someone claiming to be {} was also involved in the apache.org hack we had ~6 months ago . How they'd get in? Through a combo of a world-writeable FTP directory, with a hole in Bugzilla and a poorly configured Mysql daemon. 
Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 12:16:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 9EEAC37B404 for ; Thu, 30 Nov 2000 12:16:26 -0800 (PST) Received: (qmail 16495 invoked by uid 0); 30 Nov 2000 20:16:25 -0000 Received: from p3ee21627.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.39) by mail.gmx.net (mail04) with SMTP; 30 Nov 2000 20:16:25 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id SAA01803 for freebsd-security@freebsd.org; Thu, 30 Nov 2000 18:26:28 +0100 Date: Thu, 30 Nov 2000 18:26:28 +0100 From: Gerhard Sittig To: freebsd-security@freebsd.org Subject: Re: filtering ipsec traffic Message-ID: <20001130182628.P27042@speedy.gsinet> Mail-Followup-To: freebsd-security@freebsd.org References: <20001129185752.O27042@speedy.gsinet> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001129185752.O27042@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Wed, Nov 29, 2000 at 06:57:52PM +0100 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 29, 2000 at 18:57 +0100, Gerhard Sittig wrote: > > Am I wrong thinking that one already has these four hooks > available? (Sorry, I haven't toyed with IPsec yet.) > > [ ... ] > > And the way out is similar with a chain of > app -> enc0 -> IPsec -> tun0 -> wire Woops, forget the above, please! :) I must have been asleep and was confusing this with OpenBSD. Let me cite from their manpages (sorry, don't have a running system around here so I will UTSL :) -- feel free to read the online manpages at www.CC.freebsd.org in your preferred output format). ----- ipsec(4) -------------------------------------------------- ... 
For example: .Bd -literal -offset indent Net A <----> Firewall 1 <--- Internet ---> Firewall 2 <----> Net B .Ed .Pp Firewall 1 and Firewall 2 can protect all communications between Net A and Net B by using .Tn IPsec in tunnel mode, as illustrated above. .Pp This implementation makes use of a virtual interface .Nm enc0 , which can be used in packet filters to specify those packets that have been or will be processed by .Tn IPsec. ... ----------------------------------------------------------------- ----- enc(4) ---------------------------------------------------- ... .Sh SYNOPSIS .Cd "pseudo-device enc 4" .Sh DESCRIPTION The .Nm interface is a software loopback mechanism that allows hosts or firewalls to filter .Xr ipsec 4 traffic using .Xr ipf 5 . The .Xr vpn 8 manpage shows an example of such a setup. ... ----------------------------------------------------------------- Maybe that's something FreeBSD wants to have, too? I don't see a difference in which filter gets the packet once is enters / leaves the IPsec functionality block and feel the mention of ipf(5) -- why 5, not 8 or 4? -- to come from the fact that it's OpenBSD's native filter. virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 12:20:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.redshells.net (mail.redshells.net [208.189.113.190]) by hub.freebsd.org (Postfix) with SMTP id 906AA37B400 for ; Thu, 30 Nov 2000 12:20:08 -0800 (PST) Received: (qmail 49772 invoked from network); 30 Nov 2000 20:21:06 -0000 Received: from unknown (HELO redshells.net) (208.189.113.201) by mail.redshells.net with SMTP; 30 Nov 2000 20:21:06 -0000 Message-ID: <3A26A8C6.35B94E4F@redshells.net> Date: Thu, 30 Nov 2000 13:21:43 -0600 From: Chris Lucas X-Mailer: Mozilla 4.74 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: "Jonathan M. Slivko" Cc: Melon , freebsd-security@freebsd.org Subject: Re: 137/udp References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm sure you would like to end this portion of the discussion, however that is not up to you. As far as your later statement I will quote: "the evidence that you have shown us appears to be consistent with the workings of an inexperienced user, not neccessarily (SIC) a child, mind you." Also, I never attempted to make a point that there are not many bright kids who are good on computers. So, with that said I will respectfully ask that this issue be put to rest and apologize to anyone who wasted their time reading these last few emails. Thank you "Jonathan M. Slivko" wrote: > However, if you read my later statement, I said I agree that in this case, > the evidence warrents the assumption that it was a kid that launched the > udp sequence. However, there are alot of extremely bright kids out there > who are good on computers, hence the New York Times > (http://www.nytimes.com) article on it awhile ago. > > And, with that, I would like to end this portion of the discussion. 
> > ---- > Jonathan M. Slivko > Technical Support, CoreSync Corporation (http://www.coresync.net) > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net) > Pager/Voicemail: (917) 388-5304 > ---- > > On Thu, 30 Nov 2000, Chris Lucas wrote: > > > Hmm... I'm wondering where he said that 'all' teen computer users are stupid. > > The way I read it was that he thought he was hacked. I think we all can agree > > that the majority of hacking activity is coming from kids these days. Many > > older "hackers" know better and would rather not end up in jail, hence the > > reference to stupid kids. > > > > "Jonathan M. Slivko" wrote: > > > > > I know that my response to this e-mail isn't technical, but a comment on > > > some of the language used on this mail that I am replying to. Apparently, > > > someone out there seems to think that all the teen computer users out > > > there are stupid kids. I fail to agree with you, even though I am a > > > "stupid kid" to put it in your words, even though I am 18 years old. So, I > > > personally take offense at that statement and would request that you > > > refrain from using such derogative statements in further e-mails on this > > > issue. This is a constructive e-mail list, and not a mail list where > > > people express their opinions on what other people, children no less > > > do. > > > > > > However, I do have to agree with you on one point, the evidence that you > > > have shown us appears to be consistent with the workings of an > > > inexperienced user, not neccessarily a child, mind you. But, that is > > > besides the point. I would have expected better language from a network > > > administrator, being that I am one myself, for a rather large company. If > > > you would like to take this matter up further, please don't hesitate to > > > E-Mail me personally. My E-Mail address is listed on the bottom of this > > > E-Mail. Thank You for your time. > > > > > > -- Jonathan M. Slivko > > > > > > ---- > > > Jonathan M. 
Slivko > > > Technical Support, CoreSync Corporation (http://www.coresync.net) > > > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net) > > > Pager/Voicemail: (917) 388-5304 > > > ---- > > > > > > On Fri, 1 Dec 2000, Melon wrote: > > > > > > > Hello, > > > > > > > > All network administrator may always see rejected 137/udp packet... > > > > > > > > I want to know how these udp packets are occured? > > > > I expect some stupid kids attacked me. However, is there any exception? > > > > > > > > Someone sent only 3 137/udp packets to specific IP address. In general, > > > > these stupid does not sent to specific IP address, sent to all IP > > > > addresses I have. > > > > > > > > Any suggestions appreciated. > > > > > > > > - Melon > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 12:26:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from beamail.beasys.com (unknown [63.96.163.38]) by hub.freebsd.org (Postfix) with ESMTP id 0483B37B400 for ; Thu, 30 Nov 2000 12:26:48 -0800 (PST) Received: from san-francisco.beasys.com (san-francisco.beasys.com [192.168.9.10]) by beamail.beasys.com (8.9.1b+Sun/8.9.1) with ESMTP id MAA29168 for ; Thu, 30 Nov 2000 12:26:47 -0800 (PST) Received: from ashbury.weblogic.com (ashbury.beasys.com [172.17.8.3]) by san-francisco.beasys.com (8.9.3+Sun/8.9.1) with ESMTP id MAA17928; Thu, 30 Nov 2000 12:26:47 -0800 (PST) Received: from beasys.com ([192.168.53.2]) by ashbury.weblogic.com (Post.Office MTA 
v3.5.3 release 223 ID# 0-53833U200L200S0V35) with ESMTP id com; Thu, 30 Nov 2000 12:46:43 -0800 Message-ID: <3A26B705.BB9C836E@beasys.com> Date: Thu, 30 Nov 2000 13:22:29 -0700 From: garya@bea.com (Gary Aitken) Organization: BEA WebXpress X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Chuck Rock Cc: freebsd-security@freebsd.org Subject: Re: /etc/passwd upgrade References: <003e01c05aff$21333be0$1805010a@epconline.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Chuck Rock wrote: > > We've upgraded from 2.2.8 to 3.2 and will be soon 4.2 by just copying the > passwd files over. > > There is a mix of 3DES and MD5 passwords in the passwd file as 2.2.8 was > configured with 3DES and the 3.2 is configrued with MD5. All new users get > MD5 by default, but the users with 3DES password still work, and won't get > MD5 unless they change their password. > > We've had no problems whatsoever with this, but all the home directories and > so forth have to match the passwd file. > > Is the 128bit ecryption mentioned the MD5 passwords, or is this a security > feature we havent used on our system that would make this copying of passwd > files not work? Thanks. I copied the appropriate entries from the old (2.1) file and it appears to be working, so you should be ok. 
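The mixed DES/MD5 situation Chuck describes can be audited from the shell: the old 13-character DES hashes keep working, but the accounts that still carry one will not get an MD5 ($1$) hash until their owners change their password, so it helps to know who they are. The script below is an added example, not code from this thread or from FreeBSD; it assumes only the standard master.passwd(5) field layout, and the function names and the sample file are its own.

```sh
#!/bin/sh
# Added example (not from the thread or FreeBSD): audit a master.passwd(5)-style
# file copied from an older release and report which accounts still carry a
# 13-character DES hash, i.e. the users who keep working but will not get an
# MD5 hash until they change their password.

# classify_hash HASH -> prints one of: des md5 blf locked empty unknown
classify_hash() {
    case "$1" in
        '')         echo empty ;;      # no password at all
        '*'*|'!'*)  echo locked ;;     # not a valid hash, login disabled
        '$1$'*)     echo md5 ;;        # MD5-crypt, "$1$salt$hash"
        '$2a$'*)    echo blf ;;        # Blowfish-crypt (FreeBSD "blf")
        *'$'*)      echo unknown ;;    # some other modular-crypt format
        *)
            # traditional DES crypt(3): exactly 13 characters, no '$'
            if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi
            ;;
    esac
}

# audit_passwd FILE -> one "name format" line per account; comments skipped.
# master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
audit_passwd() {
    while IFS=: read -r name pw _rest; do
        case "$name" in ''|'#'*) continue ;; esac
        echo "$name $(classify_hash "$pw")"
    done < "$1"
}

# des_users FILE -> names of the accounts still on DES (the ones to chase)
des_users() {
    audit_passwd "$1" | while read -r name fmt; do
        if [ "$fmt" = des ]; then echo "$name"; fi
    done
}

# Constructed sample in master.passwd(5) layout; the hashes are made up and
# are not real credentials.
SAMPLE=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# name:pw:uid:gid:class:change:expire:gecos:home:shell
root:$1$abcdefgh$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
chuck:abJnggxhB/yWI:1001:1001::0:0:Chuck (from 2.2.8):/home/chuck:/bin/sh
melon:xy9Ppq.K2mB7E:1002:1002::0:0:Melon (from 2.2.8):/home/melon:/bin/sh
gary:$1$ijklmnop$abcdefghijkl0123456789:1003:1003::0:0:Gary:/home/gary:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
EOF

audit_passwd "$SAMPLE"
echo "still on DES: $(des_users "$SAMPLE" | tr '\n' ' ')"
```

Run it against /etc/master.passwd (as root) instead of the sample to get the real list; the classification only looks at the password field, so a `locked` or `unknown` result is worth a second look rather than an automatic change.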
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 13:47:26 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 99F3037B400 for ; Thu, 30 Nov 2000 13:47:24 -0800 (PST) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id QAA369172; Thu, 30 Nov 2000 16:47:01 -0500 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: References: Date: Thu, 30 Nov 2000 16:47:00 -0500 To: "Jonathan M. Slivko" , Melon From: Garance A Drosihn Subject: Re: 137/udp Cc: freebsd-security@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:22 PM -0700 11/30/00, Jonathan M. Slivko wrote: >I know that my response to this e-mail isn't technical, but >a comment on some of the language used on this mail that I >am replying to. Apparently, someone out there seems to think >that all the teen computer users out there are stupid kids. Please leave the politically-correct posturing off this list. The "language" used was perfectly fine. He did not in any way insult "all the teen users" anywhere. He said: > > I expect some stupid kids attacked me. > > However, is there any exception? Assuming you were not gratuitously searching for an insult, all he said was "the people who attacked me were stupid kids", and not "all kids are stupid, and I think a few of those kids -- who by definition must be stupid because I have used the word 'kid' -- have attacked me". Pulling out the PC police force on such a benign statement is much more obnoxious than the original statement was. There was no swearing, no blanket statements of condemnation, just a comment that the attack seemed to be from some stupid kids. 
-- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 14:49:12 2000 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id DF68737B400 for ; Thu, 30 Nov 2000 14:49:10 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1098) id 58C0E2B28D; Thu, 30 Nov 2000 16:49:05 -0600 (CST) Date: Thu, 30 Nov 2000 16:49:05 -0600 From: Bill Fumerola To: "Rodney W. Grimes" Cc: Igor Roshchin , freebsd-security@FreeBSD.ORG Subject: Re: Danger Ports Message-ID: <20001130164905.E83422@elvis.mu.org> References: <200011301802.NAA27215@giganda.komkon.org> <200011301820.KAA45049@gndrsh.dnsmgr.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200011301820.KAA45049@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Thu, Nov 30, 2000 at 10:20:57AM -0800 X-Operating-System: FreeBSD 4.2-FEARSOME-20001103 i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Nov 30, 2000 at 10:20:57AM -0800, Rodney W. Grimes wrote: > No they won't suffer, reserved networks are reserved, blocking them > at AS boundaries is a BCP, both source and desitnation address. It > does do some funny things to traceroute, but it doesn't effect normal > operations: I wouldn't go as far as BCP. See nanog archives. -- Bill Fumerola - security yahoo / Yahoo! inc. 
- fumerola@yahoo-inc.com / billf@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 15: 3:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from aurora.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id 958EB37B400; Thu, 30 Nov 2000 15:03:36 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by aurora.scoop.co.nz (8.9.3/8.9.3) with SMTP id MAA03519; Fri, 1 Dec 2000 12:03:14 +1300 (NZDT) Date: Fri, 1 Dec 2000 12:03:14 +1300 (NZDT) From: Andrew McNaughton Reply-To: andrew@scoop.co.nz To: "Jonathan M. Slivko" Cc: John Howie , freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG Subject: Re: Danger Ports In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Back Orifice et al are only dangerous ports if you are listening to those ports. Seems unlikely you'd do that under FreeBSD. You might want to block packets to these ports on other machines of course, but that has nothing to do with FreeBSD's security. Andrew McNaughton On Wed, 29 Nov 2000, Jonathan M. Slivko wrote: > Date: Wed, 29 Nov 2000 19:08:09 -0700 (MST) > From: "Jonathan M. Slivko" > To: John Howie > Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG > Subject: Re: Danger Ports > > I am referring to the Back Orifice, Trinoo server ports, etc. Where can I > get my hands on a list of those port #'s? or are there any utilities that > act as those servers and log all attempts in hopes of catching those users > who will no doubt try and take advantage of an open system? > > ---- > Jonathan M. 
> Slivko
> Technical Support, CoreSync Corporation (http://www.coresync.net)
> Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> Pager/Voicemail: (917) 388-5304
> ----
>
> On Wed, 29 Nov 2000, John Howie wrote:
>
> > Jonathan,
> >
> > Rather than denying access to certain ports on your system, and allowing
> > access to the rest, you might find it easier to think in the reverse - What
> > ports do I need to leave open to outside (presumably Internet) users?
> >
> > The answer to that question depends on the needs of your outside users. You
> > will probably need to allow SSH access, and I would suggest that you get
> > users to use SCP instead of FTP (unless you have a public FTP site that
> > allows anonymous connections). You might also need to open up access to SMTP
> > and POP3 services for mail (while ensuring that your site can't be used as a
> > mail relay). DNS is another service that you might need to provide access
> > to.
> >
> > If users need access to so-called dangerous services such as X, printer,
> > NFS, NIS, SNMP, etc. then I would look for a VPN solution that brings them
> > into your network through the firewall and allows them to access these
> > services as an internal user.
> >
> > O'Reilly does a good book on Firewall Security, I suggest that you get it
> > and have a read. CERT also has a good document on packet filtering
> > (http://www.cert.org). Also, check the FreeBSD handbook or The Complete
> > FreeBSD for more information about setting up firewalls on FreeBSD systems.
> >
> > Hope this helps,
> >
> > john...
> >
> > ----- Original Message -----
> > From: "Jonathan M. Slivko"
> > Sent: Wednesday, November 29, 2000 5:23 PM
> > Subject: Danger Ports
> >
> > > Can someone tell me what are the "danger" ports on FreeBSD, ports that
> > > perhaps need to be blocked because they are insecure?
> > > I would like to know
> > > so in the future, I can prevent outside attacks and concentrate more on
> > > internal attacks, or "insider jobs" as they're called.
> > >
> > > ----
> > > Jonathan M. Slivko
> > > Technical Support, CoreSync Corporation (http://www.coresync.net)
> > > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> > > Pager/Voicemail: (917) 388-5304
> > > ----

-- 
Andrew McNaughton
Scoop Media Ltd
andrew@scoop.co.nz

From owner-freebsd-security Thu Nov 30 15:11:44 2000
Date: Thu, 30 Nov 2000 18:11:41 -0500
From: Will Andrews
To: mwlucas@exceptionet.com
Cc: The Hermit Hacker, kris@FreeBSD.ORG, sriva@gufi.org, security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?
Message-ID: <20001130181141.Y559@puck.firepipe.net>
References: <200011301732.MAA08853@easeway.com>
In-Reply-To: <200011301732.MAA08853@easeway.com>; from mwlucas@exceptionet.com on Thu, Nov 30, 2000 at 12:32:41PM -0500

On Thu, Nov 30, 2000 at 12:32:41PM -0500, mwlucas@exceptionet.com wrote:
> IIRC, Freefall's been rooted before. It'll probably be rooted again. A
> security admin's job sucks, but life goes on.

*Apparently* only a html file was changed.. so you don't know it was
rooted. It'd be pretty hard to root *.freebsd.org boxes.. But yes, it's
been rooted before. However, the last time was about 2 or 3 years ago
(to my knowledge), and there hasn't been one since.

-- 
wca

From owner-freebsd-security Thu Nov 30 15:36: 6 2000
From: "Peter Brezny"
Subject: ipfw dynamic firewall opening Large amounts of dynamic rules normal?
Date: Thu, 30 Nov 2000 18:35:09 -0800
Message-ID: <007901c05b3f$537026a0$46010a0a@sysadmininc.com>

Hello Everyone,

On a 4.2-stable box I've got ipfw and nat running with 2 dynamic rules (see
complete rule set below).

    $fwcmd add check-state
    $fwcmd add allow ip from $oip to any keep-state out via $oif
    $fwcmd add allow ip from $inwr to any keep-state via $iif

This box is in the testing phase, and with me as the only user behind the
firewall with a couple browsers and a mail client running,

    sysctl net.inet.ip.fw

shows ...dyn_count: 178 (see below)

When I

    ipfw show

it appears that for each outbound request for a website between six and 10
rules are created, one for the private ip of the internal machine followed
by several for the (I'm assuming) translated internal request heading out to
the remote web server (see below).

Is this behavior normal? And if so, how high is it recommended to set the

    sysctl net.inet.ip.fw.dyn_max:

variable (I'm using the default of 1000)?

I've attached a copy of my firewall rules below as well.

Any advice will be greatly appreciated.

TIA

Peter Brezny
SysAdmin Services Inc.
sysctl output

net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 178
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 30

ipfw show output

01300 0 0 (T 0, # 34) ty 0 tcp, 10.10.1.70 1265 <-> 209.16.228.140 25
01200 0 0 (T 0, # 36) ty 0 tcp, 209.16.228.146 1256 <-> 208.201.239.14 80
01200 0 0 (T 0, # 37) ty 0 tcp, 209.16.228.146 1262 <-> 204.148.40.9 80
01200 0 0 (T 0, # 38) ty 0 tcp, 209.16.228.146 1261 <-> 204.148.40.9 80
01200 0 0 (T 0, # 40) ty 0 tcp, 209.16.228.146 1251 <-> 204.148.40.9 80
01200 0 0 (T 0, # 41) ty 0 tcp, 209.16.228.146 1253 <-> 208.201.239.14 80
01200 0 0 (T 0, # 43) ty 0 tcp, 209.16.228.146 1255 <-> 208.201.239.14 80
01200 0 0 (T 0, # 47) ty 0 tcp, 209.16.228.146 1252 <-> 204.148.40.9 80
01300 0 0 (T 0, # 49) ty 0 tcp, 10.10.1.70 1216 <-> 64.41.203.231 80
01200 1 477 (T 0, # 52) ty 0 udp, 209.16.228.146 1055 <-> 209.16.228.140 53
01200 1 154 (T 0, # 53) ty 0 udp, 209.16.228.146 1054 <-> 209.16.228.140 53
01200 1 149 (T 0, # 54) ty 0 udp, 209.16.228.146 1053 <-> 209.16.228.140 53
01200 1 132 (T 0, # 55) ty 0 udp, 209.16.228.146 1052 <-> 209.16.228.140 53
01200 0 0 (T 0, # 64) ty 0 tcp, 209.16.228.146 1163 <-> 204.148.40.9 80
01200 0 0 (T 0, # 65) ty 0 tcp, 209.16.228.146 1162 <-> 204.148.40.9 80
01200 0 0 (T 0, # 66) ty 0 tcp, 209.16.228.146 1161 <-> 204.148.40.9 80
01200 0 0 (T 0, # 67) ty 0 tcp, 209.16.228.146 1160 <-> 204.148.40.9 80
01200 0 0 (T 0, # 68) ty 0 tcp, 209.16.228.146 1167 <-> 204.148.40.9 80
01200 0 0 (T 0, # 69) ty 0 tcp, 209.16.228.146 1166 <-> 204.148.40.9 80

Current firewall ruleset.
fwcmd="/sbin/ipfw"     #leave as is if using ipfw
oif="oifx"             #set to outside interface name
onwr="a.b.c.d/24"      #set to outside network range
oip="a.b.c.d"          #set to outside ip address
iif="ifx"              #set to internal interface name
inwr="x.y.z.x/24"      #set to internal network range
iip="x.y.z.x"          #set to internal ip address
ns1="e.f.g.h"          #set to primary name server best if = oif
#ntp="i.j.k.l"         #set to ip of NTP server or leave as is
#
# End of required user input
#
# Rules
#
$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add deny log all from any to 127.0.0.0/8
$fwcmd add deny log ip from $inwr to any in via $oif
$fwcmd add deny log ip from not $inwr to any in via $iif
$fwcmd add divert natd all from any to any via $oif
$fwcmd add allow tcp from any to any established
$fwcmd add allow tcp from any to $oip 22,25,80,443 setup
# $fwcmd add allow icmp from any to any
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
$fwcmd add allow udp from any 53 to $ns1 53
# $fwcmd add allow udp from $ntp 123 to $oip 123
$fwcmd add check-state
$fwcmd add allow ip from $oip to any keep-state out via $oif
$fwcmd add allow ip from $inwr to any keep-state via $iif
$fwcmd add 65435 deny log ip from any to any

From owner-freebsd-security Thu Nov 30 16: 4:13 2000
From: Don Lewis
Message-Id: <200012010001.QAA01418@salsa.gv.tsc.tdk.com>
Date: Thu, 30 Nov 2000 16:01:22 -0800
In-Reply-To: <20001130163937.D9269@ringworld.oblivion.bg>
References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk> <20001130163937.D9269@ringworld.oblivion.bg>
To: Peter Pentchev, Adam Laurie
Cc: "Roberto Samarone Araujo (RSA)", freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Firewall - Help please

On Nov 30, 4:39pm, Peter Pentchev wrote:
} Subject: Re: FreeBSD Firewall - Help please
} Much too true.. indeed, for those who haven't seen it the first few
} thousand times, there are numerous telnet- and netcat-like utilities,
} that are able to connect to previously installed backdoors, sending
} TCP or UDP packets with a specified source port. The above-pasted
} firewall config will happily let those in, assuming they are DNS replies.
}
} The only way to get around this is with a stateful firewall - allowing
} UDP-source-port-53 traffic only after an outgoing UDP packet to that
} host's port 53.

... or run named and only allow responses to go to its query-source port.
The disadvantage of this is that you can't debug DNS problems by pointing
dig at other name servers.
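The two approaches Peter Pentchev and Don Lewis describe above, modelled as an added example (not code from this thread, and not ipfw's implementation): the stateless 'allow udp from any 53 to $ns1 53' rule of the kind in Peter Brezny's ruleset earlier on this page, beside keep-state/check-state tracking of outbound queries, with a toy dynamic-rule table whose expired entries behave like the "T 0" rows of the ipfw show output discussed in this thread. The addresses, the packet trace and the DynTable class are constructed; dyn_max=1000 and the 30 s UDP lifetime are taken from the posted sysctl values, assuming dyn_short_lifetime is the one that applies to UDP.

```python
# Added model, not ipfw's own code: the stateless port-53 rule versus
# keep-state/check-state, plus a toy dynamic table with "T 0"-style entries.
from dataclasses import dataclass

# Constructed addresses: OIP is the box running named (which is also $ns1
# in the posted ruleset); the other two are external name servers.
OIP = "198.51.100.10"
NS1 = OIP
REMOTE_NS = "203.0.113.7"
STRANGER = "203.0.113.99"


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" (arriving on $oif) or "out"
    t: float         # seconds since the start of the trace


def stateless_allows(pkt):
    """The posted rule '$fwcmd add allow udp from any 53 to $ns1 53', as it
    applies to inbound packets: anything with source port 53 aimed at the
    resolver gets in, whether or not a query ever went out."""
    return (pkt.direction == "in" and pkt.proto == "udp"
            and pkt.sport == 53 and pkt.dst == NS1 and pkt.dport == 53)


class DynTable:
    """Toy keep-state / check-state table.  Entries are keyed by the
    bidirectional 5-tuple and carry an expiry time; expired entries stay
    in the table until a slot is needed, so len(entries) behaves like
    dyn_count rather than like the number of live flows.  dyn_max=1000
    and the 30 s UDP lifetime are the sysctl values posted in the thread
    (assumption: dyn_short_lifetime is the one that applies to UDP)."""

    def __init__(self, dyn_max=1000, udp_lifetime=30):
        self.dyn_max = dyn_max
        self.udp_lifetime = udp_lifetime
        self.entries = {}    # flow key -> expiry time
        self.overflows = 0   # new flows refused because the table was full

    @staticmethod
    def _key(pkt):
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def keep_state(self, pkt):
        """An outbound packet matched 'allow ... keep-state': record the flow.
        Returns False (ipfw would log this) if no slot can be reclaimed."""
        key = self._key(pkt)
        if key not in self.entries and len(self.entries) >= self.dyn_max:
            # Reclaim slots held by expired entries before giving up.
            self.entries = {k: e for k, e in self.entries.items() if e > pkt.t}
            if len(self.entries) >= self.dyn_max:
                self.overflows += 1
                return False
        self.entries[key] = pkt.t + self.udp_lifetime
        return True

    def check_state(self, pkt):
        """'check-state': admit only if a live entry exists for this flow,
        and refresh its timer.  No match, or an expired match, is a deny."""
        key = self._key(pkt)
        expiry = self.entries.get(key)
        if expiry is None or expiry <= pkt.t:
            return False
        self.entries[key] = pkt.t + self.udp_lifetime
        return True

    def counts(self, now):
        """(active, expired): the sum is what dyn_count reports."""
        active = sum(1 for e in self.entries.values() if e > now)
        return active, len(self.entries) - active


def run_trace():
    """Constructed trace: one real query/reply, one unsolicited packet from
    source port 53, and a reply arriving after the UDP lifetime.  Returns
    ([(label, stateless_verdict, stateful_verdict), ...], table)."""
    query = Packet("udp", OIP, 53, REMOTE_NS, 53, "out", 0.0)
    inbound = [
        ("reply to our query", Packet("udp", REMOTE_NS, 53, OIP, 53, "in", 0.2)),
        ("unsolicited, sport 53", Packet("udp", STRANGER, 53, OIP, 53, "in", 1.0)),
        ("reply after lifetime", Packet("udp", REMOTE_NS, 53, OIP, 53, "in", 45.0)),
    ]
    table = DynTable()
    table.keep_state(query)
    results = [(label, stateless_allows(pkt), table.check_state(pkt))
               for label, pkt in inbound]
    return results, table


if __name__ == "__main__":
    results, table = run_trace()
    for label, stateless, stateful in results:
        print(f"{label:24} stateless={stateless!s:5} stateful={stateful}")
    print("active/expired at t=45:", table.counts(45.0))
```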
From owner-freebsd-security Thu Nov 30 16:13: 6 2000
Date: Thu, 30 Nov 2000 16:10:14 -0800 (PST)
From: Doug Barton
To: Nuno Teixeira
Cc: Peter Pentchev, freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
In-Reply-To: <006901c058ca$aa683cd0$0200a8c0@n2>

On Mon, 27 Nov 2000, Nuno Teixeira wrote:

> Hi,
>
> For ftp, the ' export FTP_PASSIVE_MODE="yes" ' works ok but I can't download
> ports with the ' export FETCH_BEFORE_ARGS="-p" '. The only way that I can
> fetch a file is doing this in the port directory: ' make
> FETCH_BEFORE_ARGS=-p install '. Does anyone know why export doesn't work for
> fetch command?

FTP_PASSIVE_MODE is a shell environment variable, FETCH_BEFORE_ARGS is a
make variable. You want to put FETCH_BEFORE_ARGS=-p in /etc/make.conf.

Good luck,

Doug
-- 
So what I want to know is, where does the RED brick road go?

Do YOU Yahoo!?
From owner-freebsd-security Thu Nov 30 16:13:15 2000
Date: Fri, 1 Dec 2000 10:16:36 +1000
From: Andrew Kenneth Milton
To: Kris Kennaway
Cc: The Hermit Hacker, Stefano Riva, security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?
Message-ID: <20001201101636.S14398@zeus.theinternet.com.au>
References: <20001128215508.A94876@citusc17.usc.edu> <20001130110741.B29627@citusc17.usc.edu>
In-Reply-To: <20001130110741.B29627@citusc17.usc.edu>; from Kris Kennaway on Thu, Nov 30, 2000 at 11:07:41AM -0800

+-------[ Kris Kennaway ]----------------------
| On Thu, Nov 30, 2000 at 01:50:26PM -0400, The Hermit Hacker wrote:
|
| > > > >Yes, I can confirm this happened last night. We were immediately
| > > > >informed by those who did it including how it was achieved. The
| > > > >penetration mechanism was not a vulnerability in FreeBSD and was
|        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| > > > >corrected immediately.
| > > >
| > > > Could you give us some detail about the mechanism used?
| > >
| > > Not at this time. I'll release more details in a few days once we've
| > > had time to look things over better.
| >
| > so, for the next few days, there is a possibility that the rest of us are
| > as vulnerable? *raised eyebrow*
|
| Only if you think I'm a damned liar ;-)

Are you really the head of the Kwik-e-mart?
-- 
Totally Holistic Enterprises Internet|  P:+61 7 3870 0066  | Andrew Milton
The Internet (Aust) Pty Ltd          |  F:+61 7 3870 4477  |
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411  | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|

From owner-freebsd-security Thu Nov 30 16:37:39 2000
Date: Thu, 30 Nov 2000 20:37:02 -0400 (AST)
From: The Hermit Hacker
To: Dan Debertin
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?

On Thu, 30 Nov 2000, Dan Debertin wrote:

> On Thu, 30 Nov 2000, The Hermit Hacker wrote:
>
> > so, for the next few days, there is a possibility that the rest of us are
> > as vulnerable? *raised eyebrow*
>
> If you had been reading the posts for the past few days, you would know
> that you aren't. Now, drop it already.

I have been reading the posts, and read that it wasn't a *FreeBSD*
vulnerability ... so are you saying that it has nothing to do with the web
server software either? Or any other third-party apps that I might have
installed on my system?
*raised eyebrow*

From owner-freebsd-security Thu Nov 30 16:38:20 2000
Date: Thu, 30 Nov 2000 20:37:51 -0400 (AST)
From: The Hermit Hacker
To: "David G. Andersen"
Cc: security@freebsd.org
Subject: Re: FreeBSD hacked?
In-Reply-To: <200011301754.KAA23235@faith.cs.utah.edu>

On Thu, 30 Nov 2000, David G. Andersen wrote:

> For crying out loud, how many times does he have to say that it was NOT a
> basic FreeBSD vulnerability, but something specific to www.freebsd.org?

sorry, all I read was that it was "NOT a basic FreeBSD vulnerability" ... I
never saw a reference to "something specific to www.freebsd.org" ...

> (e.g. open mouth, insert brain, and figure that it was probably a
> vulnerability in either a search, registration, or pr-related script).
>
> -Dave
>
> Lo and behold, The Hermit Hacker once said:
> >
> > > Not at this time. I'll release more details in a few days once we've
> > > had time to look things over better.
> >
> > so, for the next few days, there is a possibility that the rest of us are
> > as vulnerable? *raised eyebrow*
>
> --
> work: dga@lcs.mit.edu                            me: dga@pobox.com
>       MIT Laboratory for Computer Science   http://www.angio.net/

Marc G.
Fournier                               ICQ#7615664               IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org

From owner-freebsd-security Thu Nov 30 16:42: 7 2000
Date: Thu, 30 Nov 2000 16:41:30 -0800
From: Erick Mechler
To: The Hermit Hacker
Cc: Dan Debertin, security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?
Message-ID: <20001130164130.A84522@lucifer.techometer.net>

Um, of course you're vulnerable. If you don't want to be vulnerable, then
take your machine off the Internet.

Now can we please just be quiet and friggin' wait for Kris to let us know?
All this talk is totally unnecessary.

--Erick

At Thu, Nov 30, 2000 at 08:37:02PM -0400, The Hermit Hacker said this:
:: On Thu, 30 Nov 2000, Dan Debertin wrote:
::
:: > On Thu, 30 Nov 2000, The Hermit Hacker wrote:
:: > >
:: > > so, for the next few days, there is a possibility that the rest of us are
:: > > as vulnerable? *raised eyebrow*
:: >
:: > If you had been reading the posts for the past few days, you would know
:: > that you aren't. Now, drop it already.
::
:: I have been reading the posts, and read that it wasn't a *FreeBSD*
:: vulnerability ...
:: so are you saying that it has nothing to do with the web
:: server software either? Or any other third-party apps that I might have
:: installed on my system? *raised eyebrow*

From owner-freebsd-security Thu Nov 30 16:44:48 2000
Date: Thu, 30 Nov 2000 19:44:43 -0500 (EST)
From: Mikhail Kruk
To: The Hermit Hacker
Subject: Re: FreeBSD hacked?

> > If you had been reading the posts for the past few days, you would know
> > that you aren't. Now, drop it already.
>
> I have been reading the posts, and read that it wasn't a *FreeBSD*
> vulnerability ... so are you saying that it has nothing to do with the web
> server software either? Or any other third-party apps that I might have
> installed on my system? *raised eyebrow*

could anyone who is good with sendmail post configs to filter out mail
with "FreeBSD hacked?" subject?

please, please let's stop discussing this... jkh told you very clearly:
it's a problem with one of the CGI scripts.
If you don't trust at least two of the core team members it may be a very
good reason to switch to Linux (you just have to say "Linus is god and
there is no god but Linus" and you'll be all set)

From owner-freebsd-security Thu Nov 30 16:47: 1 2000
Date: Thu, 30 Nov 2000 19:47:54 -0500 (EST)
From: Adam
To: Melon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: 137/udp
In-Reply-To: <3A26A013136.BF8AMELON@postman.orangenetwork.net>

On Fri, 1 Dec 2000, Melon wrote:

>Hello,
>
>All network administrators may always see rejected 137/udp packets...
>
>I want to know how these udp packets occur?
>I expect some stupid kids attacked me. However, is there any exception?

Windows likes to send Netbios name query packets to a host on port 137
with certain normal use operations, including dns lookups. Consider it
normal activity if you have windows clients using resources on your
computer, but abnormal if you see hits to port 137 to all of your ip's
within a short time range. Also, if you are not running samba, you have no
reason to worry about incoming netbios packets.

>
>Someone sent only 3 137/udp packets to a specific IP address. In general,
>these stupid kids do not send to a specific IP address, but to all IP
>addresses I have.
>
>Any suggestions appreciated.
>
>- Melon

From owner-freebsd-security Thu Nov 30 17: 9:18 2000
Date: Thu, 30 Nov 2000 19:09:09 -0600 (CST)
From: David Talkington
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?

>could anyone who is good with sendmail post configs to filter out mail
>with "FreeBSD hacked?" subject?

Hmm. How 'bout, in .procmailrc:

:0:
* ^(Subject).*(FreeBSD hacked)
/dev/null

Quick and dirty ...
=)

From owner-freebsd-security Thu Nov 30 18:56:28 2000
From: Aaron D. Gifford
Date: Thu, 30 Nov 2000 19:56:15 -0700
To: freebsd-security@freebsd.org
Subject: Re: ipfw dynamic firewall opening Large amounts of dynamic rules normal?
Message-Id: <00113019561500.07081@jardan.infowest.com>

At 11/30/2000 18:35:09, Peter Brezny wrote:
>Hello Everyone,
>
>On a 4.2-stable box I've got ipfw and nat running with 2 dynamic rules (see
>complete rule set below).
>
> $fwcmd add check-state
> $fwcmd add allow ip from $oip to any keep-state out via $oif
> $fwcmd add allow ip from $inwr to any keep-state via $iif
>
>This box is in the testing phase, and with me as the only user behind the
>firewall with a couple browsers and a mail client running,
>
>sysctl net.inet.ip.fw
>
>shows ...dyn_count:178 (see below)
>
>When i

What you are seeing is current ACTIVE dynamic rules AND inactive expired
rules whose place in the table (I assume it's a hash table for quick lookups
on IP packets) has not yet been reused. So an active system will gradually
accumulate rules (expired rules mostly) until there are nearly as many as
there are spots in the hash table. The number of active dynamic rules at any
one time, however, is almost always much smaller.

>
>ipfw show
>
>it appears that for each outbound request for a website between six and 10
>rules are created, one for the private ip of the internal machine followed
>by several for the (I'm assuming) translated internal request heading out to
>the remote web server (see below).
>
>Is this behavior normal? And if so, how high is it recommended to set the

From what I see in your message it looks very normal and your example shows
very little traffic (but that may have been on purpose since you most likely
did not wish to flood the list).

>
>sysctl net.inet.ip.fw.dyn_max:
>
>variable (I'm using the default of 1000)?

In nearly every case I've seen, it's been plenty. You may need to increase
the number if the box is allocating dynamic rules for traffic from many
hosts (if it's acting as a firewall) and/or traffic patterns at your
location tend to be a lot of separate IP flows versus fewer TCP flows. It's
not the sheer number of packets that governs the number of dynamic rules,
but the number of individual matching flows (UDP and TCP).

>
>I've attached a copy of my firewall rules below as well.
>
>Any advice will be greatly appreciated.
>
>TIA
>
>Peter Brezny
>SysAdmin Services Inc.
> [...]
>
>ipfw show output
>01300 0 0 (T 0, # 34) ty 0 tcp, 10.10.1.70 1265 <-> 209.16.228.140 25
>01200 0 0 (T 0, # 36) ty 0 tcp, 209.16.228.146 1256 <-> 208.201.239.14 80
>01200 0 0 (T 0, # 37) ty 0 tcp, 209.16.228.146 1262 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 38) ty 0 tcp, 209.16.228.146 1261 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 40) ty 0 tcp, 209.16.228.146 1251 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 41) ty 0 tcp, 209.16.228.146 1253 <-> 208.201.239.14 80
>01200 0 0 (T 0, # 43) ty 0 tcp, 209.16.228.146 1255 <-> 208.201.239.14 80
>01200 0 0 (T 0, # 47) ty 0 tcp, 209.16.228.146 1252 <-> 204.148.40.9 80
>01300 0 0 (T 0, # 49) ty 0 tcp, 10.10.1.70 1216 <-> 64.41.203.231 80
>01200 1 477 (T 0, # 52) ty 0 udp, 209.16.228.146 1055 <-> 209.16.228.140 53
>01200 1 154 (T 0, # 53) ty 0 udp, 209.16.228.146 1054 <-> 209.16.228.140 53
>01200 1 149 (T 0, # 54) ty 0 udp, 209.16.228.146 1053 <-> 209.16.228.140 53
>01200 1 132 (T 0, # 55) ty 0 udp, 209.16.228.146 1052 <-> 209.16.228.140 53
>01200 0 0 (T 0, # 64) ty 0 tcp, 209.16.228.146 1163 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 65) ty 0 tcp, 209.16.228.146 1162 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 66) ty 0 tcp, 209.16.228.146 1161 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 67) ty 0 tcp, 209.16.228.146 1160 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 68) ty 0 tcp, 209.16.228.146 1167 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 69) ty 0 tcp, 209.16.228.146 1166 <-> 204.148.40.9 80
[...]

A quick look at the above shows that ALL the listed dynamic rules have
expired -- see the "T 0" part shows there are 0 seconds left before the rule
expires. And in fact it looks like there were 4 DNS queries, 1 SMTP stream,
1 HTTP flow from 10.10.1.70 to 64.41.203.231, and most likely only 2 web
pages requested by 209.16.228.146, each of which very likely had several
images or other page content files that resulted in additional streams
being created.

Very normal.

You can write a cron job to keep an eye on your log files.
I believe ipfw will write to the log if you hit the maximum number of dynamic
rules. Off the top of my head I don't recall where it logs (/var/log/security
or /var/log/messages, I suspect) nor what the exact entry is. Then if you
see such an entry, bump your maximum up.

I tune several ipfw related things in /etc/sysctl.conf on some of the systems
I work with to match the specific traffic patterns the hosts encounter.

Aaron out.

From owner-freebsd-security Thu Nov 30 20:12:49 2000
Date: Fri, 1 Dec 2000 00:12:04 -0400 (AST)
From: The Hermit Hacker
To: Jordan Hubbard
Cc: Kris Kennaway, Stefano Riva, security@FreeBSD.ORG
Subject: Re: FreeBSD hacked?
In-Reply-To: <18748.975613708@winston.osd.bsdi.com>

On Thu, 30 Nov 2000, Jordan Hubbard wrote:

> > so, for the next few days, there is a possibility that the rest of us are
> > as vulnerable? *raised eyebrow*
>
> Only if you run all of FreeBSD.org's CGI scripts. Do you? :)

Again, apologies ...
I saw the threads that talked about the fact that it was in the CGIs as part of subthreads, but never saw the original post from either you or Kris :(

From owner-freebsd-security Thu Nov 30 20:48:56 2000
Received: from easeway.com (ns1.easeway.com [209.69.39.1]) by hub.freebsd.org (Postfix) with ESMTP id DCDDC37B400 for ; Thu, 30 Nov 2000 20:48:53 -0800 (PST)
Received: (from mwlucas@localhost) by easeway.com (8.8.8/8.8.5) id XAA10308; Thu, 30 Nov 2000 23:09:41 -0500 (EST)
Message-Id: <200012010409.XAA10308@easeway.com>
Subject: Re: FreeBSD hacked?
In-Reply-To: <20001130181141.Y559@puck.firepipe.net> from Will Andrews at "Nov 30, 0 06:11:41 pm"
To: will@physics.purdue.edu
Date: Thu, 30 Nov 100 23:09:40 -0500 (EST)
Cc: security@freebsd.org
From: mwlucas@exceptionet.com
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

[cc's trimmed]

> *Apparently* only a html file was changed.. so you don't know it was
> rooted. It'd be pretty hard to root *.freebsd.org boxes..

True, my bad. Still, having a html file changed through a CGI exploit is enough to make you run for your Tripwire disk.

Think about it: "Nah, I just changed the web page, I didn't root you and install a back door. Really."

Wow, that sends *my* trust level soaring.

==ml

--
Michael Lucas | Exceptionet, Inc.
| www.exceptionet.com "Exceptional Networking" |

From owner-freebsd-security Thu Nov 30 21:16:50 2000
Received: from users.ozlinx.com.au (users.ozlinx.com.au [203.37.234.22]) by hub.freebsd.org (Postfix) with ESMTP id 0A63A37B400 for ; Thu, 30 Nov 2000 21:16:47 -0800 (PST)
Received: from zandrea (brmp-port-58.dataline.net.au [203.58.154.58]) by users.ozlinx.com.au (8.10.0/8.10.0) with SMTP id eB15GGY21409 for ; Fri, 1 Dec 2000 15:16:25 +1000
Message-ID: <000801c05b56$732e40a0$3a9a3acb@zandrea>
From: "Zandrea&John Norman"
To:
Subject: health and saftey
Date: Fri, 1 Dec 2000 15:20:32 +1000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0005_01C05BAA.3EB21500"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
Disposition-Notification-To: "Zandrea&John Norman"
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600

may I be on your mailing list please

From owner-freebsd-security Thu Nov 30 21:31:29 2000
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 9232A37B402 for ; Thu, 30 Nov 2000 21:31:27 -0800 (PST)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 141ipd-00005o-00; Thu, 30 Nov 2000 22:34:01 -0700
Message-ID: <3A273849.33B09A91@softweyr.com>
Date: Thu, 30 Nov 2000 22:34:01 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Garance A Drosihn
Cc: "Jonathan M. Slivko", Melon, freebsd-security@FreeBSD.ORG
Subject: Re: 137/udp
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Garance A Drosihn wrote:
>
> At 12:22 PM -0700 11/30/00, Jonathan M. Slivko wrote:
> >I know that my response to this e-mail isn't technical, but
> >a comment on some of the language used on this mail that I
> >am replying to. Apparently, someone out there seems to think
> >that all the teen computer users out there are stupid kids.
>
> Assuming you were not gratuitously searching for an insult,
> all he said was "the people who attacked me were stupid
> kids", and not "all kids are stupid, and I think a few
> of those kids -- who by definition must be stupid because
> I have used the word 'kid' -- have attacked me".

Everyone has a different definition of kid, too. Mine includes anyone who hadn't at least started college when I graduated -- 1984. I'd appreciate it if you kids would keep it down in here. Some of us are trying to drive Kris crazy, er, help secure FreeBSD.
-- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 21:45: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from firefly.prairienet.org (firefly.prairienet.org [192.17.3.3]) by hub.freebsd.org (Postfix) with ESMTP id 74E1837B400 for ; Thu, 30 Nov 2000 21:45:00 -0800 (PST) Received: from sherman.spotnet.org (slip-59.prairienet.org [192.17.3.79]) by firefly.prairienet.org (8.9.3/8.9.3) with ESMTP id XAA06591 for ; Thu, 30 Nov 2000 23:44:58 -0600 (CST) Date: Thu, 30 Nov 2000 23:44:52 -0600 (CST) From: David Talkington X-Sender: dtalk@sherman.spotnet.org Cc: freebsd-security@FreeBSD.ORG Subject: Re: 137/udp In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Garance A Drosihn wrote: >Please leave the politically-correct posturing off this >list. The "language" used was perfectly fine. He did not >in any way insult "all the teen users" anywhere. He said: > >> > I expect some stupid kids attacked me. >> > However, is there any exception? I suspect that by "is there any exception?", you thought he meant "are there any kids that aren't stupid?", and that perhaps what he really meant was, "is there an alternative to my theory that this was an attack by stupid kids?". Perhaps the original poster's syntax was merely ambiguous, and not deliberately inflammatory? 
- -d - -- David Talkington Prairienet / Community Networking Initiative 217-244-1962 dtalk@prairienet.org -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 Comment: Made with pgp4pine 1.75-6 iQEVAwUBOic62b1ZYOtSwT+tAQHWGwf/ePS5Hxmm3K7aaOcSqFvt3qCOiH7HrBdp cfYcTAEz5ukII2R7yz8ovOk1pB8TFUa8jWnD7bWiglXgl+/1/WpVhBINMKXXyTHj 1Q53A8jNiY9x1D0UgYdFc1QlppCE/qSWoQu3HvyqHW7lc2gaRHDG5PeJUpZ5fa01 4ewFTrhfCr88p9ecuxWAQBcmdUFgEm7lPrGztlMdkiV9jRpPaqFrgUOh+8Ob4AbV PzekFnYb/bMkb3YWYGIlpqH7cFOxI9Tu5j61sqAzOdghECTifgSwkkwxUkK5A/wO eVYpnLz4w+eJkx1Ip4AxjFv874V74yCLRFGFHTU4UxTUhKO8WgTycw== =WHad -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 21:48: 0 2000 Delivered-To: freebsd-security@freebsd.org Received: from firefly.prairienet.org (firefly.prairienet.org [192.17.3.3]) by hub.freebsd.org (Postfix) with ESMTP id DB07A37B400 for ; Thu, 30 Nov 2000 21:47:56 -0800 (PST) Received: from sherman.spotnet.org (slip-59.prairienet.org [192.17.3.79]) by firefly.prairienet.org (8.9.3/8.9.3) with ESMTP id XAA06889 for ; Thu, 30 Nov 2000 23:47:55 -0600 (CST) Date: Thu, 30 Nov 2000 23:47:50 -0600 (CST) From: David Talkington X-Sender: dtalk@sherman.spotnet.org Cc: freebsd-security@FreeBSD.ORG Subject: Re: 137/udp In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Oops, speaking of ambiguity, I misquoted. I meant to respond to Mr. Slivko's post, not to Mr. Drosihn's: >At 12:22 PM -0700 11/30/00, Jonathan M. Slivko wrote: >>I know that my response to this e-mail isn't technical, but >>a comment on some of the language used on this mail that I >>am replying to. Apparently, someone out there seems to think >>that all the teen computer users out there are stupid kids. > >> > I expect some stupid kids attacked me. 
>> > However, is there any exception? > Giving up and going to bed, - -d -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 Comment: Made with pgp4pine 1.75-6 iQEVAwUBOic7ib1ZYOtSwT+tAQF2wQgAyCOwUtRD2B+lCvLfgJaHUBXHSOxq/SrH wHvxA8rpILAwbxrvUnCQmiCaHSlXqKo/XId95A1mardwUpmKawm4Qul/aDnmerwI bdV9BYNKqcELCC9i3GTelmtuZptUsYbbvyXypwgEDHdaRTP5rZ4ZTku0bHZYSiEI fog6nyY7kbhIH8qaUavvs+G61PqPcKyeuc0WIXfxM7Bx+5lNpYZRiBY2H5Gy/Wv6 dRaIWEKf4ZiVQhmPXvBqayg8dEzqdKhGYrC8xbq/pY9Sgb20KJAyFf37qytjiyWm l/hv/Ee9z5oQM9xILuuCgPpek6jhnQhOVRUfUKZTh5deR6g13Pm8Ew== =Epa0 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 30 22: 7:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id DFB0837B400 for ; Thu, 30 Nov 2000 22:07:14 -0800 (PST) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id WAA46736; Thu, 30 Nov 2000 22:07:06 -0800 (PST) (envelope-from freebsd) From: "Rodney W. Grimes" Message-Id: <200012010607.WAA46736@gndrsh.dnsmgr.net> Subject: Re: Danger Ports In-Reply-To: <20001130164905.E83422@elvis.mu.org> from Bill Fumerola at "Nov 30, 2000 04:49:05 pm" To: billf@mu.org (Bill Fumerola) Date: Thu, 30 Nov 2000 22:07:05 -0800 (PST) Cc: str@giganda.komkon.org (Igor Roshchin), freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Thu, Nov 30, 2000 at 10:20:57AM -0800, Rodney W. Grimes wrote: > > > No they won't suffer, reserved networks are reserved, blocking them > > at AS boundaries is a BCP, both source and desitnation address. It > > does do some funny things to traceroute, but it doesn't effect normal > > operations: > > I wouldn't go as far as BCP. 
Well, RFC1918, aka BCP5, is pretty darn clear in section 3 paragraph 8:

   Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise
   links, and packets with private source or destination addresses
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   should not be forwarded across such links. Routers in networks not
   ^^^^^^^^^^^^^^^^^^^^^^^
   using private address space, especially those of Internet service
   providers, are expected to be configured to reject (filter out)
   routing information about private networks. If such a router receives
   such information the rejection shall not be treated as a routing
   protocol error.

The problem is that the other RFC/BCPs (2827, 3013 in particular) only talk about ingress filtering on source address, totally ignoring what RFC1918 says about these addresses :-(

> See nanog archives.

Can you be more specific?

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Nov 30 22:16:47 2000
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 3928037B400; Thu, 30 Nov 2000 22:16:42 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 30 Nov 2000 22:15:05 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eB16GVh13992; Thu, 30 Nov 2000 22:16:31 -0800 (PST) (envelope-from cjc)
Date: Thu, 30 Nov 2000 22:16:31 -0800
From: "Crist J . Clark"
To: "Rodney W. Grimes"
Cc: Dan Babb, "Jonathan M. Slivko", freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: Danger Ports
Message-ID: <20001130221631.E99903@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <200011301743.JAA44928@gndrsh.dnsmgr.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200011301743.JAA44928@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Thu, Nov 30, 2000 at 09:43:57AM -0800

On Thu, Nov 30, 2000 at 09:43:57AM -0800, Rodney W. Grimes wrote:

[snip]

> > access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
> > access-list 110 deny ip 172.31.0.0 0.0.255.255 any log
> access-list 110 deny ip any 172.16.0.0 0.15.255.255 log
> access-list 110 deny ip any 172.31.0.0 0.0.255.255 log

Is it me? Isn't the second network in each a subset of the first?

--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Thu Nov 30 22:24: 5 2000
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 08EC237B400; Thu, 30 Nov 2000 22:24:00 -0800 (PST)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id WAA46764; Thu, 30 Nov 2000 22:23:33 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200012010623.WAA46764@gndrsh.dnsmgr.net>
Subject: Re: Danger Ports
In-Reply-To: <20001130221631.E99903@149.211.6.64.reflexcom.com> from "Crist J . Clark" at "Nov 30, 2000 10:16:31 pm"
To: cjclark@alum.mit.edu
Date: Thu, 30 Nov 2000 22:23:33 -0800 (PST)
Cc: bdan@c-zone.net (Dan Babb), jon_slivko@simphost.com (Jonathan M. Slivko), freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> On Thu, Nov 30, 2000 at 09:43:57AM -0800, Rodney W. Grimes wrote:
>
> [snip]
>
> > > access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
> > > access-list 110 deny ip 172.31.0.0 0.0.255.255 any log
> > access-list 110 deny ip any 172.16.0.0 0.15.255.255 log
> > access-list 110 deny ip any 172.31.0.0 0.0.255.255 log
>
> Is it me? Isn't the second network in each a subset of the first?

Whoops... I didn't even read the access-list that closely, and you're right, the 172.31.0.0 is in fact a subset of the 172.16.0.0 rule.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Nov 30 22:31:10 2000
Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id E465F37B400 for ; Thu, 30 Nov 2000 22:31:07 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1098) id 763AF2B27A; Fri, 1 Dec 2000 00:31:02 -0600 (CST)
Date: Fri, 1 Dec 2000 00:31:02 -0600
From: Bill Fumerola
To: "Rodney W. Grimes"
Cc: Igor Roshchin, freebsd-security@FreeBSD.ORG
Subject: Re: Danger Ports
Message-ID: <20001201003102.I83422@elvis.mu.org>
References: <20001130164905.E83422@elvis.mu.org> <200012010607.WAA46736@gndrsh.dnsmgr.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200012010607.WAA46736@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Thu, Nov 30, 2000 at 10:07:05PM -0800
X-Operating-System: FreeBSD 4.2-FEARSOME-20001103 i386

On Thu, Nov 30, 2000 at 10:07:05PM -0800, Rodney W. Grimes wrote:

> > I wouldn't go as far as BCP.
>
> Well, RFC1918, aka BCP5, is pretty darn clear in section 3 paragraph 8:
>
>    Because private addresses have no global meaning, routing information
>    about private networks shall not be propagated on inter-enterprise
>    links, and packets with private source or destination addresses
>                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    should not be forwarded across such links. Routers in networks not
>    ^^^^^^^^^^^^^^^^^^^^^^^
>    using private address space, especially those of Internet service
>    providers, are expected to be configured to reject (filter out)
>    routing information about private networks. If such a router receives
>    such information the rejection shall not be treated as a routing
>    protocol error.

You're mistaking "should" for "must". RFCs are very anal about pointing out the difference between these words. Noncompliance is different than behavior deemed suboptimal.

> The problem is that the other RFC/BCPs (2827, 3013 in particular) only
> talk about ingress filtering on source address, totally ignoring what
> RFC1918 says about these addresses :-(
>
> > See nanog archives.
>
> Can you be more specific?
In the interest of ego (and proof that I am consistent if nothing else):

http://www.merit.edu/mail.archives/nanog/msg03756.html

In the interest of completeness:

http://www.merit.edu/mail.archives/nanog/msg03754.html

A search of "RFC1918" revealed these.

--
Bill Fumerola - security yahoo / Yahoo! inc.
  - fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-security Thu Nov 30 22:58:33 2000
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id DD97737B400 for ; Thu, 30 Nov 2000 22:58:27 -0800 (PST)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 141kBo-0000BI-00; Fri, 01 Dec 2000 00:01:00 -0700
Message-ID: <3A274CAC.840ADD9C@softweyr.com>
Date: Fri, 01 Dec 2000 00:01:00 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Bill Fumerola
Cc: "Rodney W. Grimes", Igor Roshchin, freebsd-security@FreeBSD.ORG
Subject: Re: Danger Ports
References: <20001130164905.E83422@elvis.mu.org> <200012010607.WAA46736@gndrsh.dnsmgr.net> <20001201003102.I83422@elvis.mu.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Bill Fumerola wrote:
>
> On Thu, Nov 30, 2000 at 10:07:05PM -0800, Rodney W. Grimes wrote:
>
> > > I wouldn't go as far as BCP.
> >
> > Well, RFC1918, aka BCP5, is pretty darn clear in section 3 paragraph 8:
> >
> >    Because private addresses have no global meaning, routing information
> >    about private networks shall not be propagated on inter-enterprise
> >    links, and packets with private source or destination addresses
> >                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >    should not be forwarded across such links. Routers in networks not
> >    ^^^^^^^^^^^^^^^^^^^^^^^
> >    using private address space, especially those of Internet service
> >    providers, are expected to be configured to reject (filter out)
> >    routing information about private networks. If such a router receives
> >    such information the rejection shall not be treated as a routing
> >    protocol error.
>
> You're mistaking "should" for "must". RFCs are very anal about pointing out
> the difference between these words. Noncompliance is different than behavior
> deemed suboptimal.

This is a configuration issue as well. Your ISP may consider their entire network, including all customers, a private network and dole out 10.x.x.x addresses to you. I'd hate to see their NAT tables, unless they're a good old 6-customer ISP.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/

From owner-freebsd-security Thu Nov 30 23:44:10 2000
Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (Postfix) with ESMTP id AC3EE37B400 for ; Thu, 30 Nov 2000 23:44:07 -0800 (PST)
Received: (from kuku@localhost) by gilberto.physik.rwth-aachen.de (8.9.3/8.9.3) id IAA24519 for freebsd-security@freebsd.org; Fri, 1 Dec 2000 08:44:06 +0100 (CET) (envelope-from kuku)
Date: Fri, 1 Dec 2000 08:44:06 +0100 (CET)
From: Christoph Kukulies
Message-Id: <200012010744.IAA24519@gilberto.physik.rwth-aachen.de>
To: freebsd-security@freebsd.org
Subject: Mail cored

Yesterday, Nov. 30th, my root security logs say that the Mail program dumped core. In the same course I saw an ftpd connection which got refused by my tcpd filter. It's a 4.0 Release I'm running.

Were there any security relevant issues with Mail at that time?

--
Chris Christoph P. U.
Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Fri Dec 1 0:23:22 2000
Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (Postfix) with ESMTP id CFEBA37B400 for ; Fri, 1 Dec 2000 00:23:19 -0800 (PST)
Received: (from kuku@localhost) by gilberto.physik.rwth-aachen.de (8.9.3/8.9.3) id JAA24840 for freebsd-security@freebsd.org; Fri, 1 Dec 2000 09:23:19 +0100 (CET) (envelope-from kuku)
Date: Fri, 1 Dec 2000 09:23:19 +0100 (CET)
From: Christoph Kukulies
Message-Id: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de>
To: freebsd-security@freebsd.org
Subject: which ftpd

I want to keep anonymous ftp on one of my machines but I'm not sure whether I should use wuftpd or the stock distributed ftpd. I want to have logging of what users/sites are doing. But I want security also.

I just discovered a bunch of suspicious files and directories in my incoming directory:

drwxrwx-wx root/staff         0 Nov 28 19:45 2000 incoming/
drwxr-xr-x ftp/staff          0 Jul 31 00:04 2000 incoming/sm/
drwxr-xr-x ftp/staff          0 Aug 14 16:44 2000 incoming/. XFer/
drwxr-xr-x ftp/staff          0 Aug 14 16:50 2000 incoming/j/
drwxr-xr-x ftp/staff          0 Aug 21 04:15 2000 incoming/~tmp./
drwxr-xr-x ftp/staff          0 Aug 21 04:16 2000 incoming/.../
drwxr-xr-x ftp/staff          0 Nov  7 02:50 2000 incoming/.../ .sys/
-rw-r--r-- ftp/staff        937 Nov  7 02:49 2000 incoming/.../ .sys/eth-mmad.sfv
-rw-r--r-- ftp/staff   15000000 Nov  7 02:50 2000 incoming/.../ .sys/eth-mmad.r00
-rw-r--r-- ftp/staff    6307200 Nov  7 02:51 2000 incoming/.../ .sys/eth-mmad.r01
drwxr-xr-x ftp/staff          0 Sep 21 17:45 2000 incoming/test345/
drwxr-xr-x ftp/staff          0 Oct 20 01:14 2000 incoming/ . test345/
-rw-r--r-- ftp/staff    1000000 Oct 20 01:14 2000 incoming/ . test345/1MB
drwxr-xr-x ftp/staff          0 Nov 14 07:22 2000 incoming/ngf/
drwxr-xr-x ftp/staff          0 Nov 20 00:04 2000 incoming/asd/
drwxr-xr-x ftp/staff          0 Nov 21 11:32 2000 incoming/_ax/

The three-dot directories are normally used by intruder tools. I'm wondering if this was an attack or just a trial.

It seems I didn't block creating directories, otherwise it wouldn't have been possible to create that, but I'm wondering if this is possible to disallow under the stock ftpd.

--
Chris Christoph P. U. Kukulies
kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Fri Dec 1 0:30:33 2000
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 036E637B400 for ; Fri, 1 Dec 2000 00:30:31 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eB18V4Y41662; Fri, 1 Dec 2000 00:31:04 -0800 (PST) (envelope-from kris)
Date: Fri, 1 Dec 2000 00:31:04 -0800
From: Kris Kennaway
To: Christoph Kukulies
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: which ftpd
Message-ID: <20001201003104.A41598@citusc17.usc.edu>
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="rwEMma7ioTxnRzrJ"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de>; from kuku@gilberto.physik.rwth-aachen.de on Fri, Dec 01, 2000 at 09:23:19AM +0100

On Fri, Dec 01, 2000 at 09:23:19AM +0100, Christoph Kukulies wrote:
> I want to keep anonymous ftp on one of my machines but
> I'm not sure whether I should use wuftpd or the stock distributed
> ftpd. I want to have logging what users/sites are doing.
> But I want security also.

Never use wu-ftpd if you care about security. Use our stock ftpd unless you need something it can't do, and in that case strongly consider coding the needed functionality yourself before using another ftpd. Basically all of the third party ftpds in ports have had numerous security problems - the in-system one has been vulnerability-free for quite a while now.

> The three-dot directories are normally used by intruder tools.
> I'm wondering if this was an attack or just a trial.

Upload point for warez kiddies, probably.

Kris

From owner-freebsd-security Fri Dec 1 0:58:35 2000
Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (Postfix) with ESMTP id 3FA3237B400 for ; Fri, 1 Dec 2000 00:58:33 -0800 (PST)
Received: (from kuku@localhost) by gilberto.physik.rwth-aachen.de (8.9.3/8.9.3) id JAA25047; Fri, 1 Dec 2000 09:58:30 +0100 (CET) (envelope-from kuku)
Date: Fri, 1 Dec 2000 09:58:30 +0100
From: Christoph Kukulies
To: Chris Wasser
Cc: freebsd-security@freebsd.org
Subject: Re: which ftpd
Message-ID: <20001201095830.A24994@gil.physik.rwth-aachen.de>
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <20001201015209.A38085@skunkworks.area51-arpa.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20001201015209.A38085@skunkworks.area51-arpa.mil>; from
  cwasser@v-wave.com on Fri, Dec 01, 2000 at 01:52:09AM -0700

On Fri, Dec 01, 2000 at 01:52:09AM -0700, Chris Wasser wrote:
> On Fri 01 Dec 2000, Christoph Kukulies wrote:
> > I just discovered a bunch of suspicious files and directories
> > in my incoming directory:
>
> Forgive me if I'm missing the point, but the obvious solution
> would be to only allow ftp access to registered system users,
> rather than anonymous which is a ripe target for the activities
> of warez couriers.

My only concern was security, that is, being secure against exploits through buffer overflows, and in the past, I agree with the foreposter, wuftpd was always lagging behind WRT closing these buffer overflow holes.

I don't want to confine my ftp access to a closed circle. Looking into /incoming more frequently can keep those warez kids away. And forbidding directory creation as well. My point was, whether the stock ftpd offers all this.

>
> -Chris

--
Chris Christoph P. U.
Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Fri Dec 1 1:43: 2 2000
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 8619437B400 for ; Fri, 1 Dec 2000 01:43:00 -0800 (PST)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2342 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Fri, 1 Dec 2000 03:41:38 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Fri, 1 Dec 2000 03:41:38 -0600 (CST)
From: James Wyatt
To: Christoph Kukulies
Cc: freebsd-security@freebsd.org
Subject: Re: which ftpd
In-Reply-To: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 1 Dec 2000, Christoph Kukulies wrote:
> I want to keep anonymous ftp on one of my machines but
> I'm not sure whether I should use wuftpd or the stock distributed
> ftpd. I want to have logging what users/sites are doing.
> But I want security also.
>
> I just discovered a bunch of suspicious files and directories
> in my incoming directory:
> drwxrwx-wx root/staff 0 Nov 28 19:45 2000 incoming/
> drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/sm/
[ ... ]
> -rw-r--r-- ftp/staff 937 Nov 7 02:49 2000 incoming/.../ .sys/eth-mmad.sfv
> -rw-r--r-- ftp/staff 15000000 Nov 7 02:50 2000 incoming/.../ .sys/eth-mmad.r00
[ ... ]
> I'm wondering if this was an attack or just a trial.
>
> It seems I didn't block creating directories otherwise it wouldn't have
> been possible to create that but I'm wondering if this is possible
> to disallow under the stock ftpd.

I've found the stock FreeBSD FTPd really good. It offers a chrooted account, which I've had to take the WUFTPd risk for before on Linux. If you turn up the logging you can easily catch things like this. (btw: this looks like some warez d00dz building a nest. I've had it happen before, and there have been some FTPd holes that required writable anon-ftp to work.)

Using the FTPd xfer log, you can easily audit uploaded files and spot things like this. You can also have an automatic process watch the log and move the files to a quarantine area. I've liked having an incoming directory that can be written to, but not read. Doesn't give users the warm-fuzzy of seeing their files arrive, but reduces the bandwidth freeloaders. For fun, make a ".../README" file asking folks not to leave warez junk.

Hope this helps somehow - Jy@

From owner-freebsd-security Fri Dec 1 1:54:35 2000
Received: from nevermind.kiev.ua (unknown [212.109.53.33]) by hub.freebsd.org (Postfix) with ESMTP id EAAC837B400 for ; Fri, 1 Dec 2000 01:54:28 -0800 (PST)
Received: (from never@localhost) by nevermind.kiev.ua (8.11.1/8.11.1) id eB19rea29984; Fri, 1 Dec 2000 11:53:40 +0200 (EET) (envelope-from never)
Date: Fri, 1 Dec 2000 11:53:39 +0200
From: Nevermind
To: James Wyatt
Cc: Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: which ftpd
Message-ID: <20001201115339.G2185@nevermind.kiev.ua>
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from jwyatt@rwsystems.net on Fri, Dec 01, 2000 at 03:41:38AM -0600

Hello, James Wyatt!
On Fri, 1 Dec 2000, Christoph Kukulies wrote:
> I want to keep anonymous ftp on one of my machines but
> I'm not sure whether I should use wuftpd or the stock distributed
> ftpd. I want to have logging what users/sites are doing.
> But I want security also.
>
> I just discovered a bunch of suspicious files and directories
> in my incoming directory:
> drwxrwx-wx root/staff 0 Nov 28 19:45 2000 incoming/
> drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/sm/
> drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/~tmp./

I've been hacked a few months ago with such kind of sht using standard ftpd.

ps ax | grep supa

Also make fsck in single mode several times, then search for suspicious
dirs in /var/games, /var/*.

This is a hack based on loading a kernel module which prevents the
process named supa from being killed. Also try to find a dir and/or file
named "lohi". I'm not sure about this, because they may change executable
names.

--
Alexandr P. Kovalenko http://nevermind.kiev.ua/
NEVE-RIPE

From owner-freebsd-security Fri Dec 1 02:21:33 2000
Date: Fri, 1 Dec 2000 12:21:24 +0200
From: Nevermind
To: freebsd-security@freebsd.org
Cc: freebsd-stabe@freebsd.org
Subject: Important!! Vulnerability in standard ftpd

Hello!
The parallel thread is discussing suspicious
drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/*
dirs. I'm 100% sure that it is a hack. I've been hacked a few months ago this way
(with standard ftpd).

First I found the incoming/~tmp./ dir.
Then I found a suspicious process called "supa" (it may vary, I think).
I don't exactly remember how I found a directory in which ls -la said:
ls: .: No such file or directory.

This hack corrupts the filesystem to make its data dirs invisible.
fsck in single mode several times helps.

It is a ttyp* and ttyv* sniffer, logger, password cracker.
Please, check it out!

--
Alexandr P. Kovalenko http://nevermind.kiev.ua/
NEVE-RIPE

From owner-freebsd-security Fri Dec 1 02:27:55 2000
Date: Fri, 1 Dec 2000 12:27:14 +0200 (SAST)
From: Justin Stanford
To: Nevermind
Cc: freebsd-security@freebsd.org, freebsd-stabe@freebsd.org
Subject: Re: Important!! Vulnerability in standard ftpd

Can anyone confirm this, that there is some kind of remotely workable
vulnerability in the current stock ftpd (6.00LS)..?

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Fri, 1 Dec 2000, Nevermind wrote:
> Hello!
>
> The parallel thread is discussing suspicious
> drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/*
> dirs. I'm 100% sure that it is a hack. I've been hacked a few months ago this way
> (with standard ftpd).
>
> First I found the incoming/~tmp./ dir.
> Then I found a suspicious process called "supa" (it may vary, I think).
> I don't exactly remember how I found a directory in which ls -la said:
> ls: .: No such file or directory.
>
> This hack corrupts the filesystem to make its data dirs invisible.
> fsck in single mode several times helps.
>
> It is a ttyp* and ttyv* sniffer, logger, password cracker.
> Please, check it out!
>
> --
> Alexandr P. Kovalenko http://nevermind.kiev.ua/
> NEVE-RIPE

From owner-freebsd-security Fri Dec 1 02:28:42 2000
Date: Fri, 1 Dec 2000 02:29:09 -0800
From: Kris Kennaway
To: Nevermind
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Important!! Vulnerability in standard ftpd

On Fri, Dec 01, 2000 at 12:21:24PM +0200, Nevermind wrote:
> Hello!
>
> The parallel thread is discussing suspicious
> drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/*
> dirs. I'm 100% sure that it is a hack. I've been hacked a few months ago this way
> (with standard ftpd).
>
> First I found the incoming/~tmp./ dir.
> Then I found a suspicious process called "supa" (it may vary, I think).
> I don't exactly remember how I found a directory in which ls -la said:
> ls: .: No such file or directory.
>
> This hack corrupts the filesystem to make its data dirs invisible.
> fsck in single mode several times helps.
>
> It is a ttyp* and ttyv* sniffer, logger, password cracker.
> Please, check it out!

Check what out? Probably your machine has some other vulnerability
which was leveraged. You have given us nothing here beyond showing
that your ftp server has a world writable directory.
Kris

From owner-freebsd-security Fri Dec 1 02:31:16 2000
Date: Fri, 01 Dec 2000 11:30:32 +0100
From: Borja Marcos
To: freebsd-security@freebsd.org
Subject: Re: Important!! Vulnerability in standard ftpd

Nevermind wrote:
> dirs. I'm 100% sure that it is a hack. I've been hacked a few months ago this way
> (with standard ftpd).

Humm. Any evidence about the actual mechanism used to hack your
machine? This is a very serious claim!

Borja.
From owner-freebsd-security Fri Dec 1 02:41:24 2000
Date: Fri, 1 Dec 2000 12:41:14 +0200
From: Nevermind
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Important!! Vulnerability in standard ftpd

Hello, Kris Kennaway!

On Fri, Dec 01, 2000 at 02:29:09AM -0800, you wrote:
> On Fri, Dec 01, 2000 at 12:21:24PM +0200, Nevermind wrote:
> > Hello!
> >
> > The parallel thread is discussing suspicious
> > drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/*
> > dirs. I'm 100% sure that it is a hack. I've been hacked a few months ago this way
> > (with standard ftpd).
> >
> > First I found the incoming/~tmp./ dir.
> > Then I found a suspicious process called "supa" (it may vary, I think).
> > I don't exactly remember how I found a directory in which ls -la said:
> > ls: .: No such file or directory.
> >
> > This hack corrupts the filesystem to make its data dirs invisible.
> > fsck in single mode several times helps.
> >
> > It is a ttyp* and ttyv* sniffer, logger, password cracker.
> > Please, check it out!
>
> Check what out? Probably your machine has some other vulnerability
> which was leveraged. You have given us nothing here beyond showing
> that your ftp server has a world writable directory.

I cannot now find the files I found a few months ago.
You should contact the better man, who had found ~tmp. dirs in his incoming (it is
in the parallel thread).

He surely can find hidden files using fsck.
He should look afair in /var/games/

--
Alexandr P. Kovalenko http://nevermind.kiev.ua/
NEVE-RIPE

From owner-freebsd-security Fri Dec 1 02:43:44 2000
Date: Fri, 1 Dec 2000 11:42:20 +0100
From: Matjaz Martincic
To: freebsd-security@FreeBSD.ORG
Subject: RE: Important!! Vulnerability in standard ftpd

If that is really a remote vulnerability, that is definitely not good at
all. Do you have any local accounts on your machine Alexandr? That gives
more chance that the machine was hacked some other way.

rgds,
Matjaz

----------------------
Nevermind wrote:
> dirs. I'm 100% sure that it is a hack. I've been hacked a few months ago this way
> (with standard ftpd).

Humm. Any evidence about the actual mechanism used to hack your
machine? This is a very serious claim!

Borja.

From owner-freebsd-security Fri Dec 1 02:47:41 2000
Date: Fri, 1 Dec 2000 12:47:13 +0200
From: Nevermind
To: Matjaz Martincic
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Important!! Vulnerability in standard ftpd

Hello, Matjaz Martincic!

On Fri, Dec 01, 2000 at 11:42:20AM +0100, you wrote:
> If that is really a remote vulnerability, that is definitely not good at
> all. Do you have any local accounts on your machine Alexandr? That gives
> more chance that the machine was hacked some other way.

No, I had only trusted non-anonymous ftp accounts. And sure, very trusted shell
accounts. All of them have full sudo, but all of us were using only ssh,
telnetd was closed, no one accessed non-anonymous ftp from the outside network.

> Nevermind wrote:
> > dirs. I'm 100% sure that it is a hack. I've been hacked a few months ago this way
> > (with standard ftpd).
>
> Humm. Any evidence about the actual mechanism used to hack your
> machine? This is a very serious claim!
>
> Borja.

--
Alexandr P. Kovalenko http://nevermind.kiev.ua/
NEVE-RIPE

From owner-freebsd-security Fri Dec 1 02:48:07 2000
Date: Fri, 1 Dec 2000 02:47:56 -0800
From: Alfred Perlstein
To: Nevermind
Cc: freebsd-security@FreeBSD.ORG, freebsd-stabe@FreeBSD.ORG
Subject: Re: Important!! Vulnerability in standard ftpd

* Nevermind [001201 02:21] wrote:
> Hello!
>
> The parallel thread is discussing suspicious
> drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/*
> dirs. I'm 100% sure that it is a hack. I've been hacked a few months ago this way
> (with standard ftpd).

You wouldn't be the only one; you most likely got hacked through some
other service or insecure permissions.
--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

From owner-freebsd-security Fri Dec 1 02:58:09 2000
Date: Fri, 1 Dec 2000 11:56:20 +0100
From: Matjaz Martincic
To: 'Nevermind'
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Important!! Vulnerability in standard ftpd

Hi Alexandr,

>No, I had only trusted non-anonymous ftp accounts. And sure, very trusted shell
>accounts. All of them have full sudo, but all of us were using only ssh,
>telnetd was closed, no one accessed non-anonymous ftp from the outside network.

Well, that seems like a problem then. What release were (are) you using when
you found out that you've been compromised?
Matjaz

From owner-freebsd-security Fri Dec 1 03:00:39 2000
Date: Fri, 1 Dec 2000 13:00:19 +0200
From: Nevermind
To: Matjaz Martincic
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Important!! Vulnerability in standard ftpd

Hello, Matjaz Martincic!

On Fri, Dec 01, 2000 at 11:56:20AM +0100, you wrote:
> Hi Alexandr,
>
> >No, I had only trusted non-anonymous ftp accounts. And sure, very trusted shell
> >accounts. All of them have full sudo, but all of us were using only ssh,
> >telnetd was closed, no one accessed non-anonymous ftp from the outside network.
>
> Well, that seems like a problem then. What release were (are) you using when
> you found out that you've been compromised?

I was using 4.1-STABLE when I was hacked. Now I'm using 4.2-STABLE and proftpd.

--
Alexandr P. Kovalenko http://nevermind.kiev.ua/
NEVE-RIPE

From owner-freebsd-security Fri Dec 1 03:13:51 2000
Date: Fri, 1 Dec 2000 03:14:17 -0800
From: Kris Kennaway
To: Nevermind
Cc: Kris Kennaway, freebsd-security@FreeBSD.ORG
Subject: Re: Important!! Vulnerability in standard ftpd

On Fri, Dec 01, 2000 at 12:41:14PM +0200, Nevermind wrote:
> > Check what out? Probably your machine has some other vulnerability
> > which was leveraged. You have given us nothing here beyond showing
> > that your ftp server has a world writable directory.
> I cannot now find the files I found a few months ago.
> You should contact the better man, who had found ~tmp. dirs in his incoming (it is
> in the parallel thread).
>
> He surely can find hidden files using fsck.
> He should look afair in /var/games/

You have come in and cried "Wolf!" (see subject line) and you don't
have any evidence to back up your claim? That's fairly annoying to the
people you have now caused to panic about some new super-secret ftp
exploit. It is *much* more likely that your machine had some other
well-known vulnerability which you overlooked, and this is actually
what your attackers exploited.

So far all you've shown is that you had a world-writable public
directory which some people uploaded files to. If someone can upload
files, it's much easier for them to take advantage of *other* security
weaknesses on your system which require a local file to work.

Guys, until someone can produce evidence that ftpd itself was actually
the entrance vector and not just an incidental factor to some other
vulnerability, I wouldn't worry about FreeBSD ftpd security
problems. Of course, public writable directories have been, and always
will be, a bad thing for your system security no matter what ftpd you
use.

Kris

From owner-freebsd-security Fri Dec 1 03:18:11 2000
Date: Fri, 1 Dec 2000 06:18:01 -0500 (EST)
From: Joe Oliveiro
To: Kris Kennaway
Cc: Nevermind, freebsd-security@FreeBSD.ORG
Subject: Re: Important!! Vulnerability in standard ftpd

FreeBSD - The BEST upgrade you can do to NT!

On Fri, 1 Dec 2000, Kris Kennaway wrote:
> On Fri, Dec 01, 2000 at 12:41:14PM +0200, Nevermind wrote:
> > > Check what out? Probably your machine has some other vulnerability
> > > which was leveraged. You have given us nothing here beyond showing
> > > that your ftp server has a world writable directory.
> > I cannot now find the files I found a few months ago.
> > You should contact the better man, who had found ~tmp. dirs in his incoming (it is
> > in the parallel thread).
> >
> > He surely can find hidden files using fsck.
> > He should look afair in /var/games/
>
> You have come in and cried "Wolf!" (see subject line) and you don't
> have any evidence to back up your claim? That's fairly annoying to the
> people you have now caused to panic about some new super-secret ftp
> exploit. It is *much* more likely that your machine had some other
> well-known vulnerability which you overlooked, and this is actually
> what your attackers exploited.
>
> So far all you've shown is that you had a world-writable public
> directory which some people uploaded files to. If someone can upload
> files, it's much easier for them to take advantage of *other* security
> weaknesses on your system which require a local file to work.
>
> Guys, until someone can produce evidence that ftpd itself was actually
> the entrance vector and not just an incidental factor to some other
> vulnerability, I wouldn't worry about FreeBSD ftpd security
> problems. Of course, public writable directories have been, and always
> will be, a bad thing for your system security no matter what ftpd you
> use.
>
> Kris
>

Why take the chance. I restrict access to ftpd via ipfw.

From owner-freebsd-security Fri Dec 1 03:23:59 2000
Date: Fri, 1 Dec 2000 13:22:57 +0200
From: Peter Pentchev
To: freebsd-security@FreeBSD.org
Cc: "Roberto Samarone Araujo (RSA)"
Subject: Re: FreeBSD Firewall - Help please

On Thu, Nov 30, 2000 at 04:01:22PM -0800, Don Lewis wrote:
> On Nov 30, 4:39pm, Peter Pentchev wrote:
> } Subject: Re: FreeBSD Firewall - Help please
>
> } Much too true.. indeed, for those who haven't seen it the first few
> } thousand times, there are numerous telnet- and netcat-like utilities
> } that are able to connect to previously installed backdoors, sending
> } TCP or UDP packets with a specified source port. The above-pasted
> } firewall config will happily let those in, assuming they are DNS replies.
> } > } The only way to get around this is with a stateful firewall - allowing > } UDP-source-port-53 traffic only after an outgoing UDP packet to that > } host's port 53. > > ... or run named and only allow responses to go to its query-source port. > The disadvantage of this is that you can't debug DNS problems by pointing > dig at other name servers. ..and then there are those who do not want to run named, but instead, something like Dan J. Bernstein's dnscache (from the djbdns package), which picks a random source port for each query - and we're back to the stateful firewall :) G'luck, Peter -- You have, of course, just begun reading the sentence that you have just finished reading. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 4: 1:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from postman.orangenetwork.net (ns.orangenetwork.net [211.123.49.50]) by hub.freebsd.org (Postfix) with SMTP id F23FE37B400 for ; Fri, 1 Dec 2000 04:01:12 -0800 (PST) Received: (qmail 18714 invoked from network); 1 Dec 2000 21:01:20 +0900 Received: from stanley.orangenetwork.net (HELO stanley) (211.123.49.54) by ns.orangenetwork.net with SMTP; 1 Dec 2000 21:01:20 +0900 Date: Fri, 01 Dec 2000 21:00:55 +0900 From: Melon To: freebsd-security@freebsd.org Subject: Re[2]: 137/udp In-Reply-To: References: Message-Id: <3A2792F72E4.BF8BMELON@postman.orangenetwork.net> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver 1.26.05 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What? As probably you know, I am not a native English speaker. My e-mail may not be perfect as an English language, however, I have NEVER said all kids are stupid. Mr. Jonathan M. Slivko, please indicate that if I have ever said "All kids are stupid". I'm disgusted by a series of improper posts made by Mr. 
Jonathan M. Slivko on the list which is just intended for technical discussion. By the way, I have to read all of the posted messages for the issues. I will be here again if I have further question. I appreciate for people who helped me to solve the technical issue. Thank you. - Melon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 4: 3:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from winston.osd.bsdi.com (winston.osd.bsdi.com [204.216.27.229]) by hub.freebsd.org (Postfix) with ESMTP id 6EBF937B400 for ; Fri, 1 Dec 2000 04:03:19 -0800 (PST) Received: from winston.osd.bsdi.com (jkh@localhost [127.0.0.1]) by winston.osd.bsdi.com (8.11.1/8.11.1) with ESMTP id eB1C32M34608; Fri, 1 Dec 2000 04:03:06 -0800 (PST) (envelope-from jkh@winston.osd.bsdi.com) To: Nevermind Cc: freebsd-security@FreeBSD.ORG Subject: Re: Important!! Vulnerability in standard ftpd In-Reply-To: Message from Nevermind of "Fri, 01 Dec 2000 12:21:24 +0200." <20001201122124.H2185@nevermind.kiev.ua> Date: Fri, 01 Dec 2000 04:03:02 -0800 Message-ID: <34604.975672182@winston.osd.bsdi.com> From: Jordan Hubbard Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > It is ttyp* and ttyv* sniffer, logger, password cracker. > Please, check it out! These are the kinds of "reports" we can actually do without because all they do is alarm people without actually informing them of anything. You make some vague reference to a tool but don't provide any information on where to get it, you make vague reference to a hack but don't give any details on how you confirmed it or the evidence you gathered, all you're essentially doing is making unsupported assertions which are basically difficult or impossible to verify. In short, if you're going to send messages with subject lines like "Important!! 
Vulnerability in XXX" at all, we expect you to follow some very basic common-sense guidelines for doing advance research and presentating sufficient evidence for your claims. If you are unable to meet that criteria, do not send such messages. It is very simple. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 4: 8:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from nevermind.kiev.ua (unknown [212.109.53.33]) by hub.freebsd.org (Postfix) with ESMTP id 5D16037B400 for ; Fri, 1 Dec 2000 04:08:15 -0800 (PST) Received: (from never@localhost) by nevermind.kiev.ua (8.11.1/8.11.1) id eB1C7np31307; Fri, 1 Dec 2000 14:07:49 +0200 (EET) (envelope-from never) Date: Fri, 1 Dec 2000 14:07:49 +0200 From: Nevermind To: Jordan Hubbard Cc: freebsd-security@FreeBSD.ORG Subject: Re: Important!! Vulnerability in standard ftpd Message-ID: <20001201140748.A30994@nevermind.kiev.ua> References: <34604.975672182@winston.osd.bsdi.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <34604.975672182@winston.osd.bsdi.com>; from jkh@winston.osd.bsdi.com on Fri, Dec 01, 2000 at 04:03:02AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, Jordan Hubbard! On Fri, Dec 01, 2000 at 04:03:02AM -0800, you wrote: > > It is ttyp* and ttyv* sniffer, logger, password cracker. > > Please, check it out! > > These are the kinds of "reports" we can actually do without because > all they do is alarm people without actually informing them of > anything. 
> You make some vague reference to a tool but don't provide
> any information on where to get it, you make vague reference to a hack
> but don't give any details on how you confirmed it or the evidence you
> gathered, all you're essentially doing is making unsupported
> assertions which are basically difficult or impossible to verify.
>
> In short, if you're going to send messages with subject lines like
> "Important!! Vulnerability in XXX" at all, we expect you to follow
> some very basic common-sense guidelines for doing advance research and
> presenting sufficient evidence for your claims. If you are unable
> to meet that criteria, do not send such messages. It is very simple.

Ok, I'll never send vulnerability reports. Thanx.

P.S. I've already said in this thread where you can get data for your experiments, so stop flaming and contact Christoph Kukulies. He has surely been hacked the same way as I was a few months ago. btw, I've already contacted him; if he replies with the data needed I'll forward it here.

--
Alexandr P. Kovalenko http://nevermind.kiev.ua/ NEVE-RIPE

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 1 4:13:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from winston.osd.bsdi.com (winston.osd.bsdi.com [204.216.27.229]) by hub.freebsd.org (Postfix) with ESMTP id 58F4D37B400 for ; Fri, 1 Dec 2000 04:13:53 -0800 (PST) Received: from winston.osd.bsdi.com (jkh@localhost [127.0.0.1]) by winston.osd.bsdi.com (8.11.1/8.11.1) with ESMTP id eB1CDcM34680; Fri, 1 Dec 2000 04:13:38 -0800 (PST) (envelope-from jkh@winston.osd.bsdi.com) To: Nevermind Cc: freebsd-security@FreeBSD.ORG Subject: Re: Important!! Vulnerability in standard ftpd In-Reply-To: Message from Nevermind of "Fri, 01 Dec 2000 14:07:49 +0200."
<20001201140748.A30994@nevermind.kiev.ua> Date: Fri, 01 Dec 2000 04:13:37 -0800 Message-ID: <34676.975672817@winston.osd.bsdi.com> From: Jordan Hubbard Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Ok, I'll never send vulnerability reports. If you are indeed incapable of doing so in a professional manner (or even semi-professional) then that would indeed be the best course of action. Thank you. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 4:23:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (pool136-tch-1.Sofia.0rbitel.net [212.95.170.136]) by hub.freebsd.org (Postfix) with SMTP id 3706737B400 for ; Fri, 1 Dec 2000 04:23:06 -0800 (PST) Received: (qmail 2485 invoked by uid 1000); 1 Dec 2000 12:21:54 -0000 Date: Fri, 1 Dec 2000 14:21:54 +0200 From: Peter Pentchev To: Christoph Kukulies Cc: freebsd-security@freebsd.org Subject: Re: which ftpd Message-ID: <20001201142153.B329@ringworld.oblivion.bg> Mail-Followup-To: Christoph Kukulies , freebsd-security@freebsd.org References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de>; from kuku@gilberto.physik.rwth-aachen.de on Fri, Dec 01, 2000 at 09:23:19AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It would seem to me that what you're seeing is somebody trying to use your machine as storage for warez. In particular, the '.../ .sys/' directory contains files with names and sizes that look a lot like the 15MB RAR archives used by some warez groups to 'distribute' their findings. 
I *think* the others might be just somebody testing to see if they can upload files onto your server, and belatedly realizing that there is no way to remove the files and directories they've created.

G'luck,
Peter

--
This sentence every third, but it still comprehensible.

On Fri, Dec 01, 2000 at 09:23:19AM +0100, Christoph Kukulies wrote:
> I want to keep anonymous ftp on one of my machines but
> I'm not sure whether I should use wuftpd or the stock distributed
> ftpd. I want to have logging what users/sites are doing.
> But I want security also.
>
> I just discovered a bunch of suspicious files and directories
> in my incoming directory:
> drwxrwx-wx root/staff 0 Nov 28 19:45 2000 incoming/
> drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/sm/
> drwxr-xr-x ftp/staff 0 Aug 14 16:44 2000 incoming/. XFer/
> drwxr-xr-x ftp/staff 0 Aug 14 16:50 2000 incoming/j/
> drwxr-xr-x ftp/staff 0 Aug 21 04:15 2000 incoming/~tmp./
> drwxr-xr-x ftp/staff 0 Aug 21 04:16 2000 incoming/.../
> drwxr-xr-x ftp/staff 0 Nov 7 02:50 2000 incoming/.../ .sys/
> -rw-r--r-- ftp/staff 937 Nov 7 02:49 2000 incoming/.../ .sys/eth-mmad.sfv
> -rw-r--r-- ftp/staff 15000000 Nov 7 02:50 2000 incoming/.../ .sys/eth-mmad.r00
> -rw-r--r-- ftp/staff 6307200 Nov 7 02:51 2000 incoming/.../ .sys/eth-mmad.r01
> drwxr-xr-x ftp/staff 0 Sep 21 17:45 2000 incoming/test345/
> drwxr-xr-x ftp/staff 0 Oct 20 01:14 2000 incoming/ . test345/
> -rw-r--r-- ftp/staff 1000000 Oct 20 01:14 2000 incoming/ . test345/1MB
> drwxr-xr-x ftp/staff 0 Nov 14 07:22 2000 incoming/ngf/
> drwxr-xr-x ftp/staff 0 Nov 20 00:04 2000 incoming/asd/
> drwxr-xr-x ftp/staff 0 Nov 21 11:32 2000 incoming/_ax/
>
> The three-dot directories are normally used by intruder tools.
> I'm wondering if this was an attack or just a trial.
>
> It seems I didn't block creating directories otherwise it wouldn't have
> been possible to create that but I'm wondering if this is possible
> to disallow under the stock ftpd.
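An added example, not code from the thread or from FreeBSD's ftpd: a small sh audit of an anonymous incoming tree that flags the signs visible in Christoph's listing (three-dot and space-padded names, the .sfv plus .r00 split-archive set, an oversized upload, and upload subdirectories that are still world-listable even though incoming itself is drwxrwx-wx), plus a helper that makes the tree write-only. The function names, the 5 MB size threshold and the sample tree it builds are constructed assumptions.

```shell
#!/bin/sh
# Audit an anonymous-ftp "incoming" tree for the file-drop signs seen in
# the listing above: three-dot and space-padded names, split RAR volumes
# with their .sfv checksum list, oversized uploads, and upload
# directories that anyone who knows the path can list.
# Added example for this thread, not code from FreeBSD or the posters;
# function names, size threshold and sample tree are constructed.

LARGE_BYTES=5000000   # constructed threshold; 15 MB RAR volumes exceed it

# Print one "reason<TAB>path" line per finding.
# Returns 1 if anything was found, 0 for a clean tree.
audit_incoming() {
    dir=$1
    # IFS= read -r keeps the leading/trailing spaces that make
    # names like " .sys" and " . test345" easy to overlook.
    findings=$(find "$dir" -mindepth 1 -print | while IFS= read -r p; do
        name=${p##*/}
        case "$name" in
            " "*|*" ")                 printf 'name\t%s\n' "$p" ;;    # space-padded
            .*|"~"*)                   printf 'name\t%s\n' "$p" ;;    # "...", ". XFer", "~tmp."
            *.r[0-9][0-9]|*.rar|*.sfv) printf 'archive\t%s\n' "$p" ;; # split RAR set
        esac
        if [ -f "$p" ]; then
            size=$(wc -c < "$p" | tr -d ' ')
            if [ "$size" -gt "$LARGE_BYTES" ]; then
                printf 'large\t%s\n' "$p"
            fi
        elif [ -d "$p" ]; then
            # Column 8 of ls -ld is the "other" read bit: a listable
            # subdirectory is what turns an upload area into a public drop.
            if [ "$(ls -ld "$p" | cut -c8)" = r ]; then
                printf 'listable\t%s\n' "$p"
            fi
        fi
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Number of findings, optionally restricted to one reason tag.
count_findings() {
    audit_incoming "$1" | awk -v r="$2" 'r == "" || $1 == r { n++ } END { print n + 0 }'
}

# Write-only drop box: anonymous users may still create and upload (wx)
# but can list neither incoming nor the directories already inside it.
harden_incoming() {
    chmod o=wx "$1"
    find "$1" -mindepth 1 -type d -exec chmod o-r {} +
}

# Constructed sample tree modelled on the listing in the thread
# (zero-filled content; only names, modes and sizes matter).
make_sample_tree() {
    base=$1
    (
        umask 022
        mkdir -p "$base/sm" "$base/. XFer" "$base/~tmp." \
                 "$base/.../ .sys" "$base/ . test345" "$base/asd"
        chmod 773 "$base"   # drwxrwx-wx, as in the listing
        dd if=/dev/zero of="$base/.../ .sys/eth-mmad.sfv" bs=937 count=1 2>/dev/null
        dd if=/dev/zero of="$base/.../ .sys/eth-mmad.r00" bs=1000000 count=15 2>/dev/null
        dd if=/dev/zero of="$base/ . test345/1MB" bs=1000000 count=1 2>/dev/null
    )
}

# Usage: sh audit_incoming.sh /path/to/incoming
if [ $# -gt 0 ]; then
    audit_incoming "$1"
fi
```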
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 1 4:47:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from area51.v-wave.com (area51.v-wave.com [24.108.173.252]) by hub.freebsd.org (Postfix) with SMTP id E6DBD37B400 for ; Fri, 1 Dec 2000 04:47:29 -0800 (PST) Received: (qmail 21415 invoked by uid 1001); 1 Dec 2000 12:47:24 -0000 Date: Fri, 1 Dec 2000 05:47:24 -0700 From: Chris Wasser To: FreeBSD security Subject: Re: which ftpd Message-ID: <20001201054724.A21271@skunkworks.area51-arpa.mil> References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <20001201142153.B329@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001201142153.B329@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Dec 01, 2000 at 02:21:54PM +0200 X-Operating-System: FreeBSD 4.2-STABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri 01 Dec 2000, Peter Pentchev wrote:
> It would seem to me that what you're seeing is somebody trying to use
> your machine as storage for warez. In particular, the '.../ .sys/'
> directory contains files with names and sizes that look a lot like
> the 15MB RAR archives used by some warez groups to 'distribute' their
> findings.

I actually replied to this but accidentally sent it to the wrong mailing list; this is indeed a file drop situation. Seen it many times before, and had a somewhat unique perspective on such activities. I recently just switched from ProFTPd to the stock FreeBSD ftpd 6.00LS because it was becoming a pain to keep up with new problems in ProFTPd (albeit few and far between) and decided it was far easier to use the stock ftpd for ftp services [after all, it comes with the OS, no need to compile a port to get ftp services up and going.]

Granted ProFTPd is somewhat easier to set up (the apache-like configuration helps a lot) but I see no difference in quality of service except perhaps a few missing options such as ftp bandwidth limiting (which can be accomplished other ways anyway).

The "exploit" or "vulnerability" he's talking about I've seen before, mostly through an exploited ftpd called "glftpd" which is riddled with bugs (and unfortunately is distributed only in platform-specific binaries, making it hard to 'sanitize' -- in which case I'd think using jail would be preferable if you must run this particular piece of software -- and it's my personal opinion that services such as httpd and ftpd should be run inside a jail anyway) and it does indeed log input (in this particular case, the person who had installed it when I found it on a friend's machine had captured ftp, ssh and console [local] login names and passwords and hid the executable and its logged information in /var/spool/lpd/.lpd/).

Ideally, the best approach is not to allow anonymous upload access, or do as someone suggested and make your incoming directory write-only, thus preventing would-be couriers from making your site into a public file drop. Having a world writable/readable incoming directory is just begging to be abused.
-Chris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 1 4:50:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from postman.orangenetwork.net (ns.orangenetwork.net [211.123.49.50]) by hub.freebsd.org (Postfix) with SMTP id 2881137B400 for ; Fri, 1 Dec 2000 04:50:31 -0800 (PST) Received: (qmail 19542 invoked from network); 1 Dec 2000 21:50:42 +0900 Received: from stanley.orangenetwork.net (HELO stanley) (211.123.49.54) by ns.orangenetwork.net with SMTP; 1 Dec 2000 21:50:42 +0900 Date: Fri, 01 Dec 2000 21:50:17 +0900 From: Melon To: freebsd-security@freebsd.org Subject: Re[2]: 137/udp In-Reply-To: References: <3A26A013136.BF8AMELON@postman.orangenetwork.net> Message-Id: <3A279E89A0.BF8CMELON@postman.orangenetwork.net> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver 1.26.05 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello, I'm not familiar with NetBIOS behavior, but I know 137/udp (source) -> 53/udp (destination) is used for name resolving. None of the Windows and Windows NT clients here have the Microsoft network sharing service installed, but I have a Samba server as the file server for these Windows clients. I had expected that any 137/udp packets coming in from outside my LAN were illegal. I wanted to know...

* How is a 137/udp packet sent to my network from the Internet?
* Are all 137/udp packets intended as a port scan or an explicit attack?

I forgot to mention this... When 137/udp was sent here (the PC I'm writing this e-mail on; Windows 98 SE), I was running Napster just for uploading a file. I'm logging the IP address of all 6699/tcp connections for security reasons. Since I was doing tail -f [logname_for_my_firewall], I found 6699/tcp and 137/udp were coming from the same IP address. I asked him/her "Did you do something to my computer?" using Napster; I expected he or she would ignore my stupid question if he/she had really or explicitly attacked me. However, the person who was connecting from that IP address replied to me and did not seem to be a cracker. I have talked with so many entry-level PC users, so I asked him/her detailed PC-related questions. I can't believe he/she attacked me. Now I have a problem. I expected *all* 137/udp from the outside to be intended only for cracking. So I would like to know the 2 points listed above. - Melon

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 1 6:39: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 8955F37B400; Fri, 1 Dec 2000 06:39:07 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA26320; Fri, 1 Dec 2000 06:38:43 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda26318; Fri Dec 1 06:38:36 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eB1EcU315944; Fri, 1 Dec 2000 06:38:30 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdz15942; Fri Dec 1 06:38:17 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eB1EcHO47163; Fri, 1 Dec 2000 06:38:17 -0800 (PST) Message-Id: <200012011438.eB1EcHO47163@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdZ47159; Fri Dec 1 06:37:45 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.2-RELEASE X-Sender: cy To: mwlucas@exceptionet.com Cc: scrappy@hub.org (The Hermit Hacker), kris@FreeBSD.ORG,
sriva@gufi.org, security@FreeBSD.ORG Subject: IDS (was: Re: FreeBSD hacked?) In-reply-to: Your message of "Thu, 30 Nov 2000 12:32:41 EST." <200011301732.MAA08853@easeway.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 01 Dec 2000 06:37:44 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <200011301732.MAA08853@easeway.com>, mwlucas@exceptionet.com writes:
> [picking this message to respond to in general, not you in particular]
> Besides, the hackers *claim* it was a "harmless" intrusion. Kris must be
> going nuts finding out what else was changed, or confirming nothing else
> was. We've all been there.
>
> IIRC, Freefall's been rooted before. It'll probably be rooted again. A
> security admin's job sucks, but life goes on.

An IDS like tripwire or aide will help in this department. Of course there are limitations, e.g. rootkits that install themselves as kernel mods, and there are extra things that need to be done to improve tripwire's or aide's ability to withstand database corruption, but it is better than doing nothing at all.
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 6:55: 0 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 85EB537B400; Fri, 1 Dec 2000 06:54:57 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA26360; Fri, 1 Dec 2000 06:54:44 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda26356; Fri Dec 1 06:54:44 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eB1EscA16051; Fri, 1 Dec 2000 06:54:38 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdr16032; Fri Dec 1 06:54:18 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eB1EsH747653; Fri, 1 Dec 2000 06:54:17 -0800 (PST) Message-Id: <200012011454.eB1EsH747653@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdz47641; Fri Dec 1 06:53:49 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.2-RELEASE X-Sender: cy To: Jordan Hubbard Cc: The Hermit Hacker , Kris Kennaway , Stefano Riva , security@FreeBSD.ORG Subject: Re: FreeBSD hacked? In-reply-to: Your message of "Thu, 30 Nov 2000 11:48:28 PST." 
<18748.975613708@winston.osd.bsdi.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 01 Dec 2000 06:53:48 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <18748.975613708@winston.osd.bsdi.com>, Jordan Hubbard writes:
> > so, for the next few days, there is a possibility that the rest of us are
> > as vulnerable? *raised eyebrow*
>
> Only if you run all of FreeBSD.org's CGI scripts. Do you? :)

I think the only CGI script that runs on www.freebsd.org that people might run is cvsweb because it's a port in the ports collection. Until we hear otherwise there is the possibility that it might be the culprit.

You people should just watch the commits to the www source tree. Eventually you'll see a commit that will fix the problem. Until then you'll have to wait.

Regards,
Cy Schubert, Team Leader, Sun/DEC Team, Open Systems Group, ITSD, ISTA, Province of BC
Phone: (250)387-8437 Fax: (250)387-5766 Internet: Cy.Schubert@osg.gov.bc.ca

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 1 6:57:38 2000 Delivered-To: freebsd-security@freebsd.org Received: from expert.com.br (soure.expert.com.br [200.242.253.1]) by hub.freebsd.org (Postfix) with SMTP id BFCD137B402 for ; Fri, 1 Dec 2000 06:57:35 -0800 (PST) Received: (qmail 58930 invoked from network); 1 Dec 2000 14:56:06 -0000 Received: from unknown (HELO nirvana) (200.242.253.60) by soure.expert.com.br with SMTP; 1 Dec 2000 14:56:06 -0000 Message-ID: <01af01c05ba6$fc3c4180$3cfdf2c8@nirvana> From: "Roberto Samarone Araujo (RSA)" To: Subject: FreeBSD Firewall - Help Please - Part II Date: Fri, 1 Dec 2000 11:57:11 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.3018.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Sorry, but the rules that I put here yesterday didn't work right :/ The services still didn't work when I tried to access them, for example DNS, FTP, POP3. Could anyone please send the solution for this? thanks, Roberto Samarone Araujo

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 1 7:17:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 02B7137B400 for ; Fri, 1 Dec 2000 07:17:32 -0800 (PST) Received: from tandem (tandem [204.107.138.1]) by tandem.milestonerdl.com (8.10.0/8.10.0) with ESMTP id eB1FGGL24710; Fri, 1 Dec 2000 09:16:16 -0600 (CST) Date: Fri, 1 Dec 2000 09:16:16 -0600 (CST) From: Marc Rassbach To: Nevermind Cc: Matjaz Martincic , freebsd-security@FreeBSD.ORG Subject: Move along, nothing to see here. Re: Important!! Vulnerability in standard ftpd In-Reply-To: <20001201124713.K2185@nevermind.kiev.ua> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 1 Dec 2000, Nevermind wrote:
> No, I had only trusted non-anonymous ftp accounts. And sure, very-trusted shell
> accounts. All of them have full sudo, but all of us were using only ssh,
> telnetd was closed, noone accessed to non-anonymous ftp from outside network.

The accounts and these people may all have been trusted. But what about the people who knew the people with the access?

Could THEY be trusted?

Did one of them use the same password on all machines, and therefore had a valid password from a non-trustable system?

Unless you have logs of all commands/keystrokes of your remote users, stored on a separate machine, you don't know if the break-in happened by one of your remote users' IDs.
If you can provide documentation of the break-in, good. If you have a script (either printed directions or an actual automated script) that does the break-in, great. I'm positive Kris would love to see it. If all you can do is hand-wave and talk in vague generalities, then please don't post as "Important!! Vulnerability in standard ftpd"; try something like "Did they use ftpd to break in?" or "I had a break in....would someone help me figure out what happened" or "Someone was messing with my ftp setup...I could use some help." I'm sure your break-in was real, and raised your blood pressure, but your alarmist style of post raised the blood pressure of many sysadmins today. Consider their health....all that caffeine and sugar combined with a spike in blood pressure will kill them.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 1 7:21:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from expert.com.br (soure.expert.com.br [200.242.253.1]) by hub.freebsd.org (Postfix) with SMTP id 4D6B237B400 for ; Fri, 1 Dec 2000 07:21:23 -0800 (PST) Received: (qmail 59937 invoked from network); 1 Dec 2000 15:19:55 -0000 Received: from unknown (HELO nirvana) (200.242.253.60) by soure.expert.com.br with SMTP; 1 Dec 2000 15:19:55 -0000 Message-ID: <01b501c05baa$4fa168c0$3cfdf2c8@nirvana> From: "Roberto Samarone Araujo (RSA)" To: References: Subject: Re: FreeBSD Firewall - Help Please - Part II Date: Fri, 1 Dec 2000 12:20:59 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.3018.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I'm using ipfw

Roberto Samarone Araujo

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in
the body of the message

From owner-freebsd-security Fri Dec 1 7:40:13 2000 Delivered-To: freebsd-security@freebsd.org Received: from xmh13.scott.af.mil (unknown [140.175.215.30]) by hub.freebsd.org (Postfix) with ESMTP id E235337B400 for ; Fri, 1 Dec 2000 07:40:09 -0800 (PST) Received: from vejxoisntav83.scott.af.mil (vejxoisntav83.scott.af.mil [140.175.254.103]) by xmh13.scott.af.mil (8.9.3/8.9.3) with SMTP id JAA06225 for ; Fri, 1 Dec 2000 09:52:43 -0600 Received: from vejxoisntc83.scott.af.mil ([140.175.254.200]) by vejxoisntav83.scott.af.mil (NAVIEG 2.1 bld 63) with SMTP id M2000120109391523012 ; Fri, 01 Dec 2000 09:39:15 -0600 Received: by vejxoisntc83.scott.af.mil with Internet Mail Service (5.5.2650.21) id ; Fri, 1 Dec 2000 09:39:59 -0600 Message-ID: <21A918476AFBD311B0C80000D1ECF0FF01A865FC@vejxoisnte85.scott.af.mil> From: Garrett Gregory Cntr AMC/LGXI To: Marc Rassbach , Nevermind Cc: Matjaz Martincic , freebsd-security@FreeBSD.ORG Subject: RE: Move along, nothing to see here. Re: Important!! Vulnerability in standard ftpd Date: Fri, 1 Dec 2000 09:44:42 -0600 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Speaking from experience in a related case: I have had my website system hacked twice in the last year - BOTH times it happened because the hacker got into ANOTHER system where an individual with a trusted account had his userid and password stored on that server in a plain text file - they pogoed from that system with that userid and got in...

The results from the investigation? There was nothing else I could do to my system to make it more secure - in fact I got kudos for it being as secure as it was. But as long as people keep info insecurely there's nothing you can do but keep watch and hope to catch them (and of course have good backup sets!).
Greg Garrett UNIX Systems Administrator HQ AMC/LGXI DSN 779-4695 Comm 618-229-4695 Email Gregory.Garrett@scott.af.mil

-----Original Message-----
From: Marc Rassbach [mailto:marc@milestonerdl.com]
Sent: Friday, December 01, 2000 9:16 AM
To: Nevermind
Cc: Matjaz Martincic; freebsd-security@FreeBSD.ORG
Subject: Move along, nothing to see here. Re: Important!! Vulnerability in standard ftpd

On Fri, 1 Dec 2000, Nevermind wrote:
> No, I had only trusted non-anonymous ftp accounts. And sure, very-trusted shell
> accounts. All of them have full sudo, but all of us were using only ssh,
> telnetd was closed, noone accessed to non-anonymous ftp from outside network.

The Accounts and these people may all have been trusted. But what about the people who knew the people with the access?

Could THEY be trusted?

Did one of them use the same password on all machines, and therefore had a valid password from a non-trustable system?

Unless you have logs of all commands/keystrokes of your remote users, stored on a separate machine, you don't know if the break-in happened by one of your remote users' IDs.

If you can provide documentation of the break-in, good. If you have a script (either printed directions or an actual automated script) that does the break-in, great. I'm positive Kris would love to see it. If all you can do is hand-wave and talk in vague generalities, then please don't post as "Important!! Vulnerability in standard ftpd"; try something like "Did they use ftpd to break in?" or "I had a break in....would someone help me figure out what happened" or "Someone was messing with my ftp setup...I could use some help." I'm sure your break-in was real, and raised your blood pressure, but your alarmist style of post raised the blood pressure of many sysadmins today. Consider their health....all that caffeine and sugar combined with a spike in blood pressure will kill them.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 7:49:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from joe.pythonvideo.com (joe.pythonvideo.com [209.226.29.94]) by hub.freebsd.org (Postfix) with ESMTP id 288C437B401 for ; Fri, 1 Dec 2000 07:49:45 -0800 (PST) Received: from localhost (joe@localhost) by joe.pythonvideo.com (8.11.1/8.11.0) with ESMTP id eB1FmtW02350; Fri, 1 Dec 2000 10:48:55 -0500 (EST) (envelope-from joe@advancewebhosting.com) X-Authentication-Warning: joe.pythonvideo.com: joe owned process doing -bs Date: Fri, 1 Dec 2000 10:48:55 -0500 (EST) From: Joe Oliveiro X-Sender: joe@joe.pythonvideo.com To: Marc Rassbach Cc: Nevermind , Matjaz Martincic , freebsd-security@FreeBSD.ORG Subject: Re: Move along, nothing to see here. Re: Important!! Vulnerability in standard ftpd In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Very well said! FreeBSD - The BEST upgrade you can do to NT! On Fri, 1 Dec 2000, Marc Rassbach wrote: > > > On Fri, 1 Dec 2000, Nevermind wrote: > > > No, I had only trusted non-anonymous ftp accounts. And sure, very-trusted shell > > accounts. All of them have full sudo, but all of us were using only ssh, > > telnetd was closed, noone accessed to non-anonymous ftp from outside network. > > The Accounts and these people may all have been trusted. But what about > the people who knew the people with the access? > > Could THEY be trusted? > > Did one of them use the same password on all machines, and therefore had a > valid password from a non-trustable system? 
>
> Unless you have logs of all commands/keystrokes of your remote users,
> stored on a separate machine, you don't know if the break-in happened by
> one of your remote users' IDs.
>
> If you can provide documentation of the break-in, good. If you
> have a script (either printed directions or an actual automated
> script) that does the break-in, great. I'm positive Kris would love to
> see it. If all you can do is hand-wave and talk in vague generalities,
> then please don't post as "Important!! Vulnerability in standard ftpd"; try
> something like "Did they use ftpd to break in?" or "I had a break
> in....would someone help me figure out what happened" or "Someone was
> messing with my ftp setup...I could use some help." I'm sure your break-in
> was real, and raised your blood pressure, but your alarmist style of
> post raised the blood pressure of many sysadmins today. Consider their
> health....all that caffeine and sugar combined with a spike in blood
> pressure will kill them.
>
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 1 7:54:54 2000 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 6502037B401 for ; Fri, 1 Dec 2000 07:54:52 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1098) id E586C2B28C; Fri, 1 Dec 2000 09:54:46 -0600 (CST) Date: Fri, 1 Dec 2000 09:54:46 -0600 From: Bill Fumerola To: Nevermind Cc: Matjaz Martincic , freebsd-security@FreeBSD.ORG Subject: Re: Important!!
Vulnerability in standard ftpd Message-ID: <20001201095446.K83422@elvis.mu.org> References: <20001201124713.K2185@nevermind.kiev.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001201124713.K2185@nevermind.kiev.ua>; from never@nevermind.kiev.ua on Fri, Dec 01, 2000 at 12:47:13PM +0200 X-Operating-System: FreeBSD 4.2-FEARSOME-20001103 i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, Dec 01, 2000 at 12:47:13PM +0200, Nevermind wrote:
> No, I had only trusted non-anonymous ftp accounts. And sure, very-trusted shell
> accounts. All of them have full sudo, but all of us were using only ssh,
> telnetd was closed, noone accessed to non-anonymous ftp from outside network.

From the posts I've seen I trust FreeBSD more than your ability to sysadmin. Please don't cry wolf and stir up stupid threads without concrete proof of problems with FreeBSD. (ie, I do X and it gives me privilege Z).

--
Bill Fumerola - security yahoo / Yahoo! inc. - fumerola@yahoo-inc.com / billf@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 1 8:20:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from cam067213.student.utwente.nl (cam067213.student.utwente.nl [130.89.226.203]) by hub.freebsd.org (Postfix) with SMTP id 8DFB637B401 for ; Fri, 1 Dec 2000 08:20:14 -0800 (PST) Received: (qmail 26367 invoked by uid 1001); 1 Dec 2000 17:21:47 -0000 Date: Fri, 1 Dec 2000 17:21:47 +0000 From: Frank van Vliet To: Cy Schubert - ITSD Open Systems Group Cc: security@freebsd.org Subject: Re: FreeBSD hacked?
Message-ID: <20001201172147.A25455@root66.org> References: <18748.975613708@winston.osd.bsdi.com> <200012011454.eB1EsH747653@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="xHFwDpU9dbj6ez1V" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200012011454.eB1EsH747653@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Fri, Dec 01, 2000 at 06:53:48AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --xHFwDpU9dbj6ez1V Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Dec 01, 2000 at 06:53:48AM -0800, Cy Schubert - ITSD Open Systems G= roup wrote: > In message <18748.975613708@winston.osd.bsdi.com>, Jordan Hubbard=20 > writes: > > > so, for the next few days, there is a possibility that the rest of us= are > > > as vulnerable? *raised eyebrow* > >=20 > > Only if you run all of FreeBSD.org's CGI scripts. Do you? :) >=20 > I think the only CGI script that runs on www.freebsd.org that people=20 > might run is cvsweb because its a port in the ports collection. Until=20 > we hear otherwise there is the possibility that it might be the culprit. >=20 > You people should just watch the commits to the www source tree. =20 > Eventually you'll see a commit that will fix the problem. Until then=20 > you'll have to wait. Ofcourse cvsweb could contain bugs, but it is a www.freebsd.org specific sc= ript nohican and me exploited. I don't see any reason for 'panick' about cv= sweb. 
Frank van Vliet alias {} karin@root66.org --xHFwDpU9dbj6ez1V Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQA/AwUBOifeKev9YnvRDibSEQJb4QCfRsjQu89Yu7wbf8tt2iw/1/M+OicAoOeY v8o/mnUMEO9+mMuy7jByy+8L =sDMO -----END PGP SIGNATURE----- --xHFwDpU9dbj6ez1V-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 8:23:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 6257437B400 for ; Fri, 1 Dec 2000 08:23:41 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA26868; Fri, 1 Dec 2000 08:23:29 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda26866; Fri Dec 1 08:23:24 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eB1GNJr16921; Fri, 1 Dec 2000 08:23:19 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdJ16919; Fri Dec 1 08:22:24 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eB1GMMO48317; Fri, 1 Dec 2000 08:22:22 -0800 (PST) Message-Id: <200012011622.eB1GMMO48317@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdF48311; Fri Dec 1 08:21:46 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.2-RELEASE X-Sender: cy To: Gerhard Sittig Cc: freebsd-security@FreeBSD.ORG Subject: Re: filtering ipsec traffic In-reply-to: Your message of "Thu, 30 Nov 2000 18:26:28 +0100."
<20001130182628.P27042@speedy.gsinet> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 01 Dec 2000 08:21:45 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20001130182628.P27042@speedy.gsinet>, Gerhard Sittig writes: > On Wed, Nov 29, 2000 at 18:57 +0100, Gerhard Sittig wrote: > > > > Am I wrong thinking that one already has these four hooks > > available? (Sorry, I haven't toyed with IPsec yet.) > > > > [ ... ] > > > > And the way out is similar with a chain of > > app -> enc0 -> IPsec -> tun0 -> wire > > Woops, forget the above, please! :) I must have been asleep and > was confusing this with OpenBSD. Let me cite from their manpages > (sorry, don't have a running system around here so I will UTSL :) > -- feel free to read the online manpages at www.CC.freebsd.org in > your preferred output format). > > ----- ipsec(4) -------------------------------------------------- > ... > For example: > .Bd -literal -offset indent > Net A <----> Firewall 1 <--- Internet ---> Firewall 2 <----> Net B > .Ed > .Pp > Firewall 1 and Firewall 2 can protect all communications between Net A > and Net B by using > .Tn IPsec > in tunnel mode, as illustrated above. > .Pp > This implementation makes use of a virtual interface > .Nm enc0 , > which can be used in packet filters to specify those > packets that have been or will be processed by > .Tn IPsec. > ... > ----------------------------------------------------------------- > > ----- enc(4) ---------------------------------------------------- > ... > .Sh SYNOPSIS > .Cd "pseudo-device enc 4" > .Sh DESCRIPTION > The > .Nm > interface is a software loopback mechanism that allows hosts or > firewalls to filter > .Xr ipsec 4 > traffic using > .Xr ipf 5 . > The > .Xr vpn 8 > manpage shows an example of such a setup. > ... > ----------------------------------------------------------------- > > Maybe that's something FreeBSD wants to have, too? 
I don't see a > difference in which filter gets the packet once it enters / > leaves the IPsec functionality block and feel the mention of > ipf(5) -- why 5, not 8 or 4? -- to come from the fact that it's > OpenBSD's native filter. This sounds like a pretty handy feature. You can do the same thing with an IP-IP tunnel through the IPSec tunnel. Then you can just filter on the tun0 interface. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 8:31:37 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id AC33237B400 for ; Fri, 1 Dec 2000 08:31:34 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA26907; Fri, 1 Dec 2000 08:31:30 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda26903; Fri Dec 1 08:31:28 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eB1GVMA16997; Fri, 1 Dec 2000 08:31:22 -0800 (PST) Message-Id: <200012011631.eB1GVMA16997@passer.osg.gov.bc.ca> Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdA16988; Fri Dec 1 08:31:06 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.2-RELEASE X-Sender: cschuber To: Frank van Vliet Cc: Cy Schubert - ITSD Open Systems Group , security@freebsd.org Subject: Re: FreeBSD hacked? In-reply-to: Your message of "Fri, 01 Dec 2000 17:21:47 GMT."
<20001201172147.A25455@root66.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 01 Dec 2000 08:31:06 -0800 From: Cy Schubert Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20001201172147.A25455@root66.org>, Frank van Vliet writes: > > --xHFwDpU9dbj6ez1V > Content-Type: text/plain; charset=us-ascii > Content-Disposition: inline > Content-Transfer-Encoding: quoted-printable > > On Fri, Dec 01, 2000 at 06:53:48AM -0800, Cy Schubert - ITSD Open Systems Group wrote: > > In message <18748.975613708@winston.osd.bsdi.com>, Jordan Hubbard > > writes: > > > > so, for the next few days, there is a possibility that the rest of us are > > > > as vulnerable? *raised eyebrow* > > > > > > Only if you run all of FreeBSD.org's CGI scripts. Do you? :) > > > > I think the only CGI script that runs on www.freebsd.org that people > > might run is cvsweb because it's a port in the ports collection. Until > > we hear otherwise there is the possibility that it might be the culprit. > > > You people should just watch the commits to the www source tree. > > Eventually you'll see a commit that will fix the problem. Until then > > you'll have to wait. > > Of course cvsweb could contain bugs, but it is a www.freebsd.org specific script nohican and I exploited. I don't see any reason for 'panic' about cvsweb. Who said I was panicking? I don't even feel anxious about this issue. The only thing I feel anxious about is the stock market.
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 8:38:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id EFB6D37B401; Fri, 1 Dec 2000 08:38:52 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA39951; Fri, 1 Dec 2000 11:38:51 -0500 (EST) (envelope-from wollman) Date: Fri, 1 Dec 2000 11:38:51 -0500 (EST) From: Garrett Wollman Message-Id: <200012011638.LAA39951@khavrinen.lcs.mit.edu> To: Kris Kennaway Cc: Christoph Kukulies , freebsd-security@FreeBSD.ORG Subject: Re: which ftpd In-Reply-To: <20001201003104.A41598@citusc17.usc.edu> References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <20001201003104.A41598@citusc17.usc.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > Basically all of the third party ftpds in ports have had numerous > security problems - the in-system one has been vulnerability-free > for quite a while now. That doesn't imply that they are currently insecure. The advice that other people have given (e.g., running ftpd in a jail) is helpful, and of course the best thing you can do for anonymous FTP is to prohibit uploads altogether. If you need to allow uploads, several of the servers provide a much greater level of control over that function than standard UNIX permissions. For example, wuftpd allows the administrator to restrict uploads to a specific directory, and specify permissions for newly-uploaded files which will prevent them from being downloaded. 
(Merely setting the directory to 733 mode doesn't help -- the 31337 w4r3z d00dz don't need to be able to read the directory to download the files their friends have deposited there.) -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 9:35:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from trash.mashnet.de (trash.mashnet.de [212.5.1.3]) by hub.freebsd.org (Postfix) with ESMTP id 8876F37B400 for ; Fri, 1 Dec 2000 09:35:41 -0800 (PST) Received: from socha.net (IDENT:qmailr@dialin-2-148.bl.trmd.net [212.84.201.148]) by trash.mashnet.de (8.9.3/8.9.3) with SMTP id SAA01939 for ; Fri, 1 Dec 2000 18:35:33 +0100 Received: (qmail 11216 invoked by uid 500); 1 Dec 2000 17:33:58 -0000 To: security@FreeBSD.ORG Subject: Re: IDS References: <200012011438.eB1EcHO47163@cwsys.cwsent.com> Organization: Trial By Combat X-URL: X-MSMail-Priority: Urgent Virus Delivery X-Face: #Z}0zkbqU,m`+S)^0R[.23L-o>U{UQ|(DvIqu^Bjw:po_g9;4JnT9tbn;QX$ga/LYS From: "Robin S. Socha" Date: 01 Dec 2000 18:33:58 +0100 In-Reply-To: <200012011438.eB1EcHO47163@cwsys.cwsent.com> Message-ID: Lines: 23 User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.2 (Pan Linux 2.4.0-test11) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Cy Schubert writes: > An IDS like tripwire or aide will help in this department. Of course > there are limitations, e.g. rootkits that install themselves as kernel > mods, and there extra things that need to be done to improve tripwire's > or aide's ability to withstand database corruption, but it is better > than doing nothing at all. Just out of curiosity: Linux has LIDS at http://www.lids.org/ - is there an equivalent to that for FreeBSD? - -- Robin S. 
Socha -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1 Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface iQA/AwUBOifg9hCwuQQD9m3wEQKN7wCePwZD9aDe9B1InXJcZ2fpbMFg2woAnjd9 g0fIeZeNR5pxuvPwNjKX9JVb =YZ+O -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 9:44:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from theseus.cs.brandeis.edu (theseus.cs.brandeis.edu [129.64.3.184]) by hub.freebsd.org (Postfix) with ESMTP id A1C7C37B400 for ; Fri, 1 Dec 2000 09:44:31 -0800 (PST) Received: from localhost (meshko@localhost) by theseus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id MAA24834; Fri, 1 Dec 2000 12:44:22 -0500 Date: Fri, 1 Dec 2000 12:44:22 -0500 (EST) From: Mikhail Kruk To: "Robin S. Socha" Cc: Subject: Re: IDS In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org check http://www.trustedbsd.org/ I don't know how good it is though. > > Just out of curiosity: Linux has LIDS at http://www.lids.org/ - is there > an equivalent to that for FreeBSD? > - -- > Robin S. 
Socha > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.1 > Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface > > iQA/AwUBOifg9hCwuQQD9m3wEQKN7wCePwZD9aDe9B1InXJcZ2fpbMFg2woAnjd9 > g0fIeZeNR5pxuvPwNjKX9JVb > =YZ+O > -----END PGP SIGNATURE----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 9:49:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 1EECA37B69D for ; Fri, 1 Dec 2000 09:49:23 -0800 (PST) Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id KAA10757; Fri, 1 Dec 2000 10:49:08 -0700 (MST) (envelope-from nate@nomad.yogotech.com) Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id KAA05714; Fri, 1 Dec 2000 10:49:07 -0700 (MST) (envelope-from nate) From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14887.58514.983118.454312@nomad.yogotech.com> Date: Fri, 1 Dec 2000 10:49:06 -0700 (MST) To: James Wyatt Cc: Christoph Kukulies , freebsd-security@FreeBSD.ORG Subject: Re: which ftpd In-Reply-To: References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid Reply-To: nate@yogotech.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I've found the stock FreeBSD FTPd really good. It offers a chrooted > account I've had to take the WUFTPd risk for before on Linux. If you > turn-up the logging you can easily catch things like this. (btw: this > looks like some warez d00dz building a nest. 
I've had it happen before and > there have been some FTPd holes that required writable anon-ftp to work.) > Using the FTPd xfer log, you can easily audit uploaded files and spot > things like this. You can also have an automatic process watch the log > and move the files to a quarantine area. Do you have an example setup you could post to the list? One of the issues I'd like to have is an ftpd that allows uploads, but either moves them or changes the permissions on them as soon as the files are uploaded, to avoid having folks abuse the system for warez. This and the ability to chroot ftpd easily would allow me to switch away from my current ftpd daemon. Having this in the archive may help further users as well... Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 11: 4:12 2000 Delivered-To: freebsd-security@freebsd.org Received: from red.juniper.net (red.juniper.net [207.17.136.137]) by hub.freebsd.org (Postfix) with ESMTP id AB68937B400 for ; Fri, 1 Dec 2000 11:04:10 -0800 (PST) Received: from juniper.net (umesh-bsd.juniper.net [172.17.12.70]) by red.juniper.net (8.9.3/8.9.3) with ESMTP id LAA12578; Fri, 1 Dec 2000 11:04:05 -0800 (PST) Message-ID: <3A27F625.4C87CC7C@juniper.net> Date: Fri, 01 Dec 2000 11:04:05 -0800 From: Umesh Krishnaswamy Organization: Juniper Networks X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 2.2.8-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org, umesh@juniper.net Subject: Defeating SYN flood attacks Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Folks, I wanted to double-check which version of FreeBSD (if any) can address a SYN flooding DoS attack. The latest FreeBSD sources (tcp_input.c and ip_input.c) do not seem to have any code to address such an attack. Maybe I am missing something.
So if you folks can enlighten me on whether or how to handle the SYN attack from within the kernel, I would appreciate it. I am aware of ingress filtering; while that can help attacks from randomized IP addresses, it will fail in the case of an attack from a spoofed trusted IP address. Hence the desire to look into the kernel for a fix. Thanks. Umesh. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 11: 7: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id E50B037B400 for ; Fri, 1 Dec 2000 11:07:02 -0800 (PST) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id MAA25650; Fri, 1 Dec 2000 12:06:45 -0700 (MST) Message-Id: <200012011906.MAA25650@faith.cs.utah.edu> Subject: Re: Defeating SYN flood attacks To: umesh@juniper.net (Umesh Krishnaswamy) Date: Fri, 1 Dec 2000 12:06:45 -0700 (MST) Cc: freebsd-security@FreeBSD.ORG, umesh@juniper.net In-Reply-To: <3A27F625.4C87CC7C@juniper.net> from "Umesh Krishnaswamy" at Dec 01, 2000 11:04:05 AM From: "David G. Andersen" X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org FreeBSD has been synflood resistant for several years. To a first order, you cannot effectively synflood a decently provisioned FreeBSD box and deny service to it UNLESS your "synflood" is really just a bandwidth consumption attack that eats up all of their bandwidth. There was a problem that cropped up about a year ago where a *really high volume* syn flood could cause some kernel problems, but that's fixed in all of the recent 4.x versions. Really high volume means 10Mbps+. 
-Dave Lo and behold, Umesh Krishnaswamy once said: > > Hi Folks, > > I wanted to double-check which version of FreeBSD (if any) can address a > SYN flooding DoS attack. The latest FreeBSD sources (tcp_input.c and > ip_input.c) do not seem to have any code to address such an attack. Maybe I am > missing something. > > So if you folks can enlighten me on whether or how to handle the SYN attack from > within the kernel, I would appreciate it. I am aware of ingress filtering; while > that can help attacks from randomized IP addresses, it will fail in the case of > an attack from a spoofed trusted IP address. Hence the desire to look into the > kernel for a fix. > > Thanks. > Umesh. > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 11:13:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from agora.rdrop.com (agora.rdrop.com [199.2.210.241]) by hub.freebsd.org (Postfix) with ESMTP id 0E29B37B400 for ; Fri, 1 Dec 2000 11:13:40 -0800 (PST) Received: (from alan@localhost) by agora.rdrop.com (8.11.1/8.11.1) id eB1JDeW49581; Fri, 1 Dec 2000 11:13:40 -0800 (PST) Date: Fri, 1 Dec 2000 11:13:40 -0800 From: Alan Batie To: "David G. Andersen" Cc: Umesh Krishnaswamy , freebsd-security@FreeBSD.ORG Subject: Re: Defeating SYN flood attacks Message-ID: <20001201111340.P45293@agora.rdrop.com> Mail-Followup-To: "David G. 
Andersen" , Umesh Krishnaswamy , freebsd-security@FreeBSD.ORG References: <3A27F625.4C87CC7C@juniper.net> <200012011906.MAA25650@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200012011906.MAA25650@faith.cs.utah.edu>; from dga@pobox.com on Fri, Dec 01, 2000 at 12:06:45PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Dec 01, 2000 at 12:06:45PM -0700, David G. Andersen wrote: > FreeBSD has been synflood resistant for several years. To a first order, > you cannot effectively synflood a decently provisioned FreeBSD box and > deny service to it UNLESS your "synflood" is really just a bandwidth > consumption attack that eats up all of their bandwidth. > > There was a problem that cropped up about a year ago where a *really high > volume* syn flood could cause some kernel problems, but that's fixed in > all of the recent 4.x versions. Really high volume means 10Mbps+. I was just subject to such an attack last weekend; I'm running 4.1-RELEASE at the moment. The attack was SYNs from a large number of (probably spoofed, randomly generated) addresses to a sequence of ports. The reason I noticed it was because the port unreachable icmp messages exceeded the default icmp bandwidth limit and the console and syslog were filled with the resulting messages about that. The attack ran from Friday evening until Monday morning. I'm not sure if it's related, but it's suspicious, that the system under attack crashed (wedged) Sunday morning. FWIW -- Alan Batie ______ www.rdrop.com/users/alan Me alan@batie.org \ / www.qrd.org The Triangle PGPFP DE 3C 29 17 C0 49 7A \ / www.pgpi.com The Weird Numbers 27 40 A5 3C 37 4A DA 52 B9 \/ www.anti-spam.net NO SPAM! 
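In the "which ftpd" thread above, Nate Williams asked for an example setup that moves or re-permissions anonymous uploads as soon as they land, and Garrett Wollman pointed out that a 733 incoming directory does not stop anyone who already knows the file name. The script below is an added example written for this archive; it is not FreeBSD's ftpd code and not a setup any of the posters ran. It assumes xferlog records in the wu-ftpd layout (the sample lines are constructed), log paths relative to the FTP root, and a quarantine directory outside that root; FreeBSD's stock ftpd logs transfers through syslog, so parse_xferlog() would need adapting for those lines.

```python
"""Move finished anonymous uploads out of the FTP tree so they cannot be
fetched by the next anonymous client.

Added example for the "which ftpd" thread; not FreeBSD ftpd code and not a
setup any poster described.  Assumptions: xferlog records in the wu-ftpd
layout (SAMPLE_XFERLOG is constructed), paths in the log relative to the
FTP root, and a quarantine directory outside that root.
"""
import os
import shutil
import stat
import tempfile

# Constructed sample xferlog, wu-ftpd layout.  The third record is an
# incomplete ('i') upload; the second is a download ('o') and must be ignored.
SAMPLE_XFERLOG = """\
Fri Dec  1 10:02:11 2000 3 203.0.113.7 1048576 /incoming/movie.r01 b _ i a anon@ ftp 0 * c
Fri Dec  1 10:02:19 2000 1 203.0.113.7 2048 /pub/README a _ o a anon@ ftp 0 * c
Fri Dec  1 10:03:40 2000 9 198.51.100.2 524288 /incoming/partial.bin b _ i a anon@ ftp 0 * i
Fri Dec  1 10:04:02 2000 2 198.51.100.9 4096 /incoming/notes.txt a _ i a anon@ ftp 0 * c
"""

def parse_xferlog(line):
    """Parse one wu-ftpd xferlog record; return None for anything else.

    Layout after the five-token timestamp: transfer-time remote-host size
    filename type special-action direction access-mode user service
    auth-method auth-user completion-status.
    """
    f = line.split()
    if len(f) != 18 or not f[7].isdigit():
        return None
    return {"host": f[6], "size": int(f[7]), "path": f[8],
            "direction": f[11],            # 'i' upload, 'o' download
            "access": f[12],               # 'a' anonymous, 'g' guest, 'r' real
            "complete": f[17] == "c"}      # 'i' = incomplete/aborted

def quarantine_uploads(xferlog_text, ftp_root, quarantine_dir):
    """Chmod 0600 and move every completed anonymous upload into
    quarantine_dir.  Returns the new paths in log order."""
    root = os.path.realpath(ftp_root)
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    moved = []
    for line in xferlog_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None or rec["direction"] != "i" or rec["access"] != "a":
            continue
        if not rec["complete"]:
            continue                     # still being written; next sweep
        src = os.path.realpath(os.path.join(root, rec["path"].lstrip("/")))
        if not src.startswith(root + os.sep) or not os.path.isfile(src):
            continue                     # outside the tree, or already handled
        # Close the file off *before* it leaves the FTP tree: a 733 incoming
        # directory does not stop a client that already knows the name.
        os.chmod(src, stat.S_IRUSR | stat.S_IWUSR)
        dst = os.path.join(quarantine_dir, os.path.basename(src))
        shutil.move(src, dst)
        moved.append(dst)
    return moved

def demo():
    """Build a throwaway tree matching SAMPLE_XFERLOG, sweep it, and return
    (quarantined names, names left in incoming/, modes of quarantined files)."""
    root = tempfile.mkdtemp(prefix="ftproot-")
    qdir = tempfile.mkdtemp(prefix="ftpquarantine-")
    try:
        for rel in ("incoming/movie.r01", "incoming/partial.bin",
                    "incoming/notes.txt", "pub/README"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"x" * 16)
        moved = quarantine_uploads(SAMPLE_XFERLOG, root, qdir)
        left = sorted(os.listdir(os.path.join(root, "incoming")))
        modes = [stat.S_IMODE(os.stat(p).st_mode) for p in moved]
        return [os.path.basename(p) for p in moved], left, modes
    finally:
        shutil.rmtree(root)
        shutil.rmtree(qdir)

if __name__ == "__main__":
    print(demo())
```

Run it from cron or from a `tail -f` loop over the real log; the sweep is idempotent because a file that has already been moved is simply not found on the next pass, and an upload still in progress is left alone until its completion record appears.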
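Alan Batie's report above describes SYNs from many (probably spoofed) addresses to a sequence of ports, first noticed through the ICMP rate-limit messages on the console. As an added example, not FreeBSD code and not something the posters ran, the script below triages a `netstat -an` snapshot: it counts half-open connections, separates a many-source flood from a single noisy client, and pulls the counts out of the "Limiting icmp unreach response" console lines. The netstat and syslog lines are constructed sample input in the FreeBSD output format, and the alert threshold is an assumed site-specific parameter.

```python
"""Triage a suspected SYN flood from `netstat -an` and console output.

Added example for the "Defeating SYN flood attacks" thread; not FreeBSD
code.  SAMPLE_NETSTAT and SAMPLE_CONSOLE are constructed in the FreeBSD
output format, not captured from a real attack.
"""
import re
from collections import Counter

# Constructed sample: one server, six half-open connections from six
# different sources spread over three consecutive ports.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.80          203.0.113.5.41022      ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.77.1024     SYN_RCVD
tcp4       0      0  192.0.2.10.80          198.51.100.78.1025     SYN_RCVD
tcp4       0      0  192.0.2.10.81          198.51.100.79.1026     SYN_RCVD
tcp4       0      0  192.0.2.10.81          198.51.100.80.1027     SYN_RCVD
tcp4       0      0  192.0.2.10.82          198.51.100.81.1028     SYN_RCVD
tcp4       0      0  192.0.2.10.82          198.51.100.82.1029     SYN_RCVD
tcp4       0      0  192.0.2.10.22          203.0.113.9.55010      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
"""

# Constructed sample console/syslog lines; the message text is the one the
# FreeBSD kernel prints when its ICMP bandwidth limiter engages.
SAMPLE_CONSOLE = """\
Dec  1 03:10:07 agora /kernel: Limiting icmp unreach response from 2763 to 200 packets per second
Dec  1 03:10:08 agora /kernel: Limiting icmp unreach response from 2891 to 200 packets per second
Dec  1 03:10:09 agora sshd[412]: Accepted publickey for alan from 203.0.113.9
"""

def split_endpoint(token):
    """'192.0.2.10.80' -> ('192.0.2.10', 80); '*.*' -> ('*', None)."""
    host, _, port = token.rpartition(".")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Return one dict per TCP socket line; headers and non-TCP lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        local_ip, local_port = split_endpoint(fields[3])
        foreign_ip, foreign_port = split_endpoint(fields[4])
        sockets.append({"local_ip": local_ip, "local_port": local_port,
                        "foreign_ip": foreign_ip, "foreign_port": foreign_port,
                        "state": fields[5]})
    return sockets

def summarize_half_open(sockets, threshold=200):
    """Count SYN_RCVD sockets and classify the source pattern.

    A flood from randomised/spoofed addresses shows almost as many distinct
    foreign IPs as half-open sockets; one broken or hostile client shows a
    couple of IPs repeated.  `threshold` is an assumed site-specific value.
    """
    syn = [s for s in sockets if s["state"] == "SYN_RCVD"]
    sources = Counter(s["foreign_ip"] for s in syn)
    ports = sorted({s["local_port"] for s in syn})
    if not syn:
        pattern = "none"
    elif len(sources) >= 0.8 * len(syn):
        pattern = "many sources (randomised or spoofed addresses)"
    else:
        top = ", ".join(ip for ip, _ in sources.most_common(3))
        pattern = "few sources (%s)" % top
    return {"half_open": len(syn), "distinct_sources": len(sources),
            "ports": ports, "pattern": pattern, "alert": len(syn) >= threshold}

ICMP_LIMIT_RE = re.compile(
    r"Limiting icmp unreach response from (\d+) to (\d+) packets per second")

def icmp_limit_events(text):
    """Return (wanted, limit) pairs from ICMP rate-limit console lines:
    how many unreachables the kernel wanted to send in that second versus
    the cap it enforced.  A steady stream of these is what Alan saw."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(ICMP_LIMIT_RE.search, text.splitlines()) if m]

if __name__ == "__main__":
    print(summarize_half_open(parse_netstat(SAMPLE_NETSTAT), threshold=5))
    print(icmp_limit_events(SAMPLE_CONSOLE))
```

Feed it `netstat -an` output captured during the event; the distinct-source ratio tells you whether ingress filtering on a single address would have helped at all, which for the randomised case in the thread it would not.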
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 11:23: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from wasp.eng.ufl.edu (wasp.eng.ufl.edu [128.227.116.1]) by hub.freebsd.org (Postfix) with ESMTP id 4B1DC37B400 for ; Fri, 1 Dec 2000 11:23:02 -0800 (PST) Received: from eng.ufl.edu (scanner.engnet.ufl.edu [128.227.152.221]) by wasp.eng.ufl.edu (8.9.3/8.9.3) with ESMTP id OAA26271; Fri, 1 Dec 2000 14:22:42 -0500 (EST) Message-ID: <3A27FA7F.D2604732@eng.ufl.edu> Date: Fri, 01 Dec 2000 14:22:39 -0500 From: Bob Johnson Organization: University of Florida X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 3.4-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: melon@orangenetwork.net Cc: freebsd-security@freebsd.org Subject: Re[2]: 137/udp Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Date: Fri, 01 Dec 2000 21:50:17 +0900 > From: Melon > Subject: Re[2]: 137/udp > > Hello, > > I'm not familiar with NetBIOS behavior, but I know 137/udp (source) -> > 53/udp (destination) is used for name resolving. > > None of the Windows and Windows NT clients here have the Microsoft > network sharing service installed, but I have a Samba server for these Windows > clients as the file server. > > I expected that any 137/udp packets coming in from outside my LAN were > illegal. > > I wanted to know... > > * How is a 137/udp packet sent to my network from the Internet? > * Are all 137/udp packets intended as a port scan or an explicit attack? Port 137/udp packets are not necessarily hostile. See http://www.robertgraham.com/pubs/firewall-seen.html#10 for a discussion of this. > > I forgot to mention this... > When 137/udp was sent here (the PC I'm writing this e-mail on; Windows 98 SE), > I was running Napster just for uploading a file.
> I'm logging the IP address of all 6699/tcp connections for security > reasons. Since I was doing tail -f [logname_for_my_firewall], I found > 6699/tcp and 137/udp were coming from the same IP address. I asked > him/her "Did you do something to my computer?" using Napster; I > expected he or she would ignore my stupid question if he/she had really or > explicitly attacked me. However, the person who was connecting from that > IP address replied to me and did not seem to be a cracker. If you are connected to a Napster server, you will see a lot of miscellaneous traffic as people search for song titles, etc. This is probably part of that. > I have talked with so many entry-level PC users, so I asked him/her > detailed PC-related questions. I can't believe he/she attacked me. > > Now, I have a problem. I expected *all* 137/udp from the outside to be > intended only > for cracking. So I would like to know the 2 points listed above. > > - - Melon > -- Bob Johnson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 11:53:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from battery.yi.org (rn081014.mrs.umn.edu [146.57.81.14]) by hub.freebsd.org (Postfix) with ESMTP id 5524937B400 for ; Fri, 1 Dec 2000 11:53:43 -0800 (PST) Received: from localhost (root@localhost) by battery.yi.org (8.9.3/8.9.3) with ESMTP id NAA06017 for ; Fri, 1 Dec 2000 13:45:28 -0600 (CST) (envelope-from root@battery.yi.org) Date: Fri, 1 Dec 2000 13:45:28 -0600 (CST) From: Brad Mace To: freebsd-security@FreeBSD.ORG Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org query freebsd-security To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 11:54:33 2000 Delivered-To: freebsd-security@freebsd.org Received:
from apollo.gti.net (apollo.gti.net [199.171.27.7]) by hub.freebsd.org (Postfix) with ESMTP id 954E437B400 for ; Fri, 1 Dec 2000 11:54:27 -0800 (PST) Received: from fuckoff (intra-gw.gti.net [206.67.179.20]) by apollo.gti.net (mail) with SMTP id C607E1459EA; Fri, 1 Dec 2000 14:54:26 -0500 (EST) Message-ID: <006b01c05bd0$3a06e730$0501a8c0@fuckoff> Reply-To: "Shadow" From: "Shadow" To: "Rodney W. Grimes" , "Igor Roshchin" Cc: References: <200011301820.KAA45049@gndrsh.dnsmgr.net> Subject: Re: Danger Ports Date: Fri, 1 Dec 2000 14:52:23 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Not to get off topic, but try null routes instead of access lists on routers for the destination filtering; it eats a lot less CPU time. ip route 172.16.0.0 255.240.0.0 Null0 ip route 192.168.0.0 255.255.0.0 Null0 ip route 10.0.0.0 255.0.0.0 Null0 -Shadow Sr. Systems Administrator, Global Telecom Inc. shadow@gti.net ----- Original Message ----- From: "Rodney W. Grimes" To: "Igor Roshchin" Cc: Sent: Thursday, November 30, 2000 1:20 PM Subject: Re: Danger Ports > > > From: "Rodney W. Grimes" > > > Subject: Re: Danger Ports > > > Date: Thu, 30 Nov 2000 09:43:57 -0800 (PST) > > > > > > Please do all the rest of us a favor and filter the > > > packets to reserved networks, not just from them. > > > > > > > this is right out of the ACL for my core router.. > > > > > > > > ! 
reserved networks > > > > access-list 110 deny ip 127.0.0.0 0.0.0.255 any log > > > > access-list 110 deny ip 10.0.0.0 0.255.255.255 any log > > > > access-list 110 deny ip 172.16.0.0 0.15.255.255 any log > > > > access-list 110 deny ip 172.31.0.0 0.0.255.255 any log > > > > access-list 110 deny ip 192.168.0.0 0.0.255.255 any log > > > > > > access-list 110 deny ip any 127.0.0.0 0.0.0.255 log > > > access-list 110 deny ip any 10.0.0.0 0.255.255.255 log > > > access-list 110 deny ip any 172.16.0.0 0.15.255.255 log > > > access-list 110 deny ip any 172.31.0.0 0.0.255.255 log > > > access-list 110 deny ip any 192.168.0.0 0.0.255.255 log > > > > > > > > > > I am not sure if filtering some reserved networks would not stop legitimate > > traffic for some people. E.g. Home.net (@Home, @Work) > > is using 10.0.0.0 to number their aggregation routers. Thus its > > users will probably suffer if they block this network at the firewall. > > No they won't suffer, reserved networks are reserved, blocking them > at AS boundaries is a BCP, both source and destination address. It > does do some funny things to traceroute, but it doesn't affect normal > operations: > traceroute to 199.172.150.100 (199.172.150.100), 30 hops max, 40 byte packets > 1 12.127.217.157 (12.127.217.157) 9.037 ms 8.890 ms 8.914 ms > 2 gbr1-p20.wswdc.ip.att.net (12.123.194.130) 15.247 ms 15.217 ms 15.454 ms > 3 gbr3-p70.wswdc.ip.att.net (12.122.1.157) 16.046 ms 15.984 ms 16.376 ms > 4 gbr3-p80.sl9mo.ip.att.net (12.122.2.145) 31.230 ms 31.205 ms 31.215 ms > 5 gbr3-p20.sffca.ip.att.net (12.122.2.74) 71.592 ms 71.609 ms 83.002 ms > 6 gbr1-p50.sffca.ip.att.net (12.122.1.162) 73.615 ms 70.807 ms 70.809 ms > 7 ar4-a300s3.sffca.ip.att.net (12.123.12.89) 72.431 ms 72.168 ms 72.241 ms > 8 12.126.204.18 (12.126.204.18) 72.468 ms 78.563 ms 74.011 ms > 9 * * * > 10 * * * > 11 nblb1.dmz.home.net (199.172.150.100) 72.997 ms 72.785 ms 72.876 ms > > Notice what happened to the 192.168.*.* addresses....
> > > Regards,
> > > Igor
> >
> > PS. Here is how a traceroute output looks for a client of @Work:
> >
> >  1 local router ...
> >  2 10.252.4.49 (10.252.4.49) 16.012 ms 12.834 ms 12.852 ms
> >  3 10.252.6.1 (10.252.6.1) 11.823 ms 7.354 ms 4.556 ms
> >  4 c1-pos6-0.hrfrct1.home.net (24.7.74.65) 3.496 ms 15.956 ms 2.303 ms
> >  5 c1-pos6-0.nycmny1.home.net (24.7.69.2) 5.043 ms 7.764 ms 15.248 ms
> >  6 c1-pos8-0.cmdnnj1.home.net (24.7.65.229) 15.514 ms 22.998 ms 9.477 ms
> >  7 24.7.69.33 (24.7.69.33) 66.412 ms 66.057 ms 79.060 ms
> >  8 24.7.76.81 (24.7.76.81) 77.324 ms 65.984 ms 77.516 ms
> >  9 bb1-pos1-0.rwc1.sfba.home.net (24.7.74.118) 66.701 ms 78.673 ms 66.758 ms
> > 10 bfr-ge0-0.excite.com (24.7.70.34) 67.170 ms 66.809 ms 77.240 ms
> > 11 192.168.249.139 (192.168.249.139) 81.213 ms 68.489 ms 81.637 ms
> > 12 192.168.251.4 (192.168.251.4) 67.023 ms 164.883 ms 173.432 ms
> > 13 nblb1.dmz.home.net (199.172.150.100) 179.639 ms 178.223 ms 197.902 ms
>
> --
> Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 1 12:09:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from red.juniper.net (red.juniper.net [207.17.136.137]) by hub.freebsd.org (Postfix) with ESMTP id 93B7A37B400 for ; Fri, 1 Dec 2000 12:09:41 -0800 (PST)
Received: from juniper.net (umesh-bsd.juniper.net [172.17.12.70]) by red.juniper.net (8.9.3/8.9.3) with ESMTP id MAA16797; Fri, 1 Dec 2000 12:09:36 -0800 (PST)
Message-ID: <3A280580.D63A0F70@juniper.net>
Date: Fri, 01 Dec 2000 12:09:36 -0800
From: Umesh Krishnaswamy
Organization: Juniper Networks
X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 2.2.8-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "David G. Andersen"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Defeating SYN flood attacks
References: <200012011906.MAA25650@faith.cs.utah.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"David G. Andersen" wrote:

> FreeBSD has been synflood resistant for several years. To a first order,
> you cannot effectively synflood a decently provisioned FreeBSD box and
> deny service to it UNLESS your "synflood" is really just a bandwidth
> consumption attack that eats up all of their bandwidth.
>
> There was a problem that cropped up about a year ago where a *really high
> volume* syn flood could cause some kernel problems, but that's fixed in
> all of the recent 4.x versions. Really high volume means 10Mbps+.

Cool. That is good to hear. I just verified that the synflood attack does
not bring down a 3.3.4 machine. If anybody knows off the top of their head
the kernel source files which have the fixes, it would help.

Thx.
Umesh.

> -Dave
>
> Lo and behold, Umesh Krishnaswamy once said:
> >
> > Hi Folks,
> >
> > I wanted to double-check which version of FreeBSD (if any) can address a
> > SYN flooding DoS attack. The latest FreeBSD sources (tcp_input.c and
> > ip_input.c) do not seem to have any code to address such an attack. Maybe I am
> > missing something.
> >
> > So if you folks can enlighten me on whether or how to handle the SYN attack from
> > within the kernel, I would appreciate it. I am aware of ingress filtering; while
> > that can help attacks from randomized IP addresses, it will fail in the case of
> > an attack from a spoofed trusted IP address. Hence the desire to look into the
> > kernel for a fix.
> >
> > Thanks.
> > Umesh.
>
> --
> work: dga@lcs.mit.edu me: dga@pobox.com
> MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Fri Dec 1 12:11:01 2000
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0242D4@goofy.epylon.lan>
From: Jason DiCioccio
To: 'Umesh Krishnaswamy', "David G. Andersen"
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Defeating SYN flood attacks
Date: Fri, 1 Dec 2000 12:10:55 -0800

3.3.4? is that 3.3 or 3.4?

-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

415-593-2761 Direct & Fax
415-593-2900 Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft

From owner-freebsd-security Fri Dec 1 12:14:13 2000
Message-ID: <3A280683.A10605A4@juniper.net>
Date: Fri, 01 Dec 2000 12:13:55 -0800
From: Umesh Krishnaswamy
Organization: Juniper Networks
To: Jason DiCioccio
Cc: "David G. Andersen", freebsd-security@FreeBSD.ORG
Subject: Re: Defeating SYN flood attacks
References: <657B20E93E93D4118F9700D0B73CE3EA0242D4@goofy.epylon.lan>

Jason DiCioccio wrote:

> 3.3.4? is that 3.3 or 3.4?
>
> -JD-

Sorry, it was a 3.4 RELEASE.

Umesh.

From owner-freebsd-security Fri Dec 1 12:22:44 2000
Message-Id: <4.3.2.7.2.20001201131729.04907bf0@localhost>
Date: Fri, 01 Dec 2000 13:22:22 -0700
To: Umesh Krishnaswamy, freebsd-security@FreeBSD.ORG, umesh@juniper.net
From: Brett Glass
Subject: Re: Defeating SYN flood attacks
In-Reply-To: <3A27F625.4C87CC7C@juniper.net>

Steve Gibson just published a great article on SYN flood avoidance,
complete with a mechanism that I think FreeBSD should adopt for it. See

http://grc.com/r&d/nomoredos.htm

--Brett
From owner-freebsd-security Fri Dec 1 12:33:00 2000
Date: Fri, 1 Dec 2000 15:32:48 -0500 (EST)
From: Joe Oliveiro
To: Umesh Krishnaswamy
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Defeating SYN flood attacks
In-Reply-To: <3A27F625.4C87CC7C@juniper.net>

Check your /etc/defaults/rc.conf file for protection against synfloods.

FreeBSD - The BEST upgrade you can do to NT!

From owner-freebsd-security Fri Dec 1 12:57:01 2000
Date: Fri, 1 Dec 2000 16:02:11 -0500 (EST)
From: Ralph Huntington
To: Brett Glass
Cc: Umesh Krishnaswamy, freebsd-security@FreeBSD.ORG
Subject: Re: Defeating SYN flood attacks
In-Reply-To: <4.3.2.7.2.20001201131729.04907bf0@localhost>

This is very very clever. I don't see any holes in it (anyone else?).

On Fri, 1 Dec 2000, Brett Glass wrote:

> Steve Gibson just published a great article on SYN flood avoidance,
> complete with a mechanism that I think FreeBSD should adopt for it.
> See
>
> http://grc.com/r&d/nomoredos.htm
>
> --Brett

From owner-freebsd-security Fri Dec 1 13:01:01 2000
Message-Id: <200012012100.OAA05277@faith.cs.utah.edu>
Subject: Re: Defeating SYN flood attacks
To: rjh@mohawk.net (Ralph Huntington)
Date: Fri, 1 Dec 2000 14:00:48 -0700 (MST)
Cc: brett@lariat.org (Brett Glass), umesh@juniper.net (Umesh Krishnaswamy), freebsd-security@FreeBSD.ORG
From: "David G. Andersen"

Lo and behold, Ralph Huntington once said:
>
> This is very very clever. I don't see any holes in it (anyone else?).

It needs more peer review. In particular:

  a) A good comparison to Linux's syncookies
  b) An evaluation of the computational load of performing an
     encryption on every SYN. Does this create a CPU DOS attack?
  c) An evaluation of how it times out old SYN packets (replay,
     packet duplication). What are the consequences?
  d) Not to use a patented and licensed cipher.

I think that my reasons for suggesting all of the above are obvious, but
if you'd like clarification, I'll spout more.

  -Dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Fri Dec 1 13:08:52 2000
Message-Id: <4.3.2.7.2.20001201140439.048d42f0@localhost>
Date: Fri, 01 Dec 2000 14:08:29 -0700
To: "David G. Andersen", rjh@mohawk.net (Ralph Huntington)
From: Brett Glass
Subject: Re: Defeating SYN flood attacks
Cc: umesh@juniper.net (Umesh Krishnaswamy), freebsd-security@FreeBSD.ORG, steve@grc.com
In-Reply-To: <200012012100.OAA05277@faith.cs.utah.edu>

At 02:00 PM 12/1/2000, David G. Andersen wrote:

>Lo and behold, Ralph Huntington once said:
>>
>> This is very very clever. I don't see any holes in it (anyone else?).
>
>It needs more peer review. In particular:
>
> a) A good comparison to Linux's syncookies

Steve *sort of* does this, but doesn't get into much detail.
> b) An evaluation of the computational load of performing an
>    encryption on every SYN. Does this create a CPU DOS attack?

Good question! This can probably be controlled by the number of
rounds of encryption.

> c) An evaluation of how it times out old SYN packets
>    (replay, packet duplication). What are the consequences?

Steve's algorithm doesn't have any timeouts. I think that this is
one of its weaknesses: the key is only changed at each boot,
instead of, say, hourly. This leaves a server open to known
plaintext attacks which can drastically limit the search space
required to break the cipher.

> d) Not to use a patented and licensed cipher.

I see no reason not to use MD5 instead of RC5. FreeBSD already has
MD5 in the kernel!

--Brett

>I think that my reasons for suggesting all of the above are obvious, but
>if you'd like clarification, I'll spout more.
>
> -Dave

From owner-freebsd-security Fri Dec 1 13:30:36 2000
Message-Id: <200012012130.OAA08033@faith.cs.utah.edu>
Subject: Re: Defeating SYN flood attacks
To: brett@lariat.org (Brett Glass)
Date: Fri, 1 Dec 2000 14:30:13 -0700 (MST)
Cc: dga@pobox.com (David G. Andersen), rjh@mohawk.net (Ralph Huntington), umesh@juniper.net (Umesh Krishnaswamy), freebsd-security@FreeBSD.ORG, steve@grc.com
In-Reply-To: <4.3.2.7.2.20001201140439.048d42f0@localhost> from "Brett Glass" at Dec 01, 2000 02:08:29 PM
From: "David G. Andersen"

Lo and behold, Brett Glass once said:
> > b) An evaluation of the computational load of performing an
> >    encryption on every SYN. Does this create a CPU DOS attack?
>
> Good question! This can probably be controlled by the number of
> rounds of encryption.
You need sufficient rounds of encryption so that it's not trivial to
break; the recommended number of rounds for RC5 these days is sixteen,
not twelve. Regardless of the number nitpicking, the time it takes to
perform this encryption in a secure manner is nontrivial, though likely
not huge since there's a constant key and relatively static IV.

> > c) An evaluation of how it times out old SYN packets
> >    (replay, packet duplication). What are the consequences?
>
> Steve's algorithm doesn't have any timeouts. I think that this is
> one of its weaknesses: the key is only changed at each boot,
> instead of, say, hourly. This leaves a server open to known
> plaintext attacks which can drastically limit the search space
> required to break the cipher.

This is fixable; you could have a rollover period where you check the
key against two different tables, for instance. But that adds to the
complexity and to the CPU requirements.

.. but like I said: I think his proposal needs more serious thought
than it's been given before we chuck it into the kernel. I'm fairly
certain that there are other questions that should be raised and
answered about his scheme. That doesn't mean I think it's a bad idea -
I like it, though his presentation sucks - it just needs more careful
consideration than his own "It's perfect!" paper.
  -Dave

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Fri Dec 1 13:33:55 2000
Message-ID: <00a101c05bdf$4e6e9b00$fd01a8c0@pacbell.net>
From: "John Howie"
To: "Ralph Huntington", "David G. Andersen"
Cc: "Brett Glass", "Umesh Krishnaswamy"
References: <200012012100.OAA05277@faith.cs.utah.edu>
Subject: Re: Defeating SYN flood attacks
Date: Fri, 1 Dec 2000 13:40:21 -0800

"David G. Andersen" wrote:

> Lo and behold, Ralph Huntington once said:
> >
> > This is very very clever. I don't see any holes in it (anyone else?).
>
> It needs more peer review. In particular:

There are flaws in the implementation: I do not believe that on a heavily
used site encryption would not slow the system down (somewhat), especially
a heavily used system. By maintaining a cache, as suggested, you are still
consuming resources so a DoS can still occur.

Given that you know the plaintext (the Client IP Address), the cipher text
(SISN - CISN) and the algorithm, you can work out the key used
(eventually). If the key is only changed at system startup, the longer the
system is running, the more likely it will be that the key is computed. We
all talk about how long our boxes are up and running for (compared to
NT/2000) and we usually talk in months, if not years. The key needs to be
changed more often - perhaps hourly (which still might not be enough). You
could improve security by combining the CISN with some (server-specific)
value which would allow a unique key to be created for each incoming
connection. You would need to store state (the key) and that consumes
resources so we are back to where we were (DoS).

Spoofers can still cause you a problem. If the spoofer is on the return
route to the spoofed IP addressed host then they will still see the
sequence.

This proposed system, IMHO, is flawed.

john...

From owner-freebsd-security Fri Dec 1 13:53:36 2000
Date: Fri, 1 Dec 2000 22:53:06 +0100 (MET)
From: "Vladimir Mencl, MK, susSED"
To: Brett Glass
Cc: Umesh Krishnaswamy, freebsd-security@FreeBSD.ORG
Subject: Re: Defeating SYN flood attacks
In-Reply-To: <4.3.2.7.2.20001201131729.04907bf0@localhost>

On Fri, 1 Dec 2000, Brett Glass wrote:

> Steve Gibson just published a great article on SYN flood avoidance,
> complete with a mechanism that I think FreeBSD should adopt for it.
> See

I see two problems with it.

1) SYN/ACKs are not resent.

This partially breaks the TCP concept; resending is completely transferred
to the client, doubling the load (statistically, according to the
probability that a packet is lost).

2) Once you KNOW the SISN, you can make requests to the server even
without being able to read its responses.

This can be a security issue when you rely on your firewall to block some
incoming connections (SYN packets only), and you have a stateless
firewall. In the current state, one could wait for the server's SISN for
an (allowed) http connection, then try to telnet to that machine (not
allowed) by spoofing an ACK with the already known SISN.

The scheme might be improved by making BOTH port numbers a part of the
encrypted plaintext; however, the scheme may still be exploited (though in
rather obscure scenarios).

Vladimir Mencl

>
> http://grc.com/r&d/nomoredos.htm
>
> --Brett

From owner-freebsd-security Fri Dec 1 15:10:58 2000
Date: Fri, 1 Dec 2000 18:10:55 -0500
From: Peter Chiu
Reply-To: Webbie
Message-ID: <32502992254.20001201181055@ipfw.org>
To: Garrett Gregory Cntr AMC/LGXI
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: Move along, nothing to see here. Re: Important!! Vulnerability in standard ftpd
In-reply-To: <21A918476AFBD311B0C80000D1ECF0FF01A865FC@vejxoisnte85.scott.af.mil>
References: <21A918476AFBD311B0C80000D1ECF0FF01A865FC@vejxoisnte85.scott.af.mil>

Hello Garrett,

Friday, December 01, 2000, 10:44:42 AM, you wrote:

GGCAL> Speaking from experience in a related case:

GGCAL> I have had my website system hacked twice in the last year - BOTH times it
GGCAL> happened because the hacker got into ANOTHER system where an individual with
GGCAL> a trusted account had his userid and password stored on that server in a
GGCAL> plain text file - they pogoed from that system with that userid and got
GGCAL> in...

GGCAL> The results from the investigation? There was nothing else I could do to my
GGCAL> system to make it more secure - in fact I got kudos for it being as secure
GGCAL> as it was. But as long as people keep info insecurely there's nothing you can
GGCAL> do but keep watch and hope to catch them (and of course have good backup
GGCAL> sets!).

Implement ssh2 RSA login only (disable password login everywhere).
Also make sure your users use a non-blank pass phrase.

From owner-freebsd-security Fri Dec 1 19:38:21 2000
Message-ID: <3A286EB4.50908@blackman.ru>
Date: Sat, 02 Dec 2000 06:38:28 +0300
From: "Mr. Blackman"
To: freebsd-security@freebsd.org
Subject: Re: which ftpd (Imortant &etc) aka wold cry
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <20001201115339.G2185@nevermind.kiev.ua>

(sorry if this is off-topic)

Nevermind wrote:

> Hello, James Wyatt!
>
> I've been hacked a few months ago with such kind of sht
> using standard ftpd.

Do you _know_ this was "standard ftpd"?:) I think, don't:)

> ps ax | grep supa
> also make fsck in single mode several times, then search for suspicious dirs in
> /var/games, /var/*.
>
> This is hack based on loading kernel module

This is a rootkit, not a hack (vulnerability) :)

> which prevents process name supa
> to be killed
> also try to find dir or/and file named "lohi".
                                           ^^^^

The file "lohi" gives you a clue: these were Russian hackers (99%), so you
can meet them, buy them a beer and ask: "Guys, how do u hacked my box,
a?:)" That will be better than flaming here.

P.S. Sorry one more time.

Blackman "Peace man"

From owner-freebsd-security Fri Dec 1 19:58:58 2000
Date: Fri, 1 Dec 2000 19:58:47 -0800
From: "Crist J . Clark"
To: Nate Williams
Cc: James Wyatt, Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: which ftpd
Message-ID: <20001201195847.J99903@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <14887.58514.983118.454312@nomad.yogotech.com>
In-Reply-To: <14887.58514.983118.454312@nomad.yogotech.com>; from nate@yogotech.com on Fri, Dec 01, 2000 at 10:49:06AM -0700

On Fri, Dec 01, 2000 at 10:49:06AM -0700, Nate Williams wrote:
> > I've found the stock FreeBSD FTPd really good. It offers a chrooted
> > account I've had to take the WUFTPd risk for before on Linux. If you
> > turn-up the logging you can easily catch things like this. (btw: this
> > looks like some warez d00dz building a nest. I've had it happen before and
> > there have been some FTPd holes that required writable anon-ftp to work.)
> > Using the FTPd xfer log, you can easily audit uploaded files and spot
> > things like this.
You can also have an automatic process watch the log > > and move the files to a quarrantine area. > > Do you have an example setup you could post to the list? One of the > issues I'd like to have is an ftpd that allows uploads, but either moves > them or changes the permissions on them as soon as the files are > uploaded, to avoid having folks abuse the system for warez. How about hardcoding the UMASK to 777? Should be a trivial code hack. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 21: 4:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from public.bta.net.cn (public.bta.net.cn [202.96.0.97]) by hub.freebsd.org (Postfix) with SMTP id 82CD937B400 for ; Fri, 1 Dec 2000 21:04:46 -0800 (PST) Received: from netrinsics.com([202.106.5.60]) by public.bta.net.cn(JetMail 2.5.3.0) with SMTP id jm33a28963f; Sat, 2 Dec 2000 05:04:08 -0000 Received: (from robinson@localhost) by netrinsics.com (8.11.1/8.11.1) id eB256OP08066 for freebsd-security@freebsd.org; Sat, 2 Dec 2000 13:06:24 +0800 (+0800) (envelope-from robinson) Date: Sat, 2 Dec 2000 13:06:24 +0800 (+0800) From: Michael Robinson Message-Id: <200012020506.eB256OP08066@netrinsics.com> To: freebsd-security@freebsd.org Subject: Dialup access and KAME IPSEC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org A while ago I posted on the problem of creating dialup VPNs with KAME IPSEC (because KAME has no facility to update SPD entries with dynamic IP addresses). I heard from several other people with the same problem. I finally had to hack together a fix, and I thought I should share it. It's ugly but it works. There are two python scripts, "secmon" and "secping". The "secmon" script sits on a port on the dedicated gateway waiting for a "ping" from the "secping" script, and when it gets one, updates the SPD entries accordingly. 
The "secping" script is run from /etc/ppp/ppp.linkup on the dialup gateway before pipsecd (caveat: pipsecd will not work with a kernel that has IPSEC enabled). There are rudimentary security features to discourage DoS attacks (port and password checking). These versions of the scripts are for my own requirements (a remote office with a /23 subnet). The scripts are not intended to be plug and play, but they should be trivial to hand customize to meet other requirements. It would also be trivial to port these scripts to perl, for people who don't install python. -Michael Robinson

----------- Cut Here --------------
#!/usr/local/bin/python
#
# secmon script to update KAME IPSEC SPD entries for dialup VPNs
#
# (Python 3 form of the script: popen2 no longer exists, so subprocess
# feeds setkey(8) instead, and datagram payloads are bytes.)
#
import subprocess
from socket import socket, AF_INET, SOCK_DGRAM

# change this config string to match your VPN configuration
config_base = """
spddelete 172.16.0.0/12 172.16.0.16 any -P out;
spddelete 172.16.0.16 172.16.0.0/12 any -P in;
spddelete 172.16.0.0/12 172.16.4.0/23 any -P out;
spddelete 172.16.4.0/23 172.16.0.0/12 any -P in;
add 216.136.204.21 %(address)s esp 1010 -lh 36000 -ls 3600 -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef ;
add %(address)s 216.136.204.21 esp 1010 -lh 36000 -ls 3600 -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef ;
spdadd 172.16.0.0/12 172.16.0.16 any -P out ipsec esp/tunnel/216.136.204.21-%(address)s/require ;
spdadd 172.16.0.16 172.16.0.0/12 any -P in ipsec esp/tunnel/%(address)s-216.136.204.21/require ;
spdadd 172.16.0.0/12 172.16.4.0/23 any -P out ipsec esp/tunnel/216.136.204.21-%(address)s/require ;
spdadd 172.16.4.0/23 172.16.0.0/12 any -P in ipsec esp/tunnel/%(address)s-216.136.204.21/require ;
"""
# end config string

s = socket(AF_INET, SOCK_DGRAM)
s.bind(("216.136.204.21", 4884))
while True:
    (data, address) = s.recvfrom(1500)
    # the "port and password checking": payload must be the password and the
    # sender must have bound port 4884 on its side
    if data == b"Open Sesame" and address[1] == 4884:
        print("good ping: %s" % address[0])
        # plug the dialup gateway's current address into the setkey script
        config = config_base % {"address": address[0]}
        # setkey -c reads the SAD/SPD commands from stdin
        result = subprocess.run(["/usr/sbin/setkey", "-c"],
                                input=config.encode(), stdout=subprocess.PIPE)
        print(result.stdout.decode())
        s.sendto(b"OK", address)
    else:
        print("bad ping: %s" % address[0])
        s.sendto(b"BAD", address)
----------- Cut Here --------------
#!/usr/local/bin/python
#
# secping script to trigger secmon SPD update
# place in /etc/ppp/ppp.linkup
#
from socket import socket, AF_INET, SOCK_DGRAM

s = socket(AF_INET, SOCK_DGRAM)
s.bind(("0.0.0.0", 4884))          # secmon insists on source port 4884
s.settimeout(10)                   # don't hang ppp.linkup if the gateway is down
s.sendto(b"Open Sesame", ("216.136.204.21", 4884))
try:
    (data, address) = s.recvfrom(1500)
except OSError:                    # socket.timeout is an OSError
    data, address = b"", ("", 0)
if data == b"OK" and address[0] == "216.136.204.21" and address[1] == 4884:
    print("good reply")
else:
    print("bad reply")

From owner-freebsd-security Fri Dec 1 22: 1: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: from aurora.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id 1F60F37B401 for ; Fri, 1 Dec 2000 22:01:00 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by aurora.scoop.co.nz (8.9.3/8.9.3) with SMTP id TAA19301; Sat, 2 Dec 2000 19:00:11 +1300 (NZDT) Date: Sat, 2 Dec 2000 19:00:10 +1300 (NZDT) From: Andrew McNaughton Reply-To: andrew@scoop.co.nz To: cjclark@alum.mit.edu Cc: Nate Williams , James Wyatt , Christoph Kukulies , freebsd-security@FreeBSD.ORG Subject: Re: which ftpd In-Reply-To: <20001201195847.J99903@149.211.6.64.reflexcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 1 Dec 2000, Crist J . Clark wrote: > On Fri, Dec 01, 2000 at 10:49:06AM -0700, Nate Williams wrote: > > > I've found the stock FreeBSD FTPd really good. It offers a chrooted > > > account I've had to take the WUFTPd risk for before on Linux. If you > > > turn-up the logging you can easily catch things like this. (btw: this > > > looks like some warez d00dz building a nest.
I've had it happen before and > > > there have been some FTPd holes that required writable anon-ftp to work.) > > > Using the FTPd xfer log, you can easily audit uploaded files and spot > > > things like this. You can also have an automatic process watch the log > > > and move the files to a quarrantine area. > > > > Do you have an example setup you could post to the list? One of the > > issues I'd like to have is an ftpd that allows uploads, but either moves > > them or changes the permissions on them as soon as the files are > > uploaded, to avoid having folks abuse the system for warez. > > How about hardcoding the UMASK to 777? Should be a trivial code hack. You could do this in much the same way that people do in order to use pop logins to authenticate smtp relaying. If you start the daemon with 'ftpd -l -l' then you get syslog messages which a process could use to monitor and act on new uploads. -- Andrew McNaughton Scoop Media Ltd andrew@scoop.co.nz To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 22:10:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 1DAB237B400 for ; Fri, 1 Dec 2000 22:10:47 -0800 (PST) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Fri, 1 Dec 2000 22:09:11 -0800 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eB26AY322854; Fri, 1 Dec 2000 22:10:34 -0800 (PST) (envelope-from cjc) Date: Fri, 1 Dec 2000 22:10:34 -0800 From: "Crist J . Clark" To: Mikhail Kruk Cc: "Robin S. 
Socha" , security@FreeBSD.ORG Subject: Re: IDS Message-ID: <20001201221034.K99903@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from meshko@cs.brandeis.edu on Fri, Dec 01, 2000 at 12:44:22PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Dec 01, 2000 at 12:44:22PM -0500, Mikhail Kruk wrote: > check http://www.trustedbsd.org/ > I don't know how good it is though. > > > > > Just out of curiosity: Linux has LIDS at http://www.lids.org/ - is there > > an equivalent to that for FreeBSD? > > - -- > > Robin S. Socha All of these are more than IDS, they are fundamental changes to the operating system right down to the kernel. But to add another, http://www.securebsd.com -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 22:13:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179]) by hub.freebsd.org (Postfix) with ESMTP id 6D78737B400 for ; Fri, 1 Dec 2000 22:13:26 -0800 (PST) Received: from localhost (meshko@localhost) by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id BAA24185; Sat, 2 Dec 2000 01:13:20 -0500 Date: Sat, 2 Dec 2000 01:13:20 -0500 (EST) From: Mikhail Kruk To: Cc: "Robin S. Socha" , Subject: Re: IDS In-Reply-To: <20001201221034.K99903@149.211.6.64.reflexcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > All of these are more than IDS, they are fundamental changes to the > operating system right down to the kernel. But to add another, well, we started at www.lids.org which is a set of kernel patches. 
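The secmon/secping scripts Michael Robinson posted earlier in this digest authenticate the SPD update with a fixed cleartext string and a check that the sender used source port 4884, and they take the tunnel endpoint from the datagram's source address. Anyone who can sniff the dialup link learns the string, and anyone who can send a spoofed UDP datagram can pick the source port, so the update can be triggered, replayed, or pointed at an attacker's address. What follows is an added example (not Michael's code and not part of KAME) of a trigger a gateway could accept instead: the dialup side sends its new address under an HMAC-SHA256 tag with a timestamp and a nonce, and the gateway rejects bad tags, stale or replayed messages, and messages whose claimed address differs from the address the datagram actually came from. Assumptions, all hypothetical: a 32-byte shared key kept in a root-only file on both hosts, clocks within 30 seconds of each other, and that the dialup side knows its new address (user-ppp substitutes MYADDR in ppp.linkup commands). The fixed key and the TEST-NET addresses in the demo are constructed.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
import time

MAGIC = b"secping1"          # version tag, so the old cleartext ping never verifies
WINDOW = 30                  # seconds of clock skew plus delivery delay tolerated
NONCE_LEN = 8
TAG_LEN = 32                 # HMAC-SHA256
MSG_LEN = len(MAGIC) + 8 + NONCE_LEN + 4 + TAG_LEN


def build_ping(key, address, now=None):
    """Dialup side: MAGIC || ts(8) || nonce(8) || addr(4) || HMAC over the rest.
    address is the new dialup address (hypothetically MYADDR from ppp.linkup)."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN)
    addr = ipaddress.IPv4Address(address).packed   # rejects anything but an IPv4 literal
    body = MAGIC + struct.pack("!Q", ts) + nonce + addr
    return body + hmac.new(key, body, hashlib.sha256).digest()


class PingVerifier:
    """Gateway side: one instance per listening socket, holding the replay cache."""

    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.seen = {}           # nonce -> timestamp, pruned as entries age out

    def verify(self, data, peer_address, now=None):
        """peer_address is what recvfrom() reported.  Returns the address to
        plug into the setkey template, or None if the ping must be ignored."""
        now = int(time.time()) if now is None else now
        if len(data) != MSG_LEN or not data.startswith(MAGIC):
            return None
        body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
        # check the tag first, in constant time, before trusting any field
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
            return None
        ts, = struct.unpack("!Q", body[len(MAGIC):len(MAGIC) + 8])
        nonce = body[len(MAGIC) + 8:len(MAGIC) + 8 + NONCE_LEN]
        claimed = str(ipaddress.IPv4Address(body[-4:]))
        if abs(now - ts) > self.window:
            return None          # stale, or from a badly skewed clock
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return None          # replay inside the window
        if claimed != peer_address:
            return None          # spoofed source, or the dialup side has the wrong MYADDR
        self.seen[nonce] = ts
        return claimed


def render_setkey(template, address):
    """Substitute a validated dotted quad into the original's %(address)s template."""
    return template % {"address": str(ipaddress.IPv4Address(address))}


def exchange_demo():
    """Both sides of the exchange, offline; key and TEST-NET addresses are constructed."""
    key = b"\x11" * 32                     # constructed; read a random key from a file in practice
    gw = PingVerifier(key)
    t0 = 1_000_000
    ping = build_ping(key, "198.51.100.7", now=t0)
    first = gw.verify(ping, "198.51.100.7", now=t0 + 2)        # fresh, from the right source
    replay = gw.verify(ping, "198.51.100.7", now=t0 + 5)       # same nonce again
    spoofed = gw.verify(build_ping(key, "198.51.100.7", now=t0), "203.0.113.9", now=t0 + 1)
    tampered = bytearray(ping)
    tampered[len(MAGIC)] ^= 0x01                                # flip a timestamp bit
    bad_tag = gw.verify(bytes(tampered), "198.51.100.7", now=t0 + 1)
    stale = gw.verify(build_ping(key, "198.51.100.7", now=t0), "198.51.100.7", now=t0 + 120)
    return {"first": first, "replay": replay, "spoofed": spoofed,
            "bad_tag": bad_tag, "stale": stale}
```

On the gateway, the accepted address goes through render_setkey() and then to setkey -c exactly as in secmon; the source-port check becomes unnecessary. The residual risk is the key itself: it protects against anyone on the path, not against the dialup host being compromised, which is the case in which an attacker could still re-point the tunnel.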
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 1 22:26:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id C827437B400 for ; Fri, 1 Dec 2000 22:26:50 -0800 (PST) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Fri, 1 Dec 2000 22:25:17 -0800 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eB26QT522939; Fri, 1 Dec 2000 22:26:29 -0800 (PST) (envelope-from cjc) Date: Fri, 1 Dec 2000 22:26:29 -0800 From: "Crist J . Clark" To: Alan Batie Cc: "David G. Andersen" , Umesh Krishnaswamy , freebsd-security@FreeBSD.ORG Subject: Re: Defeating SYN flood attacks Message-ID: <20001201222629.L99903@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <3A27F625.4C87CC7C@juniper.net> <200012011906.MAA25650@faith.cs.utah.edu> <20001201111340.P45293@agora.rdrop.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001201111340.P45293@agora.rdrop.com>; from alan@batie.org on Fri, Dec 01, 2000 at 11:13:40AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Dec 01, 2000 at 11:13:40AM -0800, Alan Batie wrote: > On Fri, Dec 01, 2000 at 12:06:45PM -0700, David G. Andersen wrote: > > FreeBSD has been synflood resistant for several years. To a first order, > > you cannot effectively synflood a decently provisioned FreeBSD box and > > deny service to it UNLESS your "synflood" is really just a bandwidth > > consumption attack that eats up all of their bandwidth. > > > > There was a problem that cropped up about a year ago where a *really high > > volume* syn flood could cause some kernel problems, but that's fixed in > > all of the recent 4.x versions. 
Really high volume means 10Mbps+. > > I was just subject to such an attack last weekend; I'm running 4.1-RELEASE > at the moment. The attack was SYNs from a large number of (probably > spoofed, randomly generated) addresses to a sequence of ports. The reason > I noticed it was because the port unreachable icmp messages exceeded the > default icmp bandwidth limit and the console and syslog were filled with > the resulting messages about that. The attack ran from Friday evening > until Monday morning. I'm not sure if it's related, but it's suspicious, > that the system under attack crashed (wedged) Sunday morning. You are not describing a SYN attack. A SYN attack does not produce ICMP port unreachables. A SYN attack is focused on _open_ _TCP_ ports. Port unreachables are produced by _closed_ _UDP_ ports. And if you hit a closed TCP port with a SYN, you get a TCP RST, not an ICMP message. -- Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Fri Dec 1 23:25:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 7059937B400 for ; Fri, 1 Dec 2000 23:25:57 -0800 (PST) Received: (qmail 4849 invoked by uid 1000); 2 Dec 2000 07:25:56 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 2 Dec 2000 07:25:56 -0000 Date: Sat, 2 Dec 2000 01:25:56 -0600 (CST) From: Mike Silbersack To: cjclark@alum.mit.edu Cc: Alan Batie , "David G. Andersen" , Umesh Krishnaswamy , freebsd-security@FreeBSD.ORG Subject: Re: Defeating SYN flood attacks In-Reply-To: <20001201222629.L99903@149.211.6.64.reflexcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 1 Dec 2000, Crist J .
Clark wrote: > On Fri, Dec 01, 2000 at 11:13:40AM -0800, Alan Batie wrote: > > I was just subject to such an attack last weekend; I'm running 4.1-RELEASE > > at the moment. The attack was SYNs from a large number of (probably > > spoofed, randomly generated) addresses to a sequence of ports. The reason > > I noticed it was because the port unreachable icmp messages exceeded the > > default icmp bandwidth limit and the console and syslog were filled with > > the resulting messages about that. The attack ran from Friday evening > > until Monday morning. I'm not sure if it's related, but it's suspicious, > > that the system under attack crashed (wedged) Sunday morning. > > You are not describing a SYN attack. A SYN attack does not produce > ICMP port unreachables. A SYN attack is focused on _open_ _TCP_ > ports. Port unreachables are produced by _closed_ _UDP_ ports. And if > you hit a closed TCP port with a SYN, you get a TCP RST, not a ICMP > message. > -- > Crist J. Clark cjclark@alum.mit.edu Once again, you're both right. The current code says "icmp unreachable" whether it's actually a RST or a true icmp message sent. I'll be creating a PR with a patch that fixes the error in reporting tomorrow. I need to find a better way to test and do a bit more research, but I suspect at the moment that the purpose synflooding unopen ports serves is not to deny service to the port, but rather to eat bandwidth and bloat the route table. If so, the bloated route table may explain why the box wedged. (Why someone wouldn't spend their stolen bandwidth on an open port is beyond me, though.) 
Mike "Silby" Silbersack

From owner-freebsd-security Sat Dec 2 2:42:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id 8BBCB37B400 for ; Sat, 2 Dec 2000 02:42:54 -0800 (PST) Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1-AGK-0.3) with ESMTP id NAA99232; Sat, 2 Dec 2000 13:36:51 +0300 (MSK) Date: Sat, 2 Dec 2000 13:36:52 +0300 From: Vladimir Dubrovin X-Mailer: The Bat! (v1.47 Halloween Edition) Reply-To: Vladimir Dubrovin Organization: Sandy Info X-Priority: 3 (Normal) Message-ID: <28146581553.20001202133652@sandy.ru> To: Melon Cc: freebsd-security@freebsd.org Subject: Re: 137/udp In-reply-To: <3A26A013136.BF8AMELON@postman.orangenetwork.net> References: <3A26A013136.BF8AMELON@postman.orangenetwork.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello Melon, I'm a little bit late, but hope this information will help you. As it was correctly noted by a few authors, Windows uses NetBIOS name resolution in the process of name resolution. You can get a UDP/137 packet every time someone from a Windows box tries to resolve your IP to a name. It was incorrectly noted that it will happen if you have a Windows client. In fact, usually you get this packet when you try to connect to a Windows server, for example when you connect to an IIS server while browsing the WWW. When these packets are sent from a Windows box, they will have both SRC and DST ports UDP/137. If you have a different SRC port, someone is probably scanning your network (or this box is behind NAT). NetBIOS name resolution is a valid process defined by RFC 1000/1001.
A Windows host can also use this protocol instead of ident, since it allows finding the active user of a Windows box. P.S. If you prefer to filter these packets with ipfw, it's better to use "unreach port" instead of "deny", since it eliminates the timeout of the remote host in the name resolution process. -- Vladimir Dubrovin Sandy, ISP Sandy CCd chief Customers Care dept http://www.sandy.ru Nizhny Novgorod, Russia http://www.security.nnov.ru 30.11.2000 21:44, you wrote: 137/udp; M> Hello, M> All network administrators may always see rejected 137/udp packets... M> I want to know how these udp packets occur? M> I expect some stupid kids attacked me. However, is there any exception? M> Someone sent only 3 137/udp packets to a specific IP address. In general, M> these stupid kids do not send to a specific IP address, they send to all IP M> addresses I have. M> Any suggestions appreciated. M> - Melon

From owner-freebsd-security Sat Dec 2 4:45:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (beleriand.online.bg [195.138.137.181]) by hub.freebsd.org (Postfix) with SMTP id A5BBE37B402 for ; Sat, 2 Dec 2000 04:45:41 -0800 (PST) Received: (qmail 2310 invoked by uid 1000); 2 Dec 2000 12:45:02 -0000 Date: Sat, 2 Dec 2000 14:45:02 +0200 From: Peter Pentchev To: freebsd-security@FreeBSD.ORG Subject: Re: Move along, nothing to see here. Re: Important!!
Vulnerability in standard ftpd Message-ID: <20001202144502.A1968@ringworld.oblivion.bg> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <21A918476AFBD311B0C80000D1ECF0FF01A865FC@vejxoisnte85.scott.af.mil> <32502992254.20001201181055@ipfw.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <32502992254.20001201181055@ipfw.org>; from pccb@yahoo.com on Fri, Dec 01, 2000 at 06:10:55PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, Dec 01, 2000 at 06:10:55PM -0500, Peter Chiu wrote: > Hello Garrett, > > Friday, December 01, 2000, 10:44:42 AM, you wrote: > > GGCAL> Speaking from experience in a related case: > > GGCAL> I have had my website system hacked twice in the last year - BOTH times it > GGCAL> happened because the hacker got into ANOTHER system where an individual with > GGCAL> a trusted account had his userid and password stored on that server in a > GGCAL> plain text file - they pogoed from that system with that userid and got > GGCAL> in... > > GGCAL> The results from the investigation? There was nothing else I could do to my > GGCAL> system to make it more secure - in fact I got kudos for it being as secure > GGCAL> as it was. But as long as people keep info insecurely there's nothing you can > GGCAL> do but keep watch and hope to catch them (and of course have good backup > GGCAL> sets!). > > Implement ssh2 RSA login only (disable password login everywhere). > Also make sure your users use a non-blank pass phrase. This will not necessarily help; if another machine (or even an account on another machine) has been compromised, the attackers could easily install a backdoored (read: logging) ssh client. I've seen that kind of client several times, and it's not so hard to do it.
It might be a bit harder, if only an account was compromised, to get the legitimate user of that account to actually execute the backdoored client instead of the system one; but.. seriously.. besides seasoned admins, who have already been burned, just what percentage of average users often examine their profile/rc scripts for 'new' aliases? :\ G'luck, Peter -- This sentence every third, but it still comprehensible.

From owner-freebsd-security Sat Dec 2 7:23:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 595F837B400 for ; Sat, 2 Dec 2000 07:23:13 -0800 (PST) Received: from tandem (tandem [204.107.138.1]) by tandem.milestonerdl.com (8.10.0/8.10.0) with ESMTP id eB2FN9L28957; Sat, 2 Dec 2000 09:23:09 -0600 (CST) Date: Sat, 2 Dec 2000 09:23:08 -0600 (CST) From: Marc Rassbach To: Peter Pentchev Cc: freebsd-security@FreeBSD.ORG Subject: Re: Move along, nothing to see here. Re: Important!! Vulnerability in standard ftpd In-Reply-To: <20001202144502.A1968@ringworld.oblivion.bg> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> > > > Implement ssh2 RSA login only (disable password login everywhere). > > Also make sure your users use a non-blank pass phrase. > > This will not necessarily help; if another machine (or even an account on > another machine) has been compromised, the attackers could easily install > a backdoored (read: logging) ssh client. I've seen that kind of client > several times, and it's not so hard to do it. I've seen it also. 3 Linux boxes, and one FreeBSD 2.2.7 The 3 linux boxes were trojaned in different ways (different people). 2 of them had ssh *ADDED* just so they could start capturing passwords.
(the client wasn't using ssh) Password sniffing, etc la. They had the root password for the FreeBSD box for about a month. They kept placing Linux binaries on the FreeBSD box. The box would run "weird" according to the customer. They were going to move over to a new FreeBSD box....so fixing the 2.2.7 box wasn't important :-) Only after the linux boxen were used to portscan other boxes did I get to scrub the BSD box :-) The Linux boxes....they were all re-installed from scratch. They couldn't find ALL the trojans with the linux box. From the BSD side.... make world and the script kiddies were gone.

From owner-freebsd-security Sat Dec 2 8: 5:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id ECF5837B400 for ; Sat, 2 Dec 2000 08:05:46 -0800 (PST) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id eB2G5Sf35686; Sat, 2 Dec 2000 11:05:28 -0500 (EST) (envelope-from robert@fledge.watson.org) Date: Sat, 2 Dec 2000 11:05:28 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org To: "David G. Andersen" Cc: Umesh Krishnaswamy , freebsd-security@FreeBSD.ORG Subject: Re: Defeating SYN flood attacks In-Reply-To: <200012011906.MAA25650@faith.cs.utah.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 1 Dec 2000, David G. Andersen wrote: > FreeBSD has been synflood resistant for several years. To a first > order, you cannot effectively synflood a decently provisioned FreeBSD > box and deny service to it UNLESS your "synflood" is really just a > bandwidth consumption attack that eats up all of their bandwidth.
> > There was a problem that cropped up about a year ago where a *really > high volume* syn flood could cause some kernel problems, but that's > fixed in all of the recent 4.x versions. Really high volume means > 10Mbps+.

FreeBSD SYN flood resistance relies on the use of a SYN cache -- essentially a mechanism by which SYNs do not result in full state allocation, and by which that state can be rapidly recycled. In recent versions of FreeBSD, there are additional precautions in the form of avoiding unnecessarily allocating routing state (code contributed by Yahoo!). These techniques help FreeBSD resist moderate-bandwidth (>10mbps) SYN floods, depending on CPU and memory capacity of the victim. However, given a sufficiently high bandwidth SYN flood, the system will remain in interrupt processing for extended periods of time, starving the system of CPU for normal processing and continued operation. This does not result in catastrophic unrecoverable failure, but can result in apparent hangs for the duration of the high volume attack.

In coordination with Yahoo!, we've been considering implementing some additional steps to limit state and CPU allocation, reduce vulnerability to attacks based on arbitrary (and not hardware-bounded) configuration limits, and increase the rate of state recycling under load (in particular, in response to Naptha-style attacks); as with all denial of service issues, there's a balance between responding to the attack and increasing fragility and complexity of the system. In reality the issue is: can you distinguish "legitimate" requests from "illegitimate" ones without allocating greater resources than you would by not distinguishing them; the more sophisticated the attack, the harder it is to identify, and the less you as a victim will be able to respond to the attack.
Most SYN attack response mechanisms are heuristics that attempt to balance rapid discarding of incomplete or improper connection attempts while being sensitive to lossy network conditions. Techniques that attempt to address the stateful attack vulnerability associated with SYN attacks (such as traditional SYN cookie implementations) often impose a CPU load comparable to or higher than the SYN cache technique on the same hardware. These techniques also reflect the same tradeoffs: your response to a denial of service scenario must avoid resource allocation in excess of allocation prior to introducing the response :-). The traditional SYN cookie implementations exchange increased CPU load for reduced state allocation, but often do a poor job of it, and can result in some protocol violations that make SYN cookies more fragile in adverse network environments (such as those under DoS attack). This means that we should cautiously consider both the positive and negative aspects of the technique before committing to it.

Suffice it to say that fundamentally it is very difficult to respond to DoS in the current framework of network and resource allocation paradigms, but that we're constantly exploring ways to deal with the current attack mechanisms in more effective ways. Expect to see more work on the FreeBSD IP stack addressing some of these DoS issues in the near future.
Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services

From owner-freebsd-security Sat Dec 2 17:28: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: from web116.yahoomail.com (web116.mail.yahoo.com [205.180.60.89]) by hub.freebsd.org (Postfix) with SMTP id EEE2F37B400 for ; Sat, 2 Dec 2000 17:28:02 -0800 (PST) Received: (qmail 25515 invoked by uid 60001); 3 Dec 2000 01:28:02 -0000 Message-ID: <20001203012802.25514.qmail@web116.yahoomail.com> Received: from [216.205.158.97] by web116.yahoomail.com; Sat, 02 Dec 2000 17:28:02 PST Date: Sat, 2 Dec 2000 17:28:02 -0800 (PST) From: Holtor Subject: Rate Limiting syn-ack's To: security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi all, Is there any way I can limit outgoing syn-ack packets my computer sends? I had a large syn flood which was about 7 mbps incoming. The server also sent 7 mbps outgoing to reply to those syn's. How can I stop that or somehow rate limit to maybe 500 kbps or 1 mbps? I'm not able to find an option to do this using ipfw and/or dummynet. Thanks. Holt
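Robert Watson's message above weighs FreeBSD's SYN cache against SYN cookies, which keep no state at all for a half-open connection: the server's initial sequence number is a keyed function of the connection, and the final ACK of the handshake proves the client saw it. The following is an added example, not FreeBSD's implementation, of the classic cookie layout (5-bit time counter, 3-bit MSS table index, 24-bit keyed hash) together with the validation step, so the costs Robert describes are visible: every SYN and every ACK costs a keyed hash, and only an MSS survives in the cookie, so options negotiated in the SYN (window scaling, SACK) are lost, which is the protocol fragility he mentions. The MSS table, the 64-second counter tick, the two-tick acceptance window and the HMAC-SHA256 truncation are this example's choices; the addresses in the demo are TEST-NET and constructed.

```python
import hashlib
import hmac
import os
import socket
import struct

# Cookie layout, top to bottom: 5-bit time counter, 3-bit MSS table index,
# 24-bit truncated keyed hash.  These constants are this example's choices.
COUNTER_BITS = 5
COUNTER_MASK = (1 << COUNTER_BITS) - 1
COUNTER_SHIFT = 6                            # one counter tick per 64 seconds
MSS_TABLE = (536, 1024, 1220, 1440, 1460)    # at most 8 entries (3 bits)
HASH_MASK = (1 << 24) - 1
SECRET = os.urandom(32)                      # per-process secret; a real stack rotates it


def _mss_index(mss):
    """Index of the largest table entry not above the client's advertised MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _cookie_hash(saddr, daddr, sport, dport, client_isn, counter, secret):
    """24-bit truncated HMAC-SHA256 over the 4-tuple, the client ISN and the counter."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, counter)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now, secret=SECRET):
    """Server ISN to send in the SYN-ACK.  Nothing is stored for this SYN.
    saddr/daddr are packed 4-byte addresses, now is seconds since the epoch."""
    counter = (now >> COUNTER_SHIFT) & COUNTER_MASK
    h = _cookie_hash(saddr, daddr, sport, dport, client_isn, counter, secret)
    return (counter << 27) | (_mss_index(mss) << 24) | int.from_bytes(h, "big")


def check_cookie(cookie, saddr, daddr, sport, dport, client_isn, now,
                 secret=SECRET, max_age=2):
    """Validate cookie = (ACK number - 1) taken from the handshake's final ACK.
    Returns the MSS to use for the new connection, or None if the cookie is
    more than max_age counter ticks old or its hash does not verify."""
    counter = (cookie >> 27) & COUNTER_MASK
    current = (now >> COUNTER_SHIFT) & COUNTER_MASK
    if ((current - counter) & COUNTER_MASK) > max_age:
        return None                          # too old (or a wrapped-around counter)
    expected = _cookie_hash(saddr, daddr, sport, dport, client_isn, counter, secret)
    if not hmac.compare_digest(expected, (cookie & HASH_MASK).to_bytes(3, "big")):
        return None                          # blind guess or wrong 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


def handshake_demo():
    """Three-way handshake simulated with constructed TEST-NET addresses."""
    client = socket.inet_aton("203.0.113.10")
    server = socket.inet_aton("198.51.100.1")
    sport, dport, client_isn, t0 = 40001, 80, 0x1234ABCD, 1_000_000
    # SYN arrives: answer with the cookie as our ISN, keep no state
    cookie = make_cookie(client, server, sport, dport, client_isn, 1460, t0)
    # honest ACK 30 s later carries ack = cookie + 1
    legit = check_cookie(cookie, client, server, sport, dport, client_isn, t0 + 30)
    # blind forgery: attacker gets the low 24 bits wrong
    forged = check_cookie(cookie ^ 0x1, client, server, sport, dport, client_isn, t0 + 30)
    # same cookie presented on a different 4-tuple
    moved = check_cookie(cookie, client, server, sport + 1, dport, client_isn, t0 + 30)
    # valid cookie replayed five minutes later: counter too old
    stale = check_cookie(cookie, client, server, sport, dport, client_isn, t0 + 300)
    return {"legit_mss": legit, "forged": forged, "moved": moved, "stale": stale}
```

hmac.compare_digest keeps the 24-bit check constant-time, but the real limit is the width: an attacker who can send ACKs blindly needs on the order of 2^24 guesses per 4-tuple and time slot to land one connection, and the MSS is all the cookie can carry, which is why stacks that have cookies typically enable them only once the SYN cache overflows rather than for every SYN.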
From owner-freebsd-security Sat Dec 2 20:48:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 663DD37B400 for ; Sat, 2 Dec 2000 20:48:53 -0800 (PST) Received: (from root@localhost) by giganda.komkon.org (8.9.3/8.9.3) id XAA17920 for security@freebsd.org; Sat, 2 Dec 2000 23:48:47 -0500 (EST) (envelope-from str) Date: Sat, 2 Dec 2000 23:48:47 -0500 (EST) From: Igor Roshchin Message-Id: <200012030448.XAA17920@giganda.komkon.org> To: security@freebsd.org Subject: tcsh-6.09.03_1 package Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello! This question might be better suited to -ports, but this package was recently discussed here, due to its vulnerability. On Nov. 30, I downloaded the tcsh-6.09.03_1 package from ftp.freebsd.org (for 3-STABLE), and installed it on a 3.5.1-RELEASE box using pkg_add. I've noticed one strange oddity: pkg_add replaced /usr/local/bin/tcsh in /etc/shells with the string "bin/tcsh" (see the Packing list below). Why is it so? Thanks, Igor

The relevant part of the Packing list (output of pkg_info):
Packing list:
Package name: tcsh-6.09.03_1
CWD to /usr/local
File: man/man1/tcsh.1.gz
Comment: MD5:6e58573bc5a047867b5af95b030e1756
File: bin/tcsh
Comment: MD5:58859c01f8d28d2d02025b00aeba7a9b
EXEC 'echo "updating /etc/shells"; cp /etc/shells /etc/shells.bak; (grep -v %D/bin/tcsh /etc/shells.bak; echo bin/tcsh) >/etc/shells'
UNEXEC 'echo "updating /etc/shells"; cp /etc/shells /etc/shells.bak; (grep -v %D/bin/tcsh /etc/shells.bak) >/etc/shells'
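The packing list above shows where the relative entry comes from: the grep on both the EXEC and UNEXEC side uses %D/bin/tcsh, but the echo that adds the entry writes the literal bin/tcsh without the %D prefix. That is more than untidy, because ftpd (and chpass, and anything else that consults getusershell(3)) treats a user whose login shell is not listed in /etc/shells as ineligible, and a relative entry matches nobody. What follows is an added example, not the tcsh port's or pkg_add's code, of an /etc/shells editor that refuses a relative path, is idempotent on repeated add or remove, keeps comments, and replaces the file atomically so a concurrent reader never sees it half-written. It assumes it runs as root on a line-oriented file with '#' comments; the demo runs on a constructed copy, never on the real file.

```python
import os
import tempfile


def _entry(line):
    """Shell path on one line of /etc/shells, ignoring comments and blanks."""
    return line.split("#", 1)[0].strip()


def update_shells(shell, add=True, path="/etc/shells"):
    """Add (add=True) or remove (add=False) one shell path.  Idempotent.
    Returns the list of shell entries the file contains afterwards."""
    # This is the check the packing list lacked: %D/bin/tcsh is absolute,
    # "bin/tcsh" is not, and a relative entry can never match a login shell.
    if not os.path.isabs(shell) or os.path.normpath(shell) != shell:
        raise ValueError("shell must be an absolute, normalized path: %r" % (shell,))
    try:
        with open(path) as f:
            lines = f.read().splitlines()
    except FileNotFoundError:
        lines = []
    kept, present = [], False
    for line in lines:
        if _entry(line) == shell:
            if not add or present:
                continue            # removing it, or a duplicate while adding
            present = True
        kept.append(line)
    if add and not present:
        kept.append(shell)
    # write a sibling temp file and rename it over the original, so readers
    # (ftpd, chpass) see either the old file or the new one, never a partial one
    fd, tmp = tempfile.mkstemp(prefix=".shells.", dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.write("".join(l + "\n" for l in kept))
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return [e for e in map(_entry, kept) if e]


def demo():
    """Exercise the editor on a constructed copy of /etc/shells in a temp dir."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "shells")
    with open(p, "w") as f:
        f.write("# List of acceptable shells for chpass(1).\n/bin/sh\n/bin/csh\n")
    after_add = update_shells("/usr/local/bin/tcsh", path=p)
    again = update_shells("/usr/local/bin/tcsh", path=p)           # second add is a no-op
    with open(p) as f:
        comment_kept = f.readline().startswith("# List")
    after_remove = update_shells("/usr/local/bin/tcsh", add=False, path=p)
    try:
        update_shells("bin/tcsh", path=p)                          # the packing list's mistake
        relative_rejected = False
    except ValueError:
        relative_rejected = True
    return {"after_add": after_add, "again": again, "comment_kept": comment_kept,
            "after_remove": after_remove, "relative_rejected": relative_rejected}
```

The same logic fits in the package's EXEC/UNEXEC hooks once the echo is corrected to %D/bin/tcsh; the point of the Python form is to show the checks (absolute path, no duplicates, atomic replace) that a grep-and-append pipeline skips.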